Files
@ c7728c5736fd
Branch filter:
Location: kallithea/scripts/make-release - annotation
c7728c5736fd
2.4 KiB
text/plain
templates: narrow down scope of webhelpers.html.literal for HTML injection
When using webhelpers.html.literal to inject some explicit HTML code with
some variable data, there are two approaches:
h.literal('some <html> code with %s data' % foobar)
or
h.literal('some <html> code with %s data') % foobar
In the first case, the literal also applies to the contents of variable
'foobar' which may be influenceable by users and thus potentially malicious.
In the second case, this term will be escaped by webhelpers.
See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html#webhelpers.html.builder.literal
"Also, if you add another string to this string, the other string will
be quoted and you will get back another literal object. Also
literal(...) % obj will quote any value(s) from obj."
In files_browser.html, the correction of this scope of literal() also means
that explicit escaping of node.name can be removed. The escaping is now done
automatically by webhelpers as mentioned above.
When using webhelpers.html.literal to inject some explicit HTML code with
some variable data, there are two approaches:
h.literal('some <html> code with %s data' % foobar)
or
h.literal('some <html> code with %s data') % foobar
In the first case, the literal also applies to the contents of variable
'foobar' which may be influenceable by users and thus potentially malicious.
In the second case, this term will be escaped by webhelpers.
See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html#webhelpers.html.builder.literal
"Also, if you add another string to this string, the other string will
be quoted and you will get back another literal object. Also
literal(...) % obj will quote any value(s) from obj."
In files_browser.html, the correction of this scope of literal() also means
that explicit escaping of node.name can be removed. The escaping is now done
automatically by webhelpers as mentioned above.
d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa d06c0566cb23 d06c0566cb23 e4452268c09f d06c0566cb23 d06c0566cb23 dba4e770d4b6 d06c0566cb23 d06c0566cb23 d4f66ca15110 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 b70ad5c7e706 b70ad5c7e706 d06c0566cb23 d06c0566cb23 d06c0566cb23 d4f66ca15110 d4f66ca15110 d06c0566cb23 d4f66ca15110 d4f66ca15110 d4f66ca15110 d06c0566cb23 d4f66ca15110 d4f66ca15110 d06c0566cb23 dba4e770d4b6 d06c0566cb23 d06c0566cb23 cf81d586cf07 d06c0566cb23 08de75df7775 08de75df7775 08de75df7775 d06c0566cb23 d4f66ca15110 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d4f66ca15110 d06c0566cb23 d4f66ca15110 d06c0566cb23 d06c0566cb23 d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 d06c0566cb23 d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 d06c0566cb23 e4452268c09f d06c0566cb23 | #!/bin/bash
set -e
set -x
cleanup()
{
echo "Removing venv $venv"
rm -rf "$venv"
}
echo "Checking that you are NOT inside a virtualenv"
[ -z "$VIRTUAL_ENV" ]
venv=$(mktemp -d --tmpdir kallithea-release-XXXXX)
trap cleanup EXIT
echo "Setting up a fresh virtualenv in $venv"
virtualenv -p python2 "$venv"
. "$venv/bin/activate"
echo "Install/verify tools needed for building and uploading stuff"
pip install --upgrade -e .
pip install --upgrade -r dev_requirements.txt twine
echo "Cleanup and update copyrights ... and clean checkout"
scripts/run-all-cleanup
scripts/update-copyrights.py
hg up -cr .
echo "Make release build from clean checkout in build/"
rm -rf build dist
hg archive build
cd build
echo "Check that each entry in MANIFEST.in match something"
sed -e 's/[^ ]*[ ]*\([^ ]*\).*/\1/g' MANIFEST.in | xargs ls -lad
echo "Build dist"
python2 setup.py compile_catalog
python2 setup.py sdist
echo "Verify VERSION from kallithea/__init__.py"
namerel=$(cd dist && echo Kallithea-*.tar.gz)
namerel=${namerel%.tar.gz}
version=${namerel#Kallithea-}
ls -l $(pwd)/dist/$namerel.tar.gz
echo "Releasing Kallithea $version in directory $namerel"
echo "Verify dist file content"
diff -u <((hg mani | grep -v '^\.hg') | LANG=C sort) <(tar tf dist/Kallithea-$version.tar.gz | sed "s|^$namerel/||" | grep . | grep -v '^kallithea/i18n/.*/LC_MESSAGES/kallithea.mo$\|^Kallithea.egg-info/\|^PKG-INFO$\|/$' | LANG=C sort)
echo "Verify docs build"
python2 setup.py build_sphinx # the results are not actually used, but we want to make sure it builds
echo "Shortlog for inclusion in the release announcement"
scripts/shortlog.py "only('.', branch('stable') & tagged() & public() & not '.')"
cat - << EOT
Now, make sure
* all tests are passing
* release note is ready
* announcement is ready
* source has been pushed to https://kallithea-scm.org/repos/kallithea
EOT
echo "Verify current revision is tagged for $version"
hg log -r "'$version'&." | grep .
echo -n "Enter \"pypi\" to upload Kallithea $version to pypi: "
read answer
[ "$answer" = "pypi" ]
echo "Rebuild readthedocs for docs.kallithea-scm.org"
xdg-open https://readthedocs.org/projects/kallithea/
curl -X POST http://readthedocs.org/build/kallithea
xdg-open https://readthedocs.org/builds/kallithea/
xdg-open http://docs.kallithea-scm.org/en/latest/ # or whatever the branch is
twine upload dist/*
xdg-open https://pypi.python.org/pypi/Kallithea
|