This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/syntax_escaping
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 919ab928c5907a24a97e308df261b6d0dc6f8293
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Tue Dec 19 14:06:20 2023 -0500

    improve JS syntax and escaping
---
 Allura/allura/ext/admin/templates/project_trove.html          | 2 +-
 Allura/allura/lib/widgets/forms.py                            | 7 ++-----
 Allura/allura/lib/widgets/resources/js/post.js                | 6 +++---
 Allura/allura/public/nf/js/site_admin_new_projects.js         | 2 +-
 ForgeTracker/forgetracker/templates/tracker/ticket.html       | 2 +-
 ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js   | 4 ++--
 ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js | 2 +-
 7 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/Allura/allura/ext/admin/templates/project_trove.html 
b/Allura/allura/ext/admin/templates/project_trove.html
index e93aac4f5..0d1a9da78 100644
--- a/Allura/allura/ext/admin/templates/project_trove.html
+++ b/Allura/allura/ext/admin/templates/project_trove.html
@@ -130,7 +130,7 @@
                     insertAfter = this;
                 }
               });
-              var $newItem = $('<div><span 
class="trove_fullpath">'+resp.trove_full_path+'</span> <form 
class="trove_deleter"><input type="hidden" name="type" value="'+type+'"><input 
type="hidden" name="trove" value="'+new_id+'">'+del_btn+'</form></div>');
+              var $newItem = $('<div><span 
class="trove_fullpath">'+escape_html(resp.trove_full_path)+'</span> <form 
class="trove_deleter"><input type="hidden" name="type" 
value="'+escape_html(type)+'"><input type="hidden" name="trove" 
value="'+escape_html(new_id)+'">'+del_btn+'</form></div>');
               if (insertAfter) {
                 $newItem.insertAfter(insertAfter);
               } else {
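Review bot: `del_btn` is the one interpolated value on the new line that is still concatenated into the markup raw; if it is server-rendered button HTML that is intended, but nothing in the hunk shows where it comes from. Either escape it as well, `'+escape_html(del_btn)+'`, if it is plain text, or record the assumption next to the line with `// del_btn is trusted server-rendered markup; every other interpolated value is escaped`. `type` and `new_id` now land inside double-quoted `value` attributes, so this relies on `escape_html` also converting `"` — worth confirming against its definition, which is not visible here. The success handler this line belongs to starts above the hunk.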
diff --git a/Allura/allura/lib/widgets/forms.py 
b/Allura/allura/lib/widgets/forms.py
index 0ac373b2d..5252819e1 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -16,7 +16,7 @@
 #       under the License.
 
 import logging
-import warnings
+from html import escape as html_escape
 
 from tg import app_globals as g, tmpl_context as c
 from formencode import validators as fev
@@ -35,8 +35,6 @@ from allura.lib import plugin
 from allura.lib.widgets import form_fields as ffw
 from allura.lib import exceptions as forge_exc
 from allura import model as M
-import six
-from functools import reduce
 
 
 log = logging.getLogger(__name__)
@@ -104,8 +102,7 @@ class ForgeForm(ew.SimpleForm):
             or ctx.get('label')
             or getattr(field, 'label', None)
             or ctx['name'])
-        html = '<label for="{}">{}</label>'.format(
-            ctx['id'], label_text)
+        html = '<label for="{}">{}</label>'.format(html_escape(ctx['id']), 
html_escape(label_text))
         return Markup(html)
 
     def context_for(self, field):
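Review bot: `html_escape` on the new `html = ...` line will double-escape a label that is already a `Markup` value, because `html.escape` treats it as a plain `str` and ignores `__html__`; if any caller supplies a pre-rendered label through `ctx.get('label')` or `field.label`, it now renders as literal `&lt;...&gt;`. Since `Markup` is already in scope for the return, `html = Markup('<label for="{}">{}</label>').format(ctx['id'], label_text)` escapes both arguments through markupsafe, which honours `__html__`, and makes the new `html_escape` import unnecessary. Whether any label is actually passed as `Markup` is not visible in this hunk; the method's signature lies above it.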
diff --git a/Allura/allura/lib/widgets/resources/js/post.js 
b/Allura/allura/lib/widgets/resources/js/post.js
index 6103944eb..d23c6af9c 100644
--- a/Allura/allura/lib/widgets/resources/js/post.js
+++ b/Allura/allura/lib/widgets/resources/js/post.js
@@ -76,8 +76,8 @@
                     } else if (data.username) {
                         flash('User blocked', 'success');
                         // full page form submit
-                        $('<form method="POST" action="' + 
$this.data('discussion-url')+'moderate/save_moderation_bulk_user?username=' + 
$this.attr('data-user') + '&spam=1">' +
-                            '<input name="_session_id" type="hidden" 
value="'+cval+'"></form>')
+                        $('<form method="POST" action="' + 
escape_html($this.data('discussion-url'))+'moderate/save_moderation_bulk_user?username='
 + escape_html($this.attr('data-user')) + '&spam=1">' +
+                            '<input name="_session_id" type="hidden" 
value="'+escape_html(cval)+'"></form>')
                             .appendTo('body')
                             .submit();
                     } else {
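Review bot: The username is interpolated into the query string of the form action, so the right transform for that segment is URL-encoding, not HTML-escaping: a `data-user` value containing `&`, `=`, `#` or `%` still reshapes the query after `escape_html`. Use `encodeURIComponent($this.attr('data-user'))` there; its output contains none of `<>&"'`, so no further HTML escaping is needed, while `escape_html` remains correct for the `discussion-url` prefix and the `cval` attribute value. An alternative that avoids string-built markup entirely is `$('<form>', {method: 'POST', action: url})` with `$('<input>', {name: '_session_id', type: 'hidden', value: cval})`, which sets attributes through the DOM. The enclosing handler starts above the hunk.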
@@ -162,4 +162,4 @@
             });
         }
     });
-}());
\ No newline at end of file
+}());
diff --git a/Allura/allura/public/nf/js/site_admin_new_projects.js 
b/Allura/allura/public/nf/js/site_admin_new_projects.js
index 302f4f7ef..b2798a5aa 100644
--- a/Allura/allura/public/nf/js/site_admin_new_projects.js
+++ b/Allura/allura/public/nf/js/site_admin_new_projects.js
@@ -35,7 +35,7 @@ $(document).ready(function() {
   $('.js-select-project').change(function() {
     var shortname = $(this).attr('data-shortname');
     if ($(this).is(':checked')) {
-      $('#selected-projects').append(' ' + shortname);
+      $('#selected-projects').append(' ' + escape_html(shortname));
     } else {
       var shortnames = $('#selected-projects').text().split(' ');
       for (var i = 0; i < shortnames.length; i++) {
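Review bot: Appending a string still routes the shortname through jQuery's HTML parser, so this line is only safe if `escape_html` is defined on this page, which the hunk does not show. Appending a text node sidesteps the parse and the dependency: `$('#selected-projects').append(document.createTextNode(' ' + shortname));`, and it keeps the read-back via `.text().split(' ')` in the else branch symmetric. The change handler continues below the hunk.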
diff --git a/ForgeTracker/forgetracker/templates/tracker/ticket.html 
b/ForgeTracker/forgetracker/templates/tracker/ticket.html
index 9136127f5..e17020bf7 100644
--- a/ForgeTracker/forgetracker/templates/tracker/ticket.html
+++ b/ForgeTracker/forgetracker/templates/tracker/ticket.html
@@ -228,7 +228,7 @@
             view_holder.show();
             discussion_holder.show();
             ticket_content.show();
-            title_holder.find('span').html(original_title_text)
+            title_holder.find('span').text(original_title_text);
             title_actions.appendTo(title_holder);
             title_actions.show();
             vote.show();
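Review bot: Switching the restore to `.text()` is only correct if `original_title_text` was captured as text; if it was read with `.html()` earlier in this script (outside the hunk), entities such as `&amp;` in a ticket title would now be displayed literally after cancelling the edit. Worth confirming the capture site matches and recording it on the line: `// original_title_text was captured with .text(); restore with .text() so it is never re-parsed as HTML`. The enclosing function starts above the hunk.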
diff --git a/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js 
b/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
index 35d91aa92..886f973ef 100644
--- a/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
+++ b/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
@@ -19,10 +19,10 @@
 
 $(function(){
     $form = $('#update-values');
-    if ($form.length == 0) {
+    if ($form.length === 0) {
         $form = $('.editbox > form');
     }
-    if ($('#id_search').length == 0) {
+    if ($('#id_search').length === 0) {
         $form.append('<input type="hidden" name="__search" id="id_search">');
     }
     $('#id_search').val(window.location.search);
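Review bot: `$form = $('#update-values');` on the first line of the hunk assigns without `var`, so `$form` becomes an implicit global (and throws under strict mode); since this commit is tightening syntax, `var $form = $('#update-values');` belongs with the `===` changes. The ready callback continues below the hunk.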
diff --git a/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js 
b/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js
index 5c0a3f687..a11f858df 100644
--- a/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js
+++ b/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js
@@ -46,7 +46,7 @@
                           '&filter=' + 
encodeURIComponent(JSON.stringify(filter));
         // preserve displayed columns, when filter changes
         $('#col_list_form input').each(function() {
-            if (this.name.indexOf('columns-') == 0) {
+            if (this.name.indexOf('columns-') === 0) {
                 var inp = $(this);
                 var val = inp.val();
                 if (inp.is(':checkbox') && !inp.is(':checked')) { val = ''; }
