Changeset - 12e7421e0469
Parent rev.
Child rev.
[Not reviewed]
default
0 2 0
Mads Kiilerich - 10 years ago 2016-01-20 01:47:11
madski@unity3d.com
comments: avoid js string formatting of html template from DOM - avoid insecure naming

Multiple inline comment forms were only distinguished by the line number - not
by the filename.

Instead, just keep it simple and avoid trying to assign "globally" unique names
and use jQuery instead.
2 files changed with 10 insertions and 12 deletions:
kallithea/public/js/base.js
7
5
kallithea/templates/changeset/changeset_file_comment.html
3
7
0 comments (0 inline, 0 general)
kallithea/public/js/base.js
Show inline comments
 
@@ -638,135 +638,137 @@ function show_comment_form($bubble) {
 
    var f_path = $bubble.closest('div.full_f_path').data('f_path');
 
    var parts = line_td_id.split('_');
 
    var line_no = parts[parts.length-1];
 
    comment_div_state($comment_div, f_path, line_no, true);
 
}
 

			




	
	
	
		
 
// return comment div for target_id - add it if it doesn't exist yet

			




	
	
	
		
 
function _get_add_comment_div(target_id) {

			




	
	
	
		
 
    var comments_box_id = 'comments-' + target_id;

			




	
	
	
		
 
    var $comments_box = $('#' + comments_box_id);

			




	
	
	
		
 
    if (!$comments_box.length) {

			




	
	
	
		
 
        var html = '<tr><td id="{0}" colspan="3" class="inline-comments"></td></tr>'.format(comments_box_id);

			




	
	
	
		
 
        $('#' + target_id).closest('tr').after(html);

			




	
	
	
		
 
        $comments_box = $('#' + comments_box_id);

			




	
	
	
		
 
    }

			




	
	
	
		
 
    return $comments_box;

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
// set $comment_div state - showing or not showing form and Add button

			




	
	
	
		
 
function comment_div_state($comment_div, f_path, line_no, show_form) {

			




	
	
	
		
 
    var $forms = $comment_div.children('.comment-inline-form');

			




	
	
	
		
 
    var $buttonrow = $comment_div.children('.add-button-row');

			




	
	
	
		
 
    var $comments = $comment_div.children('.comment');

			




	
	
	
		
 
    if (show_form) {

			




	
	
	
		
 
        if (!$forms.length) {

			




	
	
	
		
 
            _comment_div_append_form($comment_div, f_path, line_no);

			




	
	
	
		
 
        }

			




	
	
	
		
 
    } else {

			




	
	
	
		
 
        $forms.remove();

			




	
	
	
		
 
    }

			




	
	
	
		
 
    $buttonrow.remove();

			




	
	
	
		
 
    if ($comments.length && !show_form) {

			




	
	
	
		
 
        _comment_div_append_add($comment_div, f_path, line_no);

			




	
	
	
		
 
    }

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
// append an Add button to $comment_div and hook it up to show form

			




	
	
	
		
 
function _comment_div_append_add($comment_div, f_path, line_no) {

			




	
	
	
		
 
    var addlabel = TRANSLATION_MAP['Add Another Comment'];

			




	
	
	
		
 
    var $add = $('<div class="add-button-row"><span class="btn btn-mini add-button">{0}</span></div>'.format(addlabel));

			




	
	
	
		
 
    $comment_div.append($add);

			




	
	
	
		
 
    $add.children('.add-button').click(function(e) {

			




	
	
	
		
 
        comment_div_state($comment_div, f_path, line_no, true);

			




	
	
	
		
 
    });

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
// append a comment form to $comment_div

			




	
	
	
		
 
function _comment_div_append_form($comment_div, f_path, line_no) {

			




	
	
	
		
 
    var $form_div = $($('#comment-inline-form-template').html().format(f_path, line_no))

			




	
	
	
		
 
    var $form_div = $('#comment-inline-form-template').children()

			




	
	
	
		
 
        .clone()

			




	
	
	
		
 
        .addClass('comment-inline-form');

			




	
	
	
		
 
    $comment_div.append($form_div);

			




	
	
	
		
 
    var $form = $comment_div.find("form");

			




	
	
	
		
 
    var $textarea = $form.find('textarea');

			




	
	
	
		
 
    var $mentions_container = $form.find('div.mentions-container');

			




	
	
	
		
 

			




