Changeset - 9376ca7157f3
Parent rev.
Child rev.
[Not reviewed]
stable
0 2 0
Mads Kiilerich - 7 years ago 2019-02-27 02:30:58
mads@kiilerich.com
compare: correct display of special branch names in initial placeholder

When a branch name contains special characters like '<' or '>', and a
'compare' operation is performed with such branch as one of the two compare
sides, then the special branch name will be part of the URL, e.g.

http://localhost:5000/myrepo/compare/branch@master...branch@%3Cscript%3Eblabla%3C/script%3E?other_repo=myrepo

The encoded branch name is then used at page load as placeholders for the
branch selection dropdowns. But, the special characters, were escaped too
much, causing '<' to become &lt; in the display of the dropdown.

The placeholder was escaped via the default mako escape filter, before being
passed to make_revision_dropdown, thus too early. We want the raw value.
h.js() (copied from the default branch) gives us that, while still
formatting and escaping the string so it is safe inside the script tag.
2 files changed with 33 insertions and 2 deletions:
kallithea/lib/helpers.py
31
kallithea/templates/compare/compare_diff.html
2
2
0 comments (0 inline, 0 general)
kallithea/lib/helpers.py
Show inline comments
 
# -*- coding: utf-8 -*-
 
# This program is free software: you can redistribute it and/or modify
 
# it under the terms of the GNU General Public License as published by
 
# the Free Software Foundation, either version 3 of the License, or
 
# (at your option) any later version.
 
#
 
# This program is distributed in the hope that it will be useful,
 
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
# GNU General Public License for more details.
 
#
 
# You should have received a copy of the GNU General Public License
 
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
"""
 
Helper functions
 

			




	
	
	
		
 
Consists of functions to typically be used within templates, but also

			




	
	
	
		
 
available to Controllers. This module is available to both as 'h'.

			




	
	
	
		
 
"""

			




	
	
	
		
 
import hashlib

			




	
	
	
		
 
import json

			




	
	
	
		
 
import StringIO

			




	
	
	
		
 
import math

			




	
	
	
		
 
import logging

			




	
	
	
		
 
import re

			




	
	
	
		
 
import urlparse

			




	
	
	
		
 
import textwrap

			




	
	
	
		
 

			




	
	
	
		
 
from pygments.formatters.html import HtmlFormatter

			




	
	
	
		
 
from pygments import highlight as code_highlight

			




	
	
	
		
 
from pylons import url

			




	
	
	
		
 
from pylons.i18n.translation import _, ungettext

			




	
	
	
		
 

			




	
	
	
		
 
from webhelpers.html import literal, HTML, escape

			




	
	
	
		
 
from webhelpers.html.tools import *

			




	
	
	
		
 
from webhelpers.html.builder import make_tag

			




	
	
	
		
 
from webhelpers.html.tags import auto_discovery_link, checkbox, css_classes, \

			




	
	
	
		
 
    end_form, file, hidden, image, javascript_link, link_to, \

			




	
	
	
		
 
    link_to_if, link_to_unless, ol, required_legend, select, stylesheet_link, \

			




	
	
	
		
 
    submit, text, password, textarea, title, ul, xml_declaration, radio, \

			




	
	
	
		
 
    form as insecure_form

			




	
	
	
		
 
from webhelpers.html.tools import auto_link, button_to, highlight, \

			




	
	
	
		
 
    js_obfuscate, mail_to, strip_links, strip_tags, tag_re

			




	
	
	
		
 
from webhelpers.number import format_byte_size, format_bit_size

			




	
	
	
		
 
from webhelpers.pylonslib import Flash as _Flash

			




	
	
		
 
@@ -79,48 +80,78 @@ def canonical_url(*args, **kargs):

			




	
	
	
		
 
    return url(*args, **kargs)

			




	
	
	
		
 

			




	
	
	
		
 
def canonical_hostname():

			




	
	
	
		
 
    '''Return canonical hostname of system'''

			




	
	
	
		
 
    from kallithea import CONFIG

			




	
	
	
		
 
    try:

			




	
	
	
		
 
        parts = CONFIG.get('canonical_url', '').split('://', 1)

			




	
	
	
		
 
        return parts[1].split('/', 1)[0]

			




	
	
	
		
 
    except IndexError:

			




	
	
	
		
 
        parts = url('home', qualified=True).split('://', 1)

			




	
	
	
		
 
        return parts[1].split('/', 1)[0]

			




	
	
	
		
 

			




	
	
	
		
 
def html_escape(s):

			




	
	
	
		
 
    """Return string with all html escaped.

