properly escape user names and list names

rolux 2012-02-22 10:14:07 +00:00
parent 4610811821
commit 13eec9346b
12 changed files with 68 additions and 21 deletions


@ -211,6 +211,7 @@ class Item(models.Model):
groups = data.pop('groups') groups = data.pop('groups')
if isinstance(groups, list): if isinstance(groups, list):
groups = filter(lambda g: g.strip(), groups) groups = filter(lambda g: g.strip(), groups)
groups = [ox.escape_html(g) for g in groups]
self.groups.exclude(name__in=groups).delete() self.groups.exclude(name__in=groups).delete()
current_groups = [g.name for g in self.groups.all()] current_groups = [g.name for g in self.groups.all()]
for g in filter(lambda g: g not in current_groups, groups): for g in filter(lambda g: g not in current_groups, groups):
@ -234,10 +235,21 @@ class Item(models.Model):
del self.data[key] del self.data[key]
else: else:
k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys']) k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys'])
if k and k.get('type') == 'text': ktype = k and k[0].get('type') or ''
if ktype == 'text':
self.data[key] = ox.parse_html(data[key]) self.data[key] = ox.parse_html(data[key])
elif ktype == '[text]':
self.data[key] = [ox.parse_html(t) for t in data[key]]
elif ktype == '[string]':
self.data[key] = [ox.escape_html(t) for t in data[key]]
elif isinstance(data[key], basestring): elif isinstance(data[key], basestring):
self.data[key] = ox.escape_html(data[key]) self.data[key] = ox.escape_html(data[key])
elif isinstance(data[key], list):
def cleanup(i):
if isinstance(i, basestring):
i = ox.escape_html(i)
return i
self.data[key] = [cleanup(i) for i in data[key]]
else: else:
self.data[key] = ox.escape_html(data[key]) self.data[key] = ox.escape_html(data[key])
return self.save() return self.save()
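Review bot: The new `[text]` and `[string]` branches iterate `data[key]` without first checking `isinstance(data[key], list)`, so a client that sends a plain string for a list-typed key gets it turned into a list of one-character values and a non-iterable value raises a TypeError out of the view; guard with `elif ktype == '[text]' and isinstance(data[key], list):` (same for `'[string]'`) so other shapes fall through to the existing per-type handling. The `cleanup` helper in the new `isinstance(data[key], list)` branch escapes only `basestring` elements, so nested lists or dicts inside that list are stored unescaped; either reject non-scalar elements there or recurse into them. The enclosing method starts before the hunk.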


@ -51,7 +51,7 @@ def addPlace(request):
name = 'Untitled [%s]' %n name = 'Untitled [%s]' %n
n += 1 n += 1
names = [name] + data.get('alternativeNames', []) names = [name] + data.get('alternativeNames', [])
data['alternativveNames'] = [ox.escape_html(n) data['alternativeNames'] = [ox.escape_html(n)
for n in data.get('alternativeNames', [])] for n in data.get('alternativeNames', [])]
name = ox.escape_html(name) name = ox.escape_html(name)
for n in names: for n in names:
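Review bot: `names` is built from the raw `name` and the raw `data.get('alternativeNames', [])` before either is escaped, so the `for n in names:` loop at the end of the hunk runs on unescaped values while `name` and `data['alternativeNames']` now hold the escaped ones. If that loop is the lookup or uniqueness pass (its body is outside the hunk), it compares raw input against escaped stored names; move the assignment below the two escape statements, e.g. `names = [name] + data['alternativeNames']`. The `alternativveNames` typo fix is a separate, correct change. addPlace starts before the hunk.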


@ -131,6 +131,8 @@ def signup(request):
data = json.loads(request.POST['data']) data = json.loads(request.POST['data'])
if 'username' in data and 'password' in data: if 'username' in data and 'password' in data:
data['username'] = data['username'].strip() data['username'] = data['username'].strip()
if 'email' in data:
data['email'] = ox.escape_html(data['email'])
if models.User.objects.filter(username__iexact=data['username']).count() > 0: if models.User.objects.filter(username__iexact=data['username']).count() > 0:
response = json_response({ response = json_response({
'errors': { 'errors': {
@ -324,6 +326,8 @@ def editUser(request):
if 'disabled' in data: if 'disabled' in data:
user.is_active = not data['disabled'] user.is_active = not data['disabled']
if 'email' in data: if 'email' in data:
if 'email' in data:
data['email'] = ox.escape_html(data['email'])
if models.User.objects.filter(email__iexact=data['email']).exclude(id=user.id).count()>0: if models.User.objects.filter(email__iexact=data['email']).exclude(id=user.id).count()>0:
response = json_response(status=403, text='email already in use') response = json_response(status=403, text='email already in use')
return render_to_json_response(response) return render_to_json_response(response)
@ -338,6 +342,7 @@ def editUser(request):
groups = data['groups'] groups = data['groups']
if isinstance(groups, list): if isinstance(groups, list):
groups = filter(lambda g: g.strip(), groups) groups = filter(lambda g: g.strip(), groups)
groups = [ox.escape_html(g) for g in groups]
user.groups.exclude(name__in=groups).delete() user.groups.exclude(name__in=groups).delete()
current_groups = [g.name for g in user.groups.all()] current_groups = [g.name for g in user.groups.all()]
for g in filter(lambda g: g not in current_groups, groups): for g in filter(lambda g: g not in current_groups, groups):
@ -696,7 +701,7 @@ def editPreferences(request):
errors['email'] = 'Email address already in use' errors['email'] = 'Email address already in use'
else: else:
change = True change = True
request.user.email = data['email'] request.user.email = ox.escape_html(data['email'])
if 'newsletter' in data: if 'newsletter' in data:
profile = request.user.get_profile() profile = request.user.get_profile()
profile.newsletter = data['newsletter'] profile.newsletter = data['newsletter']
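Review bot: HTML-escaping the e-mail address before it is stored (`data['email'] = ox.escape_html(data['email'])` in signup and editUser, `request.user.email = ox.escape_html(data['email'])` in editPreferences) changes the value itself: an address containing `&` is saved as a different string (`&amp;`) and no longer matches the `email__iexact` lookups against rows saved before this change. Validate the address on input instead, e.g. with Django's `validate_email`, and encode it where it is rendered (usersDialog in this same commit does that for usernames). In the editUser hunk the nested `if 'email' in data:` directly under the existing `if 'email' in data:` is redundant and can be dropped. All three functions extend beyond their hunks.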


@ -379,7 +379,10 @@ pandora.ui.accountWelcomeDialog = function() {
.append( .append(
Ox.Element() Ox.Element()
.css({position: 'absolute', left: '96px', top: '16px', width: '192px'}) .css({position: 'absolute', left: '96px', top: '16px', width: '192px'})
.html('Welcome, ' + pandora.user.username + '!<br/><br/>Your account has been created.') .html(
'Welcome, ' + Ox.encodeHTMLEntities(pandora.user.username)
+ '!<br/><br/>Your account has been created.'
)
), ),
fixedSize: true, fixedSize: true,
height: 128, height: 128,


@ -38,6 +38,9 @@ pandora.ui.folderBrowserList = function(id) {
width: 16 width: 16
}, },
{ {
format: function(value) {
return Ox.encodeHTMLEntities(value);
},
id: 'user', id: 'user',
operator: '+', operator: '+',
title: 'User', title: 'User',
@ -45,6 +48,9 @@ pandora.ui.folderBrowserList = function(id) {
width: Math.floor(columnWidth) width: Math.floor(columnWidth)
}, },
{ {
format: function(value) {
return Ox.encodeHTMLEntities(value);
},
id: 'name', id: 'name',
operator: '+', operator: '+',
title: 'List', title: 'List',


@ -35,7 +35,7 @@ pandora.ui.folderList = function(id) {
}, },
{ {
format: function(value) { format: function(value) {
return value.split(':').join(': '); return Ox.encodeHTMLEntities(value.split(':').join(': '));
}, },
id: 'id', id: 'id',
operator: '+', operator: '+',
@ -49,12 +49,18 @@ pandora.ui.folderList = function(id) {
editable: function(data) { editable: function(data) {
return data.user == pandora.user.username; return data.user == pandora.user.username;
}, },
format: function(value) {
return Ox.encodeHTMLEntities(value);
},
id: 'name', id: 'name',
input: { input: {
autovalidate: pandora.ui.autovalidateListname autovalidate: pandora.ui.autovalidateListname
}, },
operator: '+', operator: '+',
tooltip: id == 'personal' ? 'Edit Title' : '', tooltip: id == 'personal' ? 'Edit Title' : '',
unformat: function(value) {
return Ox.decodeHTMLEntities(value);
},
visible: id != 'favorite', visible: id != 'favorite',
width: pandora.user.ui.sidebarWidth - 96 width: pandora.user.ui.sidebarWidth - 96
}, },


@ -466,7 +466,7 @@ pandora.ui.home = function() {
.appendTo($listsContent); .appendTo($listsContent);
$listIcon[i] = Ox.Element({ $listIcon[i] = Ox.Element({
element: '<img>', element: '<img>',
tooltip: list.name tooltip: Ox.encodeHTMLEntities(list.name)
}) })
.attr({ .attr({
src: '/list/' + list.user + ':' src: '/list/' + list.user + ':'
@ -556,7 +556,7 @@ pandora.ui.home = function() {
+ lists[selected].name + '/icon256.jpg' + lists[selected].name + '/icon256.jpg'
}); });
$text.html( $text.html(
'<b>' + lists[selected].name + '</b><br><br>' '<b>' + Ox.encodeHTMLEntities(lists[selected].name) + '</b><br><br>'
+ lists[selected].description + lists[selected].description
); );
} }
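Review bot: `lists[selected].description` on the line after the newly encoded name is still concatenated raw into `$text.html(...)`, so the encoding in this hunk protects only half of the string; unless list descriptions are sanitized server-side as HTML (not visible here), wrap it the same way: `+ Ox.encodeHTMLEntities(lists[selected].description)`. In the same file the list user and name also go into the image `src` path (`'/list/' + list.user + ':'` in the first hunk, `+ lists[selected].name + '/icon256.jpg'` in the second) unencoded while the tooltip is now encoded; a name containing `/`, `?` or `#` breaks that path, and the right transform for a URL segment is `encodeURIComponent(...)`, not HTML-entity encoding. pandora.ui.home continues outside both hunks.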


@ -108,7 +108,7 @@ pandora.ui.listDialog = function(section) {
height: 312, height: 312,
// keys: {enter: 'save', escape: 'cancel'}, // keys: {enter: 'save', escape: 'cancel'},
removeOnClose: true, removeOnClose: true,
title: 'List - ' + listData.name, title: 'List - ' + Ox.encodeHTMLEntities(listData.name),
width: width width: width
}); });
@ -243,6 +243,9 @@ pandora.ui.listGeneralPanel = function(listData) {
listData.name = result.data.name; listData.name = result.data.name;
Ox.Request.clearCache('findLists'); Ox.Request.clearCache('findLists');
pandora.$ui.info.updateListInfo(); pandora.$ui.info.updateListInfo();
pandora.$ui.listDialog.options({
title: 'List - ' + Ox.encodeHTMLEntities(listData.name) + ' - General'
});
} }
}); });
} }
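Review bot: The title string `'List - ' + Ox.encodeHTMLEntities(listData.name)` is now built in two places (listDialog and the rename handler in listGeneralPanel) and only the second appends `' - General'`, so the two titles already differ; a small helper such as `function listTitle(name, panel) { return 'List - ' + Ox.encodeHTMLEntities(name) + (panel ? ' - ' + panel : ''); }` used by both keeps the encoding in one spot. Also, `result.data.name` comes back from the server; if the server stores list names already HTML-escaped (this commit does that for group names), encoding again here renders `&` as `&amp;` — confirm which layer owns escaping for list names. Both functions continue outside their hunks.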


@ -60,34 +60,42 @@ pandora.ui.logsDialog = function() {
visible: false, visible: false,
}, },
{ {
format: function(value) {
return Ox.encodeHTMLEntities(value);
},
id: 'user', id: 'user',
operator: '+',
title: 'User', title: 'User',
visible: true, visible: true,
width: 72 width: 72
}, },
{ {
id: 'created',
title: 'Date',
align: 'right', align: 'right',
format: function(value) { format: function(value) {
return value.replace(/[TZ]/g, ' '); return value.replace(/[TZ]/g, ' ');
}, },
id: 'created',
operator: '-', operator: '-',
title: 'Date',
visible: true, visible: true,
width: 144 width: 144
}, },
{ {
id: 'url', format: function(value) {
title: 'URL',
format: function(value, data) {
return formatURL(value, data.line); return formatURL(value, data.line);
}, },
id: 'url',
operator: '+', operator: '+',
title: 'URL',
visible: true, visible: true,
width: 320 width: 320
}, },
{ {
format: function(value) {
return Ox.encodeHTMLEntities(value);
},
id: 'text', id: 'text',
operator: '+',
title: 'Text', title: 'Text',
visible: true, visible: true,
width: 640 width: 640
@ -138,7 +146,7 @@ pandora.ui.logsDialog = function() {
margin: '16px', margin: '16px',
MozUserSelect: 'text', MozUserSelect: 'text',
WebkitUserSelect: 'text' WebkitUserSelect: 'text'
}).html(value.text)), }).text(value.text)),
height: height - 48, height: height - 48,
keys: {enter: 'close', escape: 'close'}, keys: {enter: 'close', escape: 'close'},
maximizeButton: true, maximizeButton: true,
@ -203,7 +211,7 @@ pandora.ui.logsDialog = function() {
.appendTo(that.$element.find('.OxButtonsbar')); .appendTo(that.$element.find('.OxButtonsbar'));
function formatURL(url, line) { function formatURL(url, line) {
return url.split('?')[0] + ':' + line; return Ox.encodeHTMLEntities(url.split('?')[0]) + ':' + line;
} }
function renderLog(logData) { function renderLog(logData) {
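Review bot: In the URL column the new `format: function(value) {` drops the second parameter while the unchanged body still reads `data.line`, so `data` is unbound and the first render throws a ReferenceError unless a `data` variable exists in an enclosing scope (none is visible in the hunk); restore `format: function(value, data) {`. `formatURL` now encodes the URL but still appends `line` raw; if `line` can be anything other than a number, encode it as well. The `.html(value.text)` to `.text(value.text)` change is the right fix for the log body. logsDialog continues outside the hunks.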


@ -27,7 +27,7 @@ pandora.ui.mainMenu = function() {
] ]
) }, ) },
{ id: 'userMenu', title: 'User', items: [ { id: 'userMenu', title: 'User', items: [
{ id: 'username', title: 'User: ' + (isGuest ? 'not logged in' : pandora.user.username), disabled: true }, { id: 'username', title: 'User: ' + (isGuest ? 'not logged in' : Ox.encodeHTMLEntities(pandora.user.username)), disabled: true },
{}, {},
{ id: 'preferences', title: 'Preferences...', disabled: isGuest, keyboard: 'control ,' }, { id: 'preferences', title: 'Preferences...', disabled: isGuest, keyboard: 'control ,' },
{ id: 'archives', title: 'Archives...', disabled: /*isGuest*/ true }, { id: 'archives', title: 'Archives...', disabled: /*isGuest*/ true },
@ -455,7 +455,9 @@ pandora.ui.mainMenu = function() {
: lists[folder].map(function(list) { : lists[folder].map(function(list) {
return { return {
id: 'viewlist' + list.id, id: 'viewlist' + list.id,
title: (folder == 'favorite' ? list.user + ': ' : '') + list.name, title: Ox.encodeHTMLEntities((
folder == 'favorite' ? list.user + ': ' : ''
) + list.name),
checked: list.id == pandora.user.ui._list checked: list.id == pandora.user.ui._list
}; };
}) })


@ -86,7 +86,7 @@ pandora.ui.usersDialog = function() {
format: function(value, data) { format: function(value, data) {
return '<span style="opacity: ' + ( return '<span style="opacity: ' + (
data.disabled ? 0.5 : 1 data.disabled ? 0.5 : 1
) + '">' + value + '</span>'; ) + '">' + Ox.encodeHTMLEntities(value) + '</span>';
}, },
id: 'username', id: 'username',
operator: '+', operator: '+',
@ -389,7 +389,8 @@ pandora.ui.usersDialog = function() {
result.data.items.filter(function(item) { result.data.items.filter(function(item) {
return item.email; return item.email;
}).map(function(item) { }).map(function(item) {
return item.username + ' &lt;' + item.email + '&gt;'; return Ox.encodeHTMLEntities(item.username)
+ ' &lt;' + item.email + '&gt;';
}).join(', ') }).join(', ')
), ),
removeOnClose: true, removeOnClose: true,
@ -779,7 +780,8 @@ pandora.ui.usersDialog = function() {
: users.length == 1 ? ( : users.length == 1 ? (
users[0].level == 'guest' users[0].level == 'guest'
? 'Guest' ? 'Guest'
: users[0].username + ' &lt;' + users[0].email + '&gt;' : Ox.encodeHTMLEntities(users[0].username)
+ ' &lt;' + users[0].email + '&gt;'
) )
: users.length + ' users selected'; : users.length + ' users selected';
$formLabel.options({title: title}); $formLabel.options({title: title});
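Review bot: The two e-mail listings now encode the username but still splice `item.email` and `users[0].email` in raw, leaving the address as the one unencoded value in both strings; the literal `&lt;`/`&gt;` around it show these are rendered as HTML. Use `Ox.encodeHTMLEntities(item.email)` and `Ox.encodeHTMLEntities(users[0].email)` there rather than relying on the server having stored addresses escaped, since rows written before this commit hold raw values. usersDialog continues outside the hunks.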


@ -389,7 +389,7 @@ pandora.enableDragAndDrop = function($list, canMove) {
].toLowerCase() ].toLowerCase()
) + '</br> to ' + ( ) + '</br> to ' + (
drag.target && !drag.target.selected drag.target && !drag.target.selected
? 'the list "' + drag.target.name + '"' ? 'the list "' + Ox.encodeHTMLEntities(drag.target.name) + '"'
: 'another list' : 'another list'
); );
} }