	
	
	
		
 
    $form.submit(function(e) {

			




	
	
	
		
 
        e.preventDefault();

			




	
	
	
		
 

			




	
	
	
		
 
        var text = $('#text_'+line_no).val();

			




	
	
	
		
 
        var text = $textarea.val();

			




	
	
	
		
 
        if (!text){

			




	
	
	
		
 
            return;

			




	
	
	
		
 
        }

			




	
	
	
		
 

			




	
	
	
		
 
        $form.find('.submitting-overlay').show();

			




	
	
	
		
 

			




	
	
	
		
 
        var success = function(json_data) {

			




	
	
	
		
 
            $comment_div.append(json_data['rendered_text']);

			




	
	
	
		
 
            comment_div_state($comment_div, f_path, line_no, false);

			




	
	
	
		
 
            linkInlineComments($('.firstlink'), $('.comment:first-child'));

			




	
	
	
		
 
        };

			




	
	
	
		
 
        var postData = {

			




	
	
	
		
 
            'text': text,

			




	
	
	
		
 
            'f_path': f_path,

			




	
	
	
		
 
            'line': line_no

			




	
	
	
		
 
        };

			




	
	
	
		
 
        ajaxPOST(AJAX_COMMENT_URL, postData, success);

			




	
	
	
		
 
    });

			




	
	
	
		
 

			




	
	
	
		
 
    // create event for hide button

			




	
	
	
		
 
    $form.find('.hide-inline-form').click(function(e) {

			




	
	
	
		
 
        comment_div_state($comment_div, f_path, line_no, false);

			




	
	
	
		
 
    });

			




	
	
	
		
 

			




	
	
	
		
 
    setTimeout(function() {

			




	
	
	
		
 
        // callbacks

			




	
	
	
		
 
        tooltip_activate();

			




	
	
	
		
 
        MentionsAutoComplete($('#text_'+line_no), $('#mentions_container_'+line_no),

			




	
	
	
		
 
                             _USERS_AC_DATA);

			




	
	
	
		
 
        $('#text_'+line_no).focus();

			




	
	
	
		
 
        MentionsAutoComplete($textarea, $mentions_container, _USERS_AC_DATA);

			




	
	
	
		
 
        $textarea.focus();

			




	
	
	
		
 
    }, 10);

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
function deleteComment(comment_id) {

			




	
	
	
		
 
    var url = AJAX_COMMENT_DELETE_URL.replace('__COMMENT_ID__', comment_id);

			




	
	
	
		
 
    var postData = {'_method': 'delete'};

			




	
	
	
		
 
    var success = function(o) {

			




	
	
	
		
 
        $('#comment-'+comment_id).remove();

			




	
	
	
		
 
        // Ignore that this might leave a stray Add button (or have a pending form with another comment) ...

			




	
	
	
		
 
    }

			




	
	
	
		
 
    ajaxPOST(url, postData, success);

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
/**

			




	
	
	
		
 
 * Double link comments

			




	
	
	
		
 
 */

			




	
	
	
		
 
var linkInlineComments = function($firstlinks, $comments){

			




	
	
	
		
 
    if ($comments.length > 0) {

			




	
	
	
		
 
        $firstlinks.html('<a href="#{0}">First comment</a>'.format($comments.prop('id')));

			




	
	
	
		
 
    }

			




	
	
	
		
 
    if ($comments.length <= 1) {

			




	
	
	
		
 
        return;

			




	
	
	
		
 
    }

			




	
	
	
		
 

			




	
	
	
		
 
    $comments.each(function(i, e){

			




	
	
	
		
 
            var prev = '';

			




	
	
	
		
 
            if (i > 0){

			




	
	
	
		
 
                var prev_anchor = $($comments.get(i-1)).prop('id');

			




	
	
	
		
 
                prev = '<a href="#{0}">Previous comment</a>'.format(prev_anchor);

			




	
	
	
		
 
            }

			




	
	
	
		
 
            var next = '';

			




	
	
	
		
 
            if (i+1 < $comments.length){

			




	
	
	
		
 
                var next_anchor = $($comments.get(i+1)).prop('id');

			




	
	
	
		
 
                next = '<a href="#{0}">Next comment</a>'.format(next_anchor);

			




	
	
	
		
 
            }

			




	
	
	
		
 
            $(this).find('.comment-prev-next-links').html(

			




	
	