			




	
	
	
		
 
    This is also safe for javascript in html but not necessarily correct.

			




	
	
	
		
 
    """

			




	
	
	
		
 
    return (s

			




	
	
	
		
 
        .replace('&', '&amp;')

			




	
	
	
		
 
        .replace(">", "&gt;")

			




	
	
	
		
 
        .replace("<", "&lt;")

			




	
	
	
		
 
        .replace('"', "&quot;")

			




	
	
	
		
 
        .replace("'", "&apos;")

			




	
	
	
		
 
        )

			




	
	
	
		
 

			




	
	
	
		
 
def js(value):

			




	
	
	
		
 
    """Convert Python value to the corresponding JavaScript representation.

			




	
	
	
		
 

			




	
	
	
		
 
    This is necessary to safely insert arbitrary values into HTML <script>

			




	
	
	
		
 
    sections e.g. using Mako template expression substitution.

			




	
	
	
		
 

			




	
	
	
		
 
    Note: Rather than using this function, it's preferable to avoid the

			




	
	
	
		
 
    insertion of values into HTML <script> sections altogether. Instead,

			




	
	
	
		
 
    data should (to the extent possible) be passed to JavaScript using

			




	
	
	
		
 
    data attributes or AJAX calls, eliminating the need for JS specific

			




	
	
	
		
 
    escaping.

			




	
	
	
		
 

			




	
	
	
		
 
    Note: This is not safe for use in attributes (e.g. onclick), because

			




	
	
	
		
 
    quotes are not escaped.

			




	
	
	
		
 

			




	
	
	
		
 
    Because the rules for parsing <script> varies between XHTML (where

			




	
	
	
		
 
    normal rules apply for any special characters) and HTML (where

			




	
	
	
		
 
    entities are not interpreted, but the literal string "</script>"

			




	
	
	
		
 
    is forbidden), the function ensures that the result never contains

			




	
	
	
		
 
    '&', '<' and '>', thus making it safe in both those contexts (but

			




	
	
	
		
 
    not in attributes).

			




	
	
	
		
 
    """

			




	
	
	
		
 
    return literal(

			




	
	
	
		
 
        ('(' + json.dumps(value) + ')')

			




	
	
	
		
 
        # In JSON, the following can only appear in string literals.

			




	
	
	
		
 
        .replace('&', r'\x26')

			




	
	
	
		
 
        .replace('<', r'\x3c')

			




	
	
	
		
 
        .replace('>', r'\x3e')

			




	
	
	
		
 
    )

			




	
	
	
		
 

			




	
	
	
		
 
def shorter(s, size=20):

			




	
	
	
		
 
    postfix = '...'

			




	
	
	
		
 
    if len(s) > size:

			




	
	
	
		
 
        return s[:size - len(postfix)] + postfix

			




	
	
	
		
 
    return s

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def _reset(name, value=None, id=NotGiven, type="reset", **attrs):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Reset button

			




	
	
	
		
 
    """

			




	
	
	
		
 
    _set_input_attrs(attrs, type, name, value)

			




	
	
	
		
 
    _set_id_attr(attrs, id, name)

			




	
	
	
		
 
    convert_boolean_attrs(attrs, ["disabled"])

			




	
	
	
		
 
    return HTML.input(**attrs)

			




	
	
	
		
 

			




	
	
	
		
 
reset = _reset

			




	
	
	
		
 
safeid = _make_safe_id_component

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def FID(raw_id, path):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Creates a unique ID for filenode based on it's hash of path and revision

			




	
	
	
		
 
    it's safe to use in urls

			




