kallithea Changeset - 12e7421e0469

Changeset - 12e7421e0469

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Mads Kiilerich - 10 years ago 2016-01-20 01:47:11
madski@unity3d.com

comments: avoid js string formatting of html template from DOM - avoid insecure naming

Multiple inline comment forms were only distinguished by the line number - not
by the filename.

Instead, just keep it simple and avoid trying to assign "globally" unique names
and use jQuery instead.

2 files changed with 10 insertions and 12 deletions:

kallithea/public/js/base.js

kallithea/templates/changeset/changeset_file_comment.html

0 comments (0 inline, 0 general)

kallithea/public/js/base.js

➞

Show inline comments

@@ @@ -683,15 +683,18 @@ function _comment_div_append_add($commen @@
 // append a comment form to $comment_div
 function _comment_div_append_form($comment_div, f_path, line_no) {
     var $form_div = $($('#comment-inline-form-template').html().format(f_path, line_no))
     var $form_div = $('#comment-inline-form-template').children()
         .clone()
         .addClass('comment-inline-form');
     $comment_div.append($form_div);
     var $form = $comment_div.find("form");
     var $textarea = $form.find('textarea');
     var $mentions_container = $form.find('div.mentions-container');
     $form.submit(function(e) {
         e.preventDefault();
-        var text = $('#text_'+line_no).val();
+        var text = $textarea.val();
         if (!text){
             return;
+        }
@@ @@ -719,9 +722,8 @@ function _comment_div_append_form($comme @@
     setTimeout(function() {
         // callbacks
         tooltip_activate();
         MentionsAutoComplete($('#text_'+line_no), $('#mentions_container_'+line_no),
                              _USERS_AC_DATA);
         $('#text_'+line_no).focus();
         MentionsAutoComplete($textarea, $mentions_container, _USERS_AC_DATA);
         $textarea.focus();
     }, 10);
+}

kallithea/templates/changeset/changeset_file_comment.html

➞

Show inline comments

@@ @@ -48,24 +48,20 @@ @@
 </%def>
 ## expanded with .format(f_path, line_no)
 ## TODO: don't assume line_no is globally unique ...
 <%def name="comment_inline_form()">
 <div id='comment-inline-form-template' style="display:none">
   <div class="ac">
   %if c.authuser.username != 'default':
     ${h.form('#', class_='inline-form')}
       <div class="clearfix">
-        <div class="comment-help">${_('Commenting on line {1}.')}
         <div class="comment-help">${_('Commenting on line.')}
           <span style="color:#577632" class="tooltip">${_('Comments are in plain text. Use @username inside this text to notify another user.')|n}</span>
         </div>
         <div class="mentions-container" id="mentions_container_{1}"></div>
         <textarea id="text_{1}" name="text" class="comment-block-ta yui-ac-input"></textarea>
         <div class="mentions-container"></div>
         <textarea name="text" class="comment-block-ta yui-ac-input"></textarea>
       </div>
       <div class="comment-button">
         <div class="submitting-overlay">${_('Submitting ...')}</div>
         <input type="hidden" name="f_path" value="{0}">
         <input type="hidden" name="line" value="{1}">
         ${h.submit('save', _('Comment'), class_='btn btn-small save-inline-form')}
         ${h.reset('hide-inline-form', _('Cancel'), class_='btn btn-small hide-inline-form')}
       </div>

0 comments (0 inline, 0 general)