Changeset - 9376ca7157f3
Parent rev.
Child rev.
[Not reviewed]
stable
0 2 0
Mads Kiilerich - 7 years ago 2019-02-27 02:30:58
mads@kiilerich.com
compare: correct display of special branch names in initial placeholder

When a branch name contains special characters like '<' or '>', and a
'compare' operation is performed with such branch as one of the two compare
sides, then the special branch name will be part of the URL, e.g.

http://localhost:5000/myrepo/compare/branch@master...branch@%3Cscript%3Eblabla%3C/script%3E?other_repo=myrepo

The encoded branch name is then used at page load as placeholders for the
branch selection dropdowns. But, the special characters, were escaped too
much, causing '<' to become &lt; in the display of the dropdown.

The placeholder was escaped via the default mako escape filter, before being
passed to make_revision_dropdown, thus too early. We want the raw value.
h.js() (copied from the default branch) gives us that, while still
formatting and escaping the string so it is safe inside the script tag.
2 files changed with 33 insertions and 2 deletions:
kallithea/lib/helpers.py
31
kallithea/templates/compare/compare_diff.html
2
2
0 comments (0 inline, 0 general)
kallithea/lib/helpers.py
Show inline comments
 
@@ -15,12 +15,13 @@
 
Helper functions
 

			




	
	
	
		
 
Consists of functions to typically be used within templates, but also

			




	
	
	
		
 
available to Controllers. This module is available to both as 'h'.

			




	
	
	
		
 
"""

			




	
	
	
		
 
import hashlib

			




	
	
	
		
 
import json

			




	
	
	
		
 
import StringIO

			




	
	
	
		
 
import math

			




	
	
	
		
 
import logging

			




	
	
	
		
 
import re

			




	
	
	
		
 
import urlparse

			




	
	
	
		
 
import textwrap

			




	
	
		
 
@@ -97,12 +98,42 @@ def html_escape(s):

			




	
	
	
		
 
        .replace(">", "&gt;")

			




	
	
	
		
 
        .replace("<", "&lt;")

			




	
	
	
		
 
        .replace('"', "&quot;")

			




	
	
	
		
 
        .replace("'", "&apos;")

			




	
	
	
		
 
        )

			




	
	
	
		
 

			




	
	
	
		
 
def js(value):

			




	
	
	
		
 
    """Convert Python value to the corresponding JavaScript representation.

			




	
	
	
		
 

			




	
	
	
		
 
    This is necessary to safely insert arbitrary values into HTML <script>

			




	
	
	
		
 
    sections e.g. using Mako template expression substitution.

			




	
	
	
		
 

			




	
	
	
		
 
    Note: Rather than using this function, it's preferable to avoid the

			




	
	
	
		
 
    insertion of values into HTML <script> sections altogether. Instead,

			




	
	
	
		
 
    data should (to the extent possible) be passed to JavaScript using

			




	
	
	
		
 
    data attributes or AJAX calls, eliminating the need for JS specific

			




	
	
	
		
 
    escaping.

			




	
	
	
		
 

			




	
	
	
		
 
    Note: This is not safe for use in attributes (e.g. onclick), because

			




	
	
	
		
 
    quotes are not escaped.

			




	
	
	
		
 

			




	
	
	
		
 
    Because the rules for parsing <script> varies between XHTML (where

			




	
	
	
		
 
    normal rules apply for any special characters) and HTML (where

			




	
	
	
		
 
    entities are not interpreted, but the literal string "</script>"

			




	
	
	
		
 
    is forbidden), the function ensures that the result never contains

			




	
	
	
		
 
    '&', '<' and '>', thus making it safe in both those contexts (but

			




	
	
	
		
 
    not in attributes).

			




	
	
	
		
 
    """

			




	
	
	
		
 
    return literal(

			




	
	
	
		
 
        ('(' + json.dumps(value) + ')')

			




	
	
	
		
 
        # In JSON, the following can only appear in string literals.

			




	
	
	
		
 
        .replace('&', r'\x26')

			




	
	
	
		
 
        .replace('<', r'\x3c')

			




	
	
	
		
 
        .replace('>', r'\x3e')

			




	
	
	
		
 
    )

			




	
	
	
		
 

			




	
	
	
		
 
def shorter(s, size=20):

			




	
	
	
		
 
    postfix = '...'

			




	
	
	
		
 
    if len(s) > size:

			




	
	
	
		
 
        return s[:size - len(postfix)] + postfix

			




	
	
	
		
 
    return s

			




	
	
	
		
 

			




        

    


    
    

    

        

                

                    kallithea/templates/compare/compare_diff.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -137,14 +137,14 @@ ${self.repo_context_bar('changelog')}

			




	
	
	
		
 
              });

			




	
	
	
		
 
          }

			




	
	
	
		
 
        }

			




	
	
	
		
 
    });

			




	
	
	
		
 
    }

			




	
	
	
		
 

			




	
	
	
		
 
    make_revision_dropdown("#compare_org",   "${'%s@%s' % (c.a_repo.repo_name, c.a_ref_name)}",   "${c.a_repo.repo_name}",  'cache');

			




	
	
	
		
 
    make_revision_dropdown("#compare_other", "${'%s@%s' % (c.cs_repo.repo_name, c.cs_ref_name)}", "${c.cs_repo.repo_name}", 'cache2');

			




	
	
	
		
 
    make_revision_dropdown("#compare_org",   ${h.js('%s@%s' % (c.a_repo.repo_name, c.a_ref_name))},   "${c.a_repo.repo_name}",  'cache');

			




	
	
	
		
 
    make_revision_dropdown("#compare_other", ${h.js('%s@%s' % (c.cs_repo.repo_name, c.cs_ref_name))}, "${c.cs_repo.repo_name}", 'cache2');

			




	
	
	
		
 

			




	
	
	
		
 
    var values_changed = function() {

			




	
	
	
		
 
        var values = $('#compare_org').select2('data') && $('#compare_other').select2('data');

			




	
	
	
		
 
        if (values) {

			




	
	
	
		
 
             $('#compare_revs').removeClass("disabled");

			




	
	
	
		
 
             // TODO: the swap button ... if any

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.