properly escape user names and list names
This commit is contained in:
parent
4610811821
commit
13eec9346b
12 changed files with 68 additions and 21 deletions
|
@ -211,6 +211,7 @@ class Item(models.Model):
|
||||||
groups = data.pop('groups')
|
groups = data.pop('groups')
|
||||||
if isinstance(groups, list):
|
if isinstance(groups, list):
|
||||||
groups = filter(lambda g: g.strip(), groups)
|
groups = filter(lambda g: g.strip(), groups)
|
||||||
|
groups = [ox.escape_html(g) for g in groups]
|
||||||
self.groups.exclude(name__in=groups).delete()
|
self.groups.exclude(name__in=groups).delete()
|
||||||
current_groups = [g.name for g in self.groups.all()]
|
current_groups = [g.name for g in self.groups.all()]
|
||||||
for g in filter(lambda g: g not in current_groups, groups):
|
for g in filter(lambda g: g not in current_groups, groups):
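Review bot: The new `groups = [ox.escape_html(g) for g in groups]` escapes group names before they are stored and compared, so the database ends up holding the HTML-encoded form and `exclude(name__in=groups)` no longer matches groups saved before this change under their raw names (they would be deleted and re-created as `&amp;`-style variants, assuming ox.escape_html does the usual entity encoding). Group names read like identifiers rather than free text, so rejecting names outside an allowed character set and escaping only at render time would avoid storing encoded data that presumably every non-HTML consumer (JSON API, exports) then sees. The preceding `filter(lambda g: g.strip(), groups)` also only drops blank entries without trimming the survivors; `groups = [g.strip() for g in groups if g.strip()]` does both. Item.edit continues outside the hunk.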
|
||||||
|
@ -234,10 +235,21 @@ class Item(models.Model):
|
||||||
del self.data[key]
|
del self.data[key]
|
||||||
else:
|
else:
|
||||||
k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys'])
|
k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys'])
|
||||||
if k and k.get('type') == 'text':
|
ktype = k and k[0].get('type') or ''
|
||||||
|
if ktype == 'text':
|
||||||
self.data[key] = ox.parse_html(data[key])
|
self.data[key] = ox.parse_html(data[key])
|
||||||
|
elif ktype == '[text]':
|
||||||
|
self.data[key] = [ox.parse_html(t) for t in data[key]]
|
||||||
|
elif ktype == '[string]':
|
||||||
|
self.data[key] = [ox.escape_html(t) for t in data[key]]
|
||||||
elif isinstance(data[key], basestring):
|
elif isinstance(data[key], basestring):
|
||||||
self.data[key] = ox.escape_html(data[key])
|
self.data[key] = ox.escape_html(data[key])
|
||||||
|
elif isinstance(data[key], list):
|
||||||
|
def cleanup(i):
|
||||||
|
if isinstance(i, basestring):
|
||||||
|
i = ox.escape_html(i)
|
||||||
|
return i
|
||||||
|
self.data[key] = [cleanup(i) for i in data[key]]
|
||||||
else:
|
else:
|
||||||
self.data[key] = ox.escape_html(data[key])
|
self.data[key] = ox.escape_html(data[key])
|
||||||
return self.save()
|
return self.save()
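Review bot: The new `'[text]'` and `'[string]'` branches iterate `data[key]` without checking that it is a list, so a plain string submitted for such a key is iterated character by character and silently stored as a list of single escaped characters. Guarding each branch, e.g. `elif ktype == '[text]' and isinstance(data[key], list):`, lets a wrong-typed value fall through to the existing string/list handling instead. Note also that `k[0]` relies on `filter()` returning a list (Python 2 semantics, consistent with the `basestring` check below), and that the `cleanup` helper in the generic list branch only escapes top-level strings, leaving nested dicts or lists untouched. The method starts outside the hunk.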
|
||||||
|
|
|
@ -51,7 +51,7 @@ def addPlace(request):
|
||||||
name = 'Untitled [%s]' %n
|
name = 'Untitled [%s]' %n
|
||||||
n += 1
|
n += 1
|
||||||
names = [name] + data.get('alternativeNames', [])
|
names = [name] + data.get('alternativeNames', [])
|
||||||
data['alternativveNames'] = [ox.escape_html(n)
|
data['alternativeNames'] = [ox.escape_html(n)
|
||||||
for n in data.get('alternativeNames', [])]
|
for n in data.get('alternativeNames', [])]
|
||||||
name = ox.escape_html(name)
|
name = ox.escape_html(name)
|
||||||
for n in names:
|
for n in names:
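Review bot: `names` is assembled from the raw `name` and raw `alternativeNames` before the two escape lines run, so the `for n in names:` loop below (its body is outside the hunk) works on unescaped values while `name` and `data['alternativeNames']` are now the escaped ones, which diverge for any name containing `&`, `<`, `>` or quotes. Moving the list construction after the escaping, `names = [name] + data['alternativeNames']`, keeps the two consistent. Under Python 2 the list comprehension also rebinds the outer `n` that the `'Untitled [%s]' %n` counter uses; harmless if `n` is not read again after this point, which the hunk does not show.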
|
||||||
|
|
|
@ -131,6 +131,8 @@ def signup(request):
|
||||||
data = json.loads(request.POST['data'])
|
data = json.loads(request.POST['data'])
|
||||||
if 'username' in data and 'password' in data:
|
if 'username' in data and 'password' in data:
|
||||||
data['username'] = data['username'].strip()
|
data['username'] = data['username'].strip()
|
||||||
|
if 'email' in data:
|
||||||
|
data['email'] = ox.escape_html(data['email'])
|
||||||
if models.User.objects.filter(username__iexact=data['username']).count() > 0:
|
if models.User.objects.filter(username__iexact=data['username']).count() > 0:
|
||||||
response = json_response({
|
response = json_response({
|
||||||
'errors': {
|
'errors': {
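Review bot: `data['email'] = ox.escape_html(data['email'])` rewrites the address itself: `&`, `'` and `"` are legal in the local part of an e-mail address, and after escaping the stored value (an `&amp;`- or `&#39;`-style sequence, assuming ox.escape_html follows the usual encoding) is no longer the address the user typed or that mail can be delivered to. Since the client side of this commit already encodes at render time, the server-side check that fits here is validation of the format (Django ships `validate_email`) with rejection on failure, not HTML escaping of the stored value. signup continues outside the hunk.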
|
||||||
|
@ -324,6 +326,8 @@ def editUser(request):
|
||||||
if 'disabled' in data:
|
if 'disabled' in data:
|
||||||
user.is_active = not data['disabled']
|
user.is_active = not data['disabled']
|
||||||
if 'email' in data:
|
if 'email' in data:
|
||||||
|
if 'email' in data:
|
||||||
|
data['email'] = ox.escape_html(data['email'])
|
||||||
if models.User.objects.filter(email__iexact=data['email']).exclude(id=user.id).count()>0:
|
if models.User.objects.filter(email__iexact=data['email']).exclude(id=user.id).count()>0:
|
||||||
response = json_response(status=403, text='email already in use')
|
response = json_response(status=403, text='email already in use')
|
||||||
return render_to_json_response(response)
|
return render_to_json_response(response)
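Review bot: The inserted `if 'email' in data:` at the top of this hunk sits directly inside an identical `if 'email' in data:` on the line above it, so the inner test can never be false; drop it and put `data['email'] = ox.escape_html(data['email'])` one level up. Note also that the `email__iexact` uniqueness query on the next line now compares the escaped form, so an address already stored unescaped (from before this change) with an `&` or a quote in it would not be detected as a duplicate. editUser continues outside the hunk.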
|
||||||
|
@ -338,6 +342,7 @@ def editUser(request):
|
||||||
groups = data['groups']
|
groups = data['groups']
|
||||||
if isinstance(groups, list):
|
if isinstance(groups, list):
|
||||||
groups = filter(lambda g: g.strip(), groups)
|
groups = filter(lambda g: g.strip(), groups)
|
||||||
|
groups = [ox.escape_html(g) for g in groups]
|
||||||
user.groups.exclude(name__in=groups).delete()
|
user.groups.exclude(name__in=groups).delete()
|
||||||
current_groups = [g.name for g in user.groups.all()]
|
current_groups = [g.name for g in user.groups.all()]
|
||||||
for g in filter(lambda g: g not in current_groups, groups):
|
for g in filter(lambda g: g not in current_groups, groups):
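Review bot: This group-sanitizing block (`filter(lambda g: g.strip(), groups)`, `[ox.escape_html(g) for g in groups]`, the `exclude(name__in=...)` delete and the re-add loop) is now repeated verbatim in `Item.edit` earlier in this commit; a shared helper such as `def clean_group_names(groups): return [ox.escape_html(g.strip()) for g in groups if g.strip()]` would keep the two paths from drifting and would also actually trim the names instead of using `strip()` only as a filter. editUser continues outside the hunk.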
|
||||||
|
@ -696,7 +701,7 @@ def editPreferences(request):
|
||||||
errors['email'] = 'Email address already in use'
|
errors['email'] = 'Email address already in use'
|
||||||
else:
|
else:
|
||||||
change = True
|
change = True
|
||||||
request.user.email = data['email']
|
request.user.email = ox.escape_html(data['email'])
|
||||||
if 'newsletter' in data:
|
if 'newsletter' in data:
|
||||||
profile = request.user.get_profile()
|
profile = request.user.get_profile()
|
||||||
profile.newsletter = data['newsletter']
|
profile.newsletter = data['newsletter']
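Review bot: `request.user.email = ox.escape_html(data['email'])` stores a value that differs from the one the uniqueness check above appears to have run on (`errors['email'] = 'Email address already in use'` is the only part of that check visible here), so the address that was verified as unused is not the one that ends up in the database. Escaping or, better, validating `data['email']` once before the check and reusing the result for both the query and the assignment keeps them consistent; the same check-then-store split appears in editUser. editPreferences continues outside the hunk.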
|
||||||
|
|
|
@ -379,7 +379,10 @@ pandora.ui.accountWelcomeDialog = function() {
|
||||||
.append(
|
.append(
|
||||||
Ox.Element()
|
Ox.Element()
|
||||||
.css({position: 'absolute', left: '96px', top: '16px', width: '192px'})
|
.css({position: 'absolute', left: '96px', top: '16px', width: '192px'})
|
||||||
.html('Welcome, ' + pandora.user.username + '!<br/><br/>Your account has been created.')
|
.html(
|
||||||
|
'Welcome, ' + Ox.encodeHTMLEntities(pandora.user.username)
|
||||||
|
+ '!<br/><br/>Your account has been created.'
|
||||||
|
)
|
||||||
),
|
),
|
||||||
fixedSize: true,
|
fixedSize: true,
|
||||||
height: 128,
|
height: 128,
|
||||||
|
|
|
@ -38,6 +38,9 @@ pandora.ui.folderBrowserList = function(id) {
|
||||||
width: 16
|
width: 16
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
format: function(value) {
|
||||||
|
return Ox.encodeHTMLEntities(value);
|
||||||
|
},
|
||||||
id: 'user',
|
id: 'user',
|
||||||
operator: '+',
|
operator: '+',
|
||||||
title: 'User',
|
title: 'User',
|
||||||
|
@ -45,6 +48,9 @@ pandora.ui.folderBrowserList = function(id) {
|
||||||
width: Math.floor(columnWidth)
|
width: Math.floor(columnWidth)
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
format: function(value) {
|
||||||
|
return Ox.encodeHTMLEntities(value);
|
||||||
|
},
|
||||||
id: 'name',
|
id: 'name',
|
||||||
operator: '+',
|
operator: '+',
|
||||||
title: 'List',
|
title: 'List',
|
||||||
|
|
|
@ -35,7 +35,7 @@ pandora.ui.folderList = function(id) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
format: function(value) {
|
format: function(value) {
|
||||||
return value.split(':').join(': ');
|
return Ox.encodeHTMLEntities(value.split(':').join(': '));
|
||||||
},
|
},
|
||||||
id: 'id',
|
id: 'id',
|
||||||
operator: '+',
|
operator: '+',
|
||||||
|
@ -49,12 +49,18 @@ pandora.ui.folderList = function(id) {
|
||||||
editable: function(data) {
|
editable: function(data) {
|
||||||
return data.user == pandora.user.username;
|
return data.user == pandora.user.username;
|
||||||
},
|
},
|
||||||
|
format: function(value) {
|
||||||
|
return Ox.encodeHTMLEntities(value);
|
||||||
|
},
|
||||||
id: 'name',
|
id: 'name',
|
||||||
input: {
|
input: {
|
||||||
autovalidate: pandora.ui.autovalidateListname
|
autovalidate: pandora.ui.autovalidateListname
|
||||||
},
|
},
|
||||||
operator: '+',
|
operator: '+',
|
||||||
tooltip: id == 'personal' ? 'Edit Title' : '',
|
tooltip: id == 'personal' ? 'Edit Title' : '',
|
||||||
|
unformat: function(value) {
|
||||||
|
return Ox.decodeHTMLEntities(value);
|
||||||
|
},
|
||||||
visible: id != 'favorite',
|
visible: id != 'favorite',
|
||||||
width: pandora.user.ui.sidebarWidth - 96
|
width: pandora.user.ui.sidebarWidth - 96
|
||||||
},
|
},
|
||||||
|
|
|
@ -466,7 +466,7 @@ pandora.ui.home = function() {
|
||||||
.appendTo($listsContent);
|
.appendTo($listsContent);
|
||||||
$listIcon[i] = Ox.Element({
|
$listIcon[i] = Ox.Element({
|
||||||
element: '<img>',
|
element: '<img>',
|
||||||
tooltip: list.name
|
tooltip: Ox.encodeHTMLEntities(list.name)
|
||||||
})
|
})
|
||||||
.attr({
|
.attr({
|
||||||
src: '/list/' + list.user + ':'
|
src: '/list/' + list.user + ':'
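Review bot: The icon `src` on the last line of this hunk is built by string-concatenating `list.user` (and, past the hunk, the list name) into a URL path, so a user or list name containing `/`, `?`, `#` or `%` changes the path rather than being looked up as a name; `src: '/list/' + encodeURIComponent(list.user) + ':'` (and the same for the name) keeps each component opaque. Whether `tooltip` is rendered as HTML, which the new `Ox.encodeHTMLEntities(list.name)` assumes, is not visible here; if Ox renders tooltips as text the user will see a literal `&amp;`. The statement continues outside the hunk.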
|
||||||
|
@ -556,7 +556,7 @@ pandora.ui.home = function() {
|
||||||
+ lists[selected].name + '/icon256.jpg'
|
+ lists[selected].name + '/icon256.jpg'
|
||||||
});
|
});
|
||||||
$text.html(
|
$text.html(
|
||||||
'<b>' + lists[selected].name + '</b><br><br>'
|
'<b>' + Ox.encodeHTMLEntities(lists[selected].name) + '</b><br><br>'
|
||||||
+ lists[selected].description
|
+ lists[selected].description
|
||||||
);
|
);
|
||||||
}
|
}
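Review bot: `$text.html(...)` now encodes `lists[selected].name` but still concatenates `lists[selected].description` raw on the next line, so any markup or script in a list description is injected into the page unchanged unless it has been sanitized server-side (no list-description handling is visible in this commit). Either encode it the same way, `+ Ox.encodeHTMLEntities(lists[selected].description)`, or, if descriptions are meant to carry formatting, confirm the server runs them through the same `ox.parse_html` path the item text fields use. The surrounding function starts outside the hunk.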
|
||||||
|
|
|
@ -108,7 +108,7 @@ pandora.ui.listDialog = function(section) {
|
||||||
height: 312,
|
height: 312,
|
||||||
// keys: {enter: 'save', escape: 'cancel'},
|
// keys: {enter: 'save', escape: 'cancel'},
|
||||||
removeOnClose: true,
|
removeOnClose: true,
|
||||||
title: 'List - ' + listData.name,
|
title: 'List - ' + Ox.encodeHTMLEntities(listData.name),
|
||||||
width: width
|
width: width
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -243,6 +243,9 @@ pandora.ui.listGeneralPanel = function(listData) {
|
||||||
listData.name = result.data.name;
|
listData.name = result.data.name;
|
||||||
Ox.Request.clearCache('findLists');
|
Ox.Request.clearCache('findLists');
|
||||||
pandora.$ui.info.updateListInfo();
|
pandora.$ui.info.updateListInfo();
|
||||||
|
pandora.$ui.listDialog.options({
|
||||||
|
title: 'List - ' + Ox.encodeHTMLEntities(listData.name) + ' - General'
|
||||||
|
});
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
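Review bot: The title expression `'List - ' + Ox.encodeHTMLEntities(listData.name)` is now spelled out both here (with a `' - General'` suffix) and in listDialog's constructor, which this commit edits without the suffix; a single helper returning the encoded base title would keep the two from drifting when the format changes again, and would make it obvious whether the missing suffix in the constructor is intentional. As in the other title callers, this assumes dialog titles are rendered as HTML; if Ox treats them as text the encoded name shows up as `&amp;`. The enclosing callback starts outside the hunk.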
|
||||||
|
|
|
@ -60,34 +60,42 @@ pandora.ui.logsDialog = function() {
|
||||||
visible: false,
|
visible: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
format: function(value) {
|
||||||
|
return Ox.encodeHTMLEntities(value);
|
||||||
|
},
|
||||||
id: 'user',
|
id: 'user',
|
||||||
|
operator: '+',
|
||||||
title: 'User',
|
title: 'User',
|
||||||
visible: true,
|
visible: true,
|
||||||
width: 72
|
width: 72
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
id: 'created',
|
|
||||||
title: 'Date',
|
|
||||||
align: 'right',
|
align: 'right',
|
||||||
format: function(value) {
|
format: function(value) {
|
||||||
return value.replace(/[TZ]/g, ' ');
|
return value.replace(/[TZ]/g, ' ');
|
||||||
},
|
},
|
||||||
|
id: 'created',
|
||||||
operator: '-',
|
operator: '-',
|
||||||
|
title: 'Date',
|
||||||
visible: true,
|
visible: true,
|
||||||
width: 144
|
width: 144
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
id: 'url',
|
format: function(value) {
|
||||||
title: 'URL',
|
|
||||||
format: function(value, data) {
|
|
||||||
return formatURL(value, data.line);
|
return formatURL(value, data.line);
|
||||||
},
|
},
|
||||||
|
id: 'url',
|
||||||
operator: '+',
|
operator: '+',
|
||||||
|
title: 'URL',
|
||||||
visible: true,
|
visible: true,
|
||||||
width: 320
|
width: 320
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
format: function(value) {
|
||||||
|
return Ox.encodeHTMLEntities(value);
|
||||||
|
},
|
||||||
id: 'text',
|
id: 'text',
|
||||||
|
operator: '+',
|
||||||
title: 'Text',
|
title: 'Text',
|
||||||
visible: true,
|
visible: true,
|
||||||
width: 640
|
width: 640
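Review bot: The url column's format callback was changed to `format: function(value) {` but its body, the unchanged `return formatURL(value, data.line);`, still reads `data`, which is no longer a parameter; unless an outer `data` variable happens to be in scope (none is visible here) every row render throws a ReferenceError. Restore the second parameter, `format: function(value, data) {`, as the other reordered columns keep their original signatures. The user and text columns are now encoded, but the created column's `value.replace(/[TZ]/g, ' ')` still returns the raw value; fine if timestamps are server-generated, worth encoding too if that field can be user-influenced.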
|
||||||
|
@ -138,7 +146,7 @@ pandora.ui.logsDialog = function() {
|
||||||
margin: '16px',
|
margin: '16px',
|
||||||
MozUserSelect: 'text',
|
MozUserSelect: 'text',
|
||||||
WebkitUserSelect: 'text'
|
WebkitUserSelect: 'text'
|
||||||
}).html(value.text)),
|
}).text(value.text)),
|
||||||
height: height - 48,
|
height: height - 48,
|
||||||
keys: {enter: 'close', escape: 'close'},
|
keys: {enter: 'close', escape: 'close'},
|
||||||
maximizeButton: true,
|
maximizeButton: true,
|
||||||
|
@ -203,7 +211,7 @@ pandora.ui.logsDialog = function() {
|
||||||
.appendTo(that.$element.find('.OxButtonsbar'));
|
.appendTo(that.$element.find('.OxButtonsbar'));
|
||||||
|
|
||||||
function formatURL(url, line) {
|
function formatURL(url, line) {
|
||||||
return url.split('?')[0] + ':' + line;
|
return Ox.encodeHTMLEntities(url.split('?')[0]) + ':' + line;
|
||||||
}
|
}
|
||||||
|
|
||||||
function renderLog(logData) {
|
function renderLog(logData) {
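Review bot: `formatURL` now encodes the URL but concatenates `line` raw after it; the value comes from the log record (`data.line` in the column definition) and is not visibly coerced to a number, so it should go through the same encoding, e.g. `return Ox.encodeHTMLEntities(url.split('?')[0] + ':' + line);`. Stripping everything after `?` also hides query parameters that may be what distinguishes two log entries; if that is deliberate, a one-line comment saying so would help the next reader.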
|
||||||
|
|
|
@ -27,7 +27,7 @@ pandora.ui.mainMenu = function() {
|
||||||
]
|
]
|
||||||
) },
|
) },
|
||||||
{ id: 'userMenu', title: 'User', items: [
|
{ id: 'userMenu', title: 'User', items: [
|
||||||
{ id: 'username', title: 'User: ' + (isGuest ? 'not logged in' : pandora.user.username), disabled: true },
|
{ id: 'username', title: 'User: ' + (isGuest ? 'not logged in' : Ox.encodeHTMLEntities(pandora.user.username)), disabled: true },
|
||||||
{},
|
{},
|
||||||
{ id: 'preferences', title: 'Preferences...', disabled: isGuest, keyboard: 'control ,' },
|
{ id: 'preferences', title: 'Preferences...', disabled: isGuest, keyboard: 'control ,' },
|
||||||
{ id: 'archives', title: 'Archives...', disabled: /*isGuest*/ true },
|
{ id: 'archives', title: 'Archives...', disabled: /*isGuest*/ true },
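Review bot: `Ox.encodeHTMLEntities(pandora.user.username)` in the User menu entry is correct only if menu item titles are inserted as HTML; if Ox.Menu sets them as text, a name like `O'Brien` will display in its encoded form. That rendering path is not visible in this diff, so it is worth confirming once and recording the answer in a short comment above the item, e.g. `// menu titles are rendered as HTML, so encode user-controlled text`, since the same assumption is made for the list titles further down this file.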
|
||||||
|
@ -455,7 +455,9 @@ pandora.ui.mainMenu = function() {
|
||||||
: lists[folder].map(function(list) {
|
: lists[folder].map(function(list) {
|
||||||
return {
|
return {
|
||||||
id: 'viewlist' + list.id,
|
id: 'viewlist' + list.id,
|
||||||
title: (folder == 'favorite' ? list.user + ': ' : '') + list.name,
|
title: Ox.encodeHTMLEntities((
|
||||||
|
folder == 'favorite' ? list.user + ': ' : ''
|
||||||
|
) + list.name),
|
||||||
checked: list.id == pandora.user.ui._list
|
checked: list.id == pandora.user.ui._list
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
|
|
@ -86,7 +86,7 @@ pandora.ui.usersDialog = function() {
|
||||||
format: function(value, data) {
|
format: function(value, data) {
|
||||||
return '<span style="opacity: ' + (
|
return '<span style="opacity: ' + (
|
||||||
data.disabled ? 0.5 : 1
|
data.disabled ? 0.5 : 1
|
||||||
) + '">' + value + '</span>';
|
) + '">' + Ox.encodeHTMLEntities(value) + '</span>';
|
||||||
},
|
},
|
||||||
id: 'username',
|
id: 'username',
|
||||||
operator: '+',
|
operator: '+',
|
||||||
|
@ -389,7 +389,8 @@ pandora.ui.usersDialog = function() {
|
||||||
result.data.items.filter(function(item) {
|
result.data.items.filter(function(item) {
|
||||||
return item.email;
|
return item.email;
|
||||||
}).map(function(item) {
|
}).map(function(item) {
|
||||||
return item.username + ' <' + item.email + '>';
|
return Ox.encodeHTMLEntities(item.username)
|
||||||
|
+ ' <' + item.email + '>';
|
||||||
}).join(', ')
|
}).join(', ')
|
||||||
),
|
),
|
||||||
removeOnClose: true,
|
removeOnClose: true,
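Review bot: The new string `Ox.encodeHTMLEntities(item.username) + ' <' + item.email + '>'` encodes the username, which implies the result is rendered as HTML, but the literal `<` and `>` around the e-mail are left bare, so the browser parses `<user@example.com>` as a tag and the address disappears. Use `' &lt;' + Ox.encodeHTMLEntities(item.email) + '&gt;'`, or encode the assembled line once with `Ox.encodeHTMLEntities(item.username + ' <' + item.email + '>')`. If this text actually goes into a plain-text control, the username encoding is the part that is wrong instead; the hunk does not show the consumer.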
|
||||||
|
@ -779,7 +780,8 @@ pandora.ui.usersDialog = function() {
|
||||||
: users.length == 1 ? (
|
: users.length == 1 ? (
|
||||||
users[0].level == 'guest'
|
users[0].level == 'guest'
|
||||||
? 'Guest'
|
? 'Guest'
|
||||||
: users[0].username + ' <' + users[0].email + '>'
|
: Ox.encodeHTMLEntities(users[0].username)
|
||||||
|
+ ' <' + users[0].email + '>'
|
||||||
)
|
)
|
||||||
: users.length + ' users selected';
|
: users.length + ' users selected';
|
||||||
$formLabel.options({title: title});
|
$formLabel.options({title: title});
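Review bot: `Ox.encodeHTMLEntities(users[0].username) + ' <' + users[0].email + '>'` leaves the literal angle brackets and the e-mail unencoded, so if `$formLabel`'s `title` is rendered as HTML the address is swallowed as a tag, and if it is rendered as text the encoded username is what looks wrong. Encoding the whole label once, `Ox.encodeHTMLEntities(users[0].username + ' <' + users[0].email + '>')`, at least keeps the fragments consistent; which rendering `$formLabel` uses is outside this hunk.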
|
||||||
|
|
|
@ -389,7 +389,7 @@ pandora.enableDragAndDrop = function($list, canMove) {
|
||||||
].toLowerCase()
|
].toLowerCase()
|
||||||
) + '</br> to ' + (
|
) + '</br> to ' + (
|
||||||
drag.target && !drag.target.selected
|
drag.target && !drag.target.selected
|
||||||
? 'the list "' + drag.target.name + '"'
|
? 'the list "' + Ox.encodeHTMLEntities(drag.target.name) + '"'
|
||||||
: 'another list'
|
: 'another list'
|
||||||
);
|
);
|
||||||
}
|
}
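Review bot: The context line `) + '</br> to ' + (` two lines above the change uses `</br>`, which is not a valid end tag (browsers happen to treat it as `<br>`); since this hunk already touches the string, change it to `) + '<br> to ' + (`. The encoded `drag.target.name` is the only user-controlled piece in the visible fragment; the start of the message, including the `.toLowerCase()` operand, is outside the hunk.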
|
||||||
|
|