kallithea Changeset - 42a150500c25

Changeset - 42a150500c25

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Mads Kiilerich - 7 years ago 2019-02-27 02:29:34
mads@kiilerich.com

base: when using a custom select2 escapeMarkup function, make it clear that the exception only is for a static safe string

1 file changed with 10 insertions and 14 deletions:

kallithea/templates/base/base.html

0 comments (0 inline, 0 general)

kallithea/templates/base/base.html

➞

Show inline comments

@@ @@ -143,115 +143,113 @@ @@
         </li>
         <li class="${'active' if current == 'options' else ''} dropdown" data-context="options">
              %if h.HasRepoPermissionLevel('admin')(c.repo_name):
                <a href="${h.url('edit_repo',repo_name=c.repo_name)}" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" aria-haspopup="true"><i class="icon-wrench"></i>${_('Options')} <i class="caret"></i></a>
              %else:
                <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" aria-haspopup="true"><i class="icon-wrench"></i>${_('Options')} <i class="caret"></i></a>
              %endif
           <ul class="dropdown-menu" role="menu" aria-hidden="true">
              %if h.HasRepoPermissionLevel('admin')(c.repo_name):
                    <li><a href="${h.url('edit_repo',repo_name=c.repo_name)}"><i class="icon-gear"></i>${_('Settings')}</a></li>
              %endif
               %if c.db_repo.fork:
                <li><a href="${h.url('compare_url',repo_name=c.db_repo.fork.repo_name,org_ref_type=c.db_repo.landing_rev[0],org_ref_name=c.db_repo.landing_rev[1], other_repo=c.repo_name,other_ref_type='branch' if request.GET.get('branch') else c.db_repo.landing_rev[0],other_ref_name=request.GET.get('branch') or c.db_repo.landing_rev[1], merge=1)}">
                    <i class="icon-git-compare"></i>${_('Compare Fork')}</a></li>
               %endif
               <li><a href="${h.url('compare_home',repo_name=c.repo_name)}"><i class="icon-git-compare"></i>${_('Compare')}</a></li>
               <li><a href="${h.url('search_repo',repo_name=c.repo_name)}"><i class="icon-search"></i>${_('Search')}</a></li>
               %if h.HasRepoPermissionLevel('write')(c.repo_name) and c.db_repo.enable_locking:
                 %if c.db_repo.locked[0]:
                   <li><a href="${h.url('toggle_locking', repo_name=c.repo_name)}"><i class="icon-lock"></i>${_('Unlock')}</a></li>
                 %else:
                   <li><a href="${h.url('toggle_locking', repo_name=c.repo_name)}"><i class="icon-lock-open-alt"></i>${_('Lock')}</a></li>
                 %endif
               %endif
               ## TODO: this check feels wrong, it would be better to have a check for permissions
               ## also it feels like a job for the controller
               %if request.authuser.username != 'default':
                   <li>
                    <a href="#" class="${'following' if c.repository_following else 'follow'}" onclick="toggleFollowingRepo(this, ${c.db_repo.repo_id});">
                     <span class="show-follow"><i class="icon-heart-empty"></i>${_('Follow')}</span>
                     <span class="show-following"><i class="icon-heart"></i>${_('Unfollow')}</span>
                    </a>
                   </li>
                   <li><a href="${h.url('repo_fork_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i>${_('Fork')}</a></li>
                   <li><a href="${h.url('pullrequest_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i>${_('Create Pull Request')}</a></li>
               %endif
              </ul>
         </li>
     </ul>
     </div>
     </div>
   </nav>
   <script type="text/javascript">
     $(document).ready(function() {
       var bcache = {};
       var branch_switcher_placeholder = '<i class="icon-exchange"></i>' + ${h.jshtml(_('Switch To'))} + ' <span class="caret"></span>';
       $("#branch_switcher").select2({
-          placeholder: '<i class="icon-exchange"></i>' + ${h.jshtml(_('Switch To'))} + ' <span class="caret"></span>',
+          placeholder: branch_switcher_placeholder,
           dropdownAutoWidth: true,
           sortResults: prefixFirstSort,
           formatResult: function(obj) {
               return obj.text;
           },
           formatSelection: function(obj) {
               return obj.text;
           },
           formatNoMatches: function(term) {
               return ${h.jshtml(_('No matches found'))};
           },
           escapeMarkup: function(m) {
               // don't escape our custom placeholder
               if (m.substr(0, 25) == '<i class="icon-exchange">') {
                   return m;
+              }
               if (m == branch_switcher_placeholder)
                   return branch_switcher_placeholder;
               return Select2.util.escapeMarkup(m);
           },
           containerCssClass: "branch-switcher",
           dropdownCssClass: "repo-switcher-dropdown",
           query: function(query) {
               var key = 'cache';
               var cached = bcache[key];
               if (cached) {
                   var data = {
                       results: []
                   };
                   // filter results
                   $.each(cached.results, function() {
                       var section = this.text;
                       var children = [];
                       $.each(this.children, function() {
                           if (query.term.length === 0 || this.text.toUpperCase().indexOf(query.term.toUpperCase()) >= 0) {
                               children.push({
                                   'id': this.id,
                                   'text': this.text,
                                   'type': this.type,
                                   'obj': this.obj
                               });
+                          }
                       });
                       if (children.length !== 0) {
                           data.results.push({
                               'text': section,
                               'children': children
                           });
+                      }
                   });
                   query.callback(data);
               } else {
                   $.ajax({
                       url: pyroutes.url('repo_refs_data', {
                           'repo_name': ${h.js(c.repo_name)}
                       }),
                       data: {},
                       dataType: 'json',
                       type: 'GET',
                       success: function(data) {
                           bcache[key] = data;
                           query.callback(data);
+                      }
                   });
+              }
@@ @@ -370,141 +368,139 @@ @@
