kallithea Changeset - bacc854a3853

Changeset - bacc854a3853

Parent rev.

Child rev.

[Not reviewed]

default

0 4 0

Søren Løvborg - 9 years ago 2017-03-15 20:39:38
sorenl@unity3d.com

templates: addPermAction JS escaping bugfix (by eliminating expansion bugfix)

In 33b71a130b16, the addPermAction template was incorrectly escaped via
h.jshtml, where it should've been plain h.js.

Instead of merely fixing the escaping, refactor the code to completely
remove the need for escaping anything, by avoiding the template variable
expansion inside the JavaScript.

4 files changed with 21 insertions and 56 deletions:

kallithea/public/js/base.js

kallithea/templates/admin/repo_groups/repo_group_edit_perms.html

kallithea/templates/admin/repos/repo_edit_permissions.html

kallithea/templates/admin/user_groups/user_group_edit_perms.html

0 comments (0 inline, 0 general)

kallithea/public/js/base.js

➞

Show inline comments

@@ @@ -1312,52 +1312,65 @@ var removeReviewMember = function(review @@
 var PullRequestAutoComplete = function ($inputElement, $container, users_list) {
     var matchUsers = function (sQuery) {
         return autocompleteMatchUsers(sQuery, users_list);
     };
     var reviewerAC = autocompleteCreate($inputElement, $container, matchUsers);
     reviewerAC.suppressInputUpdate = true;
     // Handler for selection of an entry
     if(reviewerAC.itemSelectEvent){
         reviewerAC.itemSelectEvent.subscribe(function (sType, aArgs) {
             var myAC = aArgs[0]; // reference back to the AC instance
             var elLI = aArgs[1]; // reference to the selected LI element
             var oData = aArgs[2]; // object literal of selected item's result data
             addReviewMember(oData.id, oData.fname, oData.lname, oData.nname,
                             oData.gravatar_lnk, oData.gravatar_size);
             myAC.getInputEl().value = '';
         });
+    }
+}
 var addPermAction = function(_html, users_list, groups_list){
 function addPermAction(perm_type, users_list, groups_list) {
     var template =
         '<td><input type="radio" value="{1}.none" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td><input type="radio" value="{1}.read" checked="checked" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td><input type="radio" value="{1}.write" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td><input type="radio" value="{1}.admin" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td class="ac">' +
             '<div class="perm_ac" id="perm_ac_{0}">' +
                 '<input class="yui-ac-input" id="perm_new_member_name_{0}" name="perm_new_member_name_{0}" value="" type="text">' +
                 '<input id="perm_new_member_type_{0}" name="perm_new_member_type_{0}" value="" type="hidden">' +
                 '<div id="perm_container_{0}"></div>' +
             '</div>' +
         '</td>' +
         '<td></td>';
     var $last_node = $('.last_new_member').last(); // empty tr between last and add
     var next_id = $('.new_members').length;
-    $last_node.before($('<tr class="new_members">').append(_html.format(next_id)));
+    $last_node.before($('<tr class="new_members">').append(template.format(next_id, perm_type)));
     MembersAutoComplete($("#perm_new_member_name_"+next_id),
             $("#perm_container_"+next_id), users_list, groups_list);
+}
 function ajaxActionRevokePermission(url, obj_id, obj_type, field_id, extra_data) {
     var success = function (o) {
             $('#' + field_id).remove();
         };
     var failure = function (o) {
             alert(_TM['Failed to revoke permission'] + ": " + o.status);
         };
     var query_params = {};
     // put extra data into POST
     if (extra_data !== undefined && (typeof extra_data === 'object')){
         for(var k in extra_data){
             query_params[k] = extra_data[k];
+        }
+    }
     if (obj_type=='user'){
         query_params['user_id'] = obj_id;
         query_params['obj_type'] = 'user';
+    }
     else if (obj_type=='user_group'){