	
		
 
                '<div class="prev-comment">{0}</div>'.format(prev) +

			




	
	
	
		
 
                '<div class="next-comment">{0}</div>'.format(next));

			




	
	
	
		
 
        });

			




	
	
	
		
 
}

			




	
	
	
		
 

			




	
	
	
		
 
/* activate files.html stuff */

			




	
	
	
		
 
var fileBrowserListeners = function(current_url, node_list_url, url_base){

			




	
	
	
		
 
    var current_url_branch = "?branch=__BRANCH__";

			




	
	
	
		
 

			




	
	
	
		
 
    $('#stay_at_branch').on('click',function(e){

			




        

    


    
    

    

        

                

                    kallithea/templates/changeset/changeset_file_comment.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -3,114 +3,110 @@

			




	
	
	
		
 
## <%namespace name="comment" file="/changeset/changeset_file_comment.html"/>

			




	
	
	
		
 
## ${comment.comment_block(co)}

			




	
	
	
		
 
##

			




	
	
	
		
 
<%def name="comment_block(co)">

			




	
	
	
		
 
  <div class="comment" id="comment-${co.comment_id}" line="${co.line_no}">

			




	
	
	
		
 
    <div class="comment-prev-next-links"></div>

			




	
	
	
		
 
    <div class="comment-wrapp">

			




	
	
	
		
 
      <div class="meta">

			




	
	
	
		
 
          <div style="float:left">

			




	
	
	
		
 
               ${h.gravatar(co.author.email, size=20)}

			




	
	
	
		
 
          </div>

			




	
	
	
		
 
          <div class="user">

			




	
	
	
		
 
              ${co.author.full_name_and_username}

			




	
	
	
		
 
          </div>

			




	
	
	
		
 

			




	
	
	
		
 
          <span>

			




	
	
	
		
 
              ${h.age(co.modified_at)}

			




	
	
	
		
 
              %if co.pull_request:

			




	
	
	
		
 
                ${_('on pull request')}

			




	
	
	
		
 
                <a href="${co.pull_request.url()}">"${co.pull_request.title or _("No title")}"</a>

			




	
	
	
		
 
              %else:

			




	
	
	
		
 
                ${_('on this changeset')}

			




	
	
	
		
 
              %endif

			




	
	
	
		
 
              <a class="permalink" href="${co.url()}">&para;</a>

			




	
	
	
		
 
          </span>

			




	
	
	
		
 

			




	
	
	
		
 
          %if h.HasPermissionAny('hg.admin')() or h.HasRepoPermissionAny('repository.admin')(c.repo_name) or co.author.user_id == c.authuser.user_id:

			




	
	
	
		
 
            <div onClick="confirm('${_("Delete comment?")}') && deleteComment(${co.comment_id})" class="buttons delete-comment btn btn-mini">${_('Delete')}</div>

			




	
	
	
		
 
          %endif

			




	
	
	
		
 
      </div>

			




	
	
	
		
 
      <div class="text">

			




	
	
	
		
 
        %if co.status_change:

			




	
	
	
		
 
           <div class="automatic-comment">

			




	
	
	
		
 
             <p>

			




	
	
	
		
 
               <span title="${_('Changeset status')}" class="changeset-status-lbl">${_("Status change")}: ${co.status_change[0].status_lbl}</span>

			




	
	
	
		
 
               <span class="changeset-status-ico"><i class="icon-circle changeset-status-${co.status_change[0].status}"></i></span>

			




	
	
	
		
 
             </p>

			




	
	
	
		
 
           </div>

			




	
	
	
		
 
        %endif

			




	
	
	
		
 
        %if co.text:

			




	
	
	
		
 
          ${h.render_w_mentions(co.text, c.repo_name)|n}

			




	
	
	
		
 
        %endif

			




	
	
	
		
 
      </div>

			




	
	
	
		
 
    </div>

			




	
	
	
		
 
  </div>

			




	
	
	
		
 
</%def>

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
## expanded with .format(f_path, line_no)

			




	
	
	
		
 
## TODO: don't assume line_no is globally unique ...

			




	
	
	
		
 
<%def name="comment_inline_form()">

			




	
	
	
		
 
<div id='comment-inline-form-template' style="display:none">

			




	
	
	
		
 
  <div class="ac">

			




	
	
	
		
 
  %if c.authuser.username != 'default':

			




	
	
