properly escape user names and list names
This commit is contained in:
parent
4610811821
commit
13eec9346b
12 changed files with 68 additions and 21 deletions
|
@ -211,6 +211,7 @@ class Item(models.Model):
|
|||
groups = data.pop('groups')
|
||||
if isinstance(groups, list):
|
||||
groups = filter(lambda g: g.strip(), groups)
|
||||
groups = [ox.escape_html(g) for g in groups]
|
||||
self.groups.exclude(name__in=groups).delete()
|
||||
current_groups = [g.name for g in self.groups.all()]
|
||||
for g in filter(lambda g: g not in current_groups, groups):
|
||||
|
@ -234,10 +235,21 @@ class Item(models.Model):
|
|||
del self.data[key]
|
||||
else:
|
||||
k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys'])
|
||||
if k and k.get('type') == 'text':
|
||||
ktype = k and k[0].get('type') or ''
|
||||
if ktype == 'text':
|
||||
self.data[key] = ox.parse_html(data[key])
|
||||
elif ktype == '[text]':
|
||||
self.data[key] = [ox.parse_html(t) for t in data[key]]
|
||||
elif ktype == '[string]':
|
||||
self.data[key] = [ox.escape_html(t) for t in data[key]]
|
||||
elif isinstance(data[key], basestring):
|
||||
self.data[key] = ox.escape_html(data[key])
|
||||
elif isinstance(data[key], list):
|
||||
def cleanup(i):
|
||||
if isinstance(i, basestring):
|
||||
i = ox.escape_html(i)
|
||||
return i
|
||||
self.data[key] = [cleanup(i) for i in data[key]]
|
||||
else:
|
||||
self.data[key] = ox.escape_html(data[key])
|
||||
return self.save()
|
||||
|
|
|
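Review bot: The new `'[text]'` and `'[string]'` branches iterate `data[key]` without checking that it is a list, so a string value is escaped character by character and a number raises `TypeError` before `self.save()`; guard them the way the later branches already do, e.g. `elif ktype == '[text]' and isinstance(data[key], list):` (and likewise for `'[string]'`), letting anything else fall through to the generic `basestring`/`list` handling. In the first hunk the group names are filtered on `g.strip()` but never stripped themselves, so `' admin'` and `'admin'` stay distinct names in `exclude(name__in=groups)`; `groups = [ox.escape_html(g.strip()) for g in groups]` would fix that. Note also that `ox.escape_html` is applied here at storage time while the front-end changes in this commit encode again at render time, so any field that is both escaped on the server and encoded in a `format` callback may end up double-encoded (`&amp;amp;`); a comment recording which side owns escaping for each field would help. The enclosing method starts before both hunks.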
@ -51,7 +51,7 @@ def addPlace(request):
|
|||
name = 'Untitled [%s]' %n
|
||||
n += 1
|
||||
names = [name] + data.get('alternativeNames', [])
|
||||
data['alternativveNames'] = [ox.escape_html(n)
|
||||
data['alternativeNames'] = [ox.escape_html(n)
|
||||
for n in data.get('alternativeNames', [])]
|
||||
name = ox.escape_html(name)
|
||||
for n in names:
|
||||
|
|
|
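Review bot: `names` is built on the context line above from the raw `data.get('alternativeNames', [])`, before the comprehension escapes them, so the `for n in names:` loop (whose body continues past the hunk) sees unescaped alternative names while `name` and `data['alternativeNames']` are escaped; move the assignment below the escaping, `names = [name] + data['alternativeNames']`. Separately, the comprehension variable `n` leaks in Python 2 (this code base uses `basestring` in the models hunk) and overwrites the counter `n` from `'Untitled [%s]' % n`; that is harmless only because the loop rebinds it, so a distinct name such as `alt` would avoid the trap.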
@ -131,6 +131,8 @@ def signup(request):
|
|||
data = json.loads(request.POST['data'])
|
||||
if 'username' in data and 'password' in data:
|
||||
data['username'] = data['username'].strip()
|
||||
if 'email' in data:
|
||||
data['email'] = ox.escape_html(data['email'])
|
||||
if models.User.objects.filter(username__iexact=data['username']).count() > 0:
|
||||
response = json_response({
|
||||
'errors': {
|
||||
|
@ -324,6 +326,8 @@ def editUser(request):
|
|||
if 'disabled' in data:
|
||||
user.is_active = not data['disabled']
|
||||
if 'email' in data:
|
||||
if 'email' in data:
|
||||
data['email'] = ox.escape_html(data['email'])
|
||||
if models.User.objects.filter(email__iexact=data['email']).exclude(id=user.id).count()>0:
|
||||
response = json_response(status=403, text='email already in use')
|
||||
return render_to_json_response(response)
|
||||
|
@ -338,6 +342,7 @@ def editUser(request):
|
|||
groups = data['groups']
|
||||
if isinstance(groups, list):
|
||||
groups = filter(lambda g: g.strip(), groups)
|
||||
groups = [ox.escape_html(g) for g in groups]
|
||||
user.groups.exclude(name__in=groups).delete()
|
||||
current_groups = [g.name for g in user.groups.all()]
|
||||
for g in filter(lambda g: g not in current_groups, groups):
|
||||
|
@ -696,7 +701,7 @@ def editPreferences(request):
|
|||
errors['email'] = 'Email address already in use'
|
||||
else:
|
||||
change = True
|
||||
request.user.email = data['email']
|
||||
request.user.email = ox.escape_html(data['email'])
|
||||
if 'newsletter' in data:
|
||||
profile = request.user.get_profile()
|
||||
profile.newsletter = data['newsletter']
|
||||
|
|
|
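Review bot: In the `editUser` hunk the added `if 'email' in data:` duplicates the context line directly above it, so the escaping sits under a redundant second test; drop the added line and keep only `data['email'] = ox.escape_html(data['email'])`. More generally, HTML-escaping an email address before storing it and before the `email__iexact` uniqueness check is a weak substitute for validation: a value like `a<b@x.y` is stored as `a&lt;b@x.y` rather than rejected, and in `editPreferences` the duplicate check that produces the error at the top of that hunk appears to run (outside the hunk) on the unescaped value while the escaped one is saved, so `x&y@z` and `x&amp;y@z` can coexist. Rejecting malformed addresses once, before the lookup, with Django's `validate_email` or an equivalent check would be cleaner than escaping. The `signup` username is only `strip()`ed here, which is fine only if username validation happens elsewhere; this hunk does not show it.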
@ -379,7 +379,10 @@ pandora.ui.accountWelcomeDialog = function() {
|
|||
.append(
|
||||
Ox.Element()
|
||||
.css({position: 'absolute', left: '96px', top: '16px', width: '192px'})
|
||||
.html('Welcome, ' + pandora.user.username + '!<br/><br/>Your account has been created.')
|
||||
.html(
|
||||
'Welcome, ' + Ox.encodeHTMLEntities(pandora.user.username)
|
||||
+ '!<br/><br/>Your account has been created.'
|
||||
)
|
||||
),
|
||||
fixedSize: true,
|
||||
height: 128,
|
||||
|
|
|
@ -38,6 +38,9 @@ pandora.ui.folderBrowserList = function(id) {
|
|||
width: 16
|
||||
},
|
||||
{
|
||||
format: function(value) {
|
||||
return Ox.encodeHTMLEntities(value);
|
||||
},
|
||||
id: 'user',
|
||||
operator: '+',
|
||||
title: 'User',
|
||||
|
@ -45,6 +48,9 @@ pandora.ui.folderBrowserList = function(id) {
|
|||
width: Math.floor(columnWidth)
|
||||
},
|
||||
{
|
||||
format: function(value) {
|
||||
return Ox.encodeHTMLEntities(value);
|
||||
},
|
||||
id: 'name',
|
||||
operator: '+',
|
||||
title: 'List',
|
||||
|
|
|
@ -35,7 +35,7 @@ pandora.ui.folderList = function(id) {
|
|||
},
|
||||
{
|
||||
format: function(value) {
|
||||
return value.split(':').join(': ');
|
||||
return Ox.encodeHTMLEntities(value.split(':').join(': '));
|
||||
},
|
||||
id: 'id',
|
||||
operator: '+',
|
||||
|
@ -49,12 +49,18 @@ pandora.ui.folderList = function(id) {
|
|||
editable: function(data) {
|
||||
return data.user == pandora.user.username;
|
||||
},
|
||||
format: function(value) {
|
||||
return Ox.encodeHTMLEntities(value);
|
||||
},
|
||||
id: 'name',
|
||||
input: {
|
||||
autovalidate: pandora.ui.autovalidateListname
|
||||
},
|
||||
operator: '+',
|
||||
tooltip: id == 'personal' ? 'Edit Title' : '',
|
||||
unformat: function(value) {
|
||||
return Ox.decodeHTMLEntities(value);
|
||||
},
|
||||
visible: id != 'favorite',
|
||||
width: pandora.user.ui.sidebarWidth - 96
|
||||
},
|
||||
|
|
|
@ -466,7 +466,7 @@ pandora.ui.home = function() {
|
|||
.appendTo($listsContent);
|
||||
$listIcon[i] = Ox.Element({
|
||||
element: '<img>',
|
||||
tooltip: list.name
|
||||
tooltip: Ox.encodeHTMLEntities(list.name)
|
||||
})
|
||||
.attr({
|
||||
src: '/list/' + list.user + ':'
|
||||
|
@ -556,7 +556,7 @@ pandora.ui.home = function() {
|
|||
+ lists[selected].name + '/icon256.jpg'
|
||||
});
|
||||
$text.html(
|
||||
'<b>' + lists[selected].name + '</b><br><br>'
|
||||
'<b>' + Ox.encodeHTMLEntities(lists[selected].name) + '</b><br><br>'
|
||||
+ lists[selected].description
|
||||
);
|
||||
}
|
||||
|
|
|
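Review bot: `lists[selected].description` is still concatenated raw into `$text.html(...)` on the line right after the newly encoded name; if list descriptions are stored as server-sanitized HTML that is intentional, otherwise it needs `Ox.encodeHTMLEntities` as well, so a comment such as `// description is sanitized server-side, do not encode` should record whichever holds. The `src` URLs on the context lines also splice `list.user` and `list.name` into a path with no `encodeURIComponent`, so a name containing `/`, `?` or `#` yields a broken icon request; `'/list/' + encodeURIComponent(list.user) + ':' + encodeURIComponent(list.name) + '/icon256.jpg'` is the safer form. The enclosing `home` function continues outside both hunks.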
@ -108,7 +108,7 @@ pandora.ui.listDialog = function(section) {
|
|||
height: 312,
|
||||
// keys: {enter: 'save', escape: 'cancel'},
|
||||
removeOnClose: true,
|
||||
title: 'List - ' + listData.name,
|
||||
title: 'List - ' + Ox.encodeHTMLEntities(listData.name),
|
||||
width: width
|
||||
});
|
||||
|
||||
|
@ -243,6 +243,9 @@ pandora.ui.listGeneralPanel = function(listData) {
|
|||
listData.name = result.data.name;
|
||||
Ox.Request.clearCache('findLists');
|
||||
pandora.$ui.info.updateListInfo();
|
||||
pandora.$ui.listDialog.options({
|
||||
title: 'List - ' + Ox.encodeHTMLEntities(listData.name) + ' - General'
|
||||
});
|
||||
}
|
||||
});
|
||||
}
|
||||
|
|
|
@ -60,34 +60,42 @@ pandora.ui.logsDialog = function() {
|
|||
visible: false,
|
||||
},
|
||||
{
|
||||
format: function(value) {
|
||||
return Ox.encodeHTMLEntities(value);
|
||||
},
|
||||
id: 'user',
|
||||
operator: '+',
|
||||
title: 'User',
|
||||
visible: true,
|
||||
width: 72
|
||||
},
|
||||
{
|
||||
id: 'created',
|
||||
title: 'Date',
|
||||
align: 'right',
|
||||
format: function(value) {
|
||||
return value.replace(/[TZ]/g, ' ');
|
||||
},
|
||||
id: 'created',
|
||||
operator: '-',
|
||||
title: 'Date',
|
||||
visible: true,
|
||||
width: 144
|
||||
},
|
||||
{
|
||||
id: 'url',
|
||||
title: 'URL',
|
||||
format: function(value, data) {
|
||||
format: function(value) {
|
||||
return formatURL(value, data.line);
|
||||
},
|
||||
id: 'url',
|
||||
operator: '+',
|
||||
title: 'URL',
|
||||
visible: true,
|
||||
width: 320
|
||||
},
|
||||
{
|
||||
format: function(value) {
|
||||
return Ox.encodeHTMLEntities(value);
|
||||
},
|
||||
id: 'text',
|
||||
operator: '+',
|
||||
title: 'Text',
|
||||
visible: true,
|
||||
width: 640
|
||||
|
@ -138,7 +146,7 @@ pandora.ui.logsDialog = function() {
|
|||
margin: '16px',
|
||||
MozUserSelect: 'text',
|
||||
WebkitUserSelect: 'text'
|
||||
}).html(value.text)),
|
||||
}).text(value.text)),
|
||||
height: height - 48,
|
||||
keys: {enter: 'close', escape: 'close'},
|
||||
maximizeButton: true,
|
||||
|
@ -203,7 +211,7 @@ pandora.ui.logsDialog = function() {
|
|||
.appendTo(that.$element.find('.OxButtonsbar'));
|
||||
|
||||
function formatURL(url, line) {
|
||||
return url.split('?')[0] + ':' + line;
|
||||
return Ox.encodeHTMLEntities(url.split('?')[0]) + ':' + line;
|
||||
}
|
||||
|
||||
function renderLog(logData) {
|
||||
|
|
|
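Review bot: The URL column's `format` now takes only `value` but its body still calls `formatURL(value, data.line)`, so `data` is unbound and rendering the column throws a `ReferenceError` unless a `data` binding exists in an enclosing scope not visible here; restore the parameter, `format: function(value, data) {`, as the two-argument formatter in `usersDialog` does. `formatURL` now encodes the path but not `line`; if `line` can be a string from the log payload rather than a number, encode the whole result, `return Ox.encodeHTMLEntities(url.split('?')[0] + ':' + line);`. Moving the detail view to `.text(value.text)` avoids the encoding question entirely for that field.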
@ -27,7 +27,7 @@ pandora.ui.mainMenu = function() {
|
|||
]
|
||||
) },
|
||||
{ id: 'userMenu', title: 'User', items: [
|
||||
{ id: 'username', title: 'User: ' + (isGuest ? 'not logged in' : pandora.user.username), disabled: true },
|
||||
{ id: 'username', title: 'User: ' + (isGuest ? 'not logged in' : Ox.encodeHTMLEntities(pandora.user.username)), disabled: true },
|
||||
{},
|
||||
{ id: 'preferences', title: 'Preferences...', disabled: isGuest, keyboard: 'control ,' },
|
||||
{ id: 'archives', title: 'Archives...', disabled: /*isGuest*/ true },
|
||||
|
@ -455,7 +455,9 @@ pandora.ui.mainMenu = function() {
|
|||
: lists[folder].map(function(list) {
|
||||
return {
|
||||
id: 'viewlist' + list.id,
|
||||
title: (folder == 'favorite' ? list.user + ': ' : '') + list.name,
|
||||
title: Ox.encodeHTMLEntities((
|
||||
folder == 'favorite' ? list.user + ': ' : ''
|
||||
) + list.name),
|
||||
checked: list.id == pandora.user.ui._list
|
||||
};
|
||||
})
|
||||
|
|
|
@ -86,7 +86,7 @@ pandora.ui.usersDialog = function() {
|
|||
format: function(value, data) {
|
||||
return '<span style="opacity: ' + (
|
||||
data.disabled ? 0.5 : 1
|
||||
) + '">' + value + '</span>';
|
||||
) + '">' + Ox.encodeHTMLEntities(value) + '</span>';
|
||||
},
|
||||
id: 'username',
|
||||
operator: '+',
|
||||
|
@ -389,7 +389,8 @@ pandora.ui.usersDialog = function() {
|
|||
result.data.items.filter(function(item) {
|
||||
return item.email;
|
||||
}).map(function(item) {
|
||||
return item.username + ' <' + item.email + '>';
|
||||
return Ox.encodeHTMLEntities(item.username)
|
||||
+ ' <' + item.email + '>';
|
||||
}).join(', ')
|
||||
),
|
||||
removeOnClose: true,
|
||||
|
@ -779,7 +780,8 @@ pandora.ui.usersDialog = function() {
|
|||
: users.length == 1 ? (
|
||||
users[0].level == 'guest'
|
||||
? 'Guest'
|
||||
: users[0].username + ' <' + users[0].email + '>'
|
||||
: Ox.encodeHTMLEntities(users[0].username)
|
||||
+ ' <' + users[0].email + '>'
|
||||
)
|
||||
: users.length + ' users selected';
|
||||
$formLabel.options({title: title});
|
||||
|
|
|
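Review bot: Only the username half of `item.username + ' <' + item.email + '>'` is encoded, so the literal `<` and `>` around the address still reach the HTML context and are parsed as a tag, swallowing the email; encode the whole string, `Ox.encodeHTMLEntities(item.username + ' <' + item.email + '>')`, and do the same for the `$formLabel` title in the last hunk. That also removes the dependence on the server-side `ox.escape_html` of emails added in this commit, which does not cover addresses stored before it. If instead these values feed a text (not HTML) context, encoding the username is itself a double-encoding and both parts should be left raw; the enclosing expressions begin outside the hunks, so which case applies is not visible here.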
@ -389,7 +389,7 @@ pandora.enableDragAndDrop = function($list, canMove) {
|
|||
].toLowerCase()
|
||||
) + '</br> to ' + (
|
||||
drag.target && !drag.target.selected
|
||||
? 'the list "' + drag.target.name + '"'
|
||||
? 'the list "' + Ox.encodeHTMLEntities(drag.target.name) + '"'
|
||||
: 'another list'
|
||||
);
|
||||
}
|
||||
|
|