Changeset - c9cfaeb1cdfe
Parent rev.
Child rev.
[Not reviewed]
stable
0 3 0
Mads Kiilerich - 10 years ago 2015-07-07 02:09:35
madski@unity3d.com
tooltips: fix unsafe insertion of userdata into the DOM as html

This fixes js injection in the admin journal ... and probably also in other places.

Tooltips are used both with hardcoded strings (which is safe and simple) and
with user provided strings wrapped in html formatting (which requires careful
escaping before being put into the DOM as html). The templating will
automatically take care of one level of escaping, but here it requires two
levels to do it correctly ... and that was not always done correctly.

Instead, by default, just insert it into the DOM as text, not as html.

The few places where we know the tooltip contains safe html are handled
specially - the element is given the safe-html-title class. That is the case in
file annotation and in display of tip revision in repo lists.
3 files changed with 13 insertions and 7 deletions:
kallithea/lib/helpers.py
3
3
kallithea/public/js/base.js
9
3
kallithea/templates/data_table/_dt_elements.html
1
1
0 comments (0 inline, 0 general)
kallithea/lib/helpers.py
Show inline comments
 
@@ -349,28 +349,28 @@ def pygmentize_annotation(repo_name, fil
 
            col = color_dict[cs] = cgenerator.next()
 
        return "color: rgb(%s)! important;" % (', '.join(col))
 

			




	
	
	
		
 
    def url_func(repo_name):

			




	
	
	
		
 

			




	
	
	
		
 
        def _url_func(changeset):

			




	
	
	
		
 
            author = changeset.author

			




	
	
	
		
 
            author = escape(changeset.author)

			




	
	
	
		
 
            date = changeset.date

			




	
	
	
		
 
            message = tooltip(changeset.message)

			




	
	
	
		
 
            message = escape(changeset.message)

			




	
	
	
		
 

			




	
	
	
		
 
            tooltip_html = ("<div style='font-size:0.8em'><b>Author:</b>"

			




	
	
	
		
 
                            " %s<br/><b>Date:</b> %s</b><br/><b>Message:"

			




	
	
	
		
 
                            "</b> %s<br/></div>")

			




	
	
	
		
 

			




	
	
	
		
 
            tooltip_html = tooltip_html % (author, date, message)

			




	
	
	
		
 
            lnk_format = show_id(changeset)

			




	
	
	
		
 
            uri = link_to(

			




	
	
	
		
 
                    lnk_format,

			




	
	
	
		
 
                    url('changeset_home', repo_name=repo_name,

			




	
	
	
		
 
                        revision=changeset.raw_id),

			




	
	
	
		
 
                    style=get_color_string(changeset.raw_id),

			




	
	
	
		
 
                    class_='tooltip',

			




	
	
	
		
 
                    class_='tooltip safe-html-title',

			




	
	
	
		
 
                    title=tooltip_html

			




	
	
	
		
 
                  )

			




	
	
	
		
 

			




	
	
	
		
 
            uri += '\n'

			




	
	
	
		
 
            return uri

			




	
	
	
		
 
        return _url_func

			




        

    


    
    

    

        

                

                    kallithea/public/js/base.js
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -507,31 +507,37 @@ var _init_tooltip = function(){

			




	
	
	
		
 
    $tipBox.css('position', 'absolute');

			




	
	
	
		
 
    $tipBox.css('max-width', '600px');

			




	
	
	
		
 

			




	
	
	
		
 
    _activate_tooltip($('.tooltip'));

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
var _show_tooltip = function(e, tipText){

			




	
	
	
		
 
var _show_tooltip = function(e, tipText, safe){

			




	
	
	
		
 
    e.stopImmediatePropagation();

			




	
	
	
		
 
    var el = e.currentTarget;

			




	
	
	
		
 
    var $el = $(el);

			




	
	
	
		
 
    if(tipText){

			




	
	
	
		
 
        // just use it

			




	
	
	
		
 
    } else if(el.tagName.toLowerCase() === 'img'){

			




	
	
	
		
 
        tipText = el.alt ? el.alt : '';

			




	
	
	
		
 
    } else {

			




	
	
	
		
 
        tipText = el.title ? el.title : '';

			




	
	
	
		
 
        safe = safe || $el.hasClass("safe-html-title");

			




	
	
	
		
 
    }

			




	
	
	
		
 

			




	
	
	
		
 
    if(tipText !== ''){

			




	
	
	
		
 
        // save org title

			




	
	
	
		
 
        $(el).attr('tt_title', tipText);

			




	
	
	
		
 
        $el.attr('tt_title', tipText);

			




	
	
	
		
 
        // reset title to not show org tooltips

			




	
	
	
		
 
        $(el).attr('title', '');

			




	
	
	
		
 
        $el.attr('title', '');

			




	
	
	
		
 

			




	
	
	
		
 
        var $tipBox = $('#tip-box');

			




	
	
	
		
 
        if (safe) {

			




	
	
	
		
 
        $tipBox.html(tipText);

			




	
	
	
		
 
        } else {

			




	
	
	
		
 
            $tipBox.text(tipText);

			




	
	
	
		
 
        }

			




	
	
	
		
 
        $tipBox.css('display', 'block');

			




	
	
	
		
 
    }

			




	
	
	
		
 
};

			




	
	
	
		
 

			




	
	
	
		
 
var _move_tooltip = function(e){

			




	
	
	
		
 
    e.stopImmediatePropagation();

			




        

    


    
    

    

        

                

                    kallithea/templates/data_table/_dt_elements.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -90,13 +90,13 @@

			




	
	
	
		
 
  <span class="tooltip" date="${last_change}" title="${h.tooltip(h.fmt_date(last_change))}">${h.age(last_change)}</span>

			




	
	
	
		
 
</%def>

			




	
	
	
		
 

			




	
	
	
		
 
<%def name="revision(name,rev,tip,author,last_msg)">

			




	
	
	
		
 
  <div>

			




	
	
	
		
 
  %if rev >= 0:

			




	
	
	
		
 
      <a title="${h.tooltip('%s:\n\n%s' % (author,last_msg))}" class="tooltip revision-link" href="${h.url('changeset_home',repo_name=name,revision=tip)}">${'r%s:%s' % (rev,h.short_id(tip))}</a>

			




	
	
	
		
 
      <a title="${h.tooltip('%s:\n\n%s' % (author,last_msg))}" class="tooltip revision-link safe-html-title" href="${h.url('changeset_home',repo_name=name,revision=tip)}">${'r%s:%s' % (rev,h.short_id(tip))}</a>

			




	
	
	
		
 
  %else:

			




	
	
	
		
 
      ${_('No changesets yet')}

			




	
	
	
		
 
  %endif

			




	
	
	
		
 
  </div>

			




	
	
	
		
 
</%def>

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.