Repository: zeppelin
Updated Branches:
  refs/heads/master 3eea57ab2 -> 645037b36


[minor] Escape string before insertion it into HTML

In the current implementation some unescaped HTML gets passed to the frontend via 
BootstrapDialog; this PR escapes those strings (and sanitizes the output).

[Improvement]

* Does the licenses files need update?
* Is there breaking changes for older versions?
* Does this needs documentation?

Author: Prabhjyot Singh <[email protected]>

Closes #2888 from prabhjyotsingh/applyEscapeBootstrapDialog and squashes the 
following commits:

757cfff91 [Prabhjyot Singh] apply _.Escape to BootstrapDialog

Change-Id: Icabd5e5713591929cb4ff9a41036f06ca99b6db8


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/645037b3
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/645037b3
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/645037b3

Branch: refs/heads/master
Commit: 645037b367fd3249ea000392a3237313a83f3506
Parents: 3eea57a
Author: Prabhjyot Singh <[email protected]>
Authored: Thu Mar 22 14:45:09 2018 +0530
Committer: Prabhjyot Singh <[email protected]>
Committed: Sat Mar 24 10:50:00 2018 +0530

----------------------------------------------------------------------
 zeppelin-web/src/app/helium/helium.controller.js  | 12 ++++++------
 .../src/app/interpreter/interpreter.controller.js |  6 +++---
 .../src/app/jobmanager/job/job.component.js       |  2 +-
 .../src/app/notebook/notebook.controller.js       | 18 +++++++++++-------
 .../components/note-action/note-action.service.js |  2 +-
 .../websocket/websocket-event.factory.js          |  2 +-
 6 files changed, 23 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/645037b3/zeppelin-web/src/app/helium/helium.controller.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/app/helium/helium.controller.js 
b/zeppelin-web/src/app/helium/helium.controller.js
index 4728e08..043a9ad 100644
--- a/zeppelin-web/src/app/helium/helium.controller.js
+++ b/zeppelin-web/src/app/helium/helium.controller.js
@@ -150,7 +150,7 @@ export default function HeliumCtrl($scope, $rootScope, $sce,
               console.log('Failed to save order');
               BootstrapDialog.show({
                 title: 'Error on saving order ',
-                message: data.message,
+                message: _.escape(data.message),
               });
             });
           return false;
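Review bot: The escaping is applied one call site at a time — here and in the three later hunks of this file (@@ -244, @@ -261, @@ -276), plus the five other files in this commit — so any future `BootstrapDialog.show`/`alert` call that forgets `_.escape` reintroduces the injection. A small module-level wrapper, say `showDialog(title, message, opts)`, that applies `_.escape` to both fields before delegating to `BootstrapDialog.show`, with the authored `<div>` title at @@ -261 passed through an explicit raw option, would make the safe path the default rather than something each author has to remember. Note also that `_.escape(undefined)` yields `''`, so when the failure response carries no `message` the dialog is shown empty; `message: _.escape(data.message || 'unknown error'),` keeps the failure visible. The enclosing error callback starts outside the hunk.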
@@ -244,8 +244,8 @@ export default function HeliumCtrl($scope, $rootScope, $sce,
               confirm.close();
               console.log('Failed to enable package %o %o. %o', name, 
artifact, data);
               BootstrapDialog.show({
-                title: 'Error on enabling ' + name,
-                message: data.message,
+                title: 'Error on enabling ' + _.escape(name),
+                message: _.escape(data.message),
               });
             });
             return false;
@@ -261,7 +261,7 @@ export default function HeliumCtrl($scope, $rootScope, $sce,
       closeByBackdrop: false,
       closeByKeyboard: false,
       title: '<div style="font-weight: 300;">Do you want to disable Helium 
Package?</div>',
-      message: artifact,
+      message: _.escape(artifact),
       callback: function(result) {
         if (result) {
           confirm.$modalFooter.find('button').addClass('disabled');
@@ -276,8 +276,8 @@ export default function HeliumCtrl($scope, $rootScope, $sce,
             confirm.close();
             console.log('Failed to disable package %o. %o', name, data);
             BootstrapDialog.show({
-              title: 'Error on disabling ' + name,
-              message: data.message,
+              title: 'Error on disabling ' + _.escape(name),
+              message: _.escape(data.message),
             });
           });
           return false;

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/645037b3/zeppelin-web/src/app/interpreter/interpreter.controller.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/app/interpreter/interpreter.controller.js 
b/zeppelin-web/src/app/interpreter/interpreter.controller.js
index d220dba..ef6b8a5 100644
--- a/zeppelin-web/src/app/interpreter/interpreter.controller.js
+++ b/zeppelin-web/src/app/interpreter/interpreter.controller.js
@@ -508,7 +508,7 @@ function InterpreterCtrl($rootScope, $scope, $http, 
baseUrlSrv, ngToast, $timeou
       BootstrapDialog.alert({
         closable: true,
         title: 'Add interpreter',
-        message: 'Name ' + $scope.newInterpreterSetting.name + ' already 
exists',
+        message: 'Name ' + _.escape($scope.newInterpreterSetting.name) + ' 
already exists',
       });
       return;
     }
@@ -747,7 +747,7 @@ function InterpreterCtrl($rootScope, $scope, $http, 
baseUrlSrv, ngToast, $timeou
   $scope.showErrorMessage = function(setting) {
     BootstrapDialog.show({
       title: 'Error downloading dependencies',
-      message: setting.errorReason,
+      message: _.escape(setting.errorReason),
     });
   };
 
@@ -775,7 +775,7 @@ function InterpreterCtrl($rootScope, $scope, $http, 
baseUrlSrv, ngToast, $timeou
           window.open(res.data.body.url, '_blank');
         } else {
           BootstrapDialog.alert({
-            message: res.data.body.message,
+            message: _.escape(res.data.body.message),
           });
         }
       }).catch(function(res) {
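Review bot: On the success branch two lines above the new `_.escape`, `window.open(res.data.body.url, '_blank')` still passes what appears to be a value from the same server response straight to a navigation sink, which HTML escaping does not cover; if that URL is not validated elsewhere, restricting it to `http:`/`https:` and opening it with `window.open(url, '_blank', 'noopener')` is the analogous hardening for that line. The `_.escape(res.data.body.message)` change itself is correct. The enclosing `.then` callback and the `.catch` on the last line continue outside the hunk.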

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/645037b3/zeppelin-web/src/app/jobmanager/job/job.component.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/app/jobmanager/job/job.component.js 
b/zeppelin-web/src/app/jobmanager/job/job.component.js
index e6f102f..982fa28 100644
--- a/zeppelin-web/src/app/jobmanager/job/job.component.js
+++ b/zeppelin-web/src/app/jobmanager/job/job.component.js
@@ -94,7 +94,7 @@ class JobController {
     BootstrapDialog.alert({
       closable: true,
       title: title,
-      message: errorMessage,
+      message: _.escape(errorMessage),
     });
   }
 
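Review bot: `title: title` on the line above the new `_.escape(errorMessage)` is still passed unescaped; the method's head and the origin of `title` are outside the hunk, so if it is built from job or paragraph data rather than a fixed literal it needs the same treatment, `title: _.escape(title),`. If it is always a constant string, a short comment on that line, `// title is a fixed literal; message carries job data and is escaped`, would stop the asymmetry from reading as an oversight.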

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/645037b3/zeppelin-web/src/app/notebook/notebook.controller.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/app/notebook/notebook.controller.js 
b/zeppelin-web/src/app/notebook/notebook.controller.js
index 4c9de9c..ba88e3f 100644
--- a/zeppelin-web/src/app/notebook/notebook.controller.js
+++ b/zeppelin-web/src/app/notebook/notebook.controller.js
@@ -1010,7 +1010,7 @@ function NotebookCtrl($scope, $route, $routeParams, 
$location, $rootScope,
       closeByBackdrop: false,
       closeByKeyboard: false,
       title: '',
-      message: 'Do you want to restart ' + interpreter.name + ' interpreter?',
+      message: 'Do you want to restart ' + _.escape(interpreter.name) + ' 
interpreter?',
       callback: function(result) {
         if (result) {
           let payload = {
@@ -1031,7 +1031,7 @@ function NotebookCtrl($scope, $route, $routeParams, 
$location, $rootScope,
               console.log('Error %o %o', status, data.message);
               BootstrapDialog.show({
                 title: 'Error restart interpreter.',
-                message: data.message,
+                message: _.escape(data.message),
               });
             });
           return false;
@@ -1050,7 +1050,7 @@ function NotebookCtrl($scope, $route, $routeParams, 
$location, $rootScope,
         closable: false,
         title: 'Setting Owners Permissions',
         message: 'Please fill the [Owners] field. If not, it will set as 
current user.\n\n' +
-          'Current user : [ ' + $rootScope.ticket.principal + ']',
+          'Current user : [ ' + _.escape($rootScope.ticket.principal) + ']',
         buttons: [
           {
             label: 'Set',
@@ -1083,9 +1083,13 @@ function NotebookCtrl($scope, $route, $routeParams, 
$location, $rootScope,
         BootstrapDialog.alert({
           closable: true,
           title: 'Permissions Saved Successfully',
-          message: 'Owners : ' + $scope.permissions.owners + '\n\n' + 'Readers 
: ' +
-           $scope.permissions.readers + '\n\n' + 'Runners : ' + 
$scope.permissions.runners +
-           '\n\n' + 'Writers  : ' + $scope.permissions.writers,
+          message: 'Owners : ' + _.escape($scope.permissions.owners)
+          + '\n\n' +
+          'Readers : ' + _.escape($scope.permissions.readers) +
+          '\n\n' +
+          'Runners : ' + _.escape($scope.permissions.runners) +
+          '\n\n' +
+          'Writers  : ' + _.escape($scope.permissions.writers),
         });
         $scope.showPermissions = false;
       });
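Review bot: The rewritten concatenation places a leading `+` on its second line (`+ '\n\n' +`) while every other line in the expression uses a trailing `+`; moving it up, `message: 'Owners : ' + _.escape($scope.permissions.owners) + '\n\n' +`, keeps operator placement consistent with the rest of the file. Separately, `_.escape` here relies on lodash stringifying non-string input (an array becomes a comma-joined string), which matches what the old `+` concatenation produced, but a one-line comment stating that `owners`/`readers`/`runners`/`writers` may be arrays would make that intentional — their type is not visible in the hunk. The enclosing callback continues outside the hunk.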
@@ -1097,7 +1101,7 @@ function NotebookCtrl($scope, $route, $routeParams, 
$location, $rootScope,
         closeByBackdrop: false,
         closeByKeyboard: false,
         title: 'Insufficient privileges',
-        message: data.message,
+        message: _.escape(data.message),
         buttons: [
           {
             label: 'Login',

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/645037b3/zeppelin-web/src/components/note-action/note-action.service.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/components/note-action/note-action.service.js 
b/zeppelin-web/src/components/note-action/note-action.service.js
index d4bf6f0..83cb6df 100644
--- a/zeppelin-web/src/components/note-action/note-action.service.js
+++ b/zeppelin-web/src/components/note-action/note-action.service.js
@@ -139,7 +139,7 @@ function noteActionService(websocketMsgSrv, $location, 
noteRenameService, noteLi
             type: BootstrapDialog.TYPE_WARNING,
             closable: true,
             title: 'WARNING! The folder will be MERGED',
-            message: 'The folder will be merged into <strong>' + newFolderId + 
'</strong>. Are you sure?',
+            message: 'The folder will be merged into <strong>' + 
_.escape(newFolderId) + '</strong>. Are you sure?',
             callback: function(result) {
               if (result) {
                 websocketMsgSrv.renameFolder(folderId, newFolderId);
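Review bot: This is the one message in the commit that deliberately mixes authored markup (`<strong>`) with escaped data, and nothing marks that boundary for the next editor; a comment above the `message:` line such as `// message is rendered as HTML: keep the <strong> markup literal, escape every interpolated value` would keep a later change from either wrapping the whole string in `_.escape` (which would display the tags as text) or dropping the escape on `newFolderId`. The enclosing function continues outside the hunk.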

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/645037b3/zeppelin-web/src/components/websocket/websocket-event.factory.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/components/websocket/websocket-event.factory.js 
b/zeppelin-web/src/components/websocket/websocket-event.factory.js
index 18c704d..ca33263 100644
--- a/zeppelin-web/src/components/websocket/websocket-event.factory.js
+++ b/zeppelin-web/src/components/websocket/websocket-event.factory.js
@@ -150,7 +150,7 @@ function WebsocketEventFactory($rootScope, $websocket, 
$location, baseUrlSrv) {
         closeByBackdrop: false,
         closeByKeyboard: false,
         title: 'Details',
-        message: data.info.toString(),
+        message: _.escape(data.info.toString()),
         buttons: [{
           // close all the dialogs when there are error on running all 
paragraphs
           label: 'Close',
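Review bot: `_.escape(data.info.toString())` still throws a TypeError when `data.info` is null or undefined, because `.toString()` runs before lodash sees the value; `message: _.escape(data.info),` produces the same text for strings, numbers and plain objects (lodash stringifies them) and yields `''` instead of throwing when the field is absent. Whether `info` can be missing on this event is not visible in the hunk, so confirm against the server-side message shape before relying on that fallback. The enclosing handler continues outside the hunk.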