        

    


    
    

    

        

                

                    kallithea/templates/compare/compare_diff.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -119,50 +119,50 @@ ${self.repo_context_bar('changelog')}

			




	
	
	
		
 
                    }

			




	
	
	
		
 
                });

			




	
	
	
		
 
                data.results.push({'text': section, 'children': children});

			




	
	
	
		
 
            });

			




	
	
	
		
 
            //push the typed in changeset

			




	
	
	
		
 
            data.results.push({'text':_TM['Specify changeset'],

			




	
	
	
		
 
                               'children': [{'id': query.term, 'text': query.term, 'type': 'rev'}]});

			




	
	
	
		
 
            query.callback(data);

			




	
	
	
		
 
          }else{

			




	
	
	
		
 
              $.ajax({

			




	
	
	
		
 
                url: pyroutes.url('repo_refs_data', {'repo_name': repo_name}),

			




	
	
	
		
 
                data: {},

			




	
	
	
		
 
                dataType: 'json',

			




	
	
	
		
 
                type: 'GET',

			




	
	
	
		
 
                success: function(data) {

			




	
	
	
		
 
                  cache[key] = data;

			




	
	
	
		
 
                  query.callback(data);

			




	
	
	
		
 
                }

			




	
	
	
		
 
              });

			




	
	
	
		
 
          }

			




	
	
	
		
 
        }

			




	
	
	
		
 
    });

			




	
	
	
		
 
    }

			




	
	
	
		
 

			




	
	
	
		
 
    make_revision_dropdown("#compare_org",   "${'%s@%s' % (c.a_repo.repo_name, c.a_ref_name)}",   "${c.a_repo.repo_name}",  'cache');

			




	
	
	
		
 
    make_revision_dropdown("#compare_other", "${'%s@%s' % (c.cs_repo.repo_name, c.cs_ref_name)}", "${c.cs_repo.repo_name}", 'cache2');

			




	
	
	
		
 
    make_revision_dropdown("#compare_org",   ${h.js('%s@%s' % (c.a_repo.repo_name, c.a_ref_name))},   "${c.a_repo.repo_name}",  'cache');

			




	
	
	
		
 
    make_revision_dropdown("#compare_other", ${h.js('%s@%s' % (c.cs_repo.repo_name, c.cs_ref_name))}, "${c.cs_repo.repo_name}", 'cache2');

			




	
	
	
		
 

			




	
	
	
		
 
    var values_changed = function() {

			




	
	
	
		
 
        var values = $('#compare_org').select2('data') && $('#compare_other').select2('data');

			




	
	
	
		
 
        if (values) {

			




	
	
	
		
 
             $('#compare_revs').removeClass("disabled");

			




	
	
	
		
 
             // TODO: the swap button ... if any

			




	
	
	
		
 
        } else {

			




	
	
	
		
 
             $('#compare_revs').addClass("disabled");

			




	
	
	
		
 
             // TODO: the swap button ... if any

			




	
	
	
		
 
        }

			




	
	
	
		
 
    }

			




	
	
	
		
 
    values_changed();

			




	
	
	
		
 
    $('#compare_org').change(values_changed);

			




	
	
	
		
 
    $('#compare_other').change(values_changed);

			




	
	
	
		
 
    $('#compare_revs').on('click', function(e){

			




	
	
	
		
 
        var org = $('#compare_org').select2('data');

			




	
	
	
		
 
        var other = $('#compare_other').select2('data');

			




	
	
	
		
 
        if (!org || !other) {

			




	
	
	
		
 
            return;

			




	
	
	
		
 
        }

			




	
	
	
		
 

			




	
	
	
		
 
        var compare_url = "${h.url('compare_url',repo_name=c.repo_name,org_ref_type='__other_ref_type__',org_ref_name='__org__',other_ref_type='__org_ref_type__',other_ref_name='__other__', other_repo=c.cs_repo.repo_name)}";

			




	
	
	
		
 
        var u = compare_url.replace('__other_ref_type__',org.type)

			




	
	
	
		
 
                           .replace('__org__',org.text)

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.