	
		
 
    ${h.form('#', class_='inline-form')}

			




	
	
	
		
 
      <div class="clearfix">

			




	
	
	
		
 
        <div class="comment-help">${_('Commenting on line {1}.')}

			




	
	
	
		
 
        <div class="comment-help">${_('Commenting on line.')}

			




	
	
	
		
 
          <span style="color:#577632" class="tooltip">${_('Comments are in plain text. Use @username inside this text to notify another user.')|n}</span>

			




	
	
	
		
 
        </div>

			




	
	
	
		
 
        <div class="mentions-container" id="mentions_container_{1}"></div>

			




	
	
	
		
 
        <textarea id="text_{1}" name="text" class="comment-block-ta yui-ac-input"></textarea>

			




	
	
	
		
 
        <div class="mentions-container"></div>

			




	
	
	
		
 
        <textarea name="text" class="comment-block-ta yui-ac-input"></textarea>

			




	
	
	
		
 
      </div>

			




	
	
	
		
 
      <div class="comment-button">

			




	
	
	
		
 
        <div class="submitting-overlay">${_('Submitting ...')}</div>

			




	
	
	
		
 
        <input type="hidden" name="f_path" value="{0}">

			




	
	
	
		
 
        <input type="hidden" name="line" value="{1}">

			




	
	
	
		
 
        ${h.submit('save', _('Comment'), class_='btn btn-small save-inline-form')}

			




	
	
	
		
 
        ${h.reset('hide-inline-form', _('Cancel'), class_='btn btn-small hide-inline-form')}

			




	
	
	
		
 
      </div>

			




	
	
	
		
 
    ${h.end_form()}

			




	
	
	
		
 
  %else:

			




	
	
	
		
 
      ${h.form('')}

			




	
	
	
		
 
      <div class="clearfix">

			




	
	
	
		
 
          <div class="comment-help">

			




	
	
	
		
 
            ${_('You need to be logged in to comment.')} <a href="${h.url('login_home', came_from=request.path_qs)}">${_('Login now')}</a>

			




	
	
	
		
 
          </div>

			




	
	
	
		
 
      </div>

			




	
	
	
		
 
      <div class="comment-button">

			




	
	
	
		
 
      ${h.reset('hide-inline-form', _('Hide'), class_='btn btn-small hide-inline-form')}

			




	
	
	
		
 
      </div>

			




	
	
	
		
 
      ${h.end_form()}

			




	
	
	
		
 
  %endif

			




	
	
	
		
 
  </div>

			




	
	
	
		
 
</div>

			




	
	
	
		
 
</%def>

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
## show comment count as "x comments (y inline, z general)"

			




	
	
	
		
 
<%def name="comment_count(inline_cnt, general_cnt)">

			




	
	
	
		
 
    ${'%s (%s, %s)' % (

			




	
	
	
		
 
        ungettext("%d comment", "%d comments", inline_cnt + general_cnt) % (inline_cnt + general_cnt),

			




	
	
	
		
 
        ungettext("%d inline", "%d inline", inline_cnt) % inline_cnt,

			




	
	
	
		
 
        ungettext("%d general", "%d general", general_cnt) % general_cnt

			




	
	
	
		
 
    )}

			




	
	
	
		
 
    <span class="firstlink"></span>

			




	
	
	
		
 
</%def>

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
## generate inline comments and the main ones

			




	
	
	
		
 
<%def name="generate_comments()">

			




	
	
	
		
 
<div class="comments">

			




	
	
	
		
 
  %for f_path, lines in c.inline_comments:

			




	
	
	
		
 
    %for line_no, comments in lines.iteritems():

			




	
	
	
		
 
      <div class="comments-list-chunk" data-f_path="${f_path}" data-line_no="${line_no}" data-target-id="${h.safeid(h.safe_unicode(f_path))}_${line_no}">

			




	
	
	
		
 
        %for co in comments:

			




	
	
	
		
 
            ${comment_block(co)}

			




	
	
	
		
 
        %endfor

			




	
	
	
		
 
      </div>

			




	
	
	
		
 
    %endfor

			




	
	
	
		
 
  %endfor

			




	
	
	
		
 

			




	
	
	
		
 
  <div class="comments-number">

			




	
	
	
		
 
    ${comment_count(c.inline_cnt, len(c.comments))}

			




	
	
	
		
 
  </div>

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.