kallithea/templates/admin/repo_groups/repo_group_edit_perms.html

➞

Show inline comments

@@ @@ -52,88 +52,72 @@ ${h.form(url('edit_repo_group_perms', gr @@
                 ## USER GROUPS
                 %for g2p in c.repo_group.users_group_to_perm:
                     <tr id="id${id(g2p.users_group.users_group_name)}">
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.none')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.read')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.write')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'group.admin')}</td>
                         <td>
                             <i class="icon-users"></i>
                             %if h.HasPermissionAny('hg.admin')():
                              <a href="${h.url('edit_users_group',id=g2p.users_group.users_group_id)}">
                                  ${g2p.users_group.users_group_name}
                              </a>
                             %else:
                              ${g2p.users_group.users_group_name}
                             %endif
                         </td>
                         <td>
                             <span style="color:#da4f49" class="btn btn-default btn-xs" onclick="ajaxActionRevoke(${g2p.users_group.users_group_id}, 'user_group', '${'id%s'%id(g2p.users_group.users_group_name)}', '${g2p.users_group.users_group_name}')">
                             <i class="icon-minus-circled"></i> ${_('Revoke')}
                             </span>
                         </td>
                     </tr>
                 %endfor
                 <%
                 _tmpl = """\
                     <td><input type="radio" value="group.none" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td><input type="radio" value="group.read" checked="checked" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td><input type="radio" value="group.write" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td><input type="radio" value="group.admin" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td class="ac"> \
                         <div class="perm_ac" id="perm_ac_{0}"> \
                             <input class="yui-ac-input" id="perm_new_member_name_{0}" name="perm_new_member_name_{0}" value="" type="text"> \
                             <input id="perm_new_member_type_{0}" name="perm_new_member_type_{0}" value="" type="hidden">  \
                             <div id="perm_container_{0}"></div> \
                         </div> \
                     </td> \
                     <td></td>"""
                 %>
                 ## ADD HERE DYNAMICALLY NEW INPUTS FROM THE '_tmpl'
                 ## New entries added by addPermAction here.
                 <tr class="new_members last_new_member" id="add_perm_input"><td colspan="6"></td></tr>
                 <tr>
                     <td colspan="6">
                         <span id="add_perm" style="cursor: pointer;">
                             <i class="icon-plus"></i> ${_('Add new')}
                         </span>
                     </td>
                 </tr>
                 <tr>
                     <td colspan="6">
                        ${_('Apply to children')}:
                        ${h.radio('recursive', 'none', label=_('None'), checked="checked")}
                        ${h.radio('recursive', 'groups', label=_('Repository Groups'))}
                        ${h.radio('recursive', 'repos', label=_('Repositories'))}
                        ${h.radio('recursive', 'all', label=_('Both'))}
                        <span class="help-block">${_('Set or revoke permission to all children of that group, including non-private repositories and other groups if selected.')}</span>
                     </td>
                 </tr>
             </table>
         </div>
         <div class="buttons">
             ${h.submit('save',_('Save'),class_="btn btn-default")}
             ${h.reset('reset',_('Reset'),class_="btn btn-default")}
         </div>
     </div>
 </div>
 ${h.end_form()}
 <script type="text/javascript">
     function ajaxActionRevoke(obj_id, obj_type, field_id, obj_name) {
         url = ${h.jshtml(h.url('edit_repo_group_perms_delete', group_name=c.repo_group.group_name))};
         var revoke_msg = _TM['Confirm to revoke permission for {0}: {1} ?'].format(obj_type.replace('_', ' '), obj_name);
         if (confirm(revoke_msg)){
             var recursive = $('input[name=recursive]:checked').val();
             ajaxActionRevokePermission(url, obj_id, obj_type, field_id, {recursive:recursive});
+        }
     };
     $(document).ready(function () {
         if (!$('#perm_new_member_name').hasClass('error')) {
             $('#add_perm_input').hide();
+        }
         $('#add_perm').click(function () {
-            addPermAction(${h.jshtml(_tmpl)}, ${h.js(c.users_array)}, ${h.js(c.user_groups_array)});
+            addPermAction('group', ${h.js(c.users_array)}, ${h.js(c.user_groups_array)});
         });
     });
 </script>