             ${h.form(h.url('login_home', came_from=request.path_qs), class_='form clearfix')}
                 <h4 id="quick_login_h">${_('Login to Your Account')}</h4>
                 <label>
                     ${_('Username')}:
                     ${h.text('username',class_='form-control')}
                 </label>
                 <label>
                     ${_('Password')}:
                     ${h.password('password',class_='form-control')}
                 </label>
                 <div class="password_forgotten">
                     ${h.link_to(_('Forgot password?'),h.url('reset_password'))}
                 </div>
                 <div class="register">
                     %if h.HasPermissionAny('hg.admin', 'hg.register.auto_activate', 'hg.register.manual_activate')():
                         ${h.link_to(_("Don't have an account?"),h.url('register'))}
                     %endif
                 </div>
                 <div class="submit">
                     ${h.submit('sign_in',_('Log In'),class_="btn btn-default btn-xs")}
                 </div>
             ${h.end_form()}
           %else:
             <div class="pull-left">
                 ${h.gravatar_div(request.authuser.email, size=48, div_class="big_gravatar")}
                 <b class="full_name">${request.authuser.full_name_or_username}</b>
                 <div class="email">${request.authuser.email}</div>
             </div>
             <div id="quick_login_h" class="pull-right list-group text-right">
               ${h.link_to(_('My Account'),h.url('my_account'),class_='list-group-item')}
               %if not request.authuser.is_external_auth:
                 ## Cannot log out if using external (container) authentication.
                 ${h.link_to(_('Log Out'), h.url('logout_home'),class_='list-group-item')}
               %endif
             </div>
           %endif
         </div>
       </div>
     </li>
   </ul>
     <script type="text/javascript">
         $(document).ready(function(){
             var visual_show_public_icon = ${h.js(c.visual.show_public_icon)};
             var cache = {}
             /*format the look of items in the list*/
             var format = function(state){
                 if (!state.id){
                   return state.text; // optgroup
+                  return state.text.html_escape(); // optgroup
+                }
                 var obj_dict = state.obj;
                 var tmpl = '';
                 if(obj_dict && state.type == 'repo'){
                     tmpl += '<span class="repo-icons">';
                     if(obj_dict['repo_type'] === 'hg'){
                         tmpl += '<span class="label label-repo" title="${_('Mercurial repository')}">hg</span> ';
+                    }
                     else if(obj_dict['repo_type'] === 'git'){
                         tmpl += '<span class="label label-repo" title="${_('Git repository')}">git</span> ';
+                    }
                     if(obj_dict['private']){
                         tmpl += '<i class="icon-lock"></i>';
+                    }
                     else if(visual_show_public_icon){
                         tmpl += '<i class="icon-globe"></i>';
+                    }
                     tmpl += '</span>';
+                }
                 if(obj_dict && state.type == 'group'){
                         tmpl += '<i class="icon-folder"></i>';
+                }
                 tmpl += state.text;
+                tmpl += state.text.html_escape();
                 return tmpl;
+            }
             var repo_switcher_placeholder = '<i class="icon-database"></i>' + ${h.jshtml(_('Repositories'))} + ' <span class="caret"></span>';
             $("#repo_switcher").select2({
-                placeholder: '<i class="icon-database"></i>' + ${h.jshtml(_('Repositories'))} + ' <span class="caret"></span>',
+                placeholder: repo_switcher_placeholder,
                 dropdownAutoWidth: true,
                 sortResults: prefixFirstSort,
                 formatResult: format,
                 formatSelection: format,
                 formatNoMatches: function(term){
                     return ${h.jshtml(_('No matches found'))};
                 },
                 containerCssClass: "repo-switcher",
                 dropdownCssClass: "repo-switcher-dropdown",
                 escapeMarkup: function(m){
                     // don't escape our custom placeholder
                     if(m.substr(0,29) == '<i class="icon-database"></i>'){
                         return m;
+                    }
                     if (m == repo_switcher_placeholder)
                         return repo_switcher_placeholder;
                     return Select2.util.escapeMarkup(m);
                 },
                 query: function(query){
                   var key = 'cache';
                   var cached = cache[key] ;
                   if(cached) {
                     var data = {results: []};
                     //filter results
                     $.each(cached.results, function(){
                         var section = this.text;
                         var children = [];
                         $.each(this.children, function(){
                             if(query.term.length == 0 || this.text.toUpperCase().indexOf(query.term.toUpperCase()) >= 0 ){
                                 children.push({'id': this.id, 'text': this.text, 'type': this.type, 'obj': this.obj});
+                            }
                         });
                         if(children.length !== 0){
                             data.results.push({'text': section, 'children': children});
+                        }
                     });
                     query.callback(data);
                   }else{
                       $.ajax({
                         url: ${h.js(h.url('repo_switcher_data'))},
                         data: {},
                         dataType: 'json',
                         type: 'GET',
                         success: function(data) {
                           cache[key] = data;
                           query.callback({results: data.results});
+                        }
                       });
+                  }
+                }
             });
             $("#repo_switcher").on('select2-selecting', function(e){
                 e.preventDefault();
                 window.location = pyroutes.url('summary_home', {'repo_name': e.val});
             });
             $(document).on('shown.bs.dropdown', function(event) {
                 var dropdown = $(event.target);
                 dropdown.attr('aria-expanded', true);
                 dropdown.find('.dropdown-menu').attr('aria-hidden', false);
             });

0 comments (0 inline, 0 general)