This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 2869dfdf58eefdf3c564e56953bc7cacd6192e89
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Fri Feb 9 16:12:37 2024 -0500

    [#8536] move/improve |safe usage
---
 Allura/allura/app.py                                              | 7 ++++---
 Allura/allura/ext/admin/templates/project_groups.html             | 2 +-
 Allura/allura/lib/diff.py                                         | 3 ++-
 Allura/allura/templates/jinja_master/sidebar_menu.html            | 2 +-
 Allura/allura/templates/repo/barediff.html                        | 2 +-
 Allura/allura/templates/repo/diff.html                            | 2 +-
 Allura/allura/templates_responsive/jinja_master/sidebar_menu.html | 2 +-
 ForgeTracker/forgetracker/tracker_main.py                         | 6 ++++--
 ForgeWiki/forgewiki/wiki_main.py                                  | 5 +++--
 9 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/Allura/allura/app.py b/Allura/allura/app.py
index 1beddf562..23f18d1b3 100644
--- a/Allura/allura/app.py
+++ b/Allura/allura/app.py
@@ -24,6 +24,7 @@ from xml.etree import ElementTree as ET
 from copy import copy
 
 import pkg_resources
+from markupsafe import Markup
 from tg import expose, redirect, flash, validate
 from tg.decorators import without_trailing_slash
 from tg import config as tg_config
@@ -619,13 +620,13 @@ class Application(ActivityObject):
         """
         return []
 
-    def sidebar_menu_js(self):
+    def sidebar_menu_js(self) -> Markup:
         """Return Javascript needed by the sidebar menu of this Application.
 
-        :return: a string of Javascript code
+        :return: Markup string of Javascript code
 
         """
-        return ""
+        return Markup("")
 
     @LazyProperty
     def _webhooks(self):
diff --git a/Allura/allura/ext/admin/templates/project_groups.html 
b/Allura/allura/ext/admin/templates/project_groups.html
index bb5571010..ed941dd9d 100644
--- a/Allura/allura/ext/admin/templates/project_groups.html
+++ b/Allura/allura/ext/admin/templates/project_groups.html
@@ -76,7 +76,7 @@
           {% for r in role.users_with_role() %}
           <li class="deleter" data-user="{{r.user.username}}">
             {{ g.icons['perm_delete'].render(
-                title=('<span>%s</span> (%s)' % (r.user.display_name | escape, 
r.user.username | escape)) | safe,
+                title=('<span>%s</span> (%s)'|safe) % (r.user.display_name, 
r.user.username),
                 show_title=True,
                 extra_css='deleter',
                 **{'data-user': r.user.username}) }}
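Review bot: The rewritten `title=` argument is correct only because `Markup.__mod__` escapes its operands; a reader who does not know that may later "simplify" it back to interpolating first and marking safe afterwards, which would reintroduce unescaped display_name into the title. A Jinja comment on the line above would pin the intent: `{# '|safe' applies to the format string only: Markup's % escapes display_name and username #}`. Whether `g.icons[...].render` escapes `title` again is not visible from this hunk.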
diff --git a/Allura/allura/lib/diff.py b/Allura/allura/lib/diff.py
index 000ecce01..ee9087253 100644
--- a/Allura/allura/lib/diff.py
+++ b/Allura/allura/lib/diff.py
@@ -24,6 +24,7 @@ from collections.abc import Iterable, Generator
 import sxsdiff
 from diff_match_patch import diff_match_patch
 import six
+from markupsafe import Markup
 from sxsdiff.calculator import LineChange, ElementsHolder, PlainElement, 
AdditionElement, DeletionElement
 
 log = logging.getLogger(__name__)
@@ -67,7 +68,7 @@ class SxsOutputGenerator(sxsdiff.BaseGenerator):
     def run(self, diff_result: Iterable[LineChange | None]):
         self.out = ''
         super().run(diff_result)
-        return self.out
+        return Markup(self.out)  # "safe" because we use html.escape in a few 
key places below
 
     def visit_row(self, line_change: LineChange | None):
         if line_change is None:
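Review bot: The comment justifying `Markup(self.out)` says escaping happens "in a few key places below", which does not tell a maintainer what the invariant is: once run() returns Markup, every fragment of diff content concatenated into self.out must have passed through html.escape, and any future visit_* branch that appends raw line text silently becomes HTML injection via file contents. I would replace the comment with `# Markup is only sound because every piece of line content appended to self.out is html.escape'd in the visit methods below; preserve that invariant when adding output.` The visit methods are outside this hunk, so I cannot confirm that every current path escapes.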
diff --git a/Allura/allura/templates/jinja_master/sidebar_menu.html 
b/Allura/allura/templates/jinja_master/sidebar_menu.html
index 6097e7132..d9db22f24 100644
--- a/Allura/allura/templates/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates/jinja_master/sidebar_menu.html
@@ -95,7 +95,7 @@
     {% endif %}
     {% if c.app and c.app.sidebar_menu_js() %}
       <script>
-        {{c.app.sidebar_menu_js()|safe}}
+        {{c.app.sidebar_menu_js()}}
       </script>
     {% endif %}
 </div>
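Review bot: Dropping `|safe` here makes correct rendering depend on every Application subclass's sidebar_menu_js returning Markup; the commit updates the two in-tree overrides, but any other tool or out-of-tree plugin still returning a str will now have its JavaScript HTML-escaped inside `<script>` (for example `&&` becoming `&amp;&amp;`), which fails at runtime rather than at review time. Since the condition on the line above also calls the method, `{% set js = c.app.sidebar_menu_js() %}` once and then testing and emitting `js` would avoid evaluating it twice. The same applies to Allura/allura/templates_responsive/jinja_master/sidebar_menu.html.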
diff --git a/Allura/allura/templates/repo/barediff.html 
b/Allura/allura/templates/repo/barediff.html
index babccfa61..84085149f 100644
--- a/Allura/allura/templates/repo/barediff.html
+++ b/Allura/allura/templates/repo/barediff.html
@@ -25,7 +25,7 @@
        title="{{h.text.truncate(b.commit._id, 10)}}"/>
 {% else %}
   {% if session.diformat == 'sidebyside' %}
-    {{diff|safe}}
+    {{diff}}
   {% else %}
     {{g.highlight(diff, lexer='diff')}}
   {% endif%}
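Review bot: `{{diff}}` now relies on the controller handing the template a Markup for the sidebyside format (presumably the new return value of SxsOutputGenerator.run); if any path supplies a plain str instead, such as an error placeholder, autoescaping will show the HTML as literal text rather than rendering it, which is the safe failure mode but a silent one. A template comment such as `{# diff is Markup from SxsOutputGenerator.run; line content is escaped there #}` records that dependency. diff.html carries the identical change.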
diff --git a/Allura/allura/templates/repo/diff.html 
b/Allura/allura/templates/repo/diff.html
index df74c6c66..fdbec5663 100644
--- a/Allura/allura/templates/repo/diff.html
+++ b/Allura/allura/templates/repo/diff.html
@@ -63,7 +63,7 @@
         <a rel="nofollow" href="{{ switch_url }}">Switch to {{ switch_text }} 
view</a>
       </h3>
     {% if session.diformat == 'sidebyside' %}
-      {{diff|safe}}
+      {{diff}}
     {% else %}
       {{g.highlight(diff, lexer='diff')}}
     {% endif %}
diff --git a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html 
b/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
index 74b73ebd4..d7ec8664f 100644
--- a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
@@ -95,7 +95,7 @@
     {% endif %}
     {% if c.app and c.app.sidebar_menu_js() %}
       <script>
-        {{c.app.sidebar_menu_js()|safe}}
+        {{c.app.sidebar_menu_js()}}
       </script>
     {% endif %}
 </div>
diff --git a/ForgeTracker/forgetracker/tracker_main.py 
b/ForgeTracker/forgetracker/tracker_main.py
index a1267ef3b..e70a61d7c 100644
--- a/ForgeTracker/forgetracker/tracker_main.py
+++ b/ForgeTracker/forgetracker/tracker_main.py
@@ -19,6 +19,8 @@ import logging
 import re
 from datetime import datetime, timedelta
 from urllib.parse import urlencode, unquote
+
+from markupsafe import Markup
 from webob import exc
 import json
 import os
@@ -396,7 +398,7 @@ class ForgeTrackerApp(Application):
         return links
 
     def sidebar_menu_js(self):
-        return """\
+        return Markup("""\
         $(function() {
             $.ajax({
                 url:'%(app_url)sbin_counts',
@@ -426,7 +428,7 @@ class ForgeTrackerApp(Application):
                     }
                 });
             }
-        });""" % {'app_url': c.app.url}
+        });""") % {'app_url': c.app.url}
 
     def has_custom_field(self, field):
         """Checks if given custom field is defined.
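Review bot: `Markup(...) % {'app_url': c.app.url}` HTML-escapes the value, but it lands inside a JavaScript single-quoted string (`url:'%(app_url)sbin_counts'` in the earlier hunk) within `<script>`, where HTML escaping is not the native quoting rule. It is sufficient here because markupsafe escapes both `<` and `'`, so neither the `</script>` tag nor the string literal can be closed by the value, but that reasoning is non-obvious and deserves a comment, e.g. `# Markup % escapes app_url HTML-style; inside <script> that still prevents closing the tag or the quoted JS string`. sidebar_menu_js begins in the previous hunk; adding the base class's `-> Markup` annotation to this override (and to the one in ForgeWiki/forgewiki/wiki_main.py) would keep the signatures consistent.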
diff --git a/ForgeWiki/forgewiki/wiki_main.py b/ForgeWiki/forgewiki/wiki_main.py
index f1014f180..bac4d36da 100644
--- a/ForgeWiki/forgewiki/wiki_main.py
+++ b/ForgeWiki/forgewiki/wiki_main.py
@@ -23,6 +23,7 @@ from pprint import pformat
 import six
 from urllib.parse import unquote, urlencode
 
+from markupsafe import Markup
 # Non-stdlib imports
 from tg import expose, validate, redirect, flash, jsonify
 from tg.decorators import with_trailing_slash, without_trailing_slash
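Review bot: The new `from markupsafe import Markup` is placed above the `# Non-stdlib imports` comment, i.e. in the stdlib group, although markupsafe is a third-party package; moving it below the comment next to the `tg` imports keeps the grouping the comment promises.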
@@ -305,7 +306,7 @@ The wiki uses [Markdown](%s) syntax.
         return self.create_common_wiki_menu(has_create_access=has_access(self, 
'create'))
 
     def sidebar_menu_js(self):
-        return '''
+        return Markup('''
         $('#sidebar').on('click', 'a[href$="#toggle-subscribe"]', function(e) {
             e.preventDefault();
             var link = this;
@@ -332,7 +333,7 @@ The wiki uses [Markdown](%s) syntax.
                 $(link).attr('href', 
$(link).attr('href').replace('-unsubscribe','-subscribe'));
             });
         });
-        '''
+        ''')
 
     def install(self, project):
         'Set up any default permissions and roles here'