kallithea/templates/admin/repos/repo_edit_permissions.html

➞

Show inline comments

@@ @@ -49,77 +49,61 @@ ${h.form(url('edit_repo_perms_update', r @@
                 %endfor
                 ## USER GROUPS
                 %for g2p in sorted(c.repo_info.users_group_to_perm, key=lambda x:x.users_group.users_group_name):
                     <tr id="id${id(g2p.users_group.users_group_name)}">
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'repository.none')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'repository.read')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'repository.write')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.users_group.users_group_name,'repository.admin')}</td>
                         <td>
                             <i class="icon-users"></i>
                             %if h.HasPermissionAny('hg.admin')():
                              <a href="${h.url('edit_users_group',id=g2p.users_group.users_group_id)}">${g2p.users_group.users_group_name}</a>
                             %else:
                              ${g2p.users_group.users_group_name}
                             %endif
                         </td>
                         <td>
                             <span style="color:#da4f49" class="btn btn-default btn-xs" onclick="ajaxActionRevoke(${g2p.users_group.users_group_id}, 'user_group', '${'id%s'%id(g2p.users_group.users_group_name)}', '${g2p.users_group.users_group_name}')">
                             <i class="icon-minus-circled"></i> ${_('Revoke')}
                             </span>
                         </td>
                     </tr>
                 %endfor
                 <%
                 _tmpl = """\
                     <td><input type="radio" value="repository.none" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td><input type="radio" value="repository.read" checked="checked" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td><input type="radio" value="repository.write" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td><input type="radio" value="repository.admin" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td class="ac"> \
                         <div class="perm_ac" id="perm_ac_{0}"> \
                             <input class="yui-ac-input" id="perm_new_member_name_{0}" name="perm_new_member_name_{0}" value="" type="text"> \
                             <input id="perm_new_member_type_{0}" name="perm_new_member_type_{0}" value="" type="hidden">  \
                             <div id="perm_container_{0}"></div> \
                         </div> \
                     </td> \
                     <td></td>"""
                 %>
                 ## ADD HERE DYNAMICALLY NEW INPUTS FROM THE '_tmpl'
                 ## New entries added by addPermAction here.
                 <tr class="new_members last_new_member" id="add_perm_input"><td colspan="6"></td></tr>
                 <tr>
                     <td colspan="6">
                         <span id="add_perm" style="cursor: pointer;">
                             <i class="icon-plus"></i> ${_('Add new')}
                         </span>
                     </td>
                 </tr>
             </table>
         </div>
         <div class="form-group">
             ${h.submit('save',_('Save'),class_="btn btn-default")}
             ${h.reset('reset',_('Reset'),class_="btn btn-default")}
         </div>
     </div>
 </div>
 ${h.end_form()}
 <script type="text/javascript">
     function ajaxActionRevoke(obj_id, obj_type, field_id, obj_name) {
         url = ${h.js(h.url('edit_repo_perms_revoke',repo_name=c.repo_name))};
         var revoke_msg = _TM['Confirm to revoke permission for {0}: {1} ?'].format(obj_type.replace('_', ' '), obj_name);
         if (confirm(revoke_msg)){
             ajaxActionRevokePermission(url, obj_id, obj_type, field_id);
+        }
     };
     $(document).ready(function () {
         if (!$('#perm_new_member_name').hasClass('error')) {
             $('#add_perm_input').hide();
+        }
         $('#add_perm').click(function () {
-            addPermAction(${h.jshtml(_tmpl)}, ${h.js(c.users_array)}, ${h.js(c.user_groups_array)});
+            addPermAction('repository', ${h.js(c.users_array)}, ${h.js(c.user_groups_array)});
         });
     });
 </script>

