From 13eec9346b7d513e42cb676bd45c781ce324bbe3 Mon Sep 17 00:00:00 2001
From: rolux
Date: Wed, 22 Feb 2012 10:14:07 +0000
Subject: [PATCH] properly escape user names and list names
---
pandora/item/models.py | 14 +++++++++++++-
pandora/place/views.py | 2 +-
pandora/user/views.py | 7 ++++++-
static/js/pandora/account.js | 5 ++++-
static/js/pandora/folderBrowserList.js | 6 ++++++
static/js/pandora/folderList.js | 8 +++++++-
static/js/pandora/home.padma.js | 4 ++--
static/js/pandora/listDialog.js | 5 ++++-
static/js/pandora/logsDialog.js | 22 +++++++++++++++-------
static/js/pandora/menu.js | 6 ++++--
static/js/pandora/usersDialog.js | 8 +++++---
static/js/pandora/utils.js | 2 +-
12 files changed, 68 insertions(+), 21 deletions(-)
diff --git a/pandora/item/models.py b/pandora/item/models.py
index 980111bd..5690bfe6 100644
--- a/pandora/item/models.py
+++ b/pandora/item/models.py
@@ -211,6 +211,7 @@ class Item(models.Model):
 groups = data.pop('groups')
 if isinstance(groups, list):
 groups = filter(lambda g: g.strip(), groups)
+ groups = [ox.escape_html(g) for g in groups]
 self.groups.exclude(name__in=groups).delete()
 current_groups = [g.name for g in self.groups.all()]
 for g in filter(lambda g: g not in current_groups, groups): 
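Review bot: The `g.strip()` in the filter on the context line above the added one is only a predicate, so a name such as `' admin'` survives with its surrounding whitespace and is then escaped and stored untrimmed; folding both steps into one pass, `groups = [ox.escape_html(g.strip()) for g in groups if g.strip()]`, normalizes and escapes together. The identical pattern is added to editUser in pandora/user/views.py (@@ -338) and the same change applies there. Note also that `current_groups` is read from rows that may predate this commit, so any existing name containing a character ox.escape_html rewrites will no longer match its escaped form and will be deleted and recreated by the loop that follows; that loop and the enclosing method continue outside the hunk.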
@@ -234,10 +235,21 @@ class Item(models.Model): del self.data[key] else: k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys']) - if k and k.get('type') == 'text': + ktype = k and k[0].get('type') or '' + if ktype == 'text': self.data[key] = ox.parse_html(data[key]) + elif ktype == '[text]': + self.data[key] = [ox.parse_html(t) for t in data[key]] + elif ktype == '[string]': + self.data[key] = [ox.escape_html(t) for t in data[key]] elif isinstance(data[key], basestring): self.data[key] = ox.escape_html(data[key]) + elif isinstance(data[key], list): + def cleanup(i): + if isinstance(i, basestring): + i = ox.escape_html(i) + return i + self.data[key] = [cleanup(i) for i in data[key]] else: self.data[key] = ox.escape_html(data[key]) return self.save() diff --git a/pandora/place/views.py b/pandora/place/views.py index 8f82d2f5..9961a51d 100644 --- a/pandora/place/views.py +++ b/pandora/place/views.py @@ -51,7 +51,7 @@ def addPlace(request): name = 'Untitled [%s]' %n n += 1 names = [name] + data.get('alternativeNames', []) - data['alternativveNames'] = [ox.escape_html(n) + data['alternativeNames'] = [ox.escape_html(n) for n in data.get('alternativeNames', [])] name = ox.escape_html(name) for n in names: diff --git a/pandora/user/views.py b/pandora/user/views.py index 60e6e234..6fc501ab 100644 --- a/pandora/user/views.py +++ b/pandora/user/views.py @@ -131,6 +131,8 @@ def signup(request): data = json.loads(request.POST['data']) if 'username' in data and 'password' in data: data['username'] = data['username'].strip() + if 'email' in data: + data['email'] = ox.escape_html(data['email']) if models.User.objects.filter(username__iexact=data['username']).count() > 0: response = json_response({ 'errors': { 
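Review bot: The new `[text]` and `[string]` branches iterate `data[key]` without checking that it is a list, so a plain string sent by the client for such a key is processed character by character and stored as a list of one-character strings; guard them with `elif ktype == '[text]' and isinstance(data[key], list):` (and the same for `[string]`) so a scalar falls through to the existing `basestring` branch. In the generic list branch, `cleanup` only escapes string items, so nested dicts or lists pass through untouched — if such values are accepted for any key they should be escaped recursively or rejected. The enclosing method begins before the hunk.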
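Review bot: `names` on the third context line is built from the raw `name` and the raw alternative names before both are escaped on the lines below it, so the `for n in names:` loop that continues past the hunk works with unescaped strings while `data['alternativeNames']` and `name` hold the escaped forms; whatever that loop checks (presumably a duplicate lookup, which I cannot see) compares different values from those that get stored. Moving the list construction after the two escaping statements, `names = [name] + data['alternativeNames']`, keeps the lookup and the stored values in step. addPlace starts before the hunk.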
@@ -324,6 +326,8 @@ def editUser(request): if 'disabled' in data: user.is_active = not data['disabled'] if 'email' in data: + if 'email' in data: + data['email'] = ox.escape_html(data['email']) if models.User.objects.filter(email__iexact=data['email']).exclude(id=user.id).count()>0: response = json_response(status=403, text='email already in use') return render_to_json_response(response) @@ -338,6 +342,7 @@ def editUser(request): groups = data['groups'] if isinstance(groups, list): groups = filter(lambda g: g.strip(), groups) + groups = [ox.escape_html(g) for g in groups] user.groups.exclude(name__in=groups).delete() current_groups = [g.name for g in user.groups.all()] for g in filter(lambda g: g not in current_groups, groups): @@ -696,7 +701,7 @@ def editPreferences(request): errors['email'] = 'Email address already in use' else: change = True - request.user.email = data['email'] + request.user.email = ox.escape_html(data['email']) if 'newsletter' in data: profile = request.user.get_profile() profile.newsletter = data['newsletter'] diff --git a/static/js/pandora/account.js b/static/js/pandora/account.js index c3e1ce1f..9ac49c3d 100644 --- a/static/js/pandora/account.js +++ b/static/js/pandora/account.js @@ -379,7 +379,10 @@ pandora.ui.accountWelcomeDialog = function() { .append( Ox.Element() .css({position: 'absolute', left: '96px', top: '16px', width: '192px'}) - .html('Welcome, ' + pandora.user.username + '!
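Review bot: The added `if 'email' in data:` sits directly inside the existing `if 'email' in data:` on the context line above it, so the inner test is always true; drop it and write `data['email'] = ox.escape_html(data['email'])` at the outer block's indentation. Escaping before the `email__iexact` lookup on the following line is the right order, since the stored value is the escaped one. editUser begins before the hunk.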
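Review bot: `request.user.email` is now assigned the escaped value, but the 'Email address already in use' check whose `else:` branch this is ran on `data['email']` before any escaping (the check itself is above the hunk, so I infer this from the order of the visible lines), so for an address containing a character ox.escape_html rewrites the lookup and the stored value disagree; signup (@@ -131 in this file) escapes before its lookup instead. Escaping `data['email']` once at the top of the `if 'email' in data:` branch, ahead of the uniqueness check, makes the three paths in this file agree. editPreferences begins before the hunk.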

Your account has been created.') + .html( + 'Welcome, ' + Ox.encodeHTMLEntities(pandora.user.username) + + '!

Your account has been created.' + ) ), fixedSize: true, height: 128, diff --git a/static/js/pandora/folderBrowserList.js b/static/js/pandora/folderBrowserList.js index 49985556..12e020ea 100644 --- a/static/js/pandora/folderBrowserList.js +++ b/static/js/pandora/folderBrowserList.js @@ -38,6 +38,9 @@ pandora.ui.folderBrowserList = function(id) { width: 16 }, { + format: function(value) { + return Ox.encodeHTMLEntities(value); + }, id: 'user', operator: '+', title: 'User', @@ -45,6 +48,9 @@ pandora.ui.folderBrowserList = function(id) { width: Math.floor(columnWidth) }, { + format: function(value) { + return Ox.encodeHTMLEntities(value); + }, id: 'name', operator: '+', title: 'List', diff --git a/static/js/pandora/folderList.js b/static/js/pandora/folderList.js index 257f1334..4ae9deb5 100644 --- a/static/js/pandora/folderList.js +++ b/static/js/pandora/folderList.js @@ -35,7 +35,7 @@ pandora.ui.folderList = function(id) { }, { format: function(value) { - return value.split(':').join(': '); + return Ox.encodeHTMLEntities(value.split(':').join(': ')); }, id: 'id', operator: '+', @@ -49,12 +49,18 @@ pandora.ui.folderList = function(id) { editable: function(data) { return data.user == pandora.user.username; }, + format: function(value) { + return Ox.encodeHTMLEntities(value); + }, id: 'name', input: { autovalidate: pandora.ui.autovalidateListname }, operator: '+', tooltip: id == 'personal' ? 'Edit Title' : '', + unformat: function(value) { + return Ox.decodeHTMLEntities(value); + }, visible: id != 'favorite', width: pandora.user.ui.sidebarWidth - 96 }, diff --git a/static/js/pandora/home.padma.js b/static/js/pandora/home.padma.js index 762aa522..0499e447 100644 --- a/static/js/pandora/home.padma.js +++ b/static/js/pandora/home.padma.js @@ -466,7 +466,7 @@ pandora.ui.home = function() { .appendTo($listsContent); $listIcon[i] = Ox.Element({ element: '', - tooltip: list.name + tooltip: Ox.encodeHTMLEntities(list.name) }) .attr({ src: '/list/' + list.user + ':' 
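Review bot: The three-line `format` closure added for the user column is repeated verbatim for the name column in the next hunk and twice more in logsDialog.js (@@ -60); if `Ox.encodeHTMLEntities` ignores extra arguments (its second parameter is not shown here, so confirm), `format: Ox.encodeHTMLEntities` can be passed directly, which reads as the intent rather than a wrapper. Otherwise a single shared helper in utils.js would keep the four copies from drifting. folderBrowserList's column list continues outside the hunk.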
@@ -556,7 +556,7 @@ pandora.ui.home = function() { + lists[selected].name + '/icon256.jpg' }); $text.html( - '' + lists[selected].name + '

' + '' + Ox.encodeHTMLEntities(lists[selected].name) + '

' + lists[selected].description ); } diff --git a/static/js/pandora/listDialog.js b/static/js/pandora/listDialog.js index 36bd463c..9fa18353 100644 --- a/static/js/pandora/listDialog.js +++ b/static/js/pandora/listDialog.js @@ -108,7 +108,7 @@ pandora.ui.listDialog = function(section) { height: 312, // keys: {enter: 'save', escape: 'cancel'}, removeOnClose: true, - title: 'List - ' + listData.name, + title: 'List - ' + Ox.encodeHTMLEntities(listData.name), width: width }); @@ -243,6 +243,9 @@ pandora.ui.listGeneralPanel = function(listData) { listData.name = result.data.name; Ox.Request.clearCache('findLists'); pandora.$ui.info.updateListInfo(); + pandora.$ui.listDialog.options({ + title: 'List - ' + Ox.encodeHTMLEntities(listData.name) + ' - General' + }); } }); } diff --git a/static/js/pandora/logsDialog.js b/static/js/pandora/logsDialog.js index 592c0081..6aa8da96 100644 --- a/static/js/pandora/logsDialog.js +++ b/static/js/pandora/logsDialog.js @@ -60,34 +60,42 @@ pandora.ui.logsDialog = function() { visible: false, }, { + format: function(value) { + return Ox.encodeHTMLEntities(value); + }, id: 'user', + operator: '+', title: 'User', visible: true, width: 72 }, { - id: 'created', - title: 'Date', align: 'right', format: function(value) { return value.replace(/[TZ]/g, ' '); }, + id: 'created', operator: '-', + title: 'Date', visible: true, width: 144 }, { - id: 'url', - title: 'URL', - format: function(value, data) { + format: function(value) { return formatURL(value, data.line); }, + id: 'url', operator: '+', + title: 'URL', visible: true, width: 320 }, { + format: function(value) { + return Ox.encodeHTMLEntities(value); + }, id: 'text', + operator: '+', title: 'Text', visible: true, width: 640 @@ -138,7 +146,7 @@ pandora.ui.logsDialog = function() { margin: '16px', MozUserSelect: 'text', WebkitUserSelect: 'text' - }).html(value.text)), + }).text(value.text)), height: height - 48, keys: {enter: 'close', escape: 'close'}, maximizeButton: true, 
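Review bot: `lists[selected].description` on the last line of the `.html()` argument is still concatenated raw while the list name beside it is now entity-encoded, leaving the description as the one unencoded field in this string; unless descriptions are sanitized server-side before storage (I cannot tell from the hunk), wrap it the same way, `+ Ox.encodeHTMLEntities(lists[selected].description)`. If descriptions are meant to carry markup, a one-line comment on this line saying so would spare the next reader the same question. The enclosing home() body continues outside the hunk.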
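Review bot: The url column's `format` callback is changed from `function(value, data)` to `function(value)` but its body still reads `data.line`, so `data` is no longer a parameter and resolves to whatever outer binding exists at call time, if any — most likely a ReferenceError, or the wrong line number for every row. Restore the parameter: `format: function(value, data) {`. The reordering of `id`/`title` after `format` in the same hunk is cosmetic, and the switch from `.html(value.text)` to `.text(value.text)` in @@ -138 is the right fix for the detail view.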
@@ -203,7 +211,7 @@ pandora.ui.logsDialog = function() { .appendTo(that.$element.find('.OxButtonsbar')); function formatURL(url, line) { - return url.split('?')[0] + ':' + line; + return Ox.encodeHTMLEntities(url.split('?')[0]) + ':' + line; } function renderLog(logData) { diff --git a/static/js/pandora/menu.js b/static/js/pandora/menu.js index 26520d02..810a68dd 100644 --- a/static/js/pandora/menu.js +++ b/static/js/pandora/menu.js @@ -27,7 +27,7 @@ pandora.ui.mainMenu = function() { ] ) }, { id: 'userMenu', title: 'User', items: [ - { id: 'username', title: 'User: ' + (isGuest ? 'not logged in' : pandora.user.username), disabled: true }, + { id: 'username', title: 'User: ' + (isGuest ? 'not logged in' : Ox.encodeHTMLEntities(pandora.user.username)), disabled: true }, {}, { id: 'preferences', title: 'Preferences...', disabled: isGuest, keyboard: 'control ,' }, { id: 'archives', title: 'Archives...', disabled: /*isGuest*/ true }, @@ -455,7 +455,9 @@ pandora.ui.mainMenu = function() { : lists[folder].map(function(list) { return { id: 'viewlist' + list.id, - title: (folder == 'favorite' ? list.user + ': ' : '') + list.name, + title: Ox.encodeHTMLEntities(( + folder == 'favorite' ? list.user + ': ' : '' + ) + list.name), checked: list.id == pandora.user.ui._list }; }) diff --git a/static/js/pandora/usersDialog.js b/static/js/pandora/usersDialog.js index aef21417..6d08fc6e 100644 --- a/static/js/pandora/usersDialog.js +++ b/static/js/pandora/usersDialog.js @@ -86,7 +86,7 @@ pandora.ui.usersDialog = function() { format: function(value, data) { return '' + value + ''; + ) + '">' + Ox.encodeHTMLEntities(value) + ''; }, id: 'username', operator: '+', @@ -389,7 +389,8 @@ pandora.ui.usersDialog = function() { result.data.items.filter(function(item) { return item.email; }).map(function(item) { - return item.username + ' <' + item.email + '>'; + return Ox.encodeHTMLEntities(item.username) + + ' <' + item.email + '>'; }).join(', ') ), removeOnClose: true, 
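Review bot: Only the anchor's text is encoded in the username column; the expression closed by `) + '">'` on the added line feeds the href attribute and is not visibly encoded, and this rendering garbles the lines that build it, so I cannot tell whether it contains user-controlled data. If it does, the attribute context needs the same treatment, e.g. `Ox.encodeHTMLEntities(...) + '">'` around the value. A short comment on the `format` function naming what the attribute holds would make that clear to the next reviewer.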
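Review bot: The literal ` <` and `>` around `item.email` stay raw next to the now-encoded username; if the joined string is rendered as HTML (the call it feeds is above the hunk, so I cannot confirm), `<user@host>` is parsed as a tag and vanishes instead of being displayed. Encoding the whole label, `Ox.encodeHTMLEntities(item.username + ' <' + item.email + '>')`, keeps the brackets visible; the title built in @@ -779 below has the same shape. Since pandora/user/views.py in this commit stores emails already escaped, check whether that would double-encode an `&` in an address before applying it.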
@@ -779,7 +780,8 @@ pandora.ui.usersDialog = function() { : users.length == 1 ? ( users[0].level == 'guest' ? 'Guest' - : users[0].username + ' <' + users[0].email + '>' + : Ox.encodeHTMLEntities(users[0].username) + + ' <' + users[0].email + '>' ) : users.length + ' users selected'; $formLabel.options({title: title}); diff --git a/static/js/pandora/utils.js b/static/js/pandora/utils.js index ff9a462c..bd6b4d1a 100644 --- a/static/js/pandora/utils.js +++ b/static/js/pandora/utils.js @@ -389,7 +389,7 @@ pandora.enableDragAndDrop = function($list, canMove) { ].toLowerCase() ) + '
to ' + ( drag.target && !drag.target.selected - ? 'the list "' + drag.target.name + '"' + ? 'the list "' + Ox.encodeHTMLEntities(drag.target.name) + '"' : 'another list' ); }