This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git
commit 2869dfdf58eefdf3c564e56953bc7cacd6192e89
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Fri Feb 9 16:12:37 2024 -0500
[#8536] move/improve |safe usage
---
 Allura/allura/app.py | 7 ++++---
 Allura/allura/ext/admin/templates/project_groups.html | 2 +-
 Allura/allura/lib/diff.py | 3 ++-
 Allura/allura/templates/jinja_master/sidebar_menu.html | 2 +-
 Allura/allura/templates/repo/barediff.html | 2 +-
 Allura/allura/templates/repo/diff.html | 2 +-
 Allura/allura/templates_responsive/jinja_master/sidebar_menu.html | 2 +-
 ForgeTracker/forgetracker/tracker_main.py | 6 ++++--
 ForgeWiki/forgewiki/wiki_main.py | 5 +++--
 9 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/Allura/allura/app.py b/Allura/allura/app.py
index 1beddf562..23f18d1b3 100644
--- a/Allura/allura/app.py
+++ b/Allura/allura/app.py
@@ -24,6 +24,7 @@ from xml.etree import ElementTree as ET
 from copy import copy
 import pkg_resources
+from markupsafe import Markup
 from tg import expose, redirect, flash, validate
 from tg.decorators import without_trailing_slash
 from tg import config as tg_config
@@ -619,13 +620,13 @@ class Application(ActivityObject):
 """
 return []
- def sidebar_menu_js(self):
+ def sidebar_menu_js(self) -> Markup:
 """Return Javascript needed by the sidebar menu of this Application.
- :return: a string of Javascript code
+ :return: Markup string of Javascript code
 """
- return ""
+ return Markup("")
 @LazyProperty
 def _webhooks(self):
diff --git a/Allura/allura/ext/admin/templates/project_groups.html b/Allura/allura/ext/admin/templates/project_groups.html
index bb5571010..ed941dd9d 100644
--- a/Allura/allura/ext/admin/templates/project_groups.html
+++ b/Allura/allura/ext/admin/templates/project_groups.html
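Review bot: The docstring change on `sidebar_menu_js` says the return is Markup but not the consequence: both `sidebar_menu.html` templates in this commit drop `|safe`, so an override that still returns a plain `str` will have its JavaScript HTML-escaped and silently broken, and anything interpolated into the Markup must be safe for a `<script>` context, where HTML entities are not decoded. Suggest adding to the docstring `Subclasses must return Markup: the template autoescapes a plain str. Interpolate only trusted values; HTML escaping does not protect a JS string literal.` The overrides touched in tracker_main.py and wiki_main.py lack the `-> Markup` annotation the base method gained, so adding it there keeps the signatures consistent. The remainder of the `Application` class lies outside this hunk.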
@@ -76,7 +76,7 @@
 {% for r in role.users_with_role() %}
 <li class="deleter" data-user="{{r.user.username}}">
 {{ g.icons['perm_delete'].render(
- title=('<span>%s</span> (%s)' % (r.user.display_name | escape, r.user.username | escape)) | safe,
+ title=('<span>%s</span> (%s)'|safe) % (r.user.display_name, r.user.username),
 show_title=True, extra_css='deleter', **{'data-user': r.user.username}) }}
diff --git a/Allura/allura/lib/diff.py b/Allura/allura/lib/diff.py
index 000ecce01..ee9087253 100644
--- a/Allura/allura/lib/diff.py
+++ b/Allura/allura/lib/diff.py
@@ -24,6 +24,7 @@ from collections.abc import Iterable, Generator
 import sxsdiff
 from diff_match_patch import diff_match_patch
 import six
+from markupsafe import Markup
 from sxsdiff.calculator import LineChange, ElementsHolder, PlainElement, AdditionElement, DeletionElement
 log = logging.getLogger(__name__)
@@ -67,7 +68,7 @@ class SxsOutputGenerator(sxsdiff.BaseGenerator):
 def run(self, diff_result: Iterable[LineChange | None]):
 self.out = ''
 super().run(diff_result)
- return self.out
+ return Markup(self.out) # "safe" because we use html.escape in a few key places below
 def visit_row(self, line_change: LineChange | None):
 if line_change is None:
diff --git a/Allura/allura/templates/jinja_master/sidebar_menu.html b/Allura/allura/templates/jinja_master/sidebar_menu.html
index 6097e7132..d9db22f24 100644
--- a/Allura/allura/templates/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates/jinja_master/sidebar_menu.html
@@ -95,7 +95,7 @@
 {% endif %}
 {% if c.app and c.app.sidebar_menu_js() %}
 <script>
- {{c.app.sidebar_menu_js()|safe}}
+ {{c.app.sidebar_menu_js()}}
 </script>
 {% endif %}
 </div>
diff --git a/Allura/allura/templates/repo/barediff.html b/Allura/allura/templates/repo/barediff.html
index babccfa61..84085149f 100644
--- a/Allura/allura/templates/repo/barediff.html
+++ b/Allura/allura/templates/repo/barediff.html
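Review bot: `return Markup(self.out)` in `run` declares the whole accumulated buffer safe, so the side-by-side diff's XSS safety now rests on every `visit_*` method that appends to `self.out` (outside this hunk) escaping untrusted diff content, and the comment `"safe" because we use html.escape in a few key places below` states that invariant too loosely for a future editor. Suggest `# Marked safe: every fragment appended to self.out must be literal markup written in this class or passed through html.escape first.` A more robust option is to make `self.out` a `Markup('')` accumulator and build fragments with `Markup.format` or `%`, which escape non-Markup arguments automatically — the `project_groups.html` hunk in this commit already uses that pattern. The `SxsOutputGenerator` class continues outside the hunk.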
@@ -25,7 +25,7 @@ title="{{h.text.truncate(b.commit._id, 10)}}"/>
 {% else %}
 {% if session.diformat == 'sidebyside' %}
- {{diff|safe}}
+ {{diff}}
 {% else %}
 {{g.highlight(diff, lexer='diff')}}
 {% endif%}
diff --git a/Allura/allura/templates/repo/diff.html b/Allura/allura/templates/repo/diff.html
index df74c6c66..fdbec5663 100644
--- a/Allura/allura/templates/repo/diff.html
+++ b/Allura/allura/templates/repo/diff.html
@@ -63,7 +63,7 @@
 <a rel="nofollow" href="{{ switch_url }}">Switch to {{ switch_text }} view</a>
 </h3>
 {% if session.diformat == 'sidebyside' %}
- {{diff|safe}}
+ {{diff}}
 {% else %}
 {{g.highlight(diff, lexer='diff')}}
 {% endif %}
diff --git a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html b/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
index 74b73ebd4..d7ec8664f 100644
--- a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
@@ -95,7 +95,7 @@
 {% endif %}
 {% if c.app and c.app.sidebar_menu_js() %}
 <script>
- {{c.app.sidebar_menu_js()|safe}}
+ {{c.app.sidebar_menu_js()}}
 </script>
 {% endif %}
 </div>
diff --git a/ForgeTracker/forgetracker/tracker_main.py b/ForgeTracker/forgetracker/tracker_main.py
index a1267ef3b..e70a61d7c 100644
--- a/ForgeTracker/forgetracker/tracker_main.py
+++ b/ForgeTracker/forgetracker/tracker_main.py
@@ -19,6 +19,8 @@ import logging
 import re
 from datetime import datetime, timedelta
 from urllib.parse import urlencode, unquote
+
+from markupsafe import Markup
 from webob import exc
 import json
 import os
@@ -396,7 +398,7 @@ class ForgeTrackerApp(Application):
 return links
 def sidebar_menu_js(self):
- return """\
+ return Markup("""\
 $(function() {
 $.ajax({
 url:'%(app_url)sbin_counts',
@@ -426,7 +428,7 @@ class ForgeTrackerApp(Application):
 }
 });
 }
- });""" % {'app_url': c.app.url}
+ });""") % {'app_url': c.app.url}
 def has_custom_field(self, field):
 """Checks if given custom field is defined.
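Review bot: The `Markup(...) % {'app_url': c.app.url}` substitution closing `sidebar_menu_js` HTML-escapes the URL, which does prevent a `</script>` break-out, but the value lands inside a JavaScript string literal (`url:'%(app_url)sbin_counts'` in the hunk at 398) where HTML entities are not decoded, so a URL containing `'`, `\` or `&` would yield an altered request URL rather than a correctly escaped one. If app URLs are limited to path characters — likely for mount points, but not visible here — this is harmless in practice, yet the escaping does not match the context and the assumption is undocumented. At minimum add `# app_url is interpolated into a JS string literal; Markup % only HTML-escapes it, so this relies on app URLs containing no quotes, backslashes or '&'`. A context-correct alternative is to emit a JS literal via `json.dumps(c.app.url)` (json is already imported in this file) with `<` replaced by `\u003c`, wrapped in Markup so `%` does not re-escape its quotes. The method body spans the hunks at 398 and 428.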
diff --git a/ForgeWiki/forgewiki/wiki_main.py b/ForgeWiki/forgewiki/wiki_main.py
index f1014f180..bac4d36da 100644
--- a/ForgeWiki/forgewiki/wiki_main.py
+++ b/ForgeWiki/forgewiki/wiki_main.py
@@ -23,6 +23,7 @@ from pprint import pformat
 import six
 from urllib.parse import unquote, urlencode
+from markupsafe import Markup
 # Non-stdlib imports
 from tg import expose, validate, redirect, flash, jsonify
 from tg.decorators import with_trailing_slash, without_trailing_slash
@@ -305,7 +306,7 @@ The wiki uses [Markdown](%s) syntax.
 return self.create_common_wiki_menu(has_create_access=has_access(self, 'create'))
 def sidebar_menu_js(self):
- return '''
+ return Markup('''
 $('#sidebar').on('click', 'a[href$="#toggle-subscribe"]', function(e) {
 e.preventDefault();
 var link = this;
@@ -332,7 +333,7 @@ The wiki uses [Markdown](%s) syntax.
 $(link).attr('href', $(link).attr('href').replace('-unsubscribe','-subscribe'));
 });
 });
- '''
+ ''')
 def install(self, project):
 'Set up any default permissions and roles here'