kallithea/templates/admin/user_groups/user_group_edit_perms.html

➞

Show inline comments

@@ @@ -52,77 +52,61 @@ ${h.form(url('edit_user_group_perms_upda @@
                 ## USER GROUPS
                 %for g2p in c.user_group.user_group_user_group_to_perm:
                     <tr id="id${id(g2p.user_group.users_group_name)}">
                         <td>${h.radio('g_perm_%s' % g2p.user_group.users_group_name,'usergroup.none')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.user_group.users_group_name,'usergroup.read')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.user_group.users_group_name,'usergroup.write')}</td>
                         <td>${h.radio('g_perm_%s' % g2p.user_group.users_group_name,'usergroup.admin')}</td>
                         <td>
                             <i class="icon-users"></i>
                             %if h.HasPermissionAny('hg.admin')():
                              <a href="${h.url('edit_users_group',id=g2p.user_group.users_group_id)}">
                                  ${g2p.user_group.users_group_name}
                              </a>
                             %else:
                              ${g2p.user_group.users_group_name}
                             %endif
                         </td>
                         <td>
                             <span style="color:#da4f49" class="btn btn-default btn-xs" onclick="ajaxActionRevoke(${g2p.user_group.users_group_id}, 'user_group', '${'id%s'%id(g2p.user_group.users_group_name)}', '${g2p.user_group.users_group_name}')">
                             <i class="icon-minus-circled"></i> ${_('Revoke')}
                             </span>
                         </td>
                     </tr>
                 %endfor
                 <%
                 _tmpl = """\
                     <td><input type="radio" value="usergroup.none" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td><input type="radio" value="usergroup.read" checked="checked" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td><input type="radio" value="usergroup.write" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td><input type="radio" value="usergroup.admin" name="perm_new_member_{0}" id="perm_new_member_{0}"></td> \
                     <td class="ac"> \
                         <div class="perm_ac" id="perm_ac_{0}"> \
                             <input class="yui-ac-input" id="perm_new_member_name_{0}" name="perm_new_member_name_{0}" value="" type="text"> \
                             <input id="perm_new_member_type_{0}" name="perm_new_member_type_{0}" value="" type="hidden">  \
                             <div id="perm_container_{0}"></div> \
                         </div> \
                     </td> \
                     <td></td>"""
                 %>
                 ## ADD HERE DYNAMICALLY NEW INPUTS FROM THE '_tmpl'
                 ## New entries added by addPermAction here.
                 <tr class="new_members last_new_member" id="add_perm_input"><td colspan="6"></td></tr>
                 <tr>
                     <td colspan="6">
                         <span id="add_perm" class="btn">
                             <i class="icon-plus"></i> ${_('Add new')}
                         </span>
                     </td>
                 </tr>
             </table>
         </div>
         <div class="buttons">
             ${h.submit('save',_('Save'),class_="btn btn-default")}
             ${h.reset('reset',_('Reset'),class_="btn btn-default")}
         </div>
    </div>
 </div>
 ${h.end_form()}
 <script type="text/javascript">
     function ajaxActionRevoke(obj_id, obj_type, field_id, obj_name) {
         url = ${h.js(h.url('edit_user_group_perms_delete', id=c.user_group.users_group_id))};
         var revoke_msg = _TM['Confirm to revoke permission for {0}: {1} ?'].format(obj_type.replace('_', ' '), obj_name);
         if (confirm(revoke_msg)){
             ajaxActionRevokePermission(url, obj_id, obj_type, field_id);
+        }
     };
     $(document).ready(function () {
         if (!$('#perm_new_member_name').hasClass('error')) {
             $('#add_perm_input').hide();
+        }
         $('#add_perm').click(function () {
-            addPermAction(${h.jshtml(_tmpl)}, ${h.js(c.users_array)}, ${h.js(c.user_groups_array)});
+            addPermAction('usergroup', ${h.js(c.users_array)}, ${h.js(c.user_groups_array)});
         });
     });
 </script>

0 comments (0 inline, 0 general)