Changeset - 12e7421e0469
Mads Kiilerich - 10 years ago 2016-01-20 01:47:11
madski@unity3d.com
comments: avoid js string formatting of html template from DOM - avoid insecure naming

Multiple inline comment forms were only distinguished by the line number - not
by the filename.

Instead, keep it simple: avoid trying to assign "globally" unique names, and
use jQuery to find the elements.
2 files changed with 10 insertions and 12 deletions:
0 comments (0 inline, 0 general)
kallithea/public/js/base.js
 
@@ -674,33 +674,36 @@ function comment_div_state($comment_div,
 
// append an Add button to $comment_div and hook it up to show form
 
function _comment_div_append_add($comment_div, f_path, line_no) {
 
    var addlabel = TRANSLATION_MAP['Add Another Comment'];
 
    var $add = $('<div class="add-button-row"><span class="btn btn-mini add-button">{0}</span></div>'.format(addlabel));
 
    $comment_div.append($add);
 
    $add.children('.add-button').click(function(e) {
 
        comment_div_state($comment_div, f_path, line_no, true);
 
    });
 
}
 

	
 
// append a comment form to $comment_div
 
function _comment_div_append_form($comment_div, f_path, line_no) {
 
    var $form_div = $($('#comment-inline-form-template').html().format(f_path, line_no))
 
    var $form_div = $('#comment-inline-form-template').children()
 
        .clone()
 
        .addClass('comment-inline-form');
 
    $comment_div.append($form_div);
 
    var $form = $comment_div.find("form");
 
    var $textarea = $form.find('textarea');
 
    var $mentions_container = $form.find('div.mentions-container');
 

	
 
    $form.submit(function(e) {
 
        e.preventDefault();
 

	
 
        var text = $('#text_'+line_no).val();
 
        var text = $textarea.val();
 
        if (!text){
 
            return;
 
        }
 

	
 
        $form.find('.submitting-overlay').show();
 

	
 
        var success = function(json_data) {
 
            $comment_div.append(json_data['rendered_text']);
 
            comment_div_state($comment_div, f_path, line_no, false);
 
            linkInlineComments($('.firstlink'), $('.comment:first-child'));
 
        };
 
        var postData = {
 
@@ -710,27 +713,26 @@ function _comment_div_append_form($comme
 
        };
 
        ajaxPOST(AJAX_COMMENT_URL, postData, success);
 
    });
 

	
 
    // create event for hide button
 
    $form.find('.hide-inline-form').click(function(e) {
 
        comment_div_state($comment_div, f_path, line_no, false);
 
    });
 

	
 
    setTimeout(function() {
 
        // callbacks
 
        tooltip_activate();
 
        MentionsAutoComplete($('#text_'+line_no), $('#mentions_container_'+line_no),
 
                             _USERS_AC_DATA);
 
        $('#text_'+line_no).focus();
 
        MentionsAutoComplete($textarea, $mentions_container, _USERS_AC_DATA);
 
        $textarea.focus();
 
    }, 10);
 
}
 

	
 

	
 
function deleteComment(comment_id) {
 
    var url = AJAX_COMMENT_DELETE_URL.replace('__COMMENT_ID__', comment_id);
 
    var postData = {'_method': 'delete'};
 
    var success = function(o) {
 
        $('#comment-'+comment_id).remove();
 
        // Ignore that this might leave a stray Add button (or have a pending form with another comment) ...
 
    }
 
    ajaxPOST(url, postData, success);
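Review bot: The cloned template no longer carries the hidden `f_path` and `line` inputs (this commit removes them from changeset_file_comment.html), so the `postData` literal that starts at `var postData = {` in the first hunk must now supply `f_path` and `line_no` from the closure itself; its body lies outside the hunk, so I cannot confirm it does, and if it still relies on the form's inputs the inline comment would be posted without a location. In the same hunk, `$form` is still looked up on `$comment_div` rather than on the freshly cloned `$form_div`; `var $form = $form_div.find('form');` would tie `$textarea` and `$mentions_container` to the element this call appended, instead of to whatever form happens to be inside `$comment_div`. The `// append a comment form to $comment_div` header could also say why the template is cloned: `// clone the hidden template instead of string-formatting its HTML, so f_path/line_no never pass through markup`.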
kallithea/templates/changeset/changeset_file_comment.html
 
@@ -39,42 +39,38 @@
 
             </p>
 
           </div>
 
        %endif
 
        %if co.text:
 
          ${h.render_w_mentions(co.text, c.repo_name)|n}
 
        %endif
 
      </div>
 
    </div>
 
  </div>
 
</%def>
 

	
 

	
 
## expanded with .format(f_path, line_no)
 
## TODO: don't assume line_no is globally unique ...
 
<%def name="comment_inline_form()">
 
<div id='comment-inline-form-template' style="display:none">
 
  <div class="ac">
 
  %if c.authuser.username != 'default':
 
    ${h.form('#', class_='inline-form')}
 
      <div class="clearfix">
 
        <div class="comment-help">${_('Commenting on line {1}.')}
 
        <div class="comment-help">${_('Commenting on line.')}
 
          <span style="color:#577632" class="tooltip">${_('Comments are in plain text. Use @username inside this text to notify another user.')|n}</span>
 
        </div>
 
        <div class="mentions-container" id="mentions_container_{1}"></div>
 
        <textarea id="text_{1}" name="text" class="comment-block-ta yui-ac-input"></textarea>
 
        <div class="mentions-container"></div>
 
        <textarea name="text" class="comment-block-ta yui-ac-input"></textarea>
 
      </div>
 
      <div class="comment-button">
 
        <div class="submitting-overlay">${_('Submitting ...')}</div>
 
        <input type="hidden" name="f_path" value="{0}">
 
        <input type="hidden" name="line" value="{1}">
 
        ${h.submit('save', _('Comment'), class_='btn btn-small save-inline-form')}
 
        ${h.reset('hide-inline-form', _('Cancel'), class_='btn btn-small hide-inline-form')}
 
      </div>
 
    ${h.end_form()}
 
  %else:
 
      ${h.form('')}
 
      <div class="clearfix">
 
          <div class="comment-help">
 
            ${_('You need to be logged in to comment.')} <a href="${h.url('login_home', came_from=request.path_qs)}">${_('Login now')}</a>
 
          </div>
 
      </div>
 
      <div class="comment-button">
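Review bot: The two `##` comments that documented how this template is consumed are deleted without a replacement, yet the new contract is stricter than the old one: `_comment_div_append_form` in base.js now clones `children()` of `#comment-inline-form-template`, so the clone can exist several times on the page and nothing inside it may carry an `id` attribute (the commit removes `text_{1}` and `mentions_container_{1}`, but nothing stops them being reintroduced). Suggest replacing the removed lines with `## Cloned (not .format()ed) by _comment_div_append_form() in base.js; it may appear` / `## many times per page, so no element inside this template may have an id.`. Since only the children are cloned, the outer `comment-inline-form-template` id is the one that may stay, which the comment could also note.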