diff --git a/pandora/item/models.py b/pandora/item/models.py
index 980111bda..5690bfe69 100644
--- a/pandora/item/models.py
+++ b/pandora/item/models.py
@@ -211,6 +211,7 @@ class Item(models.Model):
groups = data.pop('groups')
if isinstance(groups, list):
groups = filter(lambda g: g.strip(), groups)
+ groups = [ox.escape_html(g) for g in groups]
self.groups.exclude(name__in=groups).delete()
current_groups = [g.name for g in self.groups.all()]
for g in filter(lambda g: g not in current_groups, groups):
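Review bot: Escaping the group names before `self.groups.exclude(name__in=groups).delete()` means the exclusion and the `current_groups` comparison two lines below now match HTML-escaped input against whatever is stored, so a group whose name contains `&`, `<`, `>` or a quote and was saved before this change (or through another path) would no longer match and would be deleted and re-created. The same write-time escaping is added to the `groups` handling in `editUser` in `pandora/user/views.py`, so any fix belongs in both places. Validating or rejecting names that contain markup characters, or escaping at output, avoids storing encoded text at all; if write-time escaping stays, existing names need a one-off normalisation so the comparisons stay consistent. Note also that `filter(lambda g: g.strip(), groups)` only drops blank entries and does not strip the survivors, which may or may not be intended. The enclosing method starts and ends outside this hunk.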
@@ -234,10 +235,21 @@ class Item(models.Model):
del self.data[key]
else:
k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys'])
- if k and k.get('type') == 'text':
+ ktype = k and k[0].get('type') or ''
+ if ktype == 'text':
self.data[key] = ox.parse_html(data[key])
+ elif ktype == '[text]':
+ self.data[key] = [ox.parse_html(t) for t in data[key]]
+ elif ktype == '[string]':
+ self.data[key] = [ox.escape_html(t) for t in data[key]]
elif isinstance(data[key], basestring):
self.data[key] = ox.escape_html(data[key])
+ elif isinstance(data[key], list):
+ def cleanup(i):
+ if isinstance(i, basestring):
+ i = ox.escape_html(i)
+ return i
+ self.data[key] = [cleanup(i) for i in data[key]]
else:
self.data[key] = ox.escape_html(data[key])
return self.save()
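Review bot: The new `[text]` and `[string]` branches iterate `data[key]` without confirming it is a list, although `data` comes from the request and the generic branch below does check `isinstance(data[key], list)`; a string value would be escaped character by character and a number would raise `TypeError` out of the view. Guard them the same way, e.g. `elif ktype == '[text]' and isinstance(data[key], list):`, and decide explicitly what a non-list value for a list-typed key should do (reject or wrap) rather than falling through to the `basestring`/`else` branches. The `cleanup` helper escapes only string items, so a nested list or dict inside the list passes through unescaped — fine if the configured key types rule that out, otherwise it should recurse. The enclosing method starts outside this hunk.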
diff --git a/pandora/place/views.py b/pandora/place/views.py
index 8f82d2f5e..9961a51df 100644
--- a/pandora/place/views.py
+++ b/pandora/place/views.py
@@ -51,7 +51,7 @@ def addPlace(request):
name = 'Untitled [%s]' %n
n += 1
names = [name] + data.get('alternativeNames', [])
- data['alternativveNames'] = [ox.escape_html(n)
+ data['alternativeNames'] = [ox.escape_html(n)
for n in data.get('alternativeNames', [])]
name = ox.escape_html(name)
for n in names:
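Review bot: `names` on the line above the fix is still built from the raw `data.get('alternativeNames', [])` and `name` is escaped only afterwards, so the `for n in names:` loop (its body is outside this hunk) works on unescaped strings while `data['alternativeNames']` now holds escaped ones; if that loop creates or looks up records by name the two will disagree for any name containing `&`, `<`, `>` or a quote. Reorder so the list is derived from the escaped values: `name = ox.escape_html(name)`, then `data['alternativeNames'] = [ox.escape_html(n) for n in data.get('alternativeNames', [])]`, then `names = [name] + data['alternativeNames']`. Nothing here checks that `alternativeNames` is a list of strings; if a client sends a single string it would be escaped character by character.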
diff --git a/pandora/user/views.py b/pandora/user/views.py
index 60e6e234c..6fc501abf 100644
--- a/pandora/user/views.py
+++ b/pandora/user/views.py
@@ -131,6 +131,8 @@ def signup(request):
data = json.loads(request.POST['data'])
if 'username' in data and 'password' in data:
data['username'] = data['username'].strip()
+ if 'email' in data:
+ data['email'] = ox.escape_html(data['email'])
if models.User.objects.filter(username__iexact=data['username']).count() > 0:
response = json_response({
'errors': {
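Review bot: HTML-escaping `data['email']` stores an encoded value instead of rejecting a malformed address: `&` is valid in the local part of an address, so `a&b@example.org` would be saved as `a&amp;b@example.org`, which neither delivers mail nor matches the `email__iexact` uniqueness checks against records saved before this change. Validating with `django.core.validators.validate_email` (or an `EmailField` form) and returning an error for anything that is not an address leaves output-time encoding as the only place escaping is needed. The same write-time escaping is added in `editUser` and `editPreferences` further down this file, where the uniqueness query runs against the raw value outside the hunk while the escaped value is what gets stored. Nothing here checks that `data['email']` is a string before it reaches `ox.escape_html`.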
@@ -324,6 +326,8 @@ def editUser(request):
if 'disabled' in data:
user.is_active = not data['disabled']
if 'email' in data:
+ if 'email' in data:
+ data['email'] = ox.escape_html(data['email'])
if models.User.objects.filter(email__iexact=data['email']).exclude(id=user.id).count()>0:
response = json_response(status=403, text='email already in use')
return render_to_json_response(response)
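Review bot: The added `if 'email' in data:` on the first new line repeats the condition of the line directly above it, so the escape runs under a redundant nested test that reads like a merge mistake; drop the inner check and put `data['email'] = ox.escape_html(data['email'])` directly under the existing `if 'email' in data:`. As written the duplicate is harmless, but the `email__iexact` query on the next line now compares the escaped value, so an address containing `&` or quotes that was stored unescaped earlier would not be found and the duplicate would be accepted.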
@@ -338,6 +342,7 @@ def editUser(request):
groups = data['groups']
if isinstance(groups, list):
groups = filter(lambda g: g.strip(), groups)
+ groups = [ox.escape_html(g) for g in groups]
user.groups.exclude(name__in=groups).delete()
current_groups = [g.name for g in user.groups.all()]
for g in filter(lambda g: g not in current_groups, groups):
@@ -696,7 +701,7 @@ def editPreferences(request):
errors['email'] = 'Email address already in use'
else:
change = True
- request.user.email = data['email']
+ request.user.email = ox.escape_html(data['email'])
if 'newsletter' in data:
profile = request.user.get_profile()
profile.newsletter = data['newsletter']
diff --git a/static/js/pandora/account.js b/static/js/pandora/account.js
index c3e1ce1fc..9ac49c3df 100644
--- a/static/js/pandora/account.js
+++ b/static/js/pandora/account.js
@@ -379,7 +379,10 @@ pandora.ui.accountWelcomeDialog = function() {
.append(
Ox.Element()
.css({position: 'absolute', left: '96px', top: '16px', width: '192px'})
- .html('Welcome, ' + pandora.user.username + '!
Your account has been created.')
+ .html(
+ 'Welcome, ' + Ox.encodeHTMLEntities(pandora.user.username)
+ + '!
Your account has been created.'
+ )
),
fixedSize: true,
height: 128,
diff --git a/static/js/pandora/folderBrowserList.js b/static/js/pandora/folderBrowserList.js
index 499855568..12e020eaa 100644
--- a/static/js/pandora/folderBrowserList.js
+++ b/static/js/pandora/folderBrowserList.js
@@ -38,6 +38,9 @@ pandora.ui.folderBrowserList = function(id) {
width: 16
},
{
+ format: function(value) {
+ return Ox.encodeHTMLEntities(value);
+ },
id: 'user',
operator: '+',
title: 'User',
@@ -45,6 +48,9 @@ pandora.ui.folderBrowserList = function(id) {
width: Math.floor(columnWidth)
},
{
+ format: function(value) {
+ return Ox.encodeHTMLEntities(value);
+ },
id: 'name',
operator: '+',
title: 'List',
diff --git a/static/js/pandora/folderList.js b/static/js/pandora/folderList.js
index 257f1334a..4ae9deb57 100644
--- a/static/js/pandora/folderList.js
+++ b/static/js/pandora/folderList.js
@@ -35,7 +35,7 @@ pandora.ui.folderList = function(id) {
},
{
format: function(value) {
- return value.split(':').join(': ');
+ return Ox.encodeHTMLEntities(value.split(':').join(': '));
},
id: 'id',
operator: '+',
@@ -49,12 +49,18 @@ pandora.ui.folderList = function(id) {
editable: function(data) {
return data.user == pandora.user.username;
},
+ format: function(value) {
+ return Ox.encodeHTMLEntities(value);
+ },
id: 'name',
input: {
autovalidate: pandora.ui.autovalidateListname
},
operator: '+',
tooltip: id == 'personal' ? 'Edit Title' : '',
+ unformat: function(value) {
+ return Ox.decodeHTMLEntities(value);
+ },
visible: id != 'favorite',
width: pandora.user.ui.sidebarWidth - 96
},
diff --git a/static/js/pandora/home.padma.js b/static/js/pandora/home.padma.js
index 762aa5227..0499e4478 100644
--- a/static/js/pandora/home.padma.js
+++ b/static/js/pandora/home.padma.js
@@ -466,7 +466,7 @@ pandora.ui.home = function() {
.appendTo($listsContent);
$listIcon[i] = Ox.Element({
element: '',
- tooltip: list.name
+ tooltip: Ox.encodeHTMLEntities(list.name)
})
.attr({
src: '/list/' + list.user + ':'
@@ -556,7 +556,7 @@ pandora.ui.home = function() {
+ lists[selected].name + '/icon256.jpg'
});
$text.html(
- '' + lists[selected].name + '
'
+ '' + Ox.encodeHTMLEntities(lists[selected].name) + '
'
+ lists[selected].description
);
}
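Review bot: `lists[selected].description` is concatenated into the `$text.html(...)` call on the line after the now-encoded name without any encoding, so if descriptions are user-supplied and not sanitized server-side they remain an HTML injection point in the same string the commit is fixing. Either encode it here, `+ Ox.encodeHTMLEntities(lists[selected].description)`, or leave a comment stating that descriptions are sanitized on the server (the `parse_html` path in `pandora/item/models.py` suggests that may be the intent, but it is not visible for lists). The enclosing function starts outside this hunk.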
diff --git a/static/js/pandora/listDialog.js b/static/js/pandora/listDialog.js
index 36bd463c6..9fa183534 100644
--- a/static/js/pandora/listDialog.js
+++ b/static/js/pandora/listDialog.js
@@ -108,7 +108,7 @@ pandora.ui.listDialog = function(section) {
height: 312,
// keys: {enter: 'save', escape: 'cancel'},
removeOnClose: true,
- title: 'List - ' + listData.name,
+ title: 'List - ' + Ox.encodeHTMLEntities(listData.name),
width: width
});
@@ -243,6 +243,9 @@ pandora.ui.listGeneralPanel = function(listData) {
listData.name = result.data.name;
Ox.Request.clearCache('findLists');
pandora.$ui.info.updateListInfo();
+ pandora.$ui.listDialog.options({
+ title: 'List - ' + Ox.encodeHTMLEntities(listData.name) + ' - General'
+ });
}
});
}
diff --git a/static/js/pandora/logsDialog.js b/static/js/pandora/logsDialog.js
index 592c0081b..6aa8da966 100644
--- a/static/js/pandora/logsDialog.js
+++ b/static/js/pandora/logsDialog.js
@@ -60,34 +60,42 @@ pandora.ui.logsDialog = function() {
visible: false,
},
{
+ format: function(value) {
+ return Ox.encodeHTMLEntities(value);
+ },
id: 'user',
+ operator: '+',
title: 'User',
visible: true,
width: 72
},
{
- id: 'created',
- title: 'Date',
align: 'right',
format: function(value) {
return value.replace(/[TZ]/g, ' ');
},
+ id: 'created',
operator: '-',
+ title: 'Date',
visible: true,
width: 144
},
{
- id: 'url',
- title: 'URL',
- format: function(value, data) {
+ format: function(value) {
return formatURL(value, data.line);
},
+ id: 'url',
operator: '+',
+ title: 'URL',
visible: true,
width: 320
},
{
+ format: function(value) {
+ return Ox.encodeHTMLEntities(value);
+ },
id: 'text',
+ operator: '+',
title: 'Text',
visible: true,
width: 640
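Review bot: The `url` column's `format` signature was changed from `function(value, data)` to `function(value)`, but its body on the next context line still calls `formatURL(value, data.line)`; unless an enclosing `data` variable exists in `pandora.ui.logsDialog`, that is now a `ReferenceError` (or picks up an unrelated `data`). Restore the second parameter: `format: function(value, data) {`. In `formatURL` further down only the URL part is encoded while `line` is concatenated as-is; if it is always numeric that is fine, otherwise it should be encoded too.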
@@ -138,7 +146,7 @@ pandora.ui.logsDialog = function() {
margin: '16px',
MozUserSelect: 'text',
WebkitUserSelect: 'text'
- }).html(value.text)),
+ }).text(value.text)),
height: height - 48,
keys: {enter: 'close', escape: 'close'},
maximizeButton: true,
@@ -203,7 +211,7 @@ pandora.ui.logsDialog = function() {
.appendTo(that.$element.find('.OxButtonsbar'));
function formatURL(url, line) {
- return url.split('?')[0] + ':' + line;
+ return Ox.encodeHTMLEntities(url.split('?')[0]) + ':' + line;
}
function renderLog(logData) {
diff --git a/static/js/pandora/menu.js b/static/js/pandora/menu.js
index 26520d02a..810a68ddc 100644
--- a/static/js/pandora/menu.js
+++ b/static/js/pandora/menu.js
@@ -27,7 +27,7 @@ pandora.ui.mainMenu = function() {
]
) },
{ id: 'userMenu', title: 'User', items: [
- { id: 'username', title: 'User: ' + (isGuest ? 'not logged in' : pandora.user.username), disabled: true },
+ { id: 'username', title: 'User: ' + (isGuest ? 'not logged in' : Ox.encodeHTMLEntities(pandora.user.username)), disabled: true },
{},
{ id: 'preferences', title: 'Preferences...', disabled: isGuest, keyboard: 'control ,' },
{ id: 'archives', title: 'Archives...', disabled: /*isGuest*/ true },
@@ -455,7 +455,9 @@ pandora.ui.mainMenu = function() {
: lists[folder].map(function(list) {
return {
id: 'viewlist' + list.id,
- title: (folder == 'favorite' ? list.user + ': ' : '') + list.name,
+ title: Ox.encodeHTMLEntities((
+ folder == 'favorite' ? list.user + ': ' : ''
+ ) + list.name),
checked: list.id == pandora.user.ui._list
};
})
diff --git a/static/js/pandora/usersDialog.js b/static/js/pandora/usersDialog.js
index aef21417d..6d08fc6ec 100644
--- a/static/js/pandora/usersDialog.js
+++ b/static/js/pandora/usersDialog.js
@@ -86,7 +86,7 @@ pandora.ui.usersDialog = function() {
format: function(value, data) {
return '' + value + '';
+ ) + '">' + Ox.encodeHTMLEntities(value) + '';
},
id: 'username',
operator: '+',
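Review bot: Only the text node after `'">'` receives `Ox.encodeHTMLEntities(value)` here; the expression closed by `)` just before it appears to build an attribute value, and the lines that interpolate into it are garbled or missing from this hunk, so it is worth confirming that whatever is placed inside the double-quoted attribute is encoded as well (for a quoted attribute the same `Ox.encodeHTMLEntities` is sufficient). If the attribute is a URL built from `data`, it should additionally be URL-encoded before being HTML-encoded.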
@@ -389,7 +389,8 @@ pandora.ui.usersDialog = function() {
result.data.items.filter(function(item) {
return item.email;
}).map(function(item) {
- return item.username + ' <' + item.email + '>';
+ return Ox.encodeHTMLEntities(item.username)
+ + ' <' + item.email + '>';
}).join(', ')
),
removeOnClose: true,
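Review bot: `item.username` is encoded but `item.email` and the literal ` <` / `>` around it are not, so if this joined string is rendered as HTML (the surrounding call is outside the hunk) `<user@example.org>` is parsed as an unknown start tag and the address disappears, and any markup in an address stored before the server-side escaping lands unencoded. Encode the whole display string instead: `return Ox.encodeHTMLEntities(item.username + ' <' + item.email + '>');`. The same construction is added for the single-user label in the `users[0].username` hunk further down this file.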
@@ -779,7 +780,8 @@ pandora.ui.usersDialog = function() {
: users.length == 1 ? (
users[0].level == 'guest'
? 'Guest'
- : users[0].username + ' <' + users[0].email + '>'
+ : Ox.encodeHTMLEntities(users[0].username)
+ + ' <' + users[0].email + '>'
)
: users.length + ' users selected';
$formLabel.options({title: title});
diff --git a/static/js/pandora/utils.js b/static/js/pandora/utils.js
index ff9a462ca..bd6b4d1ae 100644
--- a/static/js/pandora/utils.js
+++ b/static/js/pandora/utils.js
@@ -389,7 +389,7 @@ pandora.enableDragAndDrop = function($list, canMove) {
].toLowerCase()
) + ' to ' + (
drag.target && !drag.target.selected
- ? 'the list "' + drag.target.name + '"'
+ ? 'the list "' + Ox.encodeHTMLEntities(drag.target.name) + '"'
: 'another list'
);
}