commit/galaxy-central: natefoo: Update tag latest_2014.10.06 for changeset e416697be38e
by commits-noreply@bitbucket.org 12 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/6de18661cad2/
Changeset: 6de18661cad2
Branch: stable
User: natefoo
Date: 2014-12-12 14:00:15+00:00
Summary: Update tag latest_2014.10.06 for changeset e416697be38e
Affected #: 1 file
diff -r e416697be38e66f18be89a4cfca70457c9784294 -r 6de18661cad2ec5885bd5be11c4c6a533cf66115 .hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -20,4 +20,4 @@
ca45b78adb4152fc6e7395514d46eba6b7d0b838 release_2014.08.11
548ab24667d6206780237bd807f7d857a484c461 latest_2014.08.11
2092948937ac30ef82f71463a235c66d34987088 release_2014.10.06
-212e1d5e9be5a9a1e12c834bd545de504753c9fe latest_2014.10.06
+e416697be38e66f18be89a4cfca70457c9784294 latest_2014.10.06
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
commit/galaxy-central: guerler: ToolForm: Activate individual dataset collection selector
by commits-noreply@bitbucket.org 11 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/78354a5f3dfa/
Changeset: 78354a5f3dfa
User: guerler
Date: 2014-12-12 04:42:45+00:00
Summary: ToolForm: Activate individual dataset collection selector
Affected #: 5 files
diff -r 42b5f213c92d395feb1f6d4d2ee691abeb134c42 -r 78354a5f3dfaaec619979cda46892abcd5722e9a client/galaxy/scripts/mvc/tools/tools-section.js
--- a/client/galaxy/scripts/mvc/tools/tools-section.js
+++ b/client/galaxy/scripts/mvc/tools/tools-section.js
@@ -308,9 +308,9 @@
break;
// collection selector
- //case 'data_collection':
- // field = this._fieldData(input_def);
- // break;
+ case 'data_collection':
+ field = this._fieldData(input_def);
+ break;
// data column
case 'data_column':
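Review bot: The new `case 'data_collection'` body on L245–L247 is a verbatim copy of the `_fieldData` dispatch that the `break;` on L240 appears to close (the packed build in this same commit shows `case"data":i=this._fieldData(h);break;` directly before it). A fall-through, `case 'data':` / `case 'data_collection':` / `field = this._fieldData(input_def); break;`, wires both input types to the same view without duplicating the call. The identical hunk in static/scripts/mvc/tools/tools-section.js has the same shape. The enclosing switch (presumably `_createField`) starts and ends outside the hunk.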
diff -r 42b5f213c92d395feb1f6d4d2ee691abeb134c42 -r 78354a5f3dfaaec619979cda46892abcd5722e9a lib/galaxy/tools/parameters/basic.py
--- a/lib/galaxy/tools/parameters/basic.py
+++ b/lib/galaxy/tools/parameters/basic.py
@@ -2262,6 +2262,12 @@
elif isinstance( value, dict ) and 'src' in value and 'id' in value:
if value['src'] == 'hdca':
rval = trans.sa_session.query( trans.app.model.HistoryDatasetCollectionAssociation ).get( trans.app.security.decode_id(value['id']) )
+ elif isinstance( value, list ):
+ if len( value ) > 0:
+ value = value[0]
+ if isinstance( value, dict ) and 'src' in value and 'id' in value:
+ if value['src'] == 'hdca':
+ rval = trans.sa_session.query( trans.app.model.HistoryDatasetCollectionAssociation ).get( trans.app.security.decode_id(value['id']) )
elif isinstance( value, basestring ):
if value.startswith( "dce:" ):
rval = trans.sa_session.query( trans.app.model.DatasetCollectionElement ).get( value[ len( "dce:"): ] )
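Review bot: The new list branch on L257–L262 honours only `value[0]`: a list with several entries drops the rest with no signal, and an empty list falls through and leaves `rval` at whatever it held before this chain, which begins outside the hunk. If a single collection is the only supported shape here, state that and reject the rest, e.g. `if len( value ) != 1: raise ValueError( "expected exactly one collection, got %d" % len( value ) )`; if multi-selection is meant to follow later, at least a `# TODO: only the first selected collection is used` comment makes the truncation visible to the next reader. The hdca lookup on L260–L262 also duplicates L254–L256 and could be avoided by unwrapping the list before the chain rather than inside it.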
@@ -2341,6 +2347,7 @@
def to_dict( self, trans, view='collection', value_mapper=None, other_values=None ):
# create dictionary and fill default parameters
d = super( DataCollectionToolParameter, self ).to_dict( trans )
+ d['extensions'] = self.extensions
d['multiple'] = self.multiple
d['is_dynamic'] = False
d['options'] = {'hda': [], 'hdca': []}
diff -r 42b5f213c92d395feb1f6d4d2ee691abeb134c42 -r 78354a5f3dfaaec619979cda46892abcd5722e9a lib/galaxy/webapps/galaxy/api/tools.py
--- a/lib/galaxy/webapps/galaxy/api/tools.py
+++ b/lib/galaxy/webapps/galaxy/api/tools.py
@@ -570,7 +570,7 @@
value = dict['value'] if 'value' in dict else None
# identify lists
- if dict['type'] == 'data':
+ if dict['type'] in ['data']:
if isinstance(value, list):
value = [ convert(v) for v in value ]
else:
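Review bot: `if dict['type'] in ['data']:` on L281 is equivalent to the `== 'data'` it replaces, so this hunk changes nothing at runtime and reads like an unfinished edit. If collection parameters are meant to be converted here as well (the commit enables `data_collection` in the form), the membership test should name them, e.g. `if dict['type'] in ( 'data', 'data_collection' ):`; otherwise `==` is the clearer form. The local `dict` also shadows the builtin, which makes the line harder to read. The enclosing function starts and ends outside the hunk.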
diff -r 42b5f213c92d395feb1f6d4d2ee691abeb134c42 -r 78354a5f3dfaaec619979cda46892abcd5722e9a static/scripts/mvc/tools/tools-section.js
--- a/static/scripts/mvc/tools/tools-section.js
+++ b/static/scripts/mvc/tools/tools-section.js
@@ -308,9 +308,9 @@
break;
// collection selector
- //case 'data_collection':
- // field = this._fieldData(input_def);
- // break;
+ case 'data_collection':
+ field = this._fieldData(input_def);
+ break;
// data column
case 'data_column':
diff -r 42b5f213c92d395feb1f6d4d2ee691abeb134c42 -r 78354a5f3dfaaec619979cda46892abcd5722e9a static/scripts/packed/mvc/tools/tools-section.js
--- a/static/scripts/packed/mvc/tools/tools-section.js
+++ b/static/scripts/packed/mvc/tools/tools-section.js
@@ -1,1 +1,1 @@
-define(["utils/utils","mvc/ui/ui-table","mvc/ui/ui-misc","mvc/tools/tools-repeat","mvc/tools/tools-select-content","mvc/tools/tools-input"],function(d,b,g,c,a,e){var f=Backbone.View.extend({initialize:function(i,h){this.app=i;this.inputs=h.inputs;h.cls_tr="section-row";this.table=new b.View(h);this.setElement(this.table.$el);this.render()},render:function(){this.table.delAll();for(var h in this.inputs){this._add(this.inputs[h])}},_add:function(j){var i=this;var h=jQuery.extend(true,{},j);h.id=j.id=d.uuid();this.app.input_list[h.id]=h;var k=h.type;switch(k){case"conditional":this._addConditional(h);break;case"repeat":this._addRepeat(h);break;default:this._addRow(h)}},_addConditional:function(h){var j=this;h.test_param.id=h.id;var m=this._addRow(h.test_param);m.options.onchange=function(t){var p=j.app.tree.matchCase(h,t);for(var r in h.cases){var w=h.cases[r];var u=h.id+"-section-"+r;var o=j.table.get(u);var v=false;for(var q in w.inputs){var s=w.inputs[q].type;if(s&&s!=="hidden"){v=true;break}}if(r==p&&v){o.fadeIn("fast")}else{o.hide()}}j.app.refresh()};for(var l in h.cases){var k=h.id+"-section-"+l;var n=new f(this.app,{inputs:h.cases[l].inputs,cls:"ui-table-plain"});n.$el.addClass("ui-table-form-section");this.table.add(n.$el);this.table.append(k)}m.trigger("change")},_addRepeat:function(o){var r=this;var p=0;function m(i,t){var s=o.id+"-section-"+(p++);var u=null;if(t){u=function(){k.del(s);k.retitle(o.title);r.app.rebuild();r.app.refresh()}}var v=new f(r.app,{inputs:i,cls:"ui-table-plain"});k.add({id:s,title:o.title,$el:v.$el,ondel:u});k.retitle(o.title)}var k=new c.View({title_new:o.title,max:o.max,onnew:function(){m(o.inputs,true);r.app.rebuild();r.app.refresh()}});var h=o.min;var q=_.size(o.cache);for(var l=0;l<Math.max(q,h);l++){var n=null;if(l<q){n=o.cache[l]}else{n=o.inputs}m(n,l>=h)}var j=new e(this.app,{label:o.title,help:o.help,field:k});j.$el.addClass("ui-table-form-section");this.table.add(j.$el);this.table.append(o.id)},_addRow:function(h){var 
k=h.id;var i=this._createField(h);if(h.is_dynamic){this.app.is_dynamic=true}this.app.field_list[k]=i;var j=new e(this.app,{label:h.label,optional:h.optional,help:h.help,field:i});this.app.element_list[k]=j;this.table.add(j.$el);this.table.append(k);return i},_createField:function(h){var i=null;switch(h.type){case"text":i=this._fieldText(h);break;case"select":i=this._fieldSelect(h);break;case"data":i=this._fieldData(h);break;case"data_column":h.error_text="Missing columns in referenced dataset.";i=this._fieldSelect(h);break;case"hidden":i=this._fieldHidden(h);break;case"integer":i=this._fieldSlider(h);break;case"float":i=this._fieldSlider(h);break;case"boolean":i=this._fieldBoolean(h);break;case"genomebuild":h.searchable=true;i=this._fieldSelect(h);break;case"drill_down":i=this._fieldDrilldown(h);break;case"baseurl":i=this._fieldHidden(h);break;default:this.app.incompatible=true;if(h.options){i=this._fieldSelect(h)}else{i=this._fieldText(h)}console.debug("tools-form::_addRow() : Auto matched field type ("+h.type+").")}if(h.value!==undefined){i.value(h.value)}return i},_fieldData:function(h){var i=this;return new a.View(this.app,{id:"field-"+h.id,extensions:h.extensions,multiple:h.multiple,type:h.type,data:h.options,onchange:function(){i.app.refresh()}})},_fieldSelect:function(h){var k=[];for(var l in h.options){var m=h.options[l];k.push({label:m[0],value:m[1]})}var n=g.Select;switch(h.display){case"checkboxes":n=g.Checkbox;break;case"radio":n=g.Radio;break}var j=this;return new n.View({id:"field-"+h.id,data:k,error_text:h.error_text||"No options available",multiple:h.multiple,searchable:h.searchable,onchange:function(){j.app.refresh()}})},_fieldDrilldown:function(h){var i=this;return new g.Drilldown.View({id:"field-"+h.id,data:h.options,display:h.display,onchange:function(){i.app.refresh()}})},_fieldText:function(h){var i=this;return new g.Input({id:"field-"+h.id,area:h.area,onchange:function(){i.app.refresh()}})},_fieldSlider:function(h){return new 
g.Slider.View({id:"field-"+h.id,precise:h.type=="float",min:h.min,max:h.max})},_fieldHidden:function(h){return new g.Hidden({id:"field-"+h.id})},_fieldBoolean:function(h){return new g.RadioButton.View({id:"field-"+h.id,data:[{label:"Yes",value:"true"},{label:"No",value:"false"}]})}});return{View:f}});
\ No newline at end of file
+define(["utils/utils","mvc/ui/ui-table","mvc/ui/ui-misc","mvc/tools/tools-repeat","mvc/tools/tools-select-content","mvc/tools/tools-input"],function(d,b,g,c,a,e){var f=Backbone.View.extend({initialize:function(i,h){this.app=i;this.inputs=h.inputs;h.cls_tr="section-row";this.table=new b.View(h);this.setElement(this.table.$el);this.render()},render:function(){this.table.delAll();for(var h in this.inputs){this._add(this.inputs[h])}},_add:function(j){var i=this;var h=jQuery.extend(true,{},j);h.id=j.id=d.uuid();this.app.input_list[h.id]=h;var k=h.type;switch(k){case"conditional":this._addConditional(h);break;case"repeat":this._addRepeat(h);break;default:this._addRow(h)}},_addConditional:function(h){var j=this;h.test_param.id=h.id;var m=this._addRow(h.test_param);m.options.onchange=function(t){var p=j.app.tree.matchCase(h,t);for(var r in h.cases){var w=h.cases[r];var u=h.id+"-section-"+r;var o=j.table.get(u);var v=false;for(var q in w.inputs){var s=w.inputs[q].type;if(s&&s!=="hidden"){v=true;break}}if(r==p&&v){o.fadeIn("fast")}else{o.hide()}}j.app.refresh()};for(var l in h.cases){var k=h.id+"-section-"+l;var n=new f(this.app,{inputs:h.cases[l].inputs,cls:"ui-table-plain"});n.$el.addClass("ui-table-form-section");this.table.add(n.$el);this.table.append(k)}m.trigger("change")},_addRepeat:function(o){var r=this;var p=0;function m(i,t){var s=o.id+"-section-"+(p++);var u=null;if(t){u=function(){k.del(s);k.retitle(o.title);r.app.rebuild();r.app.refresh()}}var v=new f(r.app,{inputs:i,cls:"ui-table-plain"});k.add({id:s,title:o.title,$el:v.$el,ondel:u});k.retitle(o.title)}var k=new c.View({title_new:o.title,max:o.max,onnew:function(){m(o.inputs,true);r.app.rebuild();r.app.refresh()}});var h=o.min;var q=_.size(o.cache);for(var l=0;l<Math.max(q,h);l++){var n=null;if(l<q){n=o.cache[l]}else{n=o.inputs}m(n,l>=h)}var j=new e(this.app,{label:o.title,help:o.help,field:k});j.$el.addClass("ui-table-form-section");this.table.add(j.$el);this.table.append(o.id)},_addRow:function(h){var 
k=h.id;var i=this._createField(h);if(h.is_dynamic){this.app.is_dynamic=true}this.app.field_list[k]=i;var j=new e(this.app,{label:h.label,optional:h.optional,help:h.help,field:i});this.app.element_list[k]=j;this.table.add(j.$el);this.table.append(k);return i},_createField:function(h){var i=null;switch(h.type){case"text":i=this._fieldText(h);break;case"select":i=this._fieldSelect(h);break;case"data":i=this._fieldData(h);break;case"data_collection":i=this._fieldData(h);break;case"data_column":h.error_text="Missing columns in referenced dataset.";i=this._fieldSelect(h);break;case"hidden":i=this._fieldHidden(h);break;case"integer":i=this._fieldSlider(h);break;case"float":i=this._fieldSlider(h);break;case"boolean":i=this._fieldBoolean(h);break;case"genomebuild":h.searchable=true;i=this._fieldSelect(h);break;case"drill_down":i=this._fieldDrilldown(h);break;case"baseurl":i=this._fieldHidden(h);break;default:this.app.incompatible=true;if(h.options){i=this._fieldSelect(h)}else{i=this._fieldText(h)}console.debug("tools-form::_addRow() : Auto matched field type ("+h.type+").")}if(h.value!==undefined){i.value(h.value)}return i},_fieldData:function(h){var i=this;return new a.View(this.app,{id:"field-"+h.id,extensions:h.extensions,multiple:h.multiple,type:h.type,data:h.options,onchange:function(){i.app.refresh()}})},_fieldSelect:function(h){var k=[];for(var l in h.options){var m=h.options[l];k.push({label:m[0],value:m[1]})}var n=g.Select;switch(h.display){case"checkboxes":n=g.Checkbox;break;case"radio":n=g.Radio;break}var j=this;return new n.View({id:"field-"+h.id,data:k,error_text:h.error_text||"No options available",multiple:h.multiple,searchable:h.searchable,onchange:function(){j.app.refresh()}})},_fieldDrilldown:function(h){var i=this;return new g.Drilldown.View({id:"field-"+h.id,data:h.options,display:h.display,onchange:function(){i.app.refresh()}})},_fieldText:function(h){var i=this;return new 
g.Input({id:"field-"+h.id,area:h.area,onchange:function(){i.app.refresh()}})},_fieldSlider:function(h){return new g.Slider.View({id:"field-"+h.id,precise:h.type=="float",min:h.min,max:h.max})},_fieldHidden:function(h){return new g.Hidden({id:"field-"+h.id})},_fieldBoolean:function(h){return new g.RadioButton.View({id:"field-"+h.id,data:[{label:"Yes",value:"true"},{label:"No",value:"false"}]})}});return{View:f}});
\ No newline at end of file
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
commit/galaxy-central: jmchilton: Bug fix for collections 2dc383c.
by commits-noreply@bitbucket.org 11 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/42b5f213c92d/
Changeset: 42b5f213c92d
User: jmchilton
Date: 2014-12-11 19:44:18+00:00
Summary: Bug fix for collections 2dc383c.
Affected #: 1 file
diff -r 72143d1079be191695e7ce2171926e891795bd7a -r 42b5f213c92d395feb1f6d4d2ee691abeb134c42 lib/galaxy/tools/parameters/basic.py
--- a/lib/galaxy/tools/parameters/basic.py
+++ b/lib/galaxy/tools/parameters/basic.py
@@ -2171,7 +2171,7 @@
def _history_query( self, trans ):
dataset_collection_type_descriptions = trans.app.dataset_collections_service.collection_type_descriptions
- return history_query.HistoryQuery.from_parameter_elem( self.elem, dataset_collection_type_descriptions )
+ return history_query.HistoryQuery.from_parameter( self, dataset_collection_type_descriptions )
def get_html_field( self, trans=None, value=None, other_values={} ):
# dropped refresh values, may be needed..
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
3 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/daa0c69e8378/
Changeset: daa0c69e8378
Branch: next-stable
User: davebgx
Date: 2014-12-11 19:19:44+00:00
Summary: Merge stable changes to next-stable.
Affected #: 67 files
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 .hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -20,4 +20,4 @@
ca45b78adb4152fc6e7395514d46eba6b7d0b838 release_2014.08.11
548ab24667d6206780237bd807f7d857a484c461 latest_2014.08.11
2092948937ac30ef82f71463a235c66d34987088 release_2014.10.06
-782cf1a1f6b56f8a9c0b3e5e9ffd29fd93b16ce3 latest_2014.10.06
+212e1d5e9be5a9a1e12c834bd545de504753c9fe latest_2014.10.06
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/web/base/controllers/admin.py
--- a/lib/galaxy/web/base/controllers/admin.py
+++ b/lib/galaxy/web/base/controllers/admin.py
@@ -7,6 +7,7 @@
from galaxy.web.form_builder import CheckboxField
from string import punctuation as PUNCTUATION
import galaxy.queue_worker
+from markupsafe import escape
from tool_shed.util import shed_util_common as suc
@@ -28,7 +29,7 @@
@web.expose
@web.require_admin
def index( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if trans.webapp.name == 'galaxy':
installed_repositories = trans.install_model.context.query( trans.install_model.ToolShedRepository ).first()
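Review bot: `escape()` now wraps `message` on L377, but `status` on L378 is read from the same `kwd` and, judging by the `fill_template( ..., message=message, status=status )` calls elsewhere in this commit, reaches the template by the same route; unless the mako templates autoescape, a reflected `status` renders as raw as `message` did. Escaping it alongside, `status = escape( kwd.get( 'status', 'done' ) )`, or restricting it to the known status values, closes that gap. The same applies to the `center` hunk below and to every `status = kwd.get( 'status', 'done' )` line left untouched in the demo_sequencer, admin and admin_toolshed hunks of this commit. `index`'s body continues outside the hunk.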
@@ -46,7 +47,7 @@
@web.expose
@web.require_admin
def center( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if trans.webapp.name == 'galaxy':
return trans.fill_template( '/webapps/galaxy/admin/center.mako',
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/demo_sequencer/controllers/common.py
--- a/lib/galaxy/webapps/demo_sequencer/controllers/common.py
+++ b/lib/galaxy/webapps/demo_sequencer/controllers/common.py
@@ -4,6 +4,7 @@
import time, socket, urllib, urllib2, base64, copy
from galaxy.util.json import *
from urllib import quote_plus, unquote_plus
+from markupsafe import escape
import logging
log = logging.getLogger( __name__ )
@@ -16,7 +17,7 @@
titles = util.listify( titles )
JobId = util.restore_text( kwd.get( 'JobId', '' ) )
sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
redirect_delay = trans.app.sequencer_actions_registry.redirect_delay
sequencer_redirects = copy.deepcopy( trans.app.sequencer_actions_registry.sequencer_redirects )
@@ -144,7 +145,7 @@
titles = util.restore_text( kwd.get( 'titles', '' ) )
JobId = util.restore_text( kwd.get( 'JobId', '' ) )
sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
url, http_method, request_params, response_type = request_tup
url = unquote_plus( url )
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/galaxy/controllers/admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin.py
@@ -17,6 +17,7 @@
from galaxy.web.params import QuotaParamParser
from tool_shed.util import common_util
from tool_shed.util import encoding_util
+from markupsafe import escape
log = logging.getLogger( __name__ )
@@ -838,7 +839,7 @@
@web.expose
@web.require_admin
def review_tool_migration_stages( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
migration_stages_dict = odict()
migration_modules = []
@@ -870,13 +871,13 @@
@web.expose
@web.require_admin
def view_datatypes_registry( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
return trans.fill_template( 'admin/view_datatypes_registry.mako', message=message, status=status )
@web.expose
@web.require_admin
def view_tool_data_tables( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
return trans.fill_template( 'admin/view_data_tables_registry.mako', message=message, status=status )
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
@@ -8,6 +8,7 @@
from galaxy.web.form_builder import CheckboxField
from galaxy.util import json
from galaxy.model.orm import or_
+from markupsafe import escape
import tool_shed.repository_types.util as rt_util
@@ -52,7 +53,7 @@
try:
trans.app.installed_repository_manager.activate_repository( repository )
except Exception, e:
- error_message = "Error activating repository %s: %s" % ( repository.name, str( e ) )
+ error_message = "Error activating repository %s: %s" % ( escape( repository.name ), str( e ) )
log.exception( error_message )
message = '%s.<br/>You may be able to resolve this by uninstalling and then reinstalling the repository. Click <a href="%s">here</a> to uninstall the repository.' \
% ( error_message, web.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) ) )
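Review bot: `repository.name` is escaped on L465, but `str( e )` is still interpolated into the same HTML `error_message` and then, on L467–L468, into a `message` that carries `<br/>` and `<a href>` markup; exception text can contain arbitrary strings (including values echoed back from a failed operation), so it deserves `escape( str( e ) )` too. The same unescaped `str( e )` appears at L656, `errors` at L530 and `str( repository_id )` at L557 (`repository_id` is read from `kwd` in the neighbouring hunks), all inside messages this commit otherwise escapes. The enclosing method starts outside the hunk.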
@@ -62,7 +63,7 @@
id=repository_id,
message=message,
status=status ) )
- message = 'The <b>%s</b> repository has been activated.' % repository.name
+ message = 'The <b>%s</b> repository has been activated.' % escape( repository.name )
status = 'done'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -72,7 +73,7 @@
@web.expose
@web.require_admin
def browse_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = repository_util.get_installed_tool_shed_repository( trans.app, kwd[ 'id' ] )
return trans.fill_template( '/admin/tool_shed_repository/browse_repository.mako',
@@ -141,7 +142,7 @@
action='reselect_tool_panel_section',
**kwd ) )
else:
- message = "Unable to get latest revision for repository <b>%s</b> from " % str( repository.name )
+ message = "Unable to get latest revision for repository <b>%s</b> from " % escape( str( repository.name ) )
message += "the Tool Shed, so repository re-installation is not possible at this time."
status = "error"
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
@@ -169,7 +170,7 @@
@web.expose
@web.require_admin
def browse_tool_dependency( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
tool_dependency = tool_dependency_util.get_tool_dependency( trans.app, tool_dependency_ids[ 0 ] )
@@ -197,7 +198,7 @@
@web.expose
@web.require_admin
def browse_tool_sheds( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.fill_template( '/webapps/galaxy/admin/tool_sheds.mako',
message=message,
@@ -230,7 +231,7 @@
require the same entry. For now we'll never delete entries from config.shed_tool_data_table_config,
but we may choose to do so in the future if it becomes necessary.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
remove_from_disk = kwd.get( 'remove_from_disk', '' )
remove_from_disk_checked = CheckboxField.is_checked( remove_from_disk )
@@ -303,14 +304,14 @@
trans.install_model.context.add( tool_shed_repository )
trans.install_model.context.flush()
if remove_from_disk_checked:
- message = 'The repository named <b>%s</b> has been uninstalled. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been uninstalled. ' % escape( tool_shed_repository.name )
if errors:
message += 'Attempting to uninstall tool dependencies resulted in errors: %s' % errors
status = 'error'
else:
status = 'done'
else:
- message = 'The repository named <b>%s</b> has been deactivated. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been deactivated. ' % escape( tool_shed_repository.name )
status = 'done'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -442,7 +443,7 @@
@web.require_admin
def import_workflow( self, trans, workflow_name, repository_id, **kwd ):
"""Import a workflow contained in an installed tool shed repository into Galaxy."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if workflow_name:
workflow_name = encoding_util.tool_shed_decode( workflow_name )
@@ -453,7 +454,7 @@
workflow_name = encoding_util.tool_shed_encode( str( workflow.name ) )
else:
message += 'Unable to locate a workflow named <b>%s</b> within the installed tool shed repository named <b>%s</b>' % \
- ( str( workflow_name ), str( repository.name ) )
+ ( escape( str( workflow_name ) ), escape( str( repository.name ) ) )
status = 'error'
else:
message = 'Invalid repository id <b>%s</b> received.' % str( repository_id )
@@ -479,7 +480,7 @@
tool shed repository.
"""
# Get the tool_shed_repository from one of the tool_dependencies.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
err_msg = ''
tool_shed_repository = tool_dependencies[ 0 ].tool_shed_repository
@@ -512,7 +513,7 @@
@web.require_admin
def install_latest_repository_revision( self, trans, **kwd ):
"""Install the latest installable revision of a repository that has been previously installed."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id is not None:
@@ -589,7 +590,7 @@
updating_to_changeset_revision = kwd.get( 'updating_to_changeset_revision', None )
updating_to_ctx_rev = kwd.get( 'updating_to_ctx_rev', None )
encoded_updated_metadata = kwd.get( 'encoded_updated_metadata', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
install_tool_dependencies = CheckboxField.is_checked( kwd.get( 'install_tool_dependencies', '' ) )
if 'install_tool_dependencies_with_update_button' in kwd:
@@ -609,7 +610,7 @@
relative_install_dir,
set_status=False )
message = "The installed repository named '%s' has been updated to change set revision '%s'. " % \
- ( str( repository.name ), updating_to_changeset_revision )
+ ( escape( str( repository.name ) ), updating_to_changeset_revision )
self.initiate_tool_dependency_installation( trans, tool_dependencies, message=message, status=status )
# Handle tool dependencies check box.
if trans.app.config.tool_dependency_dir is None:
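Review bot: The rewritten tuple on L590 escapes `repository.name` but leaves `updating_to_changeset_revision` raw, although the preceding hunk reads it straight from the request (`kwd.get( 'updating_to_changeset_revision', None )` on L577) and the message is built for display. `( escape( str( repository.name ) ), escape( str( updating_to_changeset_revision ) ) )` treats both interpolations the same way. The enclosing method starts and ends outside the hunk.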
@@ -665,7 +666,7 @@
@web.expose
@web.require_admin
def manage_repositories( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tsridslist = common_util.get_tool_shed_repository_ids( **kwd )
if 'operation' in kwd:
@@ -744,7 +745,7 @@
@web.expose
@web.require_admin
def manage_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id is None:
@@ -808,7 +809,7 @@
@web.expose
@web.require_admin
def manage_repository_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
if tool_dependency_ids:
@@ -890,7 +891,7 @@
def manage_tool_dependencies( self, trans, **kwd ):
# This method is called when tool dependencies are being installed. See the related manage_repository_tool_dependencies
# method for managing the tool dependencies for a specified installed tool shed repository.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
repository_id = kwd.get( 'repository_id', None )
@@ -902,7 +903,7 @@
# The user must be on the manage_repository_tool_dependencies page and clicked the button to either install or uninstall a
# tool dependency, but they didn't check any of the available tool dependencies on which to perform the action.
tool_shed_repository = suc.get_tool_shed_repository_by_id( trans.app, repository_id )
- self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % tool_shed_repository.name
+ self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % escape( tool_shed_repository.name )
if 'operation' in kwd:
operation = kwd[ 'operation' ].lower()
if not tool_dependency_ids:
@@ -978,7 +979,7 @@
message += 'of Galaxy Tool Shed repository tools into a local Galaxy instance</a> section of the Galaxy Tool '
message += 'Shed wiki for all of the details.'
return trans.show_error_message( message )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
shed_tool_conf = kwd.get( 'shed_tool_conf', None )
tool_shed_url = kwd.get( 'tool_shed_url', '' )
@@ -1030,7 +1031,7 @@
# The Tool Shed cannot handle the get_repository_id request, so the code must be older than the
# 04/2014 Galaxy release when it was introduced. It will be safest to error out and let the
# Tool Shed admin update the Tool Shed to a later release.
- message = 'The updates available for the repository <b>%s</b> ' % str( repository.name )
+ message = 'The updates available for the repository <b>%s</b> ' % escape( str( repository.name ) )
message += 'include newly defined repository or tool dependency definitions, and attempting '
message += 'to update the repository resulted in the following error. Contact the Tool Shed '
message += 'administrator if necessary.<br/>%s' % str( e )
@@ -1314,7 +1315,7 @@
and tool dependencies of the repository.
"""
rdim = repository_dependency_manager.RepositoryDependencyInstallManager( trans.app )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd[ 'id' ]
tool_shed_repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
@@ -1450,7 +1451,7 @@
Inspect the repository dependency hierarchy for a specified repository and attempt to make sure they are all properly installed as well as
each repository's tool dependencies.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if not repository_id:
@@ -1648,12 +1649,12 @@
no_changes_check_box = CheckboxField( 'no_changes', checked=True )
if original_section_name:
message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel section <b>%s</b>. " \
- % ( tool_shed_repository.name, original_section_name )
+ % ( escape( tool_shed_repository.name ), original_section_name )
message += "Uncheck the <b>No changes</b> check box and select a different tool panel section to load the tools in a "
message += "different section in the tool panel. "
status = 'warning'
else:
- message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % tool_shed_repository.name
+ message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % escape( tool_shed_repository.name )
message += "Uncheck the <b>No changes</b> check box and select a tool panel section to load the tools into that section. "
status = 'warning'
else:
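Review bot: L680 escapes `tool_shed_repository.name` but interpolates `original_section_name` unescaped into the same `<b>%s</b>` slot; unless that value is known to be generated rather than read from a request or a config file, it should get the same `escape( original_section_name )` treatment. Separately, if `message` in this function is initialised as `escape( kwd.get( 'message', '' ) )` like the other handlers in this commit (its initialisation is outside the hunk), it is a `markupsafe.Markup`, and `Markup.__add__` escapes a plain-str right operand, so the `<b>` tags on L678 and L685 would be rendered literally. Building these strings as `Markup( "... <b>%s</b> ..." ) % ( name, section )` escapes only the values and keeps the markup.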
@@ -1715,7 +1716,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = irmm.reset_metadata_on_selected_repositories( trans.user, **kwd )
else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = irmm.build_repository_ids_select_field()
return trans.fill_template( '/admin/tool_shed_repository/reset_metadata_on_selected_repositories.mako',
@@ -1749,13 +1750,13 @@
irmm.update_in_shed_tool_config()
trans.install_model.context.add( repository )
trans.install_model.context.flush()
- message = 'Metadata has been reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata has been reset on repository <b>%s</b>.' % escape( repository.name )
status = 'done'
else:
- message = 'Metadata did not need to be reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata did not need to be reset on repository <b>%s</b>.' % escape( repository.name )
status = 'done'
else:
- message = 'Error locating installation directory for repository <b>%s</b>.' % repository.name
+ message = 'Error locating installation directory for repository <b>%s</b>.' % escape( repository.name )
status = 'error'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='manage_repository',
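Review bot: The messages built on L704, L708 and L712 wrap an already-escaped name in literal `<b>` tags and are then handed to `send_redirect( ... message=message ... )` for `manage_repository`; if that action now applies `escape( kwd.get( 'message', '' ) )` on receipt, as every other handler in this commit does, the tags will be displayed literally and the name double-escaped (`&lt;` becomes `&amp;lt;`). The same redirect-with-markup pattern appears in the hunks ending at L724 and L784. Escaping belongs to exactly one layer: either send `repository.name` unescaped and rely on the receiving action's escape, or have the receiver treat the message as `Markup` and escape only the interpolated values. The enclosing function's start is outside the hunk.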
@@ -1777,7 +1778,7 @@
uninstalled=False,
remove_from_disk=True )
new_kwd = {}
- new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % str( repository.name )
+ new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % escape( str( repository.name ) )
new_kwd[ 'status' ] = "done"
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -1808,7 +1809,7 @@
message = "Tool versions have been set for all included tools."
status = 'done'
else:
- message = "Version information for the tools included in the <b>%s</b> repository is missing. " % repository.name
+ message = "Version information for the tools included in the <b>%s</b> repository is missing. " % escape( repository.name )
message += "Reset all of this reppository's metadata in the tool shed, then set the installed tool versions "
message ++ "from the installed repository's <b>Repository Actions</b> menu. "
status = 'error'
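Review bot: L732, a context line in the error branch right below the changed line, reads `message ++ "from the installed ..."`; that parses as `message + (+"...")`, which raises `TypeError` on the unary plus and would discard the text even if it did not, so the missing-version-information path crashes instead of showing its message. It should be `message += "from the installed repository's <b>Repository Actions</b> menu. "`, and `reppository` on L731 is a typo in user-facing text.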
@@ -1852,7 +1853,7 @@
@web.expose
@web.require_admin
def uninstall_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
if not tool_dependency_ids:
@@ -1897,7 +1898,7 @@
@web.require_admin
def update_to_changeset_revision( self, trans, **kwd ):
"""Update a cloned repository to the latest revision possible."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_shed_url = kwd.get( 'tool_shed_url', '' )
# Handle protocol changes over time.
@@ -2070,7 +2071,7 @@
@web.expose
@web.require_admin
def update_tool_shed_status_for_installed_repository( self, trans, all_installed_repositories=False, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if all_installed_repositories:
success_count = 0
@@ -2083,7 +2084,7 @@
if ok:
success_count += 1
else:
- repository_names_not_updated.append( '<b>%s</b>' % str( repository.name ) )
+ repository_names_not_updated.append( '<b>%s</b>' % escape( str( repository.name ) ) )
if updated:
updated_count += 1
message = "Checked the status in the tool shed for %d repositories. " % success_count
@@ -2098,11 +2099,11 @@
repository_util.check_or_update_tool_shed_status_for_installed_repository( trans.app, repository )
if ok:
if updated:
- message = "The tool shed status for repository <b>%s</b> has been updated." % str( repository.name )
+ message = "The tool shed status for repository <b>%s</b> has been updated." % escape( str( repository.name ) )
else:
- message = "The status has not changed in the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "The status has not changed in the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
else:
- message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
status = 'error'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -2112,7 +2113,7 @@
@web.expose
@web.require_admin
def view_tool_metadata( self, trans, repository_id, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
repository_metadata = repository.metadata
@@ -2146,7 +2147,7 @@
@web.require_admin
def view_workflow( self, trans, workflow_name=None, repository_id=None, **kwd ):
"""Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if workflow_name:
workflow_name = encoding_util.tool_shed_decode( workflow_name )
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -5,8 +5,9 @@
from galaxy import web
from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import escape, grids, time_ago
+from galaxy.web.framework.helpers import grids, time_ago
from library_common import get_comptypes, lucene_search, whoosh_search
+from markupsafe import escape
# from galaxy.model.orm import *
log = logging.getLogger( __name__ )
@@ -148,7 +149,7 @@
@web.expose
@web.require_admin
def create_library( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if kwd.get( 'create_library_button', False ):
name = kwd.get( 'name', 'No name' )
@@ -161,12 +162,12 @@
library.root_folder = root_folder
trans.sa_session.add_all( ( library, root_folder ) )
trans.sa_session.flush()
- message = "The new library named '%s' has been created" % library.name
+ message = "The new library named '%s' has been created"
return trans.response.send_redirect( web.url_for( controller='library_common',
action='browse_library',
cntrller='library_admin',
id=trans.security.encode_id( library.id ),
- message=message,
+ message=escape( message ),
status='done' ) )
return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) )
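Review bot: L829 drops the `% library.name` substitution, so the redirect message is now the literal string `The new library named '%s' has been created`. On top of that, L835 escapes the message before the redirect and `browse_library` escapes `kwd[ 'message' ]` again on receipt (L854 in this same diff), so the apostrophes would arrive as `&amp;#39;`. Restore the substitution and pass the message through unescaped, letting the receiving action escape it: `message = "The new library named '%s' has been created" % library.name` and `message=message,`.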
@web.expose
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/galaxy/controllers/library_common.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_common.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py
@@ -20,7 +20,7 @@
from galaxy.util.streamball import StreamBall
from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems
from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field
-from galaxy.web.framework.helpers import escape
+from markupsafe import escape
from galaxy.model.orm import and_, eagerload_all
# Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled.
@@ -93,7 +93,7 @@
@web.expose
def browse_library( self, trans, cntrller='library', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# If use_panels is True, the library is being accessed via an external link
# which did not originate from within the Galaxy instance, and the library will
@@ -121,7 +121,7 @@
hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) )
if created_ldda_ids and not message:
message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \
- ( len( created_ldda_ids.split( ',' ) ), library.name )
+ ( len( created_ldda_ids.split( ',' ) ), escape( library.name ) )
message += "Don't navigate away from Galaxy or use the browser's \"stop\" or \"reload\" buttons (on this tab) until the "
message += "message \"This job is running\" is cleared from the \"Information\" column below for each selected dataset."
status = "info"
@@ -152,7 +152,7 @@
message=escape( message ),
status=escape( status ) )
except Exception, e:
- message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) )
+ message = 'Error attempting to display contents of library (%s): %s.' % ( escape( str( library.name ) ), str( e ) )
status = 'error'
default_action = kwd.get( 'default_action', None )
@@ -165,7 +165,7 @@
@web.expose
def library_info( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -225,7 +225,7 @@
@web.expose
def library_permissions( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -272,7 +272,7 @@
@web.expose
def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -349,7 +349,7 @@
@web.expose
def folder_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -406,7 +406,7 @@
@web.expose
def folder_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -456,7 +456,7 @@
@web.expose
def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -511,7 +511,7 @@
old_name = ldda.name
new_name = kwd.get( 'name', '' )
new_info = kwd.get( 'info', '' )
- new_message = kwd.get( 'message', '' )
+ new_message = escape( kwd.get( 'message', '' ) )
if not new_name:
message = 'Enter a valid name'
status = 'error'
@@ -609,7 +609,7 @@
@web.expose
def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) )
@@ -658,7 +658,7 @@
@web.expose
def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -796,9 +796,9 @@
@web.expose
def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
deleted = util.string_as_bool( kwd.get( 'deleted', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1056,7 +1056,7 @@
dataset_upload_inputs.append( input )
# Library-specific params
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
server_dir = kwd.get( 'server_dir', '' )
if replace_dataset not in [ None, 'None' ]:
@@ -1271,9 +1271,9 @@
@web.expose
def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
show_deleted = kwd.get( 'show_deleted', False )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
replace_id = kwd.get( 'replace_id', None )
@@ -1567,7 +1567,7 @@
@web.expose
def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1616,7 +1616,7 @@
@web.expose
def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1664,7 +1664,7 @@
@web.expose
def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1726,7 +1726,7 @@
rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath )
return rval
# Perform an action on a list of library datasets.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2002,7 +2002,7 @@
# - a select list option for acting on multiple selected datasets within a library
# ( ldda_ids is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2126,7 +2126,7 @@
def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ):
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' )
current_user_roles = trans.get_current_user_roles()
@@ -2177,7 +2177,7 @@
# 'ldda' and item_id is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a
# comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2760,7 +2760,7 @@
def lucene_search( trans, cntrller, search_term, search_url, **kwd ):
"""Return display of results from a full-text lucene search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) )
response = urllib2.urlopen( full_url )
@@ -2771,7 +2771,7 @@
def whoosh_search( trans, cntrller, search_term, **kwd ):
"""Return display of results from a full-text whoosh search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
ok = True
if whoosh_search_enabled:
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -29,6 +29,8 @@
UsesFormDefinitionsMixin)
from galaxy.web.form_builder import build_select_field, CheckboxField
from galaxy.web.framework.helpers import escape, grids, time_ago
+from galaxy.web.framework.helpers import time_ago, grids
+from markupsafe import escape
log = logging.getLogger( __name__ )
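Review bot: L1061 still imports `escape` from `galaxy.web.framework.helpers`, and L1062 re-imports `time_ago, grids` from the same module, so the hunk leaves a duplicate import and a shadowed name; `escape` resolves to the markupsafe one only because L1063 happens to come last. Replace L1061 and L1062 with the single line `from galaxy.web.framework.helpers import grids, time_ago` so that the module's intent (markupsafe `escape` only) is explicit, matching the library_admin and workflow hunks.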
@@ -252,7 +254,7 @@
if not trans.app.config.enable_openid:
return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
email = kwd.get( 'email', '' )
username = kwd.get( 'username', '' )
@@ -498,7 +500,7 @@
def __validate_login( self, trans, **kwd ):
"""Validates numerous cases that might happen during the login time."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'error' )
email = kwd.get( 'email', '' )
password = kwd.get( 'password', '' )
@@ -713,7 +715,7 @@
email = util.restore_text( kwd.get( 'email', '' ) )
password = kwd.get( 'password', '' )
username = util.restore_text( kwd.get( 'username', '' ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
is_admin = cntrller == 'admin' and trans.user_is_admin()
user = self.create_user( trans=trans, email=email, username=username, password=password )
@@ -1107,7 +1109,7 @@
"""Reset the user's password. Send an email with the new password."""
if trans.app.config.smtp_server is None:
return trans.show_error_message( "Mail is not configured for this Galaxy instance. Please contact your local Galaxy administrator." )
- message = util.sanitize_text(util.restore_text( kwd.get( 'message', '' ) ))
+ message = util.sanitize_text( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
if kwd.get( 'reset_password_button', False ):
reset_user = trans.sa_session.query( trans.app.model.User ).filter( trans.app.model.User.table.c.email == email ).first()
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -22,7 +22,7 @@
from galaxy.web import error, url_for
from galaxy.web.base.controller import BaseUIController, SharableMixin, UsesStoredWorkflowMixin
from galaxy.web.framework.formbuilder import form
-from galaxy.web.framework.helpers import grids, time_ago, to_unicode, escape
+from galaxy.web.framework.helpers import grids, time_ago, to_unicode
from galaxy.workflow.modules import WorkflowModuleInjector
from galaxy.workflow.modules import MissingToolException
from galaxy.workflow.modules import module_factory, is_tool_module_type
@@ -37,6 +37,7 @@
order_workflow_steps_with_levels,
)
from galaxy.workflow.render import WorkflowCanvas, MARGIN, LINE_SPACING
+from markupsafe import escape
class StoredWorkflowListGrid( grids.Grid ):
@@ -1021,7 +1022,7 @@
"""
url = kwd.get( 'url', '' )
workflow_text = kwd.get( 'workflow_text', '' )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
import_button = kwd.get( 'import_button', False )
# The special Galaxy integration landing page's URL on myExperiment
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/reports/controllers/users.py
--- a/lib/galaxy/webapps/reports/controllers/users.py
+++ b/lib/galaxy/webapps/reports/controllers/users.py
@@ -9,17 +9,19 @@
pkg_resources.require( "SQLAlchemy >= 0.4" )
import sqlalchemy as sa
import logging
+from markupsafe import escape
+
log = logging.getLogger( __name__ )
class Users( BaseUIController ):
@web.expose
def registered_users( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
num_users = trans.sa_session.query( galaxy.model.User ).count()
return trans.fill_template( '/webapps/reports/registered_users.mako', num_users=num_users, message=message )
@web.expose
def registered_users_per_month( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
q = sa.select( ( sa.func.date_trunc( 'month', sa.func.date( galaxy.model.User.table.c.create_time ) ).label( 'date' ),
sa.func.count( galaxy.model.User.table.c.id ).label( 'num_users' ) ),
from_obj = [ galaxy.model.User.table ],
@@ -36,7 +38,7 @@
message=message )
@web.expose
def specified_month( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
# If specified_date is not received, we'll default to the current month
specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
specified_month = specified_date[ :7 ]
@@ -66,7 +68,7 @@
message=message )
@web.expose
def specified_date( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
# If specified_date is not received, we'll default to the current month
specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
year, month, day = map( int, specified_date.split( "-" ) )
@@ -95,7 +97,7 @@
message=message )
@web.expose
def last_access_date( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
not_logged_in_for_days = kwd.get( 'not_logged_in_for_days', 90 )
if not not_logged_in_for_days:
not_logged_in_for_days = 0
@@ -120,7 +122,7 @@
@web.expose
def user_disk_usage( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
user_cutoff = int( kwd.get( 'user_cutoff', 60 ) )
# disk_usage isn't indexed
users = sorted( trans.sa_session.query( galaxy.model.User ).all(), key=operator.attrgetter( 'disk_usage' ), reverse=True )
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/tool_shed/controllers/admin.py
--- a/lib/galaxy/webapps/tool_shed/controllers/admin.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/admin.py
@@ -3,6 +3,7 @@
from galaxy import util
from galaxy.util import inflector
from galaxy import web
+from markupsafe import escape
from galaxy.web.base.controller import BaseUIController
from galaxy.web.base.controllers.admin import Admin
@@ -121,7 +122,7 @@
@web.expose
@web.require_admin
def create_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
name = kwd.get( 'name', '' ).strip()
description = kwd.get( 'description', '' ).strip()
@@ -154,7 +155,7 @@
@web.expose
@web.require_admin
def delete_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -197,7 +198,7 @@
@web.expose
@web.require_admin
def delete_repository_metadata( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -221,7 +222,7 @@
@web.expose
@web.require_admin
def edit_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -306,7 +307,7 @@
@web.expose
@web.require_admin
def regenerate_statistics( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'regenerate_statistics_button' in kwd:
trans.app.shed_counter.generate_statistics()
@@ -352,7 +353,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = rmm.reset_metadata_on_selected_repositories( **kwd )
else:
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids',
multiple=True,
@@ -366,7 +367,7 @@
@web.expose
@web.require_admin
def undelete_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -417,7 +418,7 @@
# TODO: We should probably eliminate the Category.deleted column since it really makes no
# sense to mark a category as deleted (category names and descriptions can be changed instead).
# If we do this, and the following 2 methods can be eliminated.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -445,7 +446,7 @@
# This method should only be called for a Category that has previously been deleted.
# Purging a deleted Category deletes all of the following from the database:
# - RepoitoryCategoryAssociations where category_id == Category.id
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -473,7 +474,7 @@
@web.expose
@web.require_admin
def undelete_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/tool_shed/controllers/repository.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py
@@ -6,6 +6,7 @@
from time import strftime
from datetime import date
from datetime import datetime
+from markupsafe import escape
from galaxy import util
from galaxy import web
@@ -385,7 +386,7 @@
action='reviewed_repositories_i_own' ) )
elif operation == "repositories_by_category":
category_id = kwd.get( 'id', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.response.send_redirect( web.url_for( controller='repository',
action='browse_repositories_in_category',
@@ -721,9 +722,9 @@
@web.expose
def browse_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Deleted selected files' )
+ commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
# Update repository files for browsing.
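Review bot: L1312 HTML-escapes `commit_message` as soon as it is read, but the name and default suggest it is a Mercurial commit message used by the delete-selected-files operation later in this function (outside the hunk); if so, `&lt;`/`&#39;` entities would be written into the repository's changelog permanently, and the value also becomes a `Markup` unicode subclass rather than a plain str. Escape this value where it is rendered into HTML instead, and keep L1312 as `commit_message = kwd.get( 'commit_message', 'Deleted selected files' )`.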
@@ -891,7 +892,7 @@
@web.expose
def check_for_updates( self, trans, **kwd ):
"""Handle a request from a local Galaxy instance."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# If the request originated with the UpdateRepositoryManager, it will not include a galaxy_url.
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
@@ -976,7 +977,7 @@
@web.expose
def contact_owner( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
metadata = metadata_util.get_repository_metadata_by_repository_id_changeset_revision( trans.app,
@@ -995,7 +996,7 @@
@web.expose
def create_galaxy_docker_image( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_ids = util.listify( kwd.get( 'id', '' ) )
if 'operation' in kwd:
@@ -1051,7 +1052,7 @@
@web.expose
def create_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
categories = suc.get_categories( trans )
if not categories:
@@ -1108,7 +1109,7 @@
# Marking a repository in the tool shed as deprecated has no effect on any downloadable changeset
# revisions that may be associated with the repository. Revisions are not marked as not downlaodable
# because those that have installed the repository must be allowed to get updates.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -1164,7 +1165,7 @@
@web.expose
def display_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
tv = tool_validator.ToolValidator( trans.app )
@@ -1229,7 +1230,7 @@
@web.expose
def export( self, trans, repository_id, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
export_repository_dependencies = kwd.get( 'export_repository_dependencies', '' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -1309,7 +1310,7 @@
@web.expose
def find_tools( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
if 'operation' in kwd:
@@ -1400,7 +1401,7 @@
@web.expose
def find_workflows( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
if 'operation' in kwd:
@@ -2020,13 +2021,13 @@
@web.expose
def help( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.fill_template( '/webapps/tool_shed/repository/help.mako', message=message, status=status, **kwd )
@web.expose
def import_capsule( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
capsule_file_name = kwd.get( 'capsule_file_name', None )
encoded_file_path = kwd.get( 'encoded_file_path', None )
@@ -2069,7 +2070,7 @@
@web.expose
def index( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# See if there are any RepositoryMetadata records since menu items require them.
repository_metadata = trans.sa_session.query( trans.model.RepositoryMetadata ).first()
@@ -2151,7 +2152,7 @@
@web.expose
def load_invalid_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'error' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
tv = tool_validator.ToolValidator( trans.app )
@@ -2203,7 +2204,7 @@
@web.expose
@web.require_login( "manage email alerts" )
def manage_email_alerts( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
new_repo_alert = kwd.get( 'new_repo_alert', '' )
new_repo_alert_checked = CheckboxField.is_checked( new_repo_alert )
@@ -2234,7 +2235,7 @@
@web.expose
@web.require_login( "manage repository" )
def manage_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repository_type = kwd.get( 'repository_type', str( repository.type ) )
@@ -2500,7 +2501,7 @@
@web.expose
@web.require_login( "manage repository administrators" )
def manage_repository_admins( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
changeset_revision = kwd.get( 'changeset_revision', repository.tip( trans.app ) )
@@ -2558,7 +2559,7 @@
@web.expose
@web.require_login( "multi select email alerts" )
def multi_select_email_alerts( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
operation = kwd[ 'operation' ].lower()
@@ -2607,7 +2608,7 @@
@web.expose
def preview_tools_in_changeset( self, trans, repository_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -2714,7 +2715,7 @@
@web.require_login( "rate repositories" )
def rate_repository( self, trans, **kwd ):
""" Rate a repository and return updated rating data. """
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -2787,7 +2788,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = rmm.reset_metadata_on_selected_repositories( **kwd )
else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids',
multiple=True,
@@ -2800,9 +2801,9 @@
@web.expose
def select_files_to_delete( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Deleted selected files' )
+ commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo_dir = repository.repo_path( trans.app )
repo = hg_util.get_repo_for_repository( trans.app, repository=None, repo_path=repo_dir, create=False )
@@ -3145,7 +3146,7 @@
@web.expose
def upload_capsule( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
url = kwd.get( 'url', '' )
if 'upload_capsule_button' in kwd:
@@ -3175,7 +3176,7 @@
@web.expose
def view_changelog( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3210,7 +3211,7 @@
@web.expose
def view_changeset( self, trans, id, ctx_str, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3302,7 +3303,7 @@
@web.expose
def view_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3390,7 +3391,7 @@
@web.expose
def view_tool_metadata( self, trans, repository_id, changeset_revision, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -3471,7 +3472,7 @@
@web.expose
def view_workflow( self, trans, workflow_name, repository_metadata_id, **kwd ):
"""Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
if workflow_name:
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/tool_shed/controllers/repository_review.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
@@ -2,6 +2,7 @@
import os
from sqlalchemy.sql.expression import func
+from markupsafe import escape
from galaxy import util
from galaxy import web
@@ -40,7 +41,7 @@
@web.require_login( "approve repository review" )
def approve_repository_review( self, trans, **kwd ):
# The value of the received id is the encoded review id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
encoded_review_id = kwd[ 'id' ]
review = review_util.get_review( trans.app, encoded_review_id )
@@ -74,7 +75,7 @@
@web.expose
@web.require_login( "browse review" )
def browse_review( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
review = review_util.get_review( trans.app, kwd[ 'id' ] )
repository = review.repository
@@ -105,7 +106,7 @@
@web.expose
@web.require_login( "create component" )
def create_component( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
name = kwd.get( 'name', '' )
description = kwd.get( 'description', '' )
@@ -136,7 +137,7 @@
@web.require_login( "create review" )
def create_review( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
changeset_revision = kwd.get( 'changeset_revision', None )
@@ -201,7 +202,7 @@
@web.expose
@web.require_login( "edit component" )
def edit_component( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -232,7 +233,7 @@
@web.require_login( "edit review" )
def edit_review( self, trans, **kwd ):
# The value of the received id is the encoded review id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
review_id = kwd.get( 'id', None )
review = review_util.get_review( trans.app, review_id )
@@ -408,7 +409,7 @@
@web.require_login( "manage repositories reviewed by me" )
def manage_repositories_reviewed_by_me( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
kwd[ 'mine' ] = True
@@ -475,7 +476,7 @@
@web.require_login( "manage repository reviews" )
def manage_repository_reviews( self, trans, mine=False, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id:
@@ -524,7 +525,7 @@
@web.require_login( "manage repository reviews of revision" )
def manage_repository_reviews_of_revision( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
changeset_revision = kwd.get( 'changeset_revision', None )
@@ -547,7 +548,7 @@
@web.expose
@web.require_login( "repository reviews by user" )
def repository_reviews_by_user( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
@@ -573,7 +574,7 @@
@web.expose
@web.require_login( "reviewed repositories i own" )
def reviewed_repositories_i_own( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# The value of the received id is the encoded repository id.
if 'operation' in kwd:
@@ -592,7 +593,7 @@
@web.require_login( "select previous review" )
def select_previous_review( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, kwd[ 'id' ] )
changeset_revision = kwd.get( 'changeset_revision', None )
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/galaxy/webapps/tool_shed/controllers/upload.py
--- a/lib/galaxy/webapps/tool_shed/controllers/upload.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/upload.py
@@ -9,6 +9,7 @@
from galaxy import web
from galaxy.datatypes import checkers
from galaxy.web.base.controller import BaseUIController
+from markupsafe import escape
from tool_shed.dependencies import attribute_handlers
from tool_shed.galaxy_install import dependency_display
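Review bot: `from markupsafe import escape` is placed after the `galaxy` imports here but before them in repository_review.py in this commit; markupsafe is a third-party package while `galaxy` and `tool_shed` are project packages, so grouping the new line with the other third-party imports in both files would keep the import order consistent. The hunk starts at line 9, so the earlier imports of this file are not visible to confirm where that group ends.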
@@ -35,9 +36,9 @@
@web.expose
@web.require_login( 'upload', use_panels=True )
def upload( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Uploaded' )
+ commit_message = escape( kwd.get( 'commit_message', 'Uploaded' ) )
category_ids = util.listify( kwd.get( 'category_id', '' ) )
categories = suc.get_categories( trans.app )
repository_id = kwd.get( 'repository_id', '' )
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 lib/tool_shed/util/repository_util.py
--- a/lib/tool_shed/util/repository_util.py
+++ b/lib/tool_shed/util/repository_util.py
@@ -7,6 +7,7 @@
from galaxy import web
from galaxy.web.form_builder import build_select_field
from galaxy.webapps.tool_shed.model import directory_hash_id
+from markupsafe import escape
from tool_shed.dependencies.repository import relation_builder
@@ -256,7 +257,7 @@
def handle_role_associations( app, role, repository, **kwd ):
sa_session = app.model.context.current
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_owner = repository.user
if kwd.get( 'manage_role_associations_button', False ):
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/dataset_security/group/group.mako
--- a/templates/admin/dataset_security/group/group.mako
+++ b/templates/admin/dataset_security/group/group.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Group '${group.name}'</div>
+ <div class="toolFormTitle">Group '${group.name|h}'</div><div class="toolFormBody"><form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='manage_users_and_roles_for_group', id=trans.security.encode_id( group.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Roles associated with '${group.name}'</label>
+ <label>Roles associated with '${group.name|h}'</label>
${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div>
- <label>Roles not associated with '${group.name}'</label>
+ <label>Roles not associated with '${group.name|h}'</label>
${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${group.name}'</label>
+ <label>Users associated with '${group.name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${group.name}'</label>
+ <label>Users not associated with '${group.name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div>
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/dataset_security/group/group_create.mako
--- a/templates/admin/dataset_security/group/group_create.mako
+++ b/templates/admin/dataset_security/group/group_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -60,7 +60,7 @@
<form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='create_group' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;">
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/dataset_security/group/group_rename.mako
--- a/templates/admin/dataset_security/group/group_rename.mako
+++ b/templates/admin/dataset_security/group/group_rename.mako
@@ -12,7 +12,7 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${group.name}" size="40"/>
+ <input type="text" name="name" value="${group.name|h}" size="40"/></div><div style="clear: both"></div></div>
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/dataset_security/role/role.mako
--- a/templates/admin/dataset_security/role/role.mako
+++ b/templates/admin/dataset_security/role/role.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Role '${role.name}'</div>
+ <div class="toolFormTitle">Role '${role.name|h}'</div><div class="toolFormBody"><form name="associate_role_user_group" id="associate_role_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_role', id=trans.security.encode_id( role.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${role.name}'</label>
+ <label>Users associated with '${role.name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${role.name}'</label>
+ <label>Users not associated with '${role.name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${role.name}'</label>
+ <label>Groups associated with '${role.name|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${role.name}'</label>
+ <label>Groups not associated with '${role.name|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
@@ -84,7 +84,7 @@
<br clear="left"/><br/>
%if len( library_dataset_actions ) > 0:
- <h3>Data library datasets associated with role '${role.name}'</h3>
+ <h3>Data library datasets associated with role '${role.name|h}'</h3><table class="manage-table colored" border="0" cellspacing="0" cellpadding="0" width="100%"><tr><td>
@@ -92,16 +92,16 @@
%for ctr, library, in enumerate( library_dataset_actions.keys() ):
<li><img src="${h.url_for( '/static/images/silk/book_open.png' )}" class="rowIcon"/>
- ${library.name}
+ ${library.name|h}
<ul>
%for folder_path, permissions in library_dataset_actions[ library ].items():
<li><img src="/static/images/silk/folder_page.png" class="rowIcon"/>
- ${folder_path}
+ ${folder_path|h}
<ul>
% for permission in permissions:
<ul>
- <li>${permission}</li>
+ <li>${permission|h}</li></ul>
%endfor
</ul>
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/dataset_security/role/role_create.mako
--- a/templates/admin/dataset_security/role/role_create.mako
+++ b/templates/admin/dataset_security/role/role_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -60,11 +60,11 @@
<form name="associate_role_group_user" id="associate_role_group_user" action="${h.url_for(controller='admin', action='create_role' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label>
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;">
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/dataset_security/role/role_rename.mako
--- a/templates/admin/dataset_security/role/role_rename.mako
+++ b/templates/admin/dataset_security/role/role_rename.mako
@@ -12,14 +12,14 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${role.name}" size="40"/>
+ <input type="text" name="name" value="${role.name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input name="description" type="textfield" value="${role.description}" size=40"/>
+ <input name="description" type="textfield" value="${role.description|h}" size=40"/></div><div style="clear: both"></div></div>
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/external_service/create_external_service.mako
--- a/templates/admin/external_service/create_external_service.mako
+++ b/templates/admin/external_service/create_external_service.mako
@@ -12,10 +12,10 @@
%if widgets:
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field['label']}:</label>
+ <label>${field['label']|h}:</label>
${field['widget'].get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${field['helptext']}
+ ${field['helptext']|h}
</div><div style="clear: both"></div></div>
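Review bot: `${field['widget'].get_html()}` between the two changed lines is still emitted raw, which is necessary for a widget that returns markup, but it means the escaping of the field's current value is delegated entirely to the widget's `get_html()`; `field['label']` and `field['helptext']` are now filtered here while the value is not, so it is worth confirming the widget classes escape the attribute values they embed. The same structure appears in edit_external_service.mako in this commit. A short comment above that line, `## widget HTML is trusted as-is; get_html() is responsible for escaping its own values`, would make the boundary explicit.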
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/external_service/edit_external_service.mako
--- a/templates/admin/external_service/edit_external_service.mako
+++ b/templates/admin/external_service/edit_external_service.mako
@@ -25,10 +25,10 @@
<div class="toolFormTitle">Edit external service</div>
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field['label']}:</label>
+ <label>${field['label']|h}:</label>
${field['widget'].get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${field['helptext']}
+ ${field['helptext']|h}
</div><div style="clear: both"></div></div>
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/jobs.mako
--- a/templates/admin/jobs.mako
+++ b/templates/admin/jobs.mako
@@ -63,12 +63,12 @@
</td><td>${job.id}</td>
%if job.history and job.history.user:
- <td>${job.history.user.email}</td>
+ <td>${job.history.user.email|h}</td>
%else:
<td>anonymous</td>
%endif
<td>${last_updated[job.id]} ago</td>
- <td>${job.tool_id}</td>
+ <td>${job.tool_id|h}</td><td>${job.state}</td><%
try:
@@ -77,8 +77,8 @@
inputs = 'Unable to determine inputs'
%><td>${inputs}</td>
- <td>${job.command_line}</td>
- <td>${job.job_runner_name}</td>
+ <td>${job.command_line|h}</td>
+ <td>${job.job_runner_name|h}</td><td>${job.job_runner_external_id}</td></tr>
%endfor
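Review bot: `${job.job_runner_external_id}` in the `</tr>` run after the added `job_runner_name|h` line is still emitted unfiltered here, while the second hunk of this file (the recent_jobs table) adds `|h` to the same field; the two tables should agree, `<td>${job.job_runner_external_id|h}</td>`. `${inputs}` two lines above is also emitted raw in both tables; its value is built in the `<% try:` block that begins outside the hunk, and if it is derived from job parameters it is user-controlled and needs `${inputs|h}` as well. `${job.id}` and `${job.state}` come from the model and are presumably numeric and enum-like, so leaving them unfiltered is defensible but deserves a comment.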
@@ -131,12 +131,12 @@
%for job in recent_jobs:
<td><a href="${h.url_for( controller="admin", action="job_info" )}?jobid=${job.id}">${job.id}</a></td>
%if job.history and job.history.user:
- <td>${job.history.user.email}</td>
+ <td>${job.history.user.email|h}</td>
%else:
<td>anonymous</td>
%endif
<td>${finished[job.id]} ago</td>
- <td>${job.tool_id}</td>
+ <td>${job.tool_id|h}</td><td>${job.state}</td><%
try:
@@ -145,9 +145,9 @@
inputs = 'Unable to determine inputs'
%><td>${inputs}</td>
- <td>${job.command_line}</td>
- <td>${job.job_runner_name}</td>
- <td>${job.job_runner_external_id}</td>
+ <td>${job.command_line|h}</td>
+ <td>${job.job_runner_name|h}</td>
+ <td>${job.job_runner_external_id|h}</td></tr>
%endfor
</table>
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/memdump.mako
--- a/templates/admin/memdump.mako
+++ b/templates/admin/memdump.mako
@@ -55,7 +55,7 @@
<br/>
You are here: ${breadcrumb}<br/>
%if breadcrumb.endswith( 'theone' ):
- ${heap}
+ ${heap|h}
%else:
<nobr>
Sort:
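Review bot: `${breadcrumb}` on the "You are here" line is emitted unfiltered while `${heap}` directly below now gets `|h`; `breadcrumb` is a string (it is tested with `endswith`), and if it originates from the request it needs `${breadcrumb|h}` as well. The enclosing template block continues outside the hunk.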
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/package_tool.mako
--- a/templates/admin/package_tool.mako
+++ b/templates/admin/package_tool.mako
@@ -28,9 +28,9 @@
<select name="tool_id">
%for key, val in toolbox.tool_panel.items():
%if isinstance( val, Tool ):
- <option value="${val.id}">${val.name}</option>
+ <option value="${val.id|h}">${val.name|h}</option>
%elif isinstance( val, ToolSection ):
- <optgroup label="${val.name}">
+ <optgroup label="${val.name|h}"><% section = val %>
%for section_key, section_val in section.elems.items():
%if isinstance( section_val, Tool ):
@@ -38,7 +38,7 @@
%if section_val.id == tool_id:
<% selected_str = " selected=\"selected\"" %>
%endif
- <option value="${section_val.id}"${selected_str}>${section_val.name}</option>
+ <option value="${section_val.id|h}"${selected_str}>${section_val.name|h}</option>
%endif
%endfor
%endif
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/quota/quota.mako
--- a/templates/admin/quota/quota.mako
+++ b/templates/admin/quota/quota.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Quota '${name}'</div>
+ <div class="toolFormTitle">Quota '${name|h}'</div><div class="toolFormBody"><form name="associate_quota_user_group" id="associate_quota_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_quota', id=id )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${name}'</label>
+ <label>Users associated with '${name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${name}'</label>
+ <label>Users not associated with '${name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${name}'</label>
+ <label>Groups associated with '${name|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${name}'</label>
+ <label>Groups not associated with '${name|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/quota/quota_create.mako
--- a/templates/admin/quota/quota_create.mako
+++ b/templates/admin/quota/quota_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -69,15 +69,15 @@
<form name="associate_quota_group_user" id="associate_quota_group_user" action="${h.url_for(controller='admin', action='create_quota' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label>
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><label>Amount</label>
- <input name="amount" type="textfield" value="${amount}" size=40"/>
+ <input name="amount" type="textfield" value="${amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;">
Examples: "10000MB", "99 gb", "0.2T", "unlimited"
</div>
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/quota/quota_edit.mako
--- a/templates/admin/quota/quota_edit.mako
+++ b/templates/admin/quota/quota_edit.mako
@@ -29,7 +29,7 @@
<input name="id" type="hidden" value="${id}"/><div class="form-row"><label>Amount</label>
- <input name="amount" type="textfield" value="${display_amount}" size=40"/>
+ <input name="amount" type="textfield" value="${display_amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;">
Examples: "10000MB", "99 gb", "0.2T", "unlimited"
</div>
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/quota/quota_rename.mako
--- a/templates/admin/quota/quota_rename.mako
+++ b/templates/admin/quota/quota_rename.mako
@@ -21,14 +21,14 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${name}" size="40"/>
+ <input type="text" name="name" value="${name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div style="clear: both"></div></div>
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/reload_tool.mako
--- a/templates/admin/reload_tool.mako
+++ b/templates/admin/reload_tool.mako
@@ -28,9 +28,9 @@
<select name="tool_id">
%for key, val in toolbox.tool_panel.items():
%if isinstance( val, Tool ):
- <option value="${val.id}">${val.name}</option>
+ <option value="${val.id}">${val.name|h}</option>
%elif isinstance( val, ToolSection ):
- <optgroup label="${val.name}">
+ <optgroup label="${val.name|h}"><% section = val %>
%for section_key, section_val in section.elems.items():
%if isinstance( section_val, Tool ):
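Review bot: `value="${val.id}"` on the rewritten option line is still emitted unescaped while the option text on the same line now gets `|h`; the second hunk of this file gives `section_val.id` the same split treatment. Tool ids are not obviously user-controlled, but if they can originate from installed tool shed repositories or tool config files, escaping the attribute value consistently is cheap insurance: `<option value="${val.id|h}">${val.name|h}</option>` and likewise for the `section_val` option. The `%for` over `toolbox.tool_panel` continues outside the hunk.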
@@ -38,7 +38,7 @@
%if section_val.id == tool_id:
<% selected_str = " selected=\"selected\"" %>
%endif
- <option value="${section_val.id}"${selected_str}>${section_val.name}</option>
+ <option value="${section_val.id}"${selected_str}>${section_val.name|h}</option>
%endif
%endfor
%endif
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/review_tool_migration_stages.mako
--- a/templates/admin/review_tool_migration_stages.mako
+++ b/templates/admin/review_tool_migration_stages.mako
@@ -4,7 +4,9 @@
%if message:
${render_msg( message, status )}
%endif
-
+<%
+from markupsafe import escape
+%><div class="toolForm"><div class="toolFormTitle">Tool migrations that can be performed on this Galaxy instance</div><div class="toolFormBody">
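Review bot: The added `from markupsafe import escape` sits in a plain `<% %>` block, so the import statement executes on every render of the template. Mako's module-level block is the conventional place for imports, `<%! from markupsafe import escape %>`, which runs once when the template is compiled and keeps setup code out of the rendering body.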
@@ -51,7 +53,7 @@
repository_names.sort()
repository_names = ', '.join( repository_names )
%>
- <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names}</b></td></tr>
+ <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names|h}</b></td></tr><tr><td bgcolor="#FFFFCC"><div class="form-row">
@@ -59,11 +61,11 @@
<p>
%if tool_dependencies:
This migration stage includes tools that have tool dependencies that can be automatically installed. To install them, run:<br/>
- <b>${install_dependencies}</b><br/><br/>
+ <b>${install_dependencies|h}</b><br/><br/>
To skip tool dependency installation run:<br/>
- <b>${migration_command}</b>
+ <b>${migration_command|h}</b>
%else:
- <b>${migration_command}</b>
+ <b>${migration_command|h}</b>
%endif
</p></div>
@@ -74,7 +76,7 @@
<tr><td bgcolor="#DADFEF"><div class="form-row">
- <b>Repository:</b> ${repository_name}
+ <b>Repository:</b> ${repository_name|h}
</div></td></tr>
@@ -88,10 +90,10 @@
</tr>
%for tool_dependencies_tup in tool_dependencies:
<%
- tool_dependency_name = tool_dependencies_tup[0]
- tool_dependency_version = tool_dependencies_tup[1]
- tool_dependency_type = tool_dependencies_tup[2]
- installation_requirements = tool_dependencies_tup[3].replace( '\n', '<br/>' )
+ tool_dependency_name = escape( tool_dependencies_tup[0] )
+ tool_dependency_version = escape( tool_dependencies_tup[1] )
+ tool_dependency_type = escape( tool_dependencies_tup[2] )
+ installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )
%><tr><td>
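Review bot: `escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )` no longer produces line breaks: `escape()` returns a `Markup` object, and `Markup.replace` escapes its string arguments, so the `<br/>` replacement comes out as literal `&lt;br/&gt;` text. To keep the newline-to-break behaviour the old line had, the replacement must itself be markup: `installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', Markup( '<br/>' ) )`, with the import in this template widened to `from markupsafe import escape, Markup`. The surrounding `%for tool_dependencies_tup` loop continues outside the hunk.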
diff -r bce30adc75e94c99fc8fd53f3dee75a26b6c8e86 -r daa0c69e837855af94d2255999e732f1fec87550 templates/admin/tool_shed_repository/browse_repository.mako
--- a/templates/admin/tool_shed_repository/browse_repository.mako
+++ b/templates/admin/tool_shed_repository/browse_repository.mako
@@ -21,7 +21,7 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Browse ${repository.name} revision ${repository.changeset_revision} files</div>
+ <div class="toolFormTitle">Browse ${repository.name|h} revision ${repository.changeset_revision} files</div><div class="toolFormBody"><div class="form-row" ><label>Contents:</label>
This diff is so big that we needed to truncate the remainder.
https://bitbucket.org/galaxy/galaxy-central/commits/72143d1079be/
Changeset: 72143d1079be
User: davebgx
Date: 2014-12-11 19:20:21+00:00
Summary: Merge next-stable changes to default.
Affected #: 67 files
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a .hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -20,4 +20,4 @@
ca45b78adb4152fc6e7395514d46eba6b7d0b838 release_2014.08.11
548ab24667d6206780237bd807f7d857a484c461 latest_2014.08.11
2092948937ac30ef82f71463a235c66d34987088 release_2014.10.06
-782cf1a1f6b56f8a9c0b3e5e9ffd29fd93b16ce3 latest_2014.10.06
+212e1d5e9be5a9a1e12c834bd545de504753c9fe latest_2014.10.06
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/web/base/controllers/admin.py
--- a/lib/galaxy/web/base/controllers/admin.py
+++ b/lib/galaxy/web/base/controllers/admin.py
@@ -7,6 +7,7 @@
from galaxy.web.form_builder import CheckboxField
from string import punctuation as PUNCTUATION
import galaxy.queue_worker
+from markupsafe import escape
from tool_shed.util import shed_util_common as suc
@@ -28,7 +29,7 @@
@web.expose
@web.require_admin
def index( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if trans.webapp.name == 'galaxy':
installed_repositories = trans.install_model.context.query( trans.install_model.ToolShedRepository ).first()
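Review bot: `status = kwd.get( 'status', 'done' )` on the line after the new `escape()` call is the other request-supplied value handed to the template, and it goes through unescaped; the same pair appears in the `center` hunk below and in every `message = escape( kwd.get( 'message', '' ) )` hunk of demo_sequencer/common.py, galaxy/controllers/admin.py, admin_toolshed.py and library_common.py. Whether it matters depends on how each template renders `status`, but the library_admin.py and library_common.py hunks in this same commit already pass `status=escape( status )` at the template call, so the commit is inconsistent with itself. Escaping it where `message` is escaped, `status = escape( kwd.get( 'status', 'done' ) )`, would make the treatment uniform. `index` continues outside the hunk.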
@@ -46,7 +47,7 @@
@web.expose
@web.require_admin
def center( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if trans.webapp.name == 'galaxy':
return trans.fill_template( '/webapps/galaxy/admin/center.mako',
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/demo_sequencer/controllers/common.py
--- a/lib/galaxy/webapps/demo_sequencer/controllers/common.py
+++ b/lib/galaxy/webapps/demo_sequencer/controllers/common.py
@@ -4,6 +4,7 @@
import time, socket, urllib, urllib2, base64, copy
from galaxy.util.json import *
from urllib import quote_plus, unquote_plus
+from markupsafe import escape
import logging
log = logging.getLogger( __name__ )
@@ -16,7 +17,7 @@
titles = util.listify( titles )
JobId = util.restore_text( kwd.get( 'JobId', '' ) )
sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
redirect_delay = trans.app.sequencer_actions_registry.redirect_delay
sequencer_redirects = copy.deepcopy( trans.app.sequencer_actions_registry.sequencer_redirects )
@@ -144,7 +145,7 @@
titles = util.restore_text( kwd.get( 'titles', '' ) )
JobId = util.restore_text( kwd.get( 'JobId', '' ) )
sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
url, http_method, request_params, response_type = request_tup
url = unquote_plus( url )
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/galaxy/controllers/admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin.py
@@ -17,6 +17,7 @@
from galaxy.web.params import QuotaParamParser
from tool_shed.util import common_util
from tool_shed.util import encoding_util
+from markupsafe import escape
log = logging.getLogger( __name__ )
@@ -838,7 +839,7 @@
@web.expose
@web.require_admin
def review_tool_migration_stages( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
migration_stages_dict = odict()
migration_modules = []
@@ -870,13 +871,13 @@
@web.expose
@web.require_admin
def view_datatypes_registry( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
return trans.fill_template( 'admin/view_datatypes_registry.mako', message=message, status=status )
@web.expose
@web.require_admin
def view_tool_data_tables( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
return trans.fill_template( 'admin/view_data_tables_registry.mako', message=message, status=status )
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
@@ -8,6 +8,7 @@
from galaxy.web.form_builder import CheckboxField
from galaxy.util import json
from galaxy.model.orm import or_
+from markupsafe import escape
import tool_shed.repository_types.util as rt_util
@@ -52,7 +53,7 @@
try:
trans.app.installed_repository_manager.activate_repository( repository )
except Exception, e:
- error_message = "Error activating repository %s: %s" % ( repository.name, str( e ) )
+ error_message = "Error activating repository %s: %s" % ( escape( repository.name ), str( e ) )
log.exception( error_message )
message = '%s.<br/>You may be able to resolve this by uninstalling and then reinstalling the repository. Click <a href="%s">here</a> to uninstall the repository.' \
% ( error_message, web.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) ) )
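Review bot: `str( e )` is interpolated into `error_message` unescaped on the rewritten line while `repository.name` beside it is now escaped; exception text frequently echoes the input that triggered it (names, paths, fragments of parsed files), so it deserves the same `escape( str( e ) )`. The same pattern is left in the `'administrator if necessary.<br/>%s' % str( e )` line of the update hunk further down this file and in the `'Error attempting to display contents of library (%s): %s.'` line of library_common.py's browse_library hunk. The enclosing method starts and ends outside the hunk.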
@@ -62,7 +63,7 @@
id=repository_id,
message=message,
status=status ) )
- message = 'The <b>%s</b> repository has been activated.' % repository.name
+ message = 'The <b>%s</b> repository has been activated.' % escape( repository.name )
status = 'done'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
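Review bot: `'The <b>%s</b> repository has been activated.' % escape( repository.name )` is handed to `send_redirect` with its `<b>` markup intact, and the receiving actions touched by this commit (`browse_repository`, `manage_repositories`, `manage_repository` among others) now run `escape( kwd.get( 'message', '' ) )` on entry; `browse_repositories` itself is not in the diff, but if it follows the same pattern the tags arrive as literal text and the repository name is encoded twice. The same source-plus-sink escaping recurs in the deactivate/uninstall, reset-metadata and tool-shed-status hunks below and in library_admin.py's create_library redirect. A message that crosses a redirect is a plain query-string value, so it cannot both be escaped at the sink and keep its markup; the consistent choice is to escape at exactly one layer — keep the entry-side `escape()` and make redirected messages plain text without the per-name `escape()` calls, or drop the entry-side escape for those actions and escape at the source. The enclosing method starts and ends outside the hunk.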
@@ -72,7 +73,7 @@
@web.expose
@web.require_admin
def browse_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = repository_util.get_installed_tool_shed_repository( trans.app, kwd[ 'id' ] )
return trans.fill_template( '/admin/tool_shed_repository/browse_repository.mako',
@@ -141,7 +142,7 @@
action='reselect_tool_panel_section',
**kwd ) )
else:
- message = "Unable to get latest revision for repository <b>%s</b> from " % str( repository.name )
+ message = "Unable to get latest revision for repository <b>%s</b> from " % escape( str( repository.name ) )
message += "the Tool Shed, so repository re-installation is not possible at this time."
status = "error"
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
@@ -169,7 +170,7 @@
@web.expose
@web.require_admin
def browse_tool_dependency( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
tool_dependency = tool_dependency_util.get_tool_dependency( trans.app, tool_dependency_ids[ 0 ] )
@@ -197,7 +198,7 @@
@web.expose
@web.require_admin
def browse_tool_sheds( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.fill_template( '/webapps/galaxy/admin/tool_sheds.mako',
message=message,
@@ -230,7 +231,7 @@
require the same entry. For now we'll never delete entries from config.shed_tool_data_table_config,
but we may choose to do so in the future if it becomes necessary.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
remove_from_disk = kwd.get( 'remove_from_disk', '' )
remove_from_disk_checked = CheckboxField.is_checked( remove_from_disk )
@@ -303,14 +304,14 @@
trans.install_model.context.add( tool_shed_repository )
trans.install_model.context.flush()
if remove_from_disk_checked:
- message = 'The repository named <b>%s</b> has been uninstalled. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been uninstalled. ' % escape( tool_shed_repository.name )
if errors:
message += 'Attempting to uninstall tool dependencies resulted in errors: %s' % errors
status = 'error'
else:
status = 'done'
else:
- message = 'The repository named <b>%s</b> has been deactivated. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been deactivated. ' % escape( tool_shed_repository.name )
status = 'done'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -442,7 +443,7 @@
@web.require_admin
def import_workflow( self, trans, workflow_name, repository_id, **kwd ):
"""Import a workflow contained in an installed tool shed repository into Galaxy."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if workflow_name:
workflow_name = encoding_util.tool_shed_decode( workflow_name )
@@ -453,7 +454,7 @@
workflow_name = encoding_util.tool_shed_encode( str( workflow.name ) )
else:
message += 'Unable to locate a workflow named <b>%s</b> within the installed tool shed repository named <b>%s</b>' % \
- ( str( workflow_name ), str( repository.name ) )
+ ( escape( str( workflow_name ) ), escape( str( repository.name ) ) )
status = 'error'
else:
message = 'Invalid repository id <b>%s</b> received.' % str( repository_id )
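Review bot: `'Invalid repository id <b>%s</b> received.' % str( repository_id )` on the last line of this hunk interpolates a request-supplied value unescaped — `repository_id` is a parameter of `import_workflow` per the hunk above — while the line the commit rewrote now escapes `workflow_name` and `repository.name`. This is the error path for an id that failed to resolve, i.e. the arbitrary-input case, so it needs the same treatment: `message = 'Invalid repository id <b>%s</b> received.' % escape( str( repository_id ) )`. `import_workflow` continues outside the hunk.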
@@ -479,7 +480,7 @@
tool shed repository.
"""
# Get the tool_shed_repository from one of the tool_dependencies.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
err_msg = ''
tool_shed_repository = tool_dependencies[ 0 ].tool_shed_repository
@@ -512,7 +513,7 @@
@web.require_admin
def install_latest_repository_revision( self, trans, **kwd ):
"""Install the latest installable revision of a repository that has been previously installed."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id is not None:
@@ -589,7 +590,7 @@
updating_to_changeset_revision = kwd.get( 'updating_to_changeset_revision', None )
updating_to_ctx_rev = kwd.get( 'updating_to_ctx_rev', None )
encoded_updated_metadata = kwd.get( 'encoded_updated_metadata', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
install_tool_dependencies = CheckboxField.is_checked( kwd.get( 'install_tool_dependencies', '' ) )
if 'install_tool_dependencies_with_update_button' in kwd:
@@ -609,7 +610,7 @@
relative_install_dir,
set_status=False )
message = "The installed repository named '%s' has been updated to change set revision '%s'. " % \
- ( str( repository.name ), updating_to_changeset_revision )
+ ( escape( str( repository.name ) ), updating_to_changeset_revision )
self.initiate_tool_dependency_installation( trans, tool_dependencies, message=message, status=status )
# Handle tool dependencies check box.
if trans.app.config.tool_dependency_dir is None:
@@ -665,7 +666,7 @@
@web.expose
@web.require_admin
def manage_repositories( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tsridslist = common_util.get_tool_shed_repository_ids( **kwd )
if 'operation' in kwd:
@@ -744,7 +745,7 @@
@web.expose
@web.require_admin
def manage_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id is None:
@@ -808,7 +809,7 @@
@web.expose
@web.require_admin
def manage_repository_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
if tool_dependency_ids:
@@ -890,7 +891,7 @@
def manage_tool_dependencies( self, trans, **kwd ):
# This method is called when tool dependencies are being installed. See the related manage_repository_tool_dependencies
# method for managing the tool dependencies for a specified installed tool shed repository.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
repository_id = kwd.get( 'repository_id', None )
@@ -902,7 +903,7 @@
# The user must be on the manage_repository_tool_dependencies page and clicked the button to either install or uninstall a
# tool dependency, but they didn't check any of the available tool dependencies on which to perform the action.
tool_shed_repository = suc.get_tool_shed_repository_by_id( trans.app, repository_id )
- self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % tool_shed_repository.name
+ self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % escape( tool_shed_repository.name )
if 'operation' in kwd:
operation = kwd[ 'operation' ].lower()
if not tool_dependency_ids:
@@ -978,7 +979,7 @@
message += 'of Galaxy Tool Shed repository tools into a local Galaxy instance</a> section of the Galaxy Tool '
message += 'Shed wiki for all of the details.'
return trans.show_error_message( message )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
shed_tool_conf = kwd.get( 'shed_tool_conf', None )
tool_shed_url = kwd.get( 'tool_shed_url', '' )
@@ -1030,7 +1031,7 @@
# The Tool Shed cannot handle the get_repository_id request, so the code must be older than the
# 04/2014 Galaxy release when it was introduced. It will be safest to error out and let the
# Tool Shed admin update the Tool Shed to a later release.
- message = 'The updates available for the repository <b>%s</b> ' % str( repository.name )
+ message = 'The updates available for the repository <b>%s</b> ' % escape( str( repository.name ) )
message += 'include newly defined repository or tool dependency definitions, and attempting '
message += 'to update the repository resulted in the following error. Contact the Tool Shed '
message += 'administrator if necessary.<br/>%s' % str( e )
@@ -1314,7 +1315,7 @@
and tool dependencies of the repository.
"""
rdim = repository_dependency_manager.RepositoryDependencyInstallManager( trans.app )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd[ 'id' ]
tool_shed_repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
@@ -1450,7 +1451,7 @@
Inspect the repository dependency hierarchy for a specified repository and attempt to make sure they are all properly installed as well as
each repository's tool dependencies.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if not repository_id:
@@ -1648,12 +1649,12 @@
no_changes_check_box = CheckboxField( 'no_changes', checked=True )
if original_section_name:
message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel section <b>%s</b>. " \
- % ( tool_shed_repository.name, original_section_name )
+ % ( escape( tool_shed_repository.name ), original_section_name )
message += "Uncheck the <b>No changes</b> check box and select a different tool panel section to load the tools in a "
message += "different section in the tool panel. "
status = 'warning'
else:
- message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % tool_shed_repository.name
+ message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % escape( tool_shed_repository.name )
message += "Uncheck the <b>No changes</b> check box and select a tool panel section to load the tools into that section. "
status = 'warning'
else:
@@ -1715,7 +1716,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = irmm.reset_metadata_on_selected_repositories( trans.user, **kwd )
else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = irmm.build_repository_ids_select_field()
return trans.fill_template( '/admin/tool_shed_repository/reset_metadata_on_selected_repositories.mako',
@@ -1749,13 +1750,13 @@
irmm.update_in_shed_tool_config()
trans.install_model.context.add( repository )
trans.install_model.context.flush()
- message = 'Metadata has been reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata has been reset on repository <b>%s</b>.' % escape( repository.name )
status = 'done'
else:
- message = 'Metadata did not need to be reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata did not need to be reset on repository <b>%s</b>.' % escape( repository.name )
status = 'done'
else:
- message = 'Error locating installation directory for repository <b>%s</b>.' % repository.name
+ message = 'Error locating installation directory for repository <b>%s</b>.' % escape( repository.name )
status = 'error'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='manage_repository',
@@ -1777,7 +1778,7 @@
uninstalled=False,
remove_from_disk=True )
new_kwd = {}
- new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % str( repository.name )
+ new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % escape( str( repository.name ) )
new_kwd[ 'status' ] = "done"
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -1808,7 +1809,7 @@
message = "Tool versions have been set for all included tools."
status = 'done'
else:
- message = "Version information for the tools included in the <b>%s</b> repository is missing. " % repository.name
+ message = "Version information for the tools included in the <b>%s</b> repository is missing. " % escape( repository.name )
message += "Reset all of this reppository's metadata in the tool shed, then set the installed tool versions "
message ++ "from the installed repository's <b>Repository Actions</b> menu. "
status = 'error'
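Review bot: `message ++ "from the installed repository's ..."` on the line after the rewritten one is not concatenation: it parses as `message + (+"...")`, and unary plus on a string raises `TypeError`, so this `else` branch fails as soon as it is reached. It should be `message += "from the installed repository's <b>Repository Actions</b> menu. "`; the preceding line's `reppository` typo is in the same user-visible message and could be fixed alongside. The enclosing method starts and ends outside the hunk.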
@@ -1852,7 +1853,7 @@
@web.expose
@web.require_admin
def uninstall_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
if not tool_dependency_ids:
@@ -1897,7 +1898,7 @@
@web.require_admin
def update_to_changeset_revision( self, trans, **kwd ):
"""Update a cloned repository to the latest revision possible."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_shed_url = kwd.get( 'tool_shed_url', '' )
# Handle protocol changes over time.
@@ -2070,7 +2071,7 @@
@web.expose
@web.require_admin
def update_tool_shed_status_for_installed_repository( self, trans, all_installed_repositories=False, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if all_installed_repositories:
success_count = 0
@@ -2083,7 +2084,7 @@
if ok:
success_count += 1
else:
- repository_names_not_updated.append( '<b>%s</b>' % str( repository.name ) )
+ repository_names_not_updated.append( '<b>%s</b>' % escape( str( repository.name ) ) )
if updated:
updated_count += 1
message = "Checked the status in the tool shed for %d repositories. " % success_count
@@ -2098,11 +2099,11 @@
repository_util.check_or_update_tool_shed_status_for_installed_repository( trans.app, repository )
if ok:
if updated:
- message = "The tool shed status for repository <b>%s</b> has been updated." % str( repository.name )
+ message = "The tool shed status for repository <b>%s</b> has been updated." % escape( str( repository.name ) )
else:
- message = "The status has not changed in the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "The status has not changed in the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
else:
- message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
status = 'error'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -2112,7 +2113,7 @@
@web.expose
@web.require_admin
def view_tool_metadata( self, trans, repository_id, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
repository_metadata = repository.metadata
@@ -2146,7 +2147,7 @@
@web.require_admin
def view_workflow( self, trans, workflow_name=None, repository_id=None, **kwd ):
"""Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if workflow_name:
workflow_name = encoding_util.tool_shed_decode( workflow_name )
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -5,8 +5,9 @@
from galaxy import web
from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import escape, grids, time_ago
+from galaxy.web.framework.helpers import grids, time_ago
from library_common import get_comptypes, lucene_search, whoosh_search
+from markupsafe import escape
# from galaxy.model.orm import *
log = logging.getLogger( __name__ )
@@ -148,7 +149,7 @@
@web.expose
@web.require_admin
def create_library( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if kwd.get( 'create_library_button', False ):
name = kwd.get( 'name', 'No name' )
@@ -161,12 +162,12 @@
library.root_folder = root_folder
trans.sa_session.add_all( ( library, root_folder ) )
trans.sa_session.flush()
- message = "The new library named '%s' has been created" % library.name
+ message = "The new library named '%s' has been created"
return trans.response.send_redirect( web.url_for( controller='library_common',
action='browse_library',
cntrller='library_admin',
id=trans.security.encode_id( library.id ),
- message=message,
+ message=escape( message ),
status='done' ) )
return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) )
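Review bot: The rewritten line `message = "The new library named '%s' has been created"` drops the `% library.name` interpolation entirely, so the redirect now carries a message containing a literal `%s` instead of the library name. The redirect target is `library_common.browse_library`, which in this same commit gains `message = escape( kwd.get( 'message', '' ) )` on entry, so the added `message=escape( message )` on the redirect encodes the message twice — the apostrophes around the name become `&#39;` and then `&amp;#39;`, rendering as literal `&#39;`. Given the entry-side escape, these two lines should go back to `message = "The new library named '%s' has been created" % library.name` and `message=message`; the `fill_template` call on the last line is a different (non-redirect) path and is unaffected. `create_library` continues outside the hunk.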
@web.expose
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/galaxy/controllers/library_common.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_common.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py
@@ -20,7 +20,7 @@
from galaxy.util.streamball import StreamBall
from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems
from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field
-from galaxy.web.framework.helpers import escape
+from markupsafe import escape
from galaxy.model.orm import and_, eagerload_all
# Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled.
@@ -93,7 +93,7 @@
@web.expose
def browse_library( self, trans, cntrller='library', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# If use_panels is True, the library is being accessed via an external link
# which did not originate from within the Galaxy instance, and the library will
@@ -121,7 +121,7 @@
hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) )
if created_ldda_ids and not message:
message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \
- ( len( created_ldda_ids.split( ',' ) ), library.name )
+ ( len( created_ldda_ids.split( ',' ) ), escape( library.name ) )
message += "Don't navigate away from Galaxy or use the browser's \"stop\" or \"reload\" buttons (on this tab) until the "
message += "message \"This job is running\" is cleared from the \"Information\" column below for each selected dataset."
status = "info"
@@ -152,7 +152,7 @@
message=escape( message ),
status=escape( status ) )
except Exception, e:
- message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) )
+ message = 'Error attempting to display contents of library (%s): %s.' % ( escape( str( library.name ) ), str( e ) )
status = 'error'
default_action = kwd.get( 'default_action', None )
@@ -165,7 +165,7 @@
@web.expose
def library_info( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -225,7 +225,7 @@
@web.expose
def library_permissions( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -272,7 +272,7 @@
@web.expose
def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -349,7 +349,7 @@
@web.expose
def folder_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -406,7 +406,7 @@
@web.expose
def folder_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -456,7 +456,7 @@
@web.expose
def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -511,7 +511,7 @@
old_name = ldda.name
new_name = kwd.get( 'name', '' )
new_info = kwd.get( 'info', '' )
- new_message = kwd.get( 'message', '' )
+ new_message = escape( kwd.get( 'message', '' ) )
if not new_name:
message = 'Enter a valid name'
status = 'error'
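Review bot: `new_message` on the `+` line sits alongside `new_name` and `new_info`, which suggests it is the dataset's own message field about to be stored on the ldda rather than a UI status message; escaping it at input persists HTML entities in the database, and a template that escapes on output will then display `&amp;lt;` for a typed `<`. If that reading is right, keep `new_message = kwd.get( 'message', '' )` here and escape where the field is rendered; the same applies to `ldda_message` in the `upload_library_dataset` and `add_history_datasets_to_library` hunks below. The enclosing method starts before this hunk.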
@@ -609,7 +609,7 @@
@web.expose
def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) )
@@ -658,7 +658,7 @@
@web.expose
def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -796,9 +796,9 @@
@web.expose
def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
deleted = util.string_as_bool( kwd.get( 'deleted', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1056,7 +1056,7 @@
dataset_upload_inputs.append( input )
# Library-specific params
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
server_dir = kwd.get( 'server_dir', '' )
if replace_dataset not in [ None, 'None' ]:
@@ -1271,9 +1271,9 @@
@web.expose
def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
show_deleted = kwd.get( 'show_deleted', False )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
replace_id = kwd.get( 'replace_id', None )
@@ -1567,7 +1567,7 @@
@web.expose
def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1616,7 +1616,7 @@
@web.expose
def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1664,7 +1664,7 @@
@web.expose
def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1726,7 +1726,7 @@
rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath )
return rval
# Perform an action on a list of library datasets.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2002,7 +2002,7 @@
# - a select list option for acting on multiple selected datasets within a library
# ( ldda_ids is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2126,7 +2126,7 @@
def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ):
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' )
current_user_roles = trans.get_current_user_roles()
@@ -2177,7 +2177,7 @@
# 'ldda' and item_id is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a
# comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2760,7 +2760,7 @@
def lucene_search( trans, cntrller, search_term, search_url, **kwd ):
"""Return display of results from a full-text lucene search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) )
response = urllib2.urlopen( full_url )
@@ -2771,7 +2771,7 @@
def whoosh_search( trans, cntrller, search_term, **kwd ):
"""Return display of results from a full-text whoosh search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
ok = True
if whoosh_search_enabled:
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -29,6 +29,8 @@
UsesFormDefinitionsMixin)
from galaxy.web.form_builder import build_select_field, CheckboxField
from galaxy.web.framework.helpers import escape, grids, time_ago
+from galaxy.web.framework.helpers import time_ago, grids
+from markupsafe import escape
log = logging.getLogger( __name__ )
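Review bot: The original `from galaxy.web.framework.helpers import escape, grids, time_ago` is left in place, so `markupsafe.escape` is the one bound only because its import comes later, and the added `from galaxy.web.framework.helpers import time_ago, grids` re-imports two names already bound on the line above. In workflow.py this commit removes `escape` from the helpers import instead; doing the same here makes the intent explicit: replace the three lines with `from galaxy.web.framework.helpers import grids, time_ago` followed by `from markupsafe import escape`. If the helper's `escape` and markupsafe's differ in return type, relying on import order to choose between them is fragile.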
@@ -252,7 +254,7 @@
if not trans.app.config.enable_openid:
return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
email = kwd.get( 'email', '' )
username = kwd.get( 'username', '' )
@@ -498,7 +500,7 @@
def __validate_login( self, trans, **kwd ):
"""Validates numerous cases that might happen during the login time."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'error' )
email = kwd.get( 'email', '' )
password = kwd.get( 'password', '' )
@@ -713,7 +715,7 @@
email = util.restore_text( kwd.get( 'email', '' ) )
password = kwd.get( 'password', '' )
username = util.restore_text( kwd.get( 'username', '' ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
is_admin = cntrller == 'admin' and trans.user_is_admin()
user = self.create_user( trans=trans, email=email, username=username, password=password )
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -22,7 +22,7 @@
from galaxy.web import error, url_for
from galaxy.web.base.controller import BaseUIController, SharableMixin, UsesStoredWorkflowMixin
from galaxy.web.framework.formbuilder import form
-from galaxy.web.framework.helpers import grids, time_ago, to_unicode, escape
+from galaxy.web.framework.helpers import grids, time_ago, to_unicode
from galaxy.workflow.modules import WorkflowModuleInjector
from galaxy.workflow.modules import MissingToolException
from galaxy.workflow.modules import module_factory, is_tool_module_type
@@ -37,6 +37,7 @@
order_workflow_steps_with_levels,
)
from galaxy.workflow.render import WorkflowCanvas, MARGIN, LINE_SPACING
+from markupsafe import escape
class StoredWorkflowListGrid( grids.Grid ):
@@ -1000,7 +1001,7 @@
"""
url = kwd.get( 'url', '' )
workflow_text = kwd.get( 'workflow_text', '' )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
import_button = kwd.get( 'import_button', False )
# The special Galaxy integration landing page's URL on myExperiment
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/reports/controllers/users.py
--- a/lib/galaxy/webapps/reports/controllers/users.py
+++ b/lib/galaxy/webapps/reports/controllers/users.py
@@ -9,17 +9,19 @@
pkg_resources.require( "SQLAlchemy >= 0.4" )
import sqlalchemy as sa
import logging
+from markupsafe import escape
+
log = logging.getLogger( __name__ )
class Users( BaseUIController ):
@web.expose
def registered_users( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
num_users = trans.sa_session.query( galaxy.model.User ).count()
return trans.fill_template( '/webapps/reports/registered_users.mako', num_users=num_users, message=message )
@web.expose
def registered_users_per_month( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
q = sa.select( ( sa.func.date_trunc( 'month', sa.func.date( galaxy.model.User.table.c.create_time ) ).label( 'date' ),
sa.func.count( galaxy.model.User.table.c.id ).label( 'num_users' ) ),
from_obj = [ galaxy.model.User.table ],
@@ -36,7 +38,7 @@
message=message )
@web.expose
def specified_month( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
# If specified_date is not received, we'll default to the current month
specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
specified_month = specified_date[ :7 ]
@@ -66,7 +68,7 @@
message=message )
@web.expose
def specified_date( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
# If specified_date is not received, we'll default to the current month
specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
year, month, day = map( int, specified_date.split( "-" ) )
@@ -95,7 +97,7 @@
message=message )
@web.expose
def last_access_date( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
not_logged_in_for_days = kwd.get( 'not_logged_in_for_days', 90 )
if not not_logged_in_for_days:
not_logged_in_for_days = 0
@@ -120,7 +122,7 @@
@web.expose
def user_disk_usage( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
user_cutoff = int( kwd.get( 'user_cutoff', 60 ) )
# disk_usage isn't indexed
users = sorted( trans.sa_session.query( galaxy.model.User ).all(), key=operator.attrgetter( 'disk_usage' ), reverse=True )
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/tool_shed/controllers/admin.py
--- a/lib/galaxy/webapps/tool_shed/controllers/admin.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/admin.py
@@ -3,6 +3,7 @@
from galaxy import util
from galaxy.util import inflector
from galaxy import web
+from markupsafe import escape
from galaxy.web.base.controller import BaseUIController
from galaxy.web.base.controllers.admin import Admin
@@ -121,7 +122,7 @@
@web.expose
@web.require_admin
def create_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
name = kwd.get( 'name', '' ).strip()
description = kwd.get( 'description', '' ).strip()
@@ -154,7 +155,7 @@
@web.expose
@web.require_admin
def delete_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -197,7 +198,7 @@
@web.expose
@web.require_admin
def delete_repository_metadata( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -221,7 +222,7 @@
@web.expose
@web.require_admin
def edit_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -306,7 +307,7 @@
@web.expose
@web.require_admin
def regenerate_statistics( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'regenerate_statistics_button' in kwd:
trans.app.shed_counter.generate_statistics()
@@ -352,7 +353,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = rmm.reset_metadata_on_selected_repositories( **kwd )
else:
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids',
multiple=True,
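Review bot: Only the `else` branch's `message` is escaped; the `message` returned by `rmm.reset_metadata_on_selected_repositories( **kwd )` in the `if` branch just above still reaches the template as-is. Whether that message embeds repository names or other request-derived text is not visible here; if it does, it needs the same treatment, e.g. `message = escape( message )` after the call, or the template must escape it. The same asymmetry appears in the repository.py hunk at `@@ -2803,7 +2804,7 @@`. The enclosing method starts before this hunk.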
@@ -366,7 +367,7 @@
@web.expose
@web.require_admin
def undelete_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -417,7 +418,7 @@
# TODO: We should probably eliminate the Category.deleted column since it really makes no
# sense to mark a category as deleted (category names and descriptions can be changed instead).
# If we do this, and the following 2 methods can be eliminated.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -445,7 +446,7 @@
# This method should only be called for a Category that has previously been deleted.
# Purging a deleted Category deletes all of the following from the database:
# - RepoitoryCategoryAssociations where category_id == Category.id
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -473,7 +474,7 @@
@web.expose
@web.require_admin
def undelete_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/tool_shed/controllers/repository.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py
@@ -6,6 +6,7 @@
from time import strftime
from datetime import date
from datetime import datetime
+from markupsafe import escape
from galaxy import util
from galaxy import web
@@ -385,7 +386,7 @@
action='reviewed_repositories_i_own' ) )
elif operation == "repositories_by_category":
category_id = kwd.get( 'id', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.response.send_redirect( web.url_for( controller='repository',
action='browse_repositories_in_category',
@@ -721,9 +722,9 @@
@web.expose
def browse_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Deleted selected files' )
+ commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
# Update repository files for browsing.
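Review bot: `commit_message` is presumably handed to mercurial as the commit message for the deletion, so escaping it at input writes `&#39;`/`&lt;` entities into the repository changelog rather than protecting a web page; the place to escape is where changelog entries are rendered (for example `view_changelog`). Consider keeping `commit_message = kwd.get( 'commit_message', 'Deleted selected files' )` as it was and escaping only where it is echoed back in HTML. The same applies to the `select_files_to_delete` hunk in this file and the `upload` hunk in upload.py. The method body continues past the hunk.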
@@ -891,7 +892,7 @@
@web.expose
def check_for_updates( self, trans, **kwd ):
"""Handle a request from a local Galaxy instance."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# If the request originated with the UpdateRepositoryManager, it will not include a galaxy_url.
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
@@ -976,7 +977,7 @@
@web.expose
def contact_owner( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
metadata = metadata_util.get_repository_metadata_by_repository_id_changeset_revision( trans.app,
@@ -995,7 +996,7 @@
@web.expose
def create_galaxy_docker_image( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_ids = util.listify( kwd.get( 'id', '' ) )
if 'operation' in kwd:
@@ -1051,7 +1052,7 @@
@web.expose
def create_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
categories = suc.get_categories( trans )
if not categories:
@@ -1114,7 +1115,7 @@
# Marking a repository in the tool shed as deprecated has no effect on any downloadable changeset
# revisions that may be associated with the repository. Revisions are not marked as not downlaodable
# because those that have installed the repository must be allowed to get updates.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -1170,7 +1171,7 @@
@web.expose
def display_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
tv = tool_validator.ToolValidator( trans.app )
@@ -1235,7 +1236,7 @@
@web.expose
def export( self, trans, repository_id, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
export_repository_dependencies = kwd.get( 'export_repository_dependencies', '' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -1315,7 +1316,7 @@
@web.expose
def find_tools( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
if 'operation' in kwd:
@@ -1406,7 +1407,7 @@
@web.expose
def find_workflows( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
if 'operation' in kwd:
@@ -2026,13 +2027,13 @@
@web.expose
def help( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.fill_template( '/webapps/tool_shed/repository/help.mako', message=message, status=status, **kwd )
@web.expose
def import_capsule( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
capsule_file_name = kwd.get( 'capsule_file_name', None )
encoded_file_path = kwd.get( 'encoded_file_path', None )
@@ -2075,7 +2076,7 @@
@web.expose
def index( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# See if there are any RepositoryMetadata records since menu items require them.
repository_metadata = trans.sa_session.query( trans.model.RepositoryMetadata ).first()
@@ -2157,7 +2158,7 @@
@web.expose
def load_invalid_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'error' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
tv = tool_validator.ToolValidator( trans.app )
@@ -2209,7 +2210,7 @@
@web.expose
@web.require_login( "manage email alerts" )
def manage_email_alerts( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
new_repo_alert = kwd.get( 'new_repo_alert', '' )
new_repo_alert_checked = CheckboxField.is_checked( new_repo_alert )
@@ -2240,7 +2241,7 @@
@web.expose
@web.require_login( "manage repository" )
def manage_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repository_type = kwd.get( 'repository_type', str( repository.type ) )
@@ -2516,7 +2517,7 @@
@web.expose
@web.require_login( "manage repository administrators" )
def manage_repository_admins( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
changeset_revision = kwd.get( 'changeset_revision', repository.tip( trans.app ) )
@@ -2574,7 +2575,7 @@
@web.expose
@web.require_login( "multi select email alerts" )
def multi_select_email_alerts( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
operation = kwd[ 'operation' ].lower()
@@ -2623,7 +2624,7 @@
@web.expose
def preview_tools_in_changeset( self, trans, repository_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -2730,7 +2731,7 @@
@web.require_login( "rate repositories" )
def rate_repository( self, trans, **kwd ):
""" Rate a repository and return updated rating data. """
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -2803,7 +2804,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = rmm.reset_metadata_on_selected_repositories( **kwd )
else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids',
multiple=True,
@@ -2816,9 +2817,9 @@
@web.expose
def select_files_to_delete( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Deleted selected files' )
+ commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo_dir = repository.repo_path( trans.app )
repo = hg_util.get_repo_for_repository( trans.app, repository=None, repo_path=repo_dir, create=False )
@@ -3161,7 +3162,7 @@
@web.expose
def upload_capsule( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
url = kwd.get( 'url', '' )
if 'upload_capsule_button' in kwd:
@@ -3191,7 +3192,7 @@
@web.expose
def view_changelog( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3226,7 +3227,7 @@
@web.expose
def view_changeset( self, trans, id, ctx_str, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3318,7 +3319,7 @@
@web.expose
def view_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3406,7 +3407,7 @@
@web.expose
def view_tool_metadata( self, trans, repository_id, changeset_revision, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -3487,7 +3488,7 @@
@web.expose
def view_workflow( self, trans, workflow_name, repository_metadata_id, **kwd ):
"""Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
if workflow_name:
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/tool_shed/controllers/repository_review.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
@@ -2,6 +2,7 @@
import os
from sqlalchemy.sql.expression import func
+from markupsafe import escape
from galaxy import util
from galaxy import web
@@ -40,7 +41,7 @@
@web.require_login( "approve repository review" )
def approve_repository_review( self, trans, **kwd ):
# The value of the received id is the encoded review id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
encoded_review_id = kwd[ 'id' ]
review = review_util.get_review( trans.app, encoded_review_id )
@@ -74,7 +75,7 @@
@web.expose
@web.require_login( "browse review" )
def browse_review( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
review = review_util.get_review( trans.app, kwd[ 'id' ] )
repository = review.repository
@@ -105,7 +106,7 @@
@web.expose
@web.require_login( "create component" )
def create_component( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
name = kwd.get( 'name', '' )
description = kwd.get( 'description', '' )
@@ -136,7 +137,7 @@
@web.require_login( "create review" )
def create_review( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
changeset_revision = kwd.get( 'changeset_revision', None )
@@ -201,7 +202,7 @@
@web.expose
@web.require_login( "edit component" )
def edit_component( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -232,7 +233,7 @@
@web.require_login( "edit review" )
def edit_review( self, trans, **kwd ):
# The value of the received id is the encoded review id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
review_id = kwd.get( 'id', None )
review = review_util.get_review( trans.app, review_id )
@@ -408,7 +409,7 @@
@web.require_login( "manage repositories reviewed by me" )
def manage_repositories_reviewed_by_me( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
kwd[ 'mine' ] = True
@@ -475,7 +476,7 @@
@web.require_login( "manage repository reviews" )
def manage_repository_reviews( self, trans, mine=False, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id:
@@ -524,7 +525,7 @@
@web.require_login( "manage repository reviews of revision" )
def manage_repository_reviews_of_revision( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
changeset_revision = kwd.get( 'changeset_revision', None )
@@ -547,7 +548,7 @@
@web.expose
@web.require_login( "repository reviews by user" )
def repository_reviews_by_user( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
@@ -573,7 +574,7 @@
@web.expose
@web.require_login( "reviewed repositories i own" )
def reviewed_repositories_i_own( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# The value of the received id is the encoded repository id.
if 'operation' in kwd:
@@ -592,7 +593,7 @@
@web.require_login( "select previous review" )
def select_previous_review( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, kwd[ 'id' ] )
changeset_revision = kwd.get( 'changeset_revision', None )
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/galaxy/webapps/tool_shed/controllers/upload.py
--- a/lib/galaxy/webapps/tool_shed/controllers/upload.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/upload.py
@@ -9,6 +9,7 @@
from galaxy import web
from galaxy.datatypes import checkers
from galaxy.web.base.controller import BaseUIController
+from markupsafe import escape
from tool_shed.dependencies import attribute_handlers
from tool_shed.galaxy_install import dependency_display
@@ -35,9 +36,9 @@
@web.expose
@web.require_login( 'upload', use_panels=True )
def upload( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Uploaded' )
+ commit_message = escape( kwd.get( 'commit_message', 'Uploaded' ) )
category_ids = util.listify( kwd.get( 'category_id', '' ) )
categories = suc.get_categories( trans.app )
repository_id = kwd.get( 'repository_id', '' )
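Review bot: Escaping `commit_message` at the point it is read changes the value before anything else consumes it, and in an upload handler this variable presumably becomes the Mercurial commit text rather than only page output; if so, a message containing `&` or `<` is committed to repository history as `&amp;`/`&lt;`. Keep the raw value for the commit and escape only at the render site (`|h` in the template, or a separately escaped copy passed to fill_template). upload's body continues past the hunk, so I cannot see which use applies.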
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a lib/tool_shed/util/repository_util.py
--- a/lib/tool_shed/util/repository_util.py
+++ b/lib/tool_shed/util/repository_util.py
@@ -7,6 +7,7 @@
from galaxy import web
from galaxy.web.form_builder import build_select_field
from galaxy.webapps.tool_shed.model import directory_hash_id
+from markupsafe import escape
from tool_shed.dependencies.repository import relation_builder
@@ -259,7 +260,7 @@
def handle_role_associations( app, role, repository, **kwd ):
sa_session = app.model.context.current
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_owner = repository.user
if kwd.get( 'manage_role_associations_button', False ):
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/dataset_security/group/group.mako
--- a/templates/admin/dataset_security/group/group.mako
+++ b/templates/admin/dataset_security/group/group.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Group '${group.name}'</div>
+ <div class="toolFormTitle">Group '${group.name|h}'</div><div class="toolFormBody"><form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='manage_users_and_roles_for_group', id=trans.security.encode_id( group.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Roles associated with '${group.name}'</label>
+ <label>Roles associated with '${group.name|h}'</label>
${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div>
- <label>Roles not associated with '${group.name}'</label>
+ <label>Roles not associated with '${group.name|h}'</label>
${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${group.name}'</label>
+ <label>Users associated with '${group.name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${group.name}'</label>
+ <label>Users not associated with '${group.name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/dataset_security/group/group_create.mako
--- a/templates/admin/dataset_security/group/group_create.mako
+++ b/templates/admin/dataset_security/group/group_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -60,7 +60,7 @@
<form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='create_group' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;">
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/dataset_security/group/group_rename.mako
--- a/templates/admin/dataset_security/group/group_rename.mako
+++ b/templates/admin/dataset_security/group/group_rename.mako
@@ -12,7 +12,7 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${group.name}" size="40"/>
+ <input type="text" name="name" value="${group.name|h}" size="40"/></div><div style="clear: both"></div></div>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/dataset_security/role/role.mako
--- a/templates/admin/dataset_security/role/role.mako
+++ b/templates/admin/dataset_security/role/role.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Role '${role.name}'</div>
+ <div class="toolFormTitle">Role '${role.name|h}'</div><div class="toolFormBody"><form name="associate_role_user_group" id="associate_role_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_role', id=trans.security.encode_id( role.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${role.name}'</label>
+ <label>Users associated with '${role.name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${role.name}'</label>
+ <label>Users not associated with '${role.name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${role.name}'</label>
+ <label>Groups associated with '${role.name|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${role.name}'</label>
+ <label>Groups not associated with '${role.name|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
@@ -84,7 +84,7 @@
<br clear="left"/><br/>
%if len( library_dataset_actions ) > 0:
- <h3>Data library datasets associated with role '${role.name}'</h3>
+ <h3>Data library datasets associated with role '${role.name|h}'</h3><table class="manage-table colored" border="0" cellspacing="0" cellpadding="0" width="100%"><tr><td>
@@ -92,16 +92,16 @@
%for ctr, library, in enumerate( library_dataset_actions.keys() ):
<li><img src="${h.url_for( '/static/images/silk/book_open.png' )}" class="rowIcon"/>
- ${library.name}
+ ${library.name|h}
<ul>
%for folder_path, permissions in library_dataset_actions[ library ].items():
<li><img src="/static/images/silk/folder_page.png" class="rowIcon"/>
- ${folder_path}
+ ${folder_path|h}
<ul>
% for permission in permissions:
<ul>
- <li>${permission}</li>
+ <li>${permission|h}</li></ul>
%endfor
</ul>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/dataset_security/role/role_create.mako
--- a/templates/admin/dataset_security/role/role_create.mako
+++ b/templates/admin/dataset_security/role/role_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -60,11 +60,11 @@
<form name="associate_role_group_user" id="associate_role_group_user" action="${h.url_for(controller='admin', action='create_role' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label>
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;">
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/dataset_security/role/role_rename.mako
--- a/templates/admin/dataset_security/role/role_rename.mako
+++ b/templates/admin/dataset_security/role/role_rename.mako
@@ -12,14 +12,14 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${role.name}" size="40"/>
+ <input type="text" name="name" value="${role.name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input name="description" type="textfield" value="${role.description}" size=40"/>
+ <input name="description" type="textfield" value="${role.description|h}" size=40"/></div><div style="clear: both"></div></div>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/external_service/create_external_service.mako
--- a/templates/admin/external_service/create_external_service.mako
+++ b/templates/admin/external_service/create_external_service.mako
@@ -12,10 +12,10 @@
%if widgets:
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field['label']}:</label>
+ <label>${field['label']|h}:</label>
${field['widget'].get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${field['helptext']}
+ ${field['helptext']|h}
</div><div style="clear: both"></div></div>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/external_service/edit_external_service.mako
--- a/templates/admin/external_service/edit_external_service.mako
+++ b/templates/admin/external_service/edit_external_service.mako
@@ -25,10 +25,10 @@
<div class="toolFormTitle">Edit external service</div>
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field['label']}:</label>
+ <label>${field['label']|h}:</label>
${field['widget'].get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${field['helptext']}
+ ${field['helptext']|h}
</div><div style="clear: both"></div></div>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/jobs.mako
--- a/templates/admin/jobs.mako
+++ b/templates/admin/jobs.mako
@@ -63,12 +63,12 @@
</td><td>${job.id}</td>
%if job.history and job.history.user:
- <td>${job.history.user.email}</td>
+ <td>${job.history.user.email|h}</td>
%else:
<td>anonymous</td>
%endif
<td>${last_updated[job.id]} ago</td>
- <td>${job.tool_id}</td>
+ <td>${job.tool_id|h}</td><td>${job.state}</td><%
try:
@@ -77,8 +77,8 @@
inputs = 'Unable to determine inputs'
%><td>${inputs}</td>
- <td>${job.command_line}</td>
- <td>${job.job_runner_name}</td>
+ <td>${job.command_line|h}</td>
+ <td>${job.job_runner_name|h}</td><td>${job.job_runner_external_id}</td></tr>
%endfor
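Review bot: `${inputs}` in the `<td>` line above is the one cell of this row still rendered raw while every neighbouring cell now gets `|h`, and the same cell is left unchanged in the later hunk at line 145. `inputs` is assembled in the `<% try: %>` block that begins outside this hunk; if it is built from dataset names or parameter values, those are user-supplied and need the same filter, `<td>${inputs|h}</td>`, unless that block intentionally emits markup.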
@@ -131,12 +131,12 @@
%for job in recent_jobs:
<td><a href="${h.url_for( controller="admin", action="job_info" )}?jobid=${job.id}">${job.id}</a></td>
%if job.history and job.history.user:
- <td>${job.history.user.email}</td>
+ <td>${job.history.user.email|h}</td>
%else:
<td>anonymous</td>
%endif
<td>${finished[job.id]} ago</td>
- <td>${job.tool_id}</td>
+ <td>${job.tool_id|h}</td><td>${job.state}</td><%
try:
@@ -145,9 +145,9 @@
inputs = 'Unable to determine inputs'
%><td>${inputs}</td>
- <td>${job.command_line}</td>
- <td>${job.job_runner_name}</td>
- <td>${job.job_runner_external_id}</td>
+ <td>${job.command_line|h}</td>
+ <td>${job.job_runner_name|h}</td>
+ <td>${job.job_runner_external_id|h}</td></tr>
%endfor
</table>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/memdump.mako
--- a/templates/admin/memdump.mako
+++ b/templates/admin/memdump.mako
@@ -55,7 +55,7 @@
<br/>
You are here: ${breadcrumb}<br/>
%if breadcrumb.endswith( 'theone' ):
- ${heap}
+ ${heap|h}
%else:
<nobr>
Sort:
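Review bot: `${breadcrumb}` on the `You are here:` context line is still interpolated unescaped while only `${heap}` in the branch below receives `|h`. The `breadcrumb.endswith( 'theone' )` test shows it is a string path; if it originates from a request parameter it needs the same treatment, `You are here: ${breadcrumb|h}<br/>`. The enclosing block starts outside the hunk.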
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/package_tool.mako
--- a/templates/admin/package_tool.mako
+++ b/templates/admin/package_tool.mako
@@ -28,9 +28,9 @@
<select name="tool_id">
%for key, val in toolbox.tool_panel.items():
%if isinstance( val, Tool ):
- <option value="${val.id}">${val.name}</option>
+ <option value="${val.id|h}">${val.name|h}</option>
%elif isinstance( val, ToolSection ):
- <optgroup label="${val.name}">
+ <optgroup label="${val.name|h}"><% section = val %>
%for section_key, section_val in section.elems.items():
%if isinstance( section_val, Tool ):
@@ -38,7 +38,7 @@
%if section_val.id == tool_id:
<% selected_str = " selected=\"selected\"" %>
%endif
- <option value="${section_val.id}"${selected_str}>${section_val.name}</option>
+ <option value="${section_val.id|h}"${selected_str}>${section_val.name|h}</option>
%endif
%endfor
%endif
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/quota/quota.mako
--- a/templates/admin/quota/quota.mako
+++ b/templates/admin/quota/quota.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Quota '${name}'</div>
+ <div class="toolFormTitle">Quota '${name|h}'</div><div class="toolFormBody"><form name="associate_quota_user_group" id="associate_quota_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_quota', id=id )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${name}'</label>
+ <label>Users associated with '${name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${name}'</label>
+ <label>Users not associated with '${name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${name}'</label>
+ <label>Groups associated with '${name|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${name}'</label>
+ <label>Groups not associated with '${name|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/quota/quota_create.mako
--- a/templates/admin/quota/quota_create.mako
+++ b/templates/admin/quota/quota_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -69,15 +69,15 @@
<form name="associate_quota_group_user" id="associate_quota_group_user" action="${h.url_for(controller='admin', action='create_quota' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label>
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><label>Amount</label>
- <input name="amount" type="textfield" value="${amount}" size=40"/>
+ <input name="amount" type="textfield" value="${amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;">
Examples: "10000MB", "99 gb", "0.2T", "unlimited"
</div>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/quota/quota_edit.mako
--- a/templates/admin/quota/quota_edit.mako
+++ b/templates/admin/quota/quota_edit.mako
@@ -29,7 +29,7 @@
<input name="id" type="hidden" value="${id}"/><div class="form-row"><label>Amount</label>
- <input name="amount" type="textfield" value="${display_amount}" size=40"/>
+ <input name="amount" type="textfield" value="${display_amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;">
Examples: "10000MB", "99 gb", "0.2T", "unlimited"
</div>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/quota/quota_rename.mako
--- a/templates/admin/quota/quota_rename.mako
+++ b/templates/admin/quota/quota_rename.mako
@@ -21,14 +21,14 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${name}" size="40"/>
+ <input type="text" name="name" value="${name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div style="clear: both"></div></div>
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/reload_tool.mako
--- a/templates/admin/reload_tool.mako
+++ b/templates/admin/reload_tool.mako
@@ -28,9 +28,9 @@
<select name="tool_id">
%for key, val in toolbox.tool_panel.items():
%if isinstance( val, Tool ):
- <option value="${val.id}">${val.name}</option>
+ <option value="${val.id}">${val.name|h}</option>
%elif isinstance( val, ToolSection ):
- <optgroup label="${val.name}">
+ <optgroup label="${val.name|h}"><% section = val %>
%for section_key, section_val in section.elems.items():
%if isinstance( section_val, Tool ):
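Review bot: `${val.id}` inside the `<option value=...>` attribute is left unescaped here, and `${section_val.id}` likewise in the next hunk, whereas the identical lines in package_tool.mako earlier in this diff escape both id and name. Tool ids come from tool configuration and land inside a quoted attribute, so the two templates should agree; `<option value="${val.id|h}">${val.name|h}</option>` and `<option value="${section_val.id|h}"${selected_str}>${section_val.name|h}</option>` match package_tool.mako.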
@@ -38,7 +38,7 @@
%if section_val.id == tool_id:
<% selected_str = " selected=\"selected\"" %>
%endif
- <option value="${section_val.id}"${selected_str}>${section_val.name}</option>
+ <option value="${section_val.id}"${selected_str}>${section_val.name|h}</option>
%endif
%endfor
%endif
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/review_tool_migration_stages.mako
--- a/templates/admin/review_tool_migration_stages.mako
+++ b/templates/admin/review_tool_migration_stages.mako
@@ -4,7 +4,9 @@
%if message:
${render_msg( message, status )}
%endif
-
+<%
+from markupsafe import escape
+%><div class="toolForm"><div class="toolFormTitle">Tool migrations that can be performed on this Galaxy instance</div><div class="toolFormBody">
@@ -51,7 +53,7 @@
repository_names.sort()
repository_names = ', '.join( repository_names )
%>
- <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names}</b></td></tr>
+ <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names|h}</b></td></tr><tr><td bgcolor="#FFFFCC"><div class="form-row">
@@ -59,11 +61,11 @@
<p>
%if tool_dependencies:
This migration stage includes tools that have tool dependencies that can be automatically installed. To install them, run:<br/>
- <b>${install_dependencies}</b><br/><br/>
+ <b>${install_dependencies|h}</b><br/><br/>
To skip tool dependency installation run:<br/>
- <b>${migration_command}</b>
+ <b>${migration_command|h}</b>
%else:
- <b>${migration_command}</b>
+ <b>${migration_command|h}</b>
%endif
</p></div>
@@ -74,7 +76,7 @@
<tr><td bgcolor="#DADFEF"><div class="form-row">
- <b>Repository:</b> ${repository_name}
+ <b>Repository:</b> ${repository_name|h}
</div></td></tr>
@@ -88,10 +90,10 @@
</tr>
%for tool_dependencies_tup in tool_dependencies:
<%
- tool_dependency_name = tool_dependencies_tup[0]
- tool_dependency_version = tool_dependencies_tup[1]
- tool_dependency_type = tool_dependencies_tup[2]
- installation_requirements = tool_dependencies_tup[3].replace( '\n', '<br/>' )
+ tool_dependency_name = escape( tool_dependencies_tup[0] )
+ tool_dependency_version = escape( tool_dependencies_tup[1] )
+ tool_dependency_type = escape( tool_dependencies_tup[2] )
+ installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )
%><tr><td>
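Review bot: `escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )` will no longer produce line breaks: `escape` returns a `markupsafe.Markup`, whose `replace` escapes plain-string arguments, so the `<br/>` replacement is emitted as literal `&lt;br/&gt;` text. Mark the replacement as markup instead — `from markupsafe import escape, Markup` in the `<% %>` block added at the top of the template and `installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', Markup( '<br/>' ) )` here. The line that renders `installation_requirements` is outside this hunk; a Markup value survives an additional `|h` there unchanged, so that is safe either way.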
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/tool_shed_repository/browse_repository.mako
--- a/templates/admin/tool_shed_repository/browse_repository.mako
+++ b/templates/admin/tool_shed_repository/browse_repository.mako
@@ -21,7 +21,7 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Browse ${repository.name} revision ${repository.changeset_revision} files</div>
+ <div class="toolFormTitle">Browse ${repository.name|h} revision ${repository.changeset_revision} files</div><div class="toolFormBody"><div class="form-row" ><label>Contents:</label>
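Review bot: `${repository.changeset_revision}` in the title is left raw here while the same attribute gets `|h` in browse_tool_dependency.mako later in this diff. A changeset hash is harmless today, but the two templates should be consistent so the next reviewer does not have to reason about which fields are trusted: `Browse ${repository.name|h} revision ${repository.changeset_revision|h} files`.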
diff -r 2dc383cbb700f9d8d6a30eb976b70e8dcf1832db -r 72143d1079be191695e7ce2171926e891795bd7a templates/admin/tool_shed_repository/browse_tool_dependency.mako
--- a/templates/admin/tool_shed_repository/browse_tool_dependency.mako
+++ b/templates/admin/tool_shed_repository/browse_tool_dependency.mako
@@ -23,33 +23,33 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name} installation directory</div>
+ <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name|h} installation directory</div><div class="toolFormBody"><div class="form-row" ><label>Tool shed repository:</label>
- ${repository.name}
+ ${repository.name|h}
<div style="clear: both"></div></div><div class="form-row" ><label>Tool shed repository changeset revision:</label>
- ${repository.changeset_revision}
+ ${repository.changeset_revision|h}
<div style="clear: both"></div></div><div class="form-row" ><label>Tool dependency status:</label>
- ${tool_dependency.status}
+ ${tool_dependency.status|h}
<div style="clear: both"></div></div>
%if tool_dependency.in_error_state:
<div class="form-row" ><label>Tool dependency installation error:</label>
- ${tool_dependency.error_message}
+ ${tool_dependency.error_message|h}
<div style="clear: both"></div></div>
%endif
<div class="form-row" ><label>Tool dependency installation directory:</label>
- ${tool_dependency.installation_directory( trans.app )}
+ ${tool_dependency.installation_directory( trans.app )|h}
<div style="clear: both"></div></div><div class="form-row" >
This diff is so big that we needed to truncate the remainder.
https://bitbucket.org/galaxy/galaxy-central/commits/ba401d5b9aa0/
Changeset: ba401d5b9aa0
Branch: peterjc/clearer-error-messages-where-parameter-v-1418233351514
User: davebgx
Date: 2014-12-11 19:23:18+00:00
Summary: Close branch peterjc/clearer-error-messages-where-parameter-v-1418233351514.
Affected #: 0 files
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
commit/galaxy-central: martenson: Merged in davebgx/galaxy-central/stable (pull request #606)
by commits-noreply@bitbucket.org 11 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/e416697be38e/
Changeset: e416697be38e
Branch: stable
User: martenson
Date: 2014-12-11 18:08:35+00:00
Summary: Merged in davebgx/galaxy-central/stable (pull request #606)
[STABLE] Escape instances of message passed in through kwd before pushing them back out to mako.
Affected #: 14 files
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/web/base/controllers/admin.py
--- a/lib/galaxy/web/base/controllers/admin.py
+++ b/lib/galaxy/web/base/controllers/admin.py
@@ -7,6 +7,7 @@
from galaxy.web.form_builder import CheckboxField
from string import punctuation as PUNCTUATION
import galaxy.queue_worker
+from markupsafe import escape
from tool_shed.util import shed_util_common as suc
@@ -28,7 +29,7 @@
@web.expose
@web.require_admin
def index( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if trans.webapp.name == 'galaxy':
installed_repositories = trans.install_model.context.query( trans.install_model.ToolShedRepository ).first()
@@ -46,7 +47,7 @@
@web.expose
@web.require_admin
def center( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if trans.webapp.name == 'galaxy':
return trans.fill_template( '/webapps/galaxy/admin/center.mako',
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/demo_sequencer/controllers/common.py
--- a/lib/galaxy/webapps/demo_sequencer/controllers/common.py
+++ b/lib/galaxy/webapps/demo_sequencer/controllers/common.py
@@ -4,6 +4,7 @@
import time, socket, urllib, urllib2, base64, copy
from galaxy.util.json import *
from urllib import quote_plus, unquote_plus
+from markupsafe import escape
import logging
log = logging.getLogger( __name__ )
@@ -16,7 +17,7 @@
titles = util.listify( titles )
JobId = util.restore_text( kwd.get( 'JobId', '' ) )
sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
redirect_delay = trans.app.sequencer_actions_registry.redirect_delay
sequencer_redirects = copy.deepcopy( trans.app.sequencer_actions_registry.sequencer_redirects )
@@ -144,7 +145,7 @@
titles = util.restore_text( kwd.get( 'titles', '' ) )
JobId = util.restore_text( kwd.get( 'JobId', '' ) )
sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
url, http_method, request_params, response_type = request_tup
url = unquote_plus( url )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin.py
@@ -17,6 +17,7 @@
from galaxy.web.params import QuotaParamParser
from tool_shed.util import common_util
from tool_shed.util import encoding_util
+from markupsafe import escape
log = logging.getLogger( __name__ )
@@ -838,7 +839,7 @@
@web.expose
@web.require_admin
def review_tool_migration_stages( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
migration_stages_dict = odict()
migration_modules = []
@@ -870,13 +871,13 @@
@web.expose
@web.require_admin
def view_datatypes_registry( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
return trans.fill_template( 'admin/view_datatypes_registry.mako', message=message, status=status )
@web.expose
@web.require_admin
def view_tool_data_tables( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
return trans.fill_template( 'admin/view_data_tables_registry.mako', message=message, status=status )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
@@ -8,6 +8,7 @@
from galaxy.web.form_builder import CheckboxField
from galaxy.util import json
from galaxy.model.orm import or_
+from markupsafe import escape
import tool_shed.repository_types.util as rt_util
@@ -52,7 +53,7 @@
try:
trans.app.installed_repository_manager.activate_repository( repository )
except Exception, e:
- error_message = "Error activating repository %s: %s" % ( repository.name, str( e ) )
+ error_message = "Error activating repository %s: %s" % ( escape( repository.name ), str( e ) )
log.exception( error_message )
message = '%s.<br/>You may be able to resolve this by uninstalling and then reinstalling the repository. Click <a href="%s">here</a> to uninstall the repository.' \
% ( error_message, web.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) ) )
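Review bot: `str( e )` in the new `error_message` line is still interpolated raw while `repository.name` beside it is now escaped; exception text routinely echoes the input that caused it (paths, names, remote responses), and this string is then embedded in an HTML message with an `<a href>` and also logged. Escape both operands, `( escape( repository.name ), escape( str( e ) ) )`, or build the message with `Markup( ... ) % ( ... )` so every substitution is escaped by construction. The enclosing method starts outside the hunk.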
@@ -62,7 +63,7 @@
id=repository_id,
message=message,
status=status ) )
- message = 'The <b>%s</b> repository has been activated.' % repository.name
+ message = 'The <b>%s</b> repository has been activated.' % escape( repository.name )
status = 'done'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
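Review bot: The success message carries literal `<b>` markup and is passed through the redirect as the `message` query parameter, but every receiving action touched by this commit now does `escape( kwd.get( 'message', '' ) )` on input (browse_repository, manage_repositories, etc.). If browse_repositories was given the same treatment (it is not in this chunk), the tags in this message will render as `&lt;b&gt;` text rather than bold. Either drop the inline markup from messages that travel through a redirect, e.g. `message = 'The %s repository has been activated.' % escape( repository.name )`, or have the templates add the decoration.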
@@ -72,7 +73,7 @@
@web.expose
@web.require_admin
def browse_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = repository_util.get_installed_tool_shed_repository( trans.app, kwd[ 'id' ] )
return trans.fill_template( '/admin/tool_shed_repository/browse_repository.mako',
@@ -141,7 +142,7 @@
action='reselect_tool_panel_section',
**kwd ) )
else:
- message = "Unable to get latest revision for repository <b>%s</b> from " % str( repository.name )
+ message = "Unable to get latest revision for repository <b>%s</b> from " % escape( str( repository.name ) )
message += "the Tool Shed, so repository re-installation is not possible at this time."
status = "error"
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
@@ -169,7 +170,7 @@
@web.expose
@web.require_admin
def browse_tool_dependency( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
tool_dependency = tool_dependency_util.get_tool_dependency( trans.app, tool_dependency_ids[ 0 ] )
@@ -197,7 +198,7 @@
@web.expose
@web.require_admin
def browse_tool_sheds( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.fill_template( '/webapps/galaxy/admin/tool_sheds.mako',
message=message,
@@ -230,7 +231,7 @@
require the same entry. For now we'll never delete entries from config.shed_tool_data_table_config,
but we may choose to do so in the future if it becomes necessary.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
remove_from_disk = kwd.get( 'remove_from_disk', '' )
remove_from_disk_checked = CheckboxField.is_checked( remove_from_disk )
@@ -303,14 +304,14 @@
trans.install_model.context.add( tool_shed_repository )
trans.install_model.context.flush()
if remove_from_disk_checked:
- message = 'The repository named <b>%s</b> has been uninstalled. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been uninstalled. ' % escape( tool_shed_repository.name )
if errors:
message += 'Attempting to uninstall tool dependencies resulted in errors: %s' % errors
status = 'error'
else:
status = 'done'
else:
- message = 'The repository named <b>%s</b> has been deactivated. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been deactivated. ' % escape( tool_shed_repository.name )
status = 'done'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
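Review bot: `errors` is appended to the message unescaped in the `if errors:` branch while `tool_shed_repository.name` just above it is now escaped. `errors` is the accumulated output of the tool-dependency uninstall attempts (where it is built is outside this hunk), so it can contain arbitrary text from installed packages; suggest `message += 'Attempting to uninstall tool dependencies resulted in errors: %s' % escape( errors )`. The same redirect-through-`message` caveat applies: the `<b>` markup in these messages will be escaped by the receiving action.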
@@ -442,7 +443,7 @@
@web.require_admin
def import_workflow( self, trans, workflow_name, repository_id, **kwd ):
"""Import a workflow contained in an installed tool shed repository into Galaxy."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if workflow_name:
workflow_name = encoding_util.tool_shed_decode( workflow_name )
@@ -453,7 +454,7 @@
workflow_name = encoding_util.tool_shed_encode( str( workflow.name ) )
else:
message += 'Unable to locate a workflow named <b>%s</b> within the installed tool shed repository named <b>%s</b>' % \
- ( str( workflow_name ), str( repository.name ) )
+ ( escape( str( workflow_name ) ), escape( str( repository.name ) ) )
status = 'error'
else:
message = 'Invalid repository id <b>%s</b> received.' % str( repository_id )
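Review bot: The `else` branch still interpolates `repository_id` unescaped into `<b>%s</b>`, and that value comes straight from the URL of import_workflow, so it is the most attacker-controlled string in this method while `workflow_name` and `repository.name` are now escaped. Change it to `message = 'Invalid repository id <b>%s</b> received.' % escape( str( repository_id ) )`. Separately, `message` is initialised as `escape( kwd.get( 'message', '' ) )` earlier in this method (previous hunk), which is a markupsafe `Markup`; `Markup.__add__` escapes a plain-str right operand, so the `<b>` tags in the `message +=` literal here will be rendered as text, which the old galaxy helper did not do.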
@@ -479,7 +480,7 @@
tool shed repository.
"""
# Get the tool_shed_repository from one of the tool_dependencies.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
err_msg = ''
tool_shed_repository = tool_dependencies[ 0 ].tool_shed_repository
@@ -512,7 +513,7 @@
@web.require_admin
def install_latest_repository_revision( self, trans, **kwd ):
"""Install the latest installable revision of a repository that has been previously installed."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id is not None:
@@ -589,7 +590,7 @@
updating_to_changeset_revision = kwd.get( 'updating_to_changeset_revision', None )
updating_to_ctx_rev = kwd.get( 'updating_to_ctx_rev', None )
encoded_updated_metadata = kwd.get( 'encoded_updated_metadata', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
install_tool_dependencies = CheckboxField.is_checked( kwd.get( 'install_tool_dependencies', '' ) )
if 'install_tool_dependencies_with_update_button' in kwd:
@@ -609,7 +610,7 @@
relative_install_dir,
set_status=False )
message = "The installed repository named '%s' has been updated to change set revision '%s'. " % \
- ( str( repository.name ), updating_to_changeset_revision )
+ ( escape( str( repository.name ) ), updating_to_changeset_revision )
self.initiate_tool_dependency_installation( trans, tool_dependencies, message=message, status=status )
# Handle tool dependencies check box.
if trans.app.config.tool_dependency_dir is None:
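Review bot: `updating_to_changeset_revision` is taken directly from `kwd` a few lines above and is interpolated into the message unescaped, whereas `repository.name` on the same line now is. The value is passed to initiate_tool_dependency_installation as the message and presumably reaches a page, so it should be `( escape( str( repository.name ) ), escape( str( updating_to_changeset_revision ) ) )`. The rest of update_to_changeset_revision's handling of this value is outside the hunk.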
@@ -665,7 +666,7 @@
@web.expose
@web.require_admin
def manage_repositories( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tsridslist = common_util.get_tool_shed_repository_ids( **kwd )
if 'operation' in kwd:
@@ -744,7 +745,7 @@
@web.expose
@web.require_admin
def manage_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id is None:
@@ -808,7 +809,7 @@
@web.expose
@web.require_admin
def manage_repository_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
if tool_dependency_ids:
@@ -890,7 +891,7 @@
def manage_tool_dependencies( self, trans, **kwd ):
# This method is called when tool dependencies are being installed. See the related manage_repository_tool_dependencies
# method for managing the tool dependencies for a specified installed tool shed repository.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
repository_id = kwd.get( 'repository_id', None )
@@ -902,7 +903,7 @@
# The user must be on the manage_repository_tool_dependencies page and clicked the button to either install or uninstall a
# tool dependency, but they didn't check any of the available tool dependencies on which to perform the action.
tool_shed_repository = suc.get_tool_shed_repository_by_id( trans.app, repository_id )
- self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % tool_shed_repository.name
+ self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % escape( tool_shed_repository.name )
if 'operation' in kwd:
operation = kwd[ 'operation' ].lower()
if not tool_dependency_ids:
@@ -978,7 +979,7 @@
message += 'of Galaxy Tool Shed repository tools into a local Galaxy instance</a> section of the Galaxy Tool '
message += 'Shed wiki for all of the details.'
return trans.show_error_message( message )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
shed_tool_conf = kwd.get( 'shed_tool_conf', None )
tool_shed_url = kwd.get( 'tool_shed_url', '' )
@@ -1030,7 +1031,7 @@
# The Tool Shed cannot handle the get_repository_id request, so the code must be older than the
# 04/2014 Galaxy release when it was introduced. It will be safest to error out and let the
# Tool Shed admin update the Tool Shed to a later release.
- message = 'The updates available for the repository <b>%s</b> ' % str( repository.name )
+ message = 'The updates available for the repository <b>%s</b> ' % escape( str( repository.name ) )
message += 'include newly defined repository or tool dependency definitions, and attempting '
message += 'to update the repository resulted in the following error. Contact the Tool Shed '
message += 'administrator if necessary.<br/>%s' % str( e )
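Review bot: The trailing `str( e )` is appended unescaped right after the `<br/>`, and per the comment above it this is an error coming back from a remote Tool Shed request, i.e. text a third-party server controls. Escaping `repository.name` on the first line while leaving the exception text raw leaves the injection point that matters most; use `message += 'administrator if necessary.<br/>%s' % escape( str( e ) )`. The enclosing method continues outside this hunk.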
@@ -1314,7 +1315,7 @@
and tool dependencies of the repository.
"""
rdim = repository_dependency_manager.RepositoryDependencyInstallManager( trans.app )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd[ 'id' ]
tool_shed_repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
@@ -1450,7 +1451,7 @@
Inspect the repository dependency hierarchy for a specified repository and attempt to make sure they are all properly installed as well as
each repository's tool dependencies.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if not repository_id:
@@ -1648,12 +1649,12 @@
no_changes_check_box = CheckboxField( 'no_changes', checked=True )
if original_section_name:
message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel section <b>%s</b>. " \
- % ( tool_shed_repository.name, original_section_name )
+ % ( escape( tool_shed_repository.name ), original_section_name )
message += "Uncheck the <b>No changes</b> check box and select a different tool panel section to load the tools in a "
message += "different section in the tool panel. "
status = 'warning'
else:
- message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % tool_shed_repository.name
+ message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % escape( tool_shed_repository.name )
message += "Uncheck the <b>No changes</b> check box and select a tool panel section to load the tools into that section. "
status = 'warning'
else:
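Review bot: `original_section_name` is interpolated into `<b>%s</b>` unescaped in the `if original_section_name:` branch while `tool_shed_repository.name` next to it is now escaped. Where that name comes from is outside this hunk (it looks like a tool-panel section label from the installed repository's metadata), so it is at least indirectly shed-controlled; for consistency use `% ( escape( tool_shed_repository.name ), escape( original_section_name ) )`. Note also that `message +=` here appends to a value initialised outside the hunk; if it is a markupsafe `Markup`, the `<b>` tags in the appended literal will be escaped on concatenation.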
@@ -1715,7 +1716,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = irmm.reset_metadata_on_selected_repositories( trans.user, **kwd )
else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = irmm.build_repository_ids_select_field()
return trans.fill_template( '/admin/tool_shed_repository/reset_metadata_on_selected_repositories.mako',
@@ -1749,13 +1750,13 @@
irmm.update_in_shed_tool_config()
trans.install_model.context.add( repository )
trans.install_model.context.flush()
- message = 'Metadata has been reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata has been reset on repository <b>%s</b>.' % escape( repository.name )
status = 'done'
else:
- message = 'Metadata did not need to be reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata did not need to be reset on repository <b>%s</b>.' % escape( repository.name )
status = 'done'
else:
- message = 'Error locating installation directory for repository <b>%s</b>.' % repository.name
+ message = 'Error locating installation directory for repository <b>%s</b>.' % escape( repository.name )
status = 'error'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='manage_repository',
@@ -1777,7 +1778,7 @@
uninstalled=False,
remove_from_disk=True )
new_kwd = {}
- new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % str( repository.name )
+ new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % escape( str( repository.name ) )
new_kwd[ 'status' ] = "done"
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -1808,7 +1809,7 @@
message = "Tool versions have been set for all included tools."
status = 'done'
else:
- message = "Version information for the tools included in the <b>%s</b> repository is missing. " % repository.name
+ message = "Version information for the tools included in the <b>%s</b> repository is missing. " % escape( repository.name )
message += "Reset all of this reppository's metadata in the tool shed, then set the installed tool versions "
message ++ "from the installed repository's <b>Repository Actions</b> menu. "
status = 'error'
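Review bot: The line after the changed one reads `message ++ "from the installed repository's <b>Repository Actions</b> menu. "`, which Python parses as `message + (+"...")` and raises `TypeError: bad operand type for unary +: 'str'` whenever this error branch runs, so the escape being added here is never shown. It should be `message += "from the installed repository's <b>Repository Actions</b> menu. "`, and while there, `reppository` on the preceding line is a typo. This is pre-existing, but the commit touches the branch and is a good moment to fix it.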
@@ -1852,7 +1853,7 @@
@web.expose
@web.require_admin
def uninstall_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
if not tool_dependency_ids:
@@ -1897,7 +1898,7 @@
@web.require_admin
def update_to_changeset_revision( self, trans, **kwd ):
"""Update a cloned repository to the latest revision possible."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_shed_url = kwd.get( 'tool_shed_url', '' )
# Handle protocol changes over time.
@@ -2070,7 +2071,7 @@
@web.expose
@web.require_admin
def update_tool_shed_status_for_installed_repository( self, trans, all_installed_repositories=False, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if all_installed_repositories:
success_count = 0
@@ -2083,7 +2084,7 @@
if ok:
success_count += 1
else:
- repository_names_not_updated.append( '<b>%s</b>' % str( repository.name ) )
+ repository_names_not_updated.append( '<b>%s</b>' % escape( str( repository.name ) ) )
if updated:
updated_count += 1
message = "Checked the status in the tool shed for %d repositories. " % success_count
@@ -2098,11 +2099,11 @@
repository_util.check_or_update_tool_shed_status_for_installed_repository( trans.app, repository )
if ok:
if updated:
- message = "The tool shed status for repository <b>%s</b> has been updated." % str( repository.name )
+ message = "The tool shed status for repository <b>%s</b> has been updated." % escape( str( repository.name ) )
else:
- message = "The status has not changed in the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "The status has not changed in the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
else:
- message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
status = 'error'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -2112,7 +2113,7 @@
@web.expose
@web.require_admin
def view_tool_metadata( self, trans, repository_id, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
repository_metadata = repository.metadata
@@ -2146,7 +2147,7 @@
@web.require_admin
def view_workflow( self, trans, workflow_name=None, repository_id=None, **kwd ):
"""Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if workflow_name:
workflow_name = encoding_util.tool_shed_decode( workflow_name )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -5,8 +5,9 @@
from galaxy import web
from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import escape, grids, time_ago
+from galaxy.web.framework.helpers import grids, time_ago
from library_common import get_comptypes, lucene_search, whoosh_search
+from markupsafe import escape
# from galaxy.model.orm import *
log = logging.getLogger( __name__ )
@@ -148,7 +149,7 @@
@web.expose
@web.require_admin
def create_library( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if kwd.get( 'create_library_button', False ):
name = kwd.get( 'name', 'No name' )
@@ -161,12 +162,12 @@
library.root_folder = root_folder
trans.sa_session.add_all( ( library, root_folder ) )
trans.sa_session.flush()
- message = "The new library named '%s' has been created" % library.name
+ message = "The new library named '%s' has been created"
return trans.response.send_redirect( web.url_for( controller='library_common',
action='browse_library',
cntrller='library_admin',
id=trans.security.encode_id( library.id ),
- message=message,
+ message=escape( message ),
status='done' ) )
return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) )
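Review bot: The rewritten line drops the `% library.name` formatting entirely, so the redirect message is now the literal text `The new library named '%s' has been created` with a bare `%s` shown to the admin. The intended change is to escape the name, not remove it: `message = "The new library named '%s' has been created" % escape( library.name )`. With that in place, `message=escape( message )` on the redirect is harmless (escaping a `Markup` is a no-op) but redundant.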
@web.expose
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/library_common.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_common.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py
@@ -20,7 +20,7 @@
from galaxy.util.streamball import StreamBall
from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems
from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field
-from galaxy.web.framework.helpers import escape
+from markupsafe import escape
from galaxy.model.orm import and_, eagerload_all
# Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled.
@@ -93,7 +93,7 @@
@web.expose
def browse_library( self, trans, cntrller='library', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# If use_panels is True, the library is being accessed via an external link
# which did not originate from within the Galaxy instance, and the library will
@@ -121,7 +121,7 @@
hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) )
if created_ldda_ids and not message:
message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \
- ( len( created_ldda_ids.split( ',' ) ), library.name )
+ ( len( created_ldda_ids.split( ',' ) ), escape( library.name ) )
message += "Don't navigate away from Galaxy or use the browser's \"stop\" or \"reload\" buttons (on this tab) until the "
message += "message \"This job is running\" is cleared from the \"Information\" column below for each selected dataset."
status = "info"
@@ -152,7 +152,7 @@
message=escape( message ),
status=escape( status ) )
except Exception, e:
- message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) )
+ message = 'Error attempting to display contents of library (%s): %s.' % ( escape( str( library.name ) ), str( e ) )
status = 'error'
default_action = kwd.get( 'default_action', None )
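Review bot: In the `except` branch `str( library.name )` is now escaped but `str( e )` is not, and this message is then sent through a redirect (the `send_redirect` call continues past the hunk) into a page. The exception text from rendering a library can include dataset and folder names chosen by users, so it should be escaped too: `message = 'Error attempting to display contents of library (%s): %s.' % ( escape( str( library.name ) ), escape( str( e ) ) )`.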
@@ -164,7 +164,7 @@
status=status ) )
@web.expose
def library_info( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -223,7 +223,7 @@
status=escape( status ) )
@web.expose
def library_permissions( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -269,7 +269,7 @@
status=escape( status ) )
@web.expose
def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -345,7 +345,7 @@
status=escape( status ) )
@web.expose
def folder_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -401,7 +401,7 @@
status=escape( status ) )
@web.expose
def folder_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -450,7 +450,7 @@
status=escape( status ) )
@web.expose
def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -505,7 +505,7 @@
old_name = ldda.name
new_name = kwd.get( 'name', '' )
new_info = kwd.get( 'info', '' )
- new_message = kwd.get( 'message', '' )
+ new_message = escape( kwd.get( 'message', '' ) )
if not new_name:
message = 'Enter a valid name'
status = 'error'
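Review bot: `new_message` here is not a flash message; it sits next to `new_name` and `new_info` as one of the edited LDDA fields (the rest of ldda_edit_info, outside the hunk, presumably writes it to the dataset). Escaping it at input stores HTML-escaped text in the database, which will be escaped again whenever a template renders it with `|h`, and `new_name` / `new_info` are not escaped alongside it, which suggests the blanket `kwd.get( 'message', '' )` replace caught this line by accident. Suggest reverting to `new_message = kwd.get( 'message', '' )` and keeping escaping at the output side.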
@@ -602,7 +602,7 @@
status=escape( status ) )
@web.expose
def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) )
@@ -650,7 +650,7 @@
status=escape( status ) )
@web.expose
def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -787,9 +787,9 @@
status=escape( status ) )
@web.expose
def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
deleted = util.string_as_bool( kwd.get( 'deleted', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
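Review bot: `ldda_message` is escaped at input in upload_library_dataset (and in add_history_datasets_to_library later in this commit), but from its name and position it appears to be the per-dataset message that gets stored on the new library datasets rather than a page flash message; the code that consumes it is outside this hunk. If so, the stored value will be HTML-escaped at rest and double-escaped on display, and the `message` parameter to the same action has the redirect-markup concern noted elsewhere. Please confirm where `ldda_message` ends up; if it is persisted, drop the `escape()` here and rely on output escaping.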
@@ -1046,7 +1046,7 @@
dataset_upload_inputs.append( input )
# Library-specific params
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
server_dir = kwd.get( 'server_dir', '' )
if replace_dataset not in [ None, 'None' ]:
@@ -1256,9 +1256,9 @@
@web.expose
def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
show_deleted = kwd.get( 'show_deleted', False )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
replace_id = kwd.get( 'replace_id', None )
@@ -1547,7 +1547,7 @@
status='error' ) )
@web.expose
def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1595,7 +1595,7 @@
status=escape( status ) )
@web.expose
def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1642,7 +1642,7 @@
status=escape( status ) )
@web.expose
def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1703,7 +1703,7 @@
rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath )
return rval
# Perform an action on a list of library datasets.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1979,7 +1979,7 @@
# - a select list option for acting on multiple selected datasets within a library
# ( ldda_ids is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2102,7 +2102,7 @@
def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ):
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' )
current_user_roles = trans.get_current_user_roles()
@@ -2152,7 +2152,7 @@
# 'ldda' and item_id is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a
# comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2723,7 +2723,7 @@
return map( operator.getitem, intermed, ( -1, ) * len( intermed ) )
def lucene_search( trans, cntrller, search_term, search_url, **kwd ):
"""Return display of results from a full-text lucene search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) )
response = urllib2.urlopen( full_url )
@@ -2733,7 +2733,7 @@
return status, message, get_sorted_accessible_library_items( trans, cntrller, lddas, 'name' )
def whoosh_search( trans, cntrller, search_term, **kwd ):
"""Return display of results from a full-text whoosh search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
ok = True
if whoosh_search_enabled:
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -28,9 +28,10 @@
from galaxy.web.base.controller import CreatesApiKeysMixin
from galaxy.web.form_builder import CheckboxField
from galaxy.web.form_builder import build_select_field
-from galaxy.web.framework.helpers import time_ago, grids, escape
+from galaxy.web.framework.helpers import time_ago, grids
from datetime import datetime, timedelta
from galaxy.util import hash_util, biostar
+from markupsafe import escape
log = logging.getLogger( __name__ )
@@ -254,7 +255,7 @@
if not trans.app.config.enable_openid:
return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
email = kwd.get( 'email', '' )
username = kwd.get( 'username', '' )
@@ -502,7 +503,7 @@
"""
Function validates numerous cases that might happen during the login time.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'error' )
email = kwd.get( 'email', '' )
password = kwd.get( 'password', '' )
@@ -719,7 +720,7 @@
email = util.restore_text( kwd.get( 'email', '' ) )
password = kwd.get( 'password', '' )
username = util.restore_text( kwd.get( 'username', '' ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
is_admin = cntrller == 'admin' and trans.user_is_admin()
user = self.create_user( trans=trans, email=email, username=username, password=password )
@@ -1093,7 +1094,7 @@
def reset_password( self, trans, email=None, **kwd ):
if trans.app.config.smtp_server is None:
return trans.show_error_message( "Mail is not configured for this Galaxy instance. Please contact your local Galaxy administrator." )
- message = util.sanitize_text(util.restore_text( kwd.get( 'message', '' ) ))
+ message = util.sanitize_text( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
if kwd.get( 'reset_password_button', False ):
reset_user = trans.sa_session.query( trans.app.model.User ).filter( trans.app.model.User.table.c.email == email ).first()
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -22,7 +22,7 @@
from galaxy.web import error, url_for
from galaxy.web.base.controller import BaseUIController, SharableMixin, UsesStoredWorkflowMixin
from galaxy.web.framework.formbuilder import form
-from galaxy.web.framework.helpers import grids, time_ago, to_unicode, escape
+from galaxy.web.framework.helpers import grids, time_ago, to_unicode
from galaxy.workflow.modules import WorkflowModuleInjector
from galaxy.workflow.modules import MissingToolException
from galaxy.workflow.modules import module_factory, is_tool_module_type
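Review bot: Swapping `escape` from `galaxy.web.framework.helpers` for `markupsafe.escape` changes the return type for every other use of `escape` in workflow.py, not only the `message` line this commit targets: the helper version is presumably a plain-string escaper, while markupsafe returns a `Markup` whose `+`/`%` operations escape the other operand. Any existing call in this file that builds HTML around an escaped value (`'<b>' + escape( name ) + '</b>'`) will now produce literal `&lt;b&gt;`; those call sites are outside this hunk and are worth grepping for before the import is replaced file-wide.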
@@ -37,6 +37,7 @@
order_workflow_steps_with_levels,
)
from galaxy.workflow.render import WorkflowCanvas, MARGIN, LINE_SPACING
+from markupsafe import escape
class StoredWorkflowListGrid( grids.Grid ):
@@ -1021,7 +1022,7 @@
"""
url = kwd.get( 'url', '' )
workflow_text = kwd.get( 'workflow_text', '' )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
import_button = kwd.get( 'import_button', False )
# The special Galaxy integration landing page's URL on myExperiment
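Review bot: `url` and `workflow_text` two lines above the escaped `message` are equally attacker-controlled and are presumably echoed back into the import form and, for `url`, fetched server-side (the myExperiment landing-page comment suggests so); escaping `message` alone leaves the form fields unescaped and does nothing about where `url` may point. If the fetch happens in this function (its body continues outside the hunk), the URL should be restricted to `http`/`https` and ideally to the expected host before it is retrieved, and the echoed values should be escaped at render time rather than relying on per-parameter escaping here.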
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/reports/controllers/users.py
--- a/lib/galaxy/webapps/reports/controllers/users.py
+++ b/lib/galaxy/webapps/reports/controllers/users.py
@@ -9,17 +9,19 @@
pkg_resources.require( "SQLAlchemy >= 0.4" )
import sqlalchemy as sa
import logging
+from markupsafe import escape
+
log = logging.getLogger( __name__ )
class Users( BaseUIController ):
@web.expose
def registered_users( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
num_users = trans.sa_session.query( galaxy.model.User ).count()
return trans.fill_template( '/webapps/reports/registered_users.mako', num_users=num_users, message=message )
@web.expose
def registered_users_per_month( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
q = sa.select( ( sa.func.date_trunc( 'month', sa.func.date( galaxy.model.User.table.c.create_time ) ).label( 'date' ),
sa.func.count( galaxy.model.User.table.c.id ).label( 'num_users' ) ),
from_obj = [ galaxy.model.User.table ],
@@ -36,7 +38,7 @@
message=message )
@web.expose
def specified_month( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
# If specified_date is not received, we'll default to the current month
specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
specified_month = specified_date[ :7 ]
@@ -66,7 +68,7 @@
message=message )
@web.expose
def specified_date( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
# If specified_date is not received, we'll default to the current month
specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
year, month, day = map( int, specified_date.split( "-" ) )
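Review bot: `specified_date` is read from the request one line above the escaped `message` and is neither validated nor escaped, yet it is split and fed to `int()`, so any malformed value (`2014-12`, `2014-12-01x`, a literal `<script>`) raises `ValueError` and produces an unhandled 500 rather than an error message. Parsing it once with `datetime.strptime( specified_date, "%Y-%m-%d" )` inside a `try`/`except ValueError` that falls back to today's date would both validate the input and remove the need to escape it when it is rendered back into the report title.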
@@ -95,7 +97,7 @@
message=message )
@web.expose
def last_access_date( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
not_logged_in_for_days = kwd.get( 'not_logged_in_for_days', 90 )
if not not_logged_in_for_days:
not_logged_in_for_days = 0
@@ -120,7 +122,7 @@
@web.expose
def user_disk_usage( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
user_cutoff = int( kwd.get( 'user_cutoff', 60 ) )
# disk_usage isn't indexed
users = sorted( trans.sa_session.query( galaxy.model.User ).all(), key=operator.attrgetter( 'disk_usage' ), reverse=True )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/admin.py
--- a/lib/galaxy/webapps/tool_shed/controllers/admin.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/admin.py
@@ -3,6 +3,7 @@
from galaxy import util
from galaxy.util import inflector
from galaxy import web
+from markupsafe import escape
from galaxy.web.base.controller import BaseUIController
from galaxy.web.base.controllers.admin import Admin
@@ -121,7 +122,7 @@
@web.expose
@web.require_admin
def create_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
name = kwd.get( 'name', '' ).strip()
description = kwd.get( 'description', '' ).strip()
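Review bot: `name` and `description` are read from the request two lines below the escaped `message` and are stored as category data, so the read-time escaping applied to `message` does not protect them: escaping them here would persist `&amp;`/`&#39;` entities into the database, while leaving them raw means every template that prints a category name must escape at output. The durable fix for this class of value is output-side escaping (Mako's `| h` filter or `default_filters=['h']`), with read-time escaping reserved for transient values like `message` that are never stored.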
@@ -154,7 +155,7 @@
@web.expose
@web.require_admin
def delete_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -197,7 +198,7 @@
@web.expose
@web.require_admin
def delete_repository_metadata( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -221,7 +222,7 @@
@web.expose
@web.require_admin
def edit_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -306,7 +307,7 @@
@web.expose
@web.require_admin
def regenerate_statistics( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'regenerate_statistics_button' in kwd:
trans.app.shed_counter.generate_statistics()
@@ -352,7 +353,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = rmm.reset_metadata_on_selected_repositories( **kwd )
else:
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids',
multiple=True,
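Review bot: Only the `else` branch escapes `message`; when `reset_metadata_on_selected_repositories_button` is set, `message` comes straight from `rmm.reset_metadata_on_selected_repositories( **kwd )` and is rendered without escaping. If that helper composes its text from repository or owner names (user-supplied data in a tool shed), the XSS this commit addresses is still reachable through that branch, so escaping after the `if`/`else` (`message = escape( message )` on both paths, or in the template) would be more robust than escaping the raw parameter in one branch.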
@@ -366,7 +367,7 @@
@web.expose
@web.require_admin
def undelete_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -417,7 +418,7 @@
# TODO: We should probably eliminate the Category.deleted column since it really makes no
# sense to mark a category as deleted (category names and descriptions can be changed instead).
# If we do this, and the following 2 methods can be eliminated.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -445,7 +446,7 @@
# This method should only be called for a Category that has previously been deleted.
# Purging a deleted Category deletes all of the following from the database:
# - RepoitoryCategoryAssociations where category_id == Category.id
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -473,7 +474,7 @@
@web.expose
@web.require_admin
def undelete_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/repository.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py
@@ -6,6 +6,7 @@
from time import strftime
from datetime import date
from datetime import datetime
+from markupsafe import escape
from galaxy import util
from galaxy import web
@@ -385,7 +386,7 @@
action='reviewed_repositories_i_own' ) )
elif operation == "repositories_by_category":
category_id = kwd.get( 'id', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.response.send_redirect( web.url_for( controller='repository',
action='browse_repositories_in_category',
@@ -721,9 +722,9 @@
@web.expose
def browse_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Deleted selected files' )
+ commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
# Update repository files for browsing.
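Review bot: Escaping `commit_message` at read time is the wrong layer if, as its name and the hg repository opened on the following lines suggest, it is later passed to Mercurial as the commit text: the repository history will then contain HTML entities (`&amp;`, `&#39;`, `&lt;`) instead of the characters the user typed, which is data corruption rather than a security gain. Keep the raw value for the commit and escape only where it is rendered, e.g. pass `commit_message=escape( commit_message )` to `fill_template` while using the unescaped string for the hg operation; the commit itself is outside this hunk and should be checked.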
@@ -891,7 +892,7 @@
@web.expose
def check_for_updates( self, trans, **kwd ):
"""Handle a request from a local Galaxy instance."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# If the request originated with the UpdateRepositoryManager, it will not include a galaxy_url.
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
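Review bot: `galaxy_url` is derived from request parameters on the line after the escaped `message` and, in this handler, is presumably used as the target of a redirect back to the calling Galaxy instance; escaping `message` does not address that an arbitrary external URL can be supplied here, which makes the endpoint an open-redirect candidate unless `handle_galaxy_url` validates it. If it does not, restrict the value to `http`/`https` schemes and reject values with embedded credentials or control characters before using it in `send_redirect`.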
@@ -976,7 +977,7 @@
@web.expose
def contact_owner( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
metadata = metadata_util.get_repository_metadata_by_repository_id_changeset_revision( trans.app,
@@ -995,7 +996,7 @@
@web.expose
def create_galaxy_docker_image( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_ids = util.listify( kwd.get( 'id', '' ) )
if 'operation' in kwd:
@@ -1051,7 +1052,7 @@
@web.expose
def create_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
categories = suc.get_categories( trans )
if not categories:
@@ -1108,7 +1109,7 @@
# Marking a repository in the tool shed as deprecated has no effect on any downloadable changeset
# revisions that may be associated with the repository. Revisions are not marked as not downlaodable
# because those that have installed the repository must be allowed to get updates.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -1164,7 +1165,7 @@
@web.expose
def display_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
tv = tool_validator.ToolValidator( trans.app )
@@ -1229,7 +1230,7 @@
@web.expose
def export( self, trans, repository_id, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
export_repository_dependencies = kwd.get( 'export_repository_dependencies', '' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -1309,7 +1310,7 @@
@web.expose
def find_tools( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
if 'operation' in kwd:
@@ -1400,7 +1401,7 @@
@web.expose
def find_workflows( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
if 'operation' in kwd:
@@ -2020,13 +2021,13 @@
@web.expose
def help( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.fill_template( '/webapps/tool_shed/repository/help.mako', message=message, status=status, **kwd )
@web.expose
def import_capsule( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
capsule_file_name = kwd.get( 'capsule_file_name', None )
encoded_file_path = kwd.get( 'encoded_file_path', None )
@@ -2069,7 +2070,7 @@
@web.expose
def index( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# See if there are any RepositoryMetadata records since menu items require them.
repository_metadata = trans.sa_session.query( trans.model.RepositoryMetadata ).first()
@@ -2151,7 +2152,7 @@
@web.expose
def load_invalid_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'error' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
tv = tool_validator.ToolValidator( trans.app )
@@ -2203,7 +2204,7 @@
@web.expose
@web.require_login( "manage email alerts" )
def manage_email_alerts( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
new_repo_alert = kwd.get( 'new_repo_alert', '' )
new_repo_alert_checked = CheckboxField.is_checked( new_repo_alert )
@@ -2234,7 +2235,7 @@
@web.expose
@web.require_login( "manage repository" )
def manage_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repository_type = kwd.get( 'repository_type', str( repository.type ) )
@@ -2500,7 +2501,7 @@
@web.expose
@web.require_login( "manage repository administrators" )
def manage_repository_admins( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
changeset_revision = kwd.get( 'changeset_revision', repository.tip( trans.app ) )
@@ -2558,7 +2559,7 @@
@web.expose
@web.require_login( "multi select email alerts" )
def multi_select_email_alerts( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
operation = kwd[ 'operation' ].lower()
@@ -2607,7 +2608,7 @@
@web.expose
def preview_tools_in_changeset( self, trans, repository_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -2714,7 +2715,7 @@
@web.require_login( "rate repositories" )
def rate_repository( self, trans, **kwd ):
""" Rate a repository and return updated rating data. """
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -2787,7 +2788,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = rmm.reset_metadata_on_selected_repositories( **kwd )
else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids',
multiple=True,
@@ -2800,9 +2801,9 @@
@web.expose
def select_files_to_delete( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Deleted selected files' )
+ commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo_dir = repository.repo_path( trans.app )
repo = hg_util.get_repo_for_repository( trans.app, repository=None, repo_path=repo_dir, create=False )
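Review bot: `commit_message` is escaped at read time, but this handler opens the hg repository on the last line of the hunk and, by its name, commits the deletion with that message; the stored commit text will therefore contain entities such as `&amp;` and `&#39;` rather than the user's input, and those entities will be escaped again wherever the changelog is rendered with the same `escape()` call. Keep `commit_message` raw for the Mercurial commit and escape it only at the point it is placed in HTML; the commit call is outside the hunk and should be verified.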
@@ -3145,7 +3146,7 @@
@web.expose
def upload_capsule( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
url = kwd.get( 'url', '' )
if 'upload_capsule_button' in kwd:
@@ -3175,7 +3176,7 @@
@web.expose
def view_changelog( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3210,7 +3211,7 @@
@web.expose
def view_changeset( self, trans, id, ctx_str, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3302,7 +3303,7 @@
@web.expose
def view_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3390,7 +3391,7 @@
@web.expose
def view_tool_metadata( self, trans, repository_id, changeset_revision, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -3471,7 +3472,7 @@
@web.expose
def view_workflow( self, trans, workflow_name, repository_metadata_id, **kwd ):
"""Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
if workflow_name:
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/repository_review.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
@@ -2,6 +2,7 @@
import os
from sqlalchemy.sql.expression import func
+from markupsafe import escape
from galaxy import util
from galaxy import web
@@ -40,7 +41,7 @@
@web.require_login( "approve repository review" )
def approve_repository_review( self, trans, **kwd ):
# The value of the received id is the encoded review id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
encoded_review_id = kwd[ 'id' ]
review = review_util.get_review( trans.app, encoded_review_id )
@@ -74,7 +75,7 @@
@web.expose
@web.require_login( "browse review" )
def browse_review( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
review = review_util.get_review( trans.app, kwd[ 'id' ] )
repository = review.repository
@@ -105,7 +106,7 @@
@web.expose
@web.require_login( "create component" )
def create_component( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
name = kwd.get( 'name', '' )
description = kwd.get( 'description', '' )
@@ -136,7 +137,7 @@
@web.require_login( "create review" )
def create_review( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
changeset_revision = kwd.get( 'changeset_revision', None )
@@ -201,7 +202,7 @@
@web.expose
@web.require_login( "edit component" )
def edit_component( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -232,7 +233,7 @@
@web.require_login( "edit review" )
def edit_review( self, trans, **kwd ):
# The value of the received id is the encoded review id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
review_id = kwd.get( 'id', None )
review = review_util.get_review( trans.app, review_id )
@@ -408,7 +409,7 @@
@web.require_login( "manage repositories reviewed by me" )
def manage_repositories_reviewed_by_me( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
kwd[ 'mine' ] = True
@@ -475,7 +476,7 @@
@web.require_login( "manage repository reviews" )
def manage_repository_reviews( self, trans, mine=False, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id:
@@ -524,7 +525,7 @@
@web.require_login( "manage repository reviews of revision" )
def manage_repository_reviews_of_revision( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
changeset_revision = kwd.get( 'changeset_revision', None )
@@ -547,7 +548,7 @@
@web.expose
@web.require_login( "repository reviews by user" )
def repository_reviews_by_user( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
@@ -573,7 +574,7 @@
@web.expose
@web.require_login( "reviewed repositories i own" )
def reviewed_repositories_i_own( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# The value of the received id is the encoded repository id.
if 'operation' in kwd:
@@ -592,7 +593,7 @@
@web.require_login( "select previous review" )
def select_previous_review( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, kwd[ 'id' ] )
changeset_revision = kwd.get( 'changeset_revision', None )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/upload.py
--- a/lib/galaxy/webapps/tool_shed/controllers/upload.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/upload.py
@@ -9,6 +9,7 @@
from galaxy import web
from galaxy.datatypes import checkers
from galaxy.web.base.controller import BaseUIController
+from markupsafe import escape
from tool_shed.dependencies import attribute_handlers
from tool_shed.galaxy_install import dependency_display
@@ -34,9 +35,9 @@
@web.expose
@web.require_login( 'upload', use_panels=True )
def upload( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Uploaded' )
+ commit_message = escape( kwd.get( 'commit_message', 'Uploaded' ) )
category_ids = util.listify( kwd.get( 'category_id', '' ) )
categories = suc.get_categories( trans.app )
repository_id = kwd.get( 'repository_id', '' )
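Review bot: Applying `escape()` to `commit_message` here means the value that presumably becomes the Mercurial commit message for the upload is stored with HTML entities, corrupting the repository history for any commit text containing `&`, `<`, `>` or quotes. Prefer `commit_message = kwd.get( 'commit_message', 'Uploaded' )` kept raw for the hg commit and an escaped copy only for the template; the upload's commit logic is outside this hunk and should be checked for which of the two it needs.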
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/tool_shed/util/repository_util.py
--- a/lib/tool_shed/util/repository_util.py
+++ b/lib/tool_shed/util/repository_util.py
@@ -7,6 +7,7 @@
from galaxy import web
from galaxy.web.form_builder import build_select_field
from galaxy.webapps.tool_shed.model import directory_hash_id
+from markupsafe import escape
from tool_shed.dependencies.repository import relation_builder
@@ -256,7 +257,7 @@
def handle_role_associations( app, role, repository, **kwd ):
sa_session = app.model.context.current
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_owner = repository.user
if kwd.get( 'manage_role_associations_button', False ):
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
4 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/c2bed0a496f8/
Changeset: c2bed0a496f8
Branch: stable
User: davebgx
Date: 2014-12-11 16:10:30+00:00
Summary: Escape messages passed in through kwd.
Affected #: 14 files
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/web/base/controllers/admin.py
--- a/lib/galaxy/web/base/controllers/admin.py
+++ b/lib/galaxy/web/base/controllers/admin.py
@@ -7,6 +7,7 @@
from galaxy.web.form_builder import CheckboxField
from string import punctuation as PUNCTUATION
import galaxy.queue_worker
+from markupsafe import escape
from tool_shed.util import shed_util_common as suc
@@ -28,7 +29,7 @@
@web.expose
@web.require_admin
def index( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if trans.webapp.name == 'galaxy':
installed_repositories = trans.install_model.context.query( trans.install_model.ToolShedRepository ).first()
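Review bot: Escaping `message` at the point each controller reads it is a per-call-site fix that has to be repeated in every handler (this commit alone touches 14 files) and silently regresses the next time someone writes `message = kwd.get( 'message', '' )`; the robust fix is output-side, either Mako's `default_filters=['h']` or a `| h` filter where `message` and `status` are rendered, leaving controllers to work with plain text. Note also that `status` on the following line is still unescaped, and that messages Galaxy composes itself with markup and passes through a redirect (for example `<b>name</b>`) will now be displayed literally, so the change should be paired with an audit of those call sites.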
@@ -46,7 +47,7 @@
@web.expose
@web.require_admin
def center( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if trans.webapp.name == 'galaxy':
return trans.fill_template( '/webapps/galaxy/admin/center.mako',
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/demo_sequencer/controllers/common.py
--- a/lib/galaxy/webapps/demo_sequencer/controllers/common.py
+++ b/lib/galaxy/webapps/demo_sequencer/controllers/common.py
@@ -4,6 +4,7 @@
import time, socket, urllib, urllib2, base64, copy
from galaxy.util.json import *
from urllib import quote_plus, unquote_plus
+from markupsafe import escape
import logging
log = logging.getLogger( __name__ )
@@ -16,7 +17,7 @@
titles = util.listify( titles )
JobId = util.restore_text( kwd.get( 'JobId', '' ) )
sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
redirect_delay = trans.app.sequencer_actions_registry.redirect_delay
sequencer_redirects = copy.deepcopy( trans.app.sequencer_actions_registry.sequencer_redirects )
@@ -144,7 +145,7 @@
titles = util.restore_text( kwd.get( 'titles', '' ) )
JobId = util.restore_text( kwd.get( 'JobId', '' ) )
sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
url, http_method, request_params, response_type = request_tup
url = unquote_plus( url )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin.py
@@ -17,6 +17,7 @@
from galaxy.web.params import QuotaParamParser
from tool_shed.util import common_util
from tool_shed.util import encoding_util
+from markupsafe import escape
log = logging.getLogger( __name__ )
@@ -838,7 +839,7 @@
@web.expose
@web.require_admin
def review_tool_migration_stages( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
migration_stages_dict = odict()
migration_modules = []
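Review bot: `status` on the line after the escaped `message` goes through `restore_text` but not `escape`, so it is still reflected into the template unescaped; if the template places it in a class attribute, it remains an injection point even with `message` fixed. Either escape it the same way, `status = escape( galaxy.util.restore_text( kwd.get( 'status', 'done' ) ) )`, or restrict it to the known status names before rendering.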
@@ -870,13 +871,13 @@
@web.expose
@web.require_admin
def view_datatypes_registry( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
return trans.fill_template( 'admin/view_datatypes_registry.mako', message=message, status=status )
@web.expose
@web.require_admin
def view_tool_data_tables( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
return trans.fill_template( 'admin/view_data_tables_registry.mako', message=message, status=status )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
@@ -8,6 +8,7 @@
from galaxy.web.form_builder import CheckboxField
from galaxy.util import json
from galaxy.model.orm import or_
+from markupsafe import escape
import tool_shed.repository_types.util as rt_util
@@ -72,7 +73,7 @@
@web.expose
@web.require_admin
def browse_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = repository_util.get_installed_tool_shed_repository( trans.app, kwd[ 'id' ] )
return trans.fill_template( '/admin/tool_shed_repository/browse_repository.mako',
@@ -169,7 +170,7 @@
@web.expose
@web.require_admin
def browse_tool_dependency( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
tool_dependency = tool_dependency_util.get_tool_dependency( trans.app, tool_dependency_ids[ 0 ] )
@@ -197,7 +198,7 @@
@web.expose
@web.require_admin
def browse_tool_sheds( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.fill_template( '/webapps/galaxy/admin/tool_sheds.mako',
message=message,
@@ -230,7 +231,7 @@
require the same entry. For now we'll never delete entries from config.shed_tool_data_table_config,
but we may choose to do so in the future if it becomes necessary.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
remove_from_disk = kwd.get( 'remove_from_disk', '' )
remove_from_disk_checked = CheckboxField.is_checked( remove_from_disk )
@@ -442,7 +443,7 @@
@web.require_admin
def import_workflow( self, trans, workflow_name, repository_id, **kwd ):
"""Import a workflow contained in an installed tool shed repository into Galaxy."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if workflow_name:
workflow_name = encoding_util.tool_shed_decode( workflow_name )
@@ -479,7 +480,7 @@
tool shed repository.
"""
# Get the tool_shed_repository from one of the tool_dependencies.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
err_msg = ''
tool_shed_repository = tool_dependencies[ 0 ].tool_shed_repository
@@ -512,7 +513,7 @@
@web.require_admin
def install_latest_repository_revision( self, trans, **kwd ):
"""Install the latest installable revision of a repository that has been previously installed."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id is not None:
@@ -589,7 +590,7 @@
updating_to_changeset_revision = kwd.get( 'updating_to_changeset_revision', None )
updating_to_ctx_rev = kwd.get( 'updating_to_ctx_rev', None )
encoded_updated_metadata = kwd.get( 'encoded_updated_metadata', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
install_tool_dependencies = CheckboxField.is_checked( kwd.get( 'install_tool_dependencies', '' ) )
if 'install_tool_dependencies_with_update_button' in kwd:
@@ -665,7 +666,7 @@
@web.expose
@web.require_admin
def manage_repositories( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tsridslist = common_util.get_tool_shed_repository_ids( **kwd )
if 'operation' in kwd:
@@ -744,7 +745,7 @@
@web.expose
@web.require_admin
def manage_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id is None:
@@ -808,7 +809,7 @@
@web.expose
@web.require_admin
def manage_repository_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
if tool_dependency_ids:
@@ -890,7 +891,7 @@
def manage_tool_dependencies( self, trans, **kwd ):
# This method is called when tool dependencies are being installed. See the related manage_repository_tool_dependencies
# method for managing the tool dependencies for a specified installed tool shed repository.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
repository_id = kwd.get( 'repository_id', None )
@@ -978,7 +979,7 @@
message += 'of Galaxy Tool Shed repository tools into a local Galaxy instance</a> section of the Galaxy Tool '
message += 'Shed wiki for all of the details.'
return trans.show_error_message( message )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
shed_tool_conf = kwd.get( 'shed_tool_conf', None )
tool_shed_url = kwd.get( 'tool_shed_url', '' )
@@ -1314,7 +1315,7 @@
and tool dependencies of the repository.
"""
rdim = repository_dependency_manager.RepositoryDependencyInstallManager( trans.app )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd[ 'id' ]
tool_shed_repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
@@ -1450,7 +1451,7 @@
Inspect the repository dependency hierarchy for a specified repository and attempt to make sure they are all properly installed as well as
each repository's tool dependencies.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if not repository_id:
@@ -1715,7 +1716,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = irmm.reset_metadata_on_selected_repositories( trans.user, **kwd )
else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = irmm.build_repository_ids_select_field()
return trans.fill_template( '/admin/tool_shed_repository/reset_metadata_on_selected_repositories.mako',
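Review bot: Only the `else` branch escapes `message` here; the `if` branch takes `message, status` from `irmm.reset_metadata_on_selected_repositories( trans.user, **kwd )` and passes it to the template untouched. That is only safe if the helper never interpolates user-controlled strings such as repository or owner names into its text, which cannot be verified from this hunk, so the escaping should either happen inside the helper (returning `Markup` where it deliberately emits links, as other messages in this controller do) or at the template call, `message=escape( message )`, which is idempotent on `Markup` and covers both branches. The same shape appears in the tool_shed admin.py hunk for `rmm.reset_metadata_on_selected_repositories( **kwd )`. The enclosing method starts before this hunk.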
@@ -1852,7 +1853,7 @@
@web.expose
@web.require_admin
def uninstall_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
if not tool_dependency_ids:
@@ -1897,7 +1898,7 @@
@web.require_admin
def update_to_changeset_revision( self, trans, **kwd ):
"""Update a cloned repository to the latest revision possible."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_shed_url = kwd.get( 'tool_shed_url', '' )
# Handle protocol changes over time.
@@ -2070,7 +2071,7 @@
@web.expose
@web.require_admin
def update_tool_shed_status_for_installed_repository( self, trans, all_installed_repositories=False, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if all_installed_repositories:
success_count = 0
@@ -2112,7 +2113,7 @@
@web.expose
@web.require_admin
def view_tool_metadata( self, trans, repository_id, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
repository_metadata = repository.metadata
@@ -2146,7 +2147,7 @@
@web.require_admin
def view_workflow( self, trans, workflow_name=None, repository_id=None, **kwd ):
"""Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if workflow_name:
workflow_name = encoding_util.tool_shed_decode( workflow_name )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -5,8 +5,9 @@
from galaxy import web
from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import escape, grids, time_ago
+from galaxy.web.framework.helpers import grids, time_ago
from library_common import get_comptypes, lucene_search, whoosh_search
+from markupsafe import escape
# from galaxy.model.orm import *
log = logging.getLogger( __name__ )
@@ -148,7 +149,7 @@
@web.expose
@web.require_admin
def create_library( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if kwd.get( 'create_library_button', False ):
name = kwd.get( 'name', 'No name' )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/library_common.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_common.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py
@@ -20,7 +20,7 @@
from galaxy.util.streamball import StreamBall
from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems
from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field
-from galaxy.web.framework.helpers import escape
+from markupsafe import escape
from galaxy.model.orm import and_, eagerload_all
# Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled.
@@ -93,7 +93,7 @@
@web.expose
def browse_library( self, trans, cntrller='library', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# If use_panels is True, the library is being accessed via an external link
# which did not originate from within the Galaxy instance, and the library will
@@ -121,7 +121,7 @@
hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) )
if created_ldda_ids and not message:
message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \
- ( len( created_ldda_ids.split( ',' ) ), library.name )
+ ( len( created_ldda_ids.split( ',' ) ), escape( library.name ) )
message += "Don't navigate away from Galaxy or use the browser's \"stop\" or \"reload\" buttons (on this tab) until the "
message += "message \"This job is running\" is cleared from the \"Information\" column below for each selected dataset."
status = "info"
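Review bot: Wrapping `library.name` in `escape()` inside the `%` format on the changed line does not hold up: `%`-formatting coerces the `Markup` result back into a plain string, so when this `message` later reaches the `message=escape( message )` keyword visible at the top of the next hunk (which appears to be the same browse_library function's fill_template call) a name such as `A&B` is rendered as `A&amp;amp;B`. Since that sink already escapes `message`, the inner `escape( library.name )` is redundant on that path; if the message must be safe for another sink as well, build it as `Markup( "%d datasets are uploading in the background to the library '%s' (each is selected). " ) % ( len( created_ldda_ids.split( ',' ) ), library.name )`, which escapes the operands once and keeps the result `Markup` so the outer `escape()` is a no-op. The same construction-time escaping appears in the next hunk (`escape( str( library.name ) )` in the exception handler). browse_library starts before this hunk and continues after it.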
@@ -152,7 +152,7 @@
message=escape( message ),
status=escape( status ) )
except Exception, e:
- message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) )
+ message = 'Error attempting to display contents of library (%s): %s.' % ( escape( str( library.name ) ), str( e ) )
status = 'error'
default_action = kwd.get( 'default_action', None )
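Review bot: In the rewritten error message `str( e )` is interpolated next to `escape( str( library.name ) )` without the same treatment, yet exception text frequently echoes the values that caused the failure (file and dataset names, or the library name itself), so the two operands should be handled identically. If the message is rendered directly, `Markup( 'Error attempting to display contents of library (%s): %s.' ) % ( str( library.name ), str( e ) )` escapes both once and is not escaped a second time by markupsafe; if it instead travels through the redirect that seems to follow, the receiving action's `escape( kwd.get( 'message', '' ) )` already covers both and the `Markup` is lost in the URL anyway, turning the `&amp;` already in the name into `&amp;amp;`. Either way, escaping exactly one operand at construction time is the wrong layer. browse_library continues beyond this hunk.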
@@ -164,7 +164,7 @@
status=status ) )
@web.expose
def library_info( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -223,7 +223,7 @@
status=escape( status ) )
@web.expose
def library_permissions( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -269,7 +269,7 @@
status=escape( status ) )
@web.expose
def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -345,7 +345,7 @@
status=escape( status ) )
@web.expose
def folder_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -401,7 +401,7 @@
status=escape( status ) )
@web.expose
def folder_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -450,7 +450,7 @@
status=escape( status ) )
@web.expose
def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -505,7 +505,7 @@
old_name = ldda.name
new_name = kwd.get( 'name', '' )
new_info = kwd.get( 'info', '' )
- new_message = kwd.get( 'message', '' )
+ new_message = escape( kwd.get( 'message', '' ) )
if not new_name:
message = 'Enter a valid name'
status = 'error'
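Review bot: `new_message` on the changed line sits with `new_name` and `new_info`, which the surrounding `old_name = ldda.name` suggests are values about to be written back to the dataset record, so this hunk HTML-escapes data at storage time rather than at render time — and the name and info fields beside it are left raw, which hints the escape was meant for the flash message, not the edited field. A stored `A&B` becomes `A&amp;B` in the database, shows up double-escaped in templates that escape on output, and appears as literal entities in any non-HTML consumer (API responses, exports). If this is the dataset's own message field, keep it raw here and escape where it is displayed; if it really is only the flash message, a comment such as `# kwd['message'] here is the edited dataset message, not the status banner` (or its opposite) would stop the next reader from conflating the two. The same concern applies to `commit_message = escape( ... )` in the tool_shed repository.py browse_repository hunk, where the value presumably ends up in the Mercurial commit rather than in HTML. ldda_edit_info starts and ends outside this hunk.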
@@ -602,7 +602,7 @@
status=escape( status ) )
@web.expose
def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) )
@@ -650,7 +650,7 @@
status=escape( status ) )
@web.expose
def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -787,9 +787,9 @@
status=escape( status ) )
@web.expose
def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
deleted = util.string_as_bool( kwd.get( 'deleted', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1046,7 +1046,7 @@
dataset_upload_inputs.append( input )
# Library-specific params
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
server_dir = kwd.get( 'server_dir', '' )
if replace_dataset not in [ None, 'None' ]:
@@ -1256,9 +1256,9 @@
@web.expose
def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
show_deleted = kwd.get( 'show_deleted', False )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
replace_id = kwd.get( 'replace_id', None )
@@ -1547,7 +1547,7 @@
status='error' ) )
@web.expose
def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1595,7 +1595,7 @@
status=escape( status ) )
@web.expose
def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1642,7 +1642,7 @@
status=escape( status ) )
@web.expose
def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1703,7 +1703,7 @@
rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath )
return rval
# Perform an action on a list of library datasets.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1979,7 +1979,7 @@
# - a select list option for acting on multiple selected datasets within a library
# ( ldda_ids is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2102,7 +2102,7 @@
def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ):
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' )
current_user_roles = trans.get_current_user_roles()
@@ -2152,7 +2152,7 @@
# 'ldda' and item_id is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a
# comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2723,7 +2723,7 @@
return map( operator.getitem, intermed, ( -1, ) * len( intermed ) )
def lucene_search( trans, cntrller, search_term, search_url, **kwd ):
"""Return display of results from a full-text lucene search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) )
response = urllib2.urlopen( full_url )
@@ -2733,7 +2733,7 @@
return status, message, get_sorted_accessible_library_items( trans, cntrller, lddas, 'name' )
def whoosh_search( trans, cntrller, search_term, **kwd ):
"""Return display of results from a full-text whoosh search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
ok = True
if whoosh_search_enabled:
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -28,9 +28,10 @@
from galaxy.web.base.controller import CreatesApiKeysMixin
from galaxy.web.form_builder import CheckboxField
from galaxy.web.form_builder import build_select_field
-from galaxy.web.framework.helpers import time_ago, grids, escape
+from galaxy.web.framework.helpers import time_ago, grids
from datetime import datetime, timedelta
from galaxy.util import hash_util, biostar
+from markupsafe import escape
log = logging.getLogger( __name__ )
@@ -254,7 +255,7 @@
if not trans.app.config.enable_openid:
return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
email = kwd.get( 'email', '' )
username = kwd.get( 'username', '' )
@@ -502,7 +503,7 @@
"""
Function validates numerous cases that might happen during the login time.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'error' )
email = kwd.get( 'email', '' )
password = kwd.get( 'password', '' )
@@ -719,7 +720,7 @@
email = util.restore_text( kwd.get( 'email', '' ) )
password = kwd.get( 'password', '' )
username = util.restore_text( kwd.get( 'username', '' ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
is_admin = cntrller == 'admin' and trans.user_is_admin()
user = self.create_user( trans=trans, email=email, username=username, password=password )
@@ -1093,7 +1094,7 @@
def reset_password( self, trans, email=None, **kwd ):
if trans.app.config.smtp_server is None:
return trans.show_error_message( "Mail is not configured for this Galaxy instance. Please contact your local Galaxy administrator." )
- message = util.sanitize_text(util.restore_text( kwd.get( 'message', '' ) ))
+ message = util.sanitize_text( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
if kwd.get( 'reset_password_button', False ):
reset_user = trans.sa_session.query( trans.app.model.User ).filter( trans.app.model.User.table.c.email == email ).first()
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -22,7 +22,7 @@
from galaxy.web import error, url_for
from galaxy.web.base.controller import BaseUIController, SharableMixin, UsesStoredWorkflowMixin
from galaxy.web.framework.formbuilder import form
-from galaxy.web.framework.helpers import grids, time_ago, to_unicode, escape
+from galaxy.web.framework.helpers import grids, time_ago, to_unicode
from galaxy.workflow.modules import WorkflowModuleInjector
from galaxy.workflow.modules import MissingToolException
from galaxy.workflow.modules import module_factory, is_tool_module_type
@@ -37,6 +37,7 @@
order_workflow_steps_with_levels,
)
from galaxy.workflow.render import WorkflowCanvas, MARGIN, LINE_SPACING
+from markupsafe import escape
class StoredWorkflowListGrid( grids.Grid ):
@@ -1021,7 +1022,7 @@
"""
url = kwd.get( 'url', '' )
workflow_text = kwd.get( 'workflow_text', '' )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
import_button = kwd.get( 'import_button', False )
# The special Galaxy integration landing page's URL on myExperiment
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/reports/controllers/users.py
--- a/lib/galaxy/webapps/reports/controllers/users.py
+++ b/lib/galaxy/webapps/reports/controllers/users.py
@@ -9,17 +9,19 @@
pkg_resources.require( "SQLAlchemy >= 0.4" )
import sqlalchemy as sa
import logging
+from markupsafe import escape
+
log = logging.getLogger( __name__ )
class Users( BaseUIController ):
@web.expose
def registered_users( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
num_users = trans.sa_session.query( galaxy.model.User ).count()
return trans.fill_template( '/webapps/reports/registered_users.mako', num_users=num_users, message=message )
@web.expose
def registered_users_per_month( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
q = sa.select( ( sa.func.date_trunc( 'month', sa.func.date( galaxy.model.User.table.c.create_time ) ).label( 'date' ),
sa.func.count( galaxy.model.User.table.c.id ).label( 'num_users' ) ),
from_obj = [ galaxy.model.User.table ],
@@ -36,7 +38,7 @@
message=message )
@web.expose
def specified_month( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
# If specified_date is not received, we'll default to the current month
specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
specified_month = specified_date[ :7 ]
@@ -66,7 +68,7 @@
message=message )
@web.expose
def specified_date( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
# If specified_date is not received, we'll default to the current month
specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
year, month, day = map( int, specified_date.split( "-" ) )
@@ -95,7 +97,7 @@
message=message )
@web.expose
def last_access_date( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
not_logged_in_for_days = kwd.get( 'not_logged_in_for_days', 90 )
if not not_logged_in_for_days:
not_logged_in_for_days = 0
@@ -120,7 +122,7 @@
@web.expose
def user_disk_usage( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
user_cutoff = int( kwd.get( 'user_cutoff', 60 ) )
# disk_usage isn't indexed
users = sorted( trans.sa_session.query( galaxy.model.User ).all(), key=operator.attrgetter( 'disk_usage' ), reverse=True )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/tool_shed/controllers/admin.py
--- a/lib/galaxy/webapps/tool_shed/controllers/admin.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/admin.py
@@ -3,6 +3,7 @@
from galaxy import util
from galaxy.util import inflector
from galaxy import web
+from markupsafe import escape
from galaxy.web.base.controller import BaseUIController
from galaxy.web.base.controllers.admin import Admin
@@ -121,7 +122,7 @@
@web.expose
@web.require_admin
def create_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
name = kwd.get( 'name', '' ).strip()
description = kwd.get( 'description', '' ).strip()
@@ -154,7 +155,7 @@
@web.expose
@web.require_admin
def delete_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -197,7 +198,7 @@
@web.expose
@web.require_admin
def delete_repository_metadata( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -221,7 +222,7 @@
@web.expose
@web.require_admin
def edit_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -306,7 +307,7 @@
@web.expose
@web.require_admin
def regenerate_statistics( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'regenerate_statistics_button' in kwd:
trans.app.shed_counter.generate_statistics()
@@ -352,7 +353,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = rmm.reset_metadata_on_selected_repositories( **kwd )
else:
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids',
multiple=True,
@@ -366,7 +367,7 @@
@web.expose
@web.require_admin
def undelete_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -417,7 +418,7 @@
# TODO: We should probably eliminate the Category.deleted column since it really makes no
# sense to mark a category as deleted (category names and descriptions can be changed instead).
# If we do this, and the following 2 methods can be eliminated.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -445,7 +446,7 @@
# This method should only be called for a Category that has previously been deleted.
# Purging a deleted Category deletes all of the following from the database:
# - RepoitoryCategoryAssociations where category_id == Category.id
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -473,7 +474,7 @@
@web.expose
@web.require_admin
def undelete_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/tool_shed/controllers/repository.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py
@@ -6,6 +6,7 @@
from time import strftime
from datetime import date
from datetime import datetime
+from markupsafe import escape
from galaxy import util
from galaxy import web
@@ -385,7 +386,7 @@
action='reviewed_repositories_i_own' ) )
elif operation == "repositories_by_category":
category_id = kwd.get( 'id', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.response.send_redirect( web.url_for( controller='repository',
action='browse_repositories_in_category',
@@ -721,9 +722,9 @@
@web.expose
def browse_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Deleted selected files' )
+ commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
# Update repository files for browsing.
@@ -891,7 +892,7 @@
@web.expose
def check_for_updates( self, trans, **kwd ):
"""Handle a request from a local Galaxy instance."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# If the request originated with the UpdateRepositoryManager, it will not include a galaxy_url.
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
@@ -976,7 +977,7 @@
@web.expose
def contact_owner( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
metadata = metadata_util.get_repository_metadata_by_repository_id_changeset_revision( trans.app,
@@ -995,7 +996,7 @@
@web.expose
def create_galaxy_docker_image( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_ids = util.listify( kwd.get( 'id', '' ) )
if 'operation' in kwd:
@@ -1051,7 +1052,7 @@
@web.expose
def create_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
categories = suc.get_categories( trans )
if not categories:
@@ -1108,7 +1109,7 @@
# Marking a repository in the tool shed as deprecated has no effect on any downloadable changeset
# revisions that may be associated with the repository. Revisions are not marked as not downlaodable
# because those that have installed the repository must be allowed to get updates.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -1164,7 +1165,7 @@
@web.expose
def display_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
tv = tool_validator.ToolValidator( trans.app )
@@ -1229,7 +1230,7 @@
@web.expose
def export( self, trans, repository_id, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
export_repository_dependencies = kwd.get( 'export_repository_dependencies', '' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -1309,7 +1310,7 @@
@web.expose
def find_tools( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
if 'operation' in kwd:
@@ -1400,7 +1401,7 @@
@web.expose
def find_workflows( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
if 'operation' in kwd:
@@ -2020,13 +2021,13 @@
@web.expose
def help( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.fill_template( '/webapps/tool_shed/repository/help.mako', message=message, status=status, **kwd )
@web.expose
def import_capsule( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
capsule_file_name = kwd.get( 'capsule_file_name', None )
encoded_file_path = kwd.get( 'encoded_file_path', None )
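Review bot: In `help`, the `return trans.fill_template( ..., message=message, status=status, **kwd )` immediately after the escape passes both an explicit `message=` and `**kwd`; whenever the request really carries a `message` parameter, `kwd` still holds that key and Python raises `TypeError: got multiple values for keyword argument 'message'`, so the escaped value never reaches the template and the request fails instead. The same collision exists for `status`, and `**kwd` also forwards every other raw request parameter to mako unescaped. Remove the two keys before the call, `kwd.pop( 'message', None ); kwd.pop( 'status', None )`, or drop `**kwd` if the template does not need it. import_capsule's body continues outside the hunk.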
@@ -2069,7 +2070,7 @@
@web.expose
def index( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# See if there are any RepositoryMetadata records since menu items require them.
repository_metadata = trans.sa_session.query( trans.model.RepositoryMetadata ).first()
@@ -2151,7 +2152,7 @@
@web.expose
def load_invalid_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'error' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
tv = tool_validator.ToolValidator( trans.app )
@@ -2203,7 +2204,7 @@
@web.expose
@web.require_login( "manage email alerts" )
def manage_email_alerts( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
new_repo_alert = kwd.get( 'new_repo_alert', '' )
new_repo_alert_checked = CheckboxField.is_checked( new_repo_alert )
@@ -2234,7 +2235,7 @@
@web.expose
@web.require_login( "manage repository" )
def manage_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repository_type = kwd.get( 'repository_type', str( repository.type ) )
@@ -2500,7 +2501,7 @@
@web.expose
@web.require_login( "manage repository administrators" )
def manage_repository_admins( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
changeset_revision = kwd.get( 'changeset_revision', repository.tip( trans.app ) )
@@ -2558,7 +2559,7 @@
@web.expose
@web.require_login( "multi select email alerts" )
def multi_select_email_alerts( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
operation = kwd[ 'operation' ].lower()
@@ -2607,7 +2608,7 @@
@web.expose
def preview_tools_in_changeset( self, trans, repository_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -2714,7 +2715,7 @@
@web.require_login( "rate repositories" )
def rate_repository( self, trans, **kwd ):
""" Rate a repository and return updated rating data. """
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -2787,7 +2788,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = rmm.reset_metadata_on_selected_repositories( **kwd )
else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids',
multiple=True,
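Review bot: Only the `else` branch escapes `message`; on the button path two lines above, `message, status = rmm.reset_metadata_on_selected_repositories( **kwd )` returns text that reaches the template as-is, and because it is built from `**kwd` and the selected repositories it may well embed the raw request `message` or repository names (I cannot see the helper from here). Unless that helper is known to escape its output, apply `message = escape( message )` after the call, or escape once after the if/else so both paths are covered. The enclosing method starts and ends outside the hunk.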
@@ -2800,9 +2801,9 @@
@web.expose
def select_files_to_delete( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Deleted selected files' )
+ commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo_dir = repository.repo_path( trans.app )
repo = hg_util.get_repo_for_repository( trans.app, repository=None, repo_path=repo_dir, create=False )
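Review bot: Escaping `commit_message` on input (the third changed line) alters data rather than presentation: if this value is later passed to Mercurial as the commit message — which the variable name and the `'Deleted selected files'` default suggest, though the commit call is outside the hunk — the repository history will permanently store `&amp;`, `&lt;` and `&#39;` for any author who types `&`, `<` or `'`. Keep the raw value for the commit, `commit_message = kwd.get( 'commit_message', 'Deleted selected files' )`, and apply `escape( commit_message )` only where it is written into `message` or handed to the template. `status` is likewise still passed through unescaped. The rest of select_files_to_delete is outside the hunk.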
@@ -3145,7 +3146,7 @@
@web.expose
def upload_capsule( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
url = kwd.get( 'url', '' )
if 'upload_capsule_button' in kwd:
@@ -3175,7 +3176,7 @@
@web.expose
def view_changelog( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3210,7 +3211,7 @@
@web.expose
def view_changeset( self, trans, id, ctx_str, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3302,7 +3303,7 @@
@web.expose
def view_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3390,7 +3391,7 @@
@web.expose
def view_tool_metadata( self, trans, repository_id, changeset_revision, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -3471,7 +3472,7 @@
@web.expose
def view_workflow( self, trans, workflow_name, repository_metadata_id, **kwd ):
"""Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
if workflow_name:
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/tool_shed/controllers/repository_review.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
@@ -2,6 +2,7 @@
import os
from sqlalchemy.sql.expression import func
+from markupsafe import escape
from galaxy import util
from galaxy import web
@@ -40,7 +41,7 @@
@web.require_login( "approve repository review" )
def approve_repository_review( self, trans, **kwd ):
# The value of the received id is the encoded review id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
encoded_review_id = kwd[ 'id' ]
review = review_util.get_review( trans.app, encoded_review_id )
@@ -74,7 +75,7 @@
@web.expose
@web.require_login( "browse review" )
def browse_review( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
review = review_util.get_review( trans.app, kwd[ 'id' ] )
repository = review.repository
@@ -105,7 +106,7 @@
@web.expose
@web.require_login( "create component" )
def create_component( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
name = kwd.get( 'name', '' )
description = kwd.get( 'description', '' )
@@ -136,7 +137,7 @@
@web.require_login( "create review" )
def create_review( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
changeset_revision = kwd.get( 'changeset_revision', None )
@@ -201,7 +202,7 @@
@web.expose
@web.require_login( "edit component" )
def edit_component( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -232,7 +233,7 @@
@web.require_login( "edit review" )
def edit_review( self, trans, **kwd ):
# The value of the received id is the encoded review id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
review_id = kwd.get( 'id', None )
review = review_util.get_review( trans.app, review_id )
@@ -408,7 +409,7 @@
@web.require_login( "manage repositories reviewed by me" )
def manage_repositories_reviewed_by_me( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
kwd[ 'mine' ] = True
@@ -475,7 +476,7 @@
@web.require_login( "manage repository reviews" )
def manage_repository_reviews( self, trans, mine=False, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id:
@@ -524,7 +525,7 @@
@web.require_login( "manage repository reviews of revision" )
def manage_repository_reviews_of_revision( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
changeset_revision = kwd.get( 'changeset_revision', None )
@@ -547,7 +548,7 @@
@web.expose
@web.require_login( "repository reviews by user" )
def repository_reviews_by_user( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
@@ -573,7 +574,7 @@
@web.expose
@web.require_login( "reviewed repositories i own" )
def reviewed_repositories_i_own( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# The value of the received id is the encoded repository id.
if 'operation' in kwd:
@@ -592,7 +593,7 @@
@web.require_login( "select previous review" )
def select_previous_review( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, kwd[ 'id' ] )
changeset_revision = kwd.get( 'changeset_revision', None )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/tool_shed/controllers/upload.py
--- a/lib/galaxy/webapps/tool_shed/controllers/upload.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/upload.py
@@ -9,6 +9,7 @@
from galaxy import web
from galaxy.datatypes import checkers
from galaxy.web.base.controller import BaseUIController
+from markupsafe import escape
from tool_shed.dependencies import attribute_handlers
from tool_shed.galaxy_install import dependency_display
@@ -34,9 +35,9 @@
@web.expose
@web.require_login( 'upload', use_panels=True )
def upload( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Uploaded' )
+ commit_message = escape( kwd.get( 'commit_message', 'Uploaded' ) )
category_ids = util.listify( kwd.get( 'category_id', '' ) )
categories = suc.get_categories( trans.app )
repository_id = kwd.get( 'repository_id', '' )
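Review bot: The second changed line escapes `commit_message` at input time; if this becomes the Mercurial commit message for the upload, as its name and the `'Uploaded'` default suggest, the repository history will store HTML entities in place of the characters the user typed, and the value still has to be escaped again wherever it is rendered. Keep `commit_message = kwd.get( 'commit_message', 'Uploaded' )` and escape at the output point instead of the storage point. The body of upload, including the commit, is outside the hunk.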
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/tool_shed/util/repository_util.py
--- a/lib/tool_shed/util/repository_util.py
+++ b/lib/tool_shed/util/repository_util.py
@@ -7,6 +7,7 @@
from galaxy import web
from galaxy.web.form_builder import build_select_field
from galaxy.webapps.tool_shed.model import directory_hash_id
+from markupsafe import escape
from tool_shed.dependencies.repository import relation_builder
@@ -256,7 +257,7 @@
def handle_role_associations( app, role, repository, **kwd ):
sa_session = app.model.context.current
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_owner = repository.user
if kwd.get( 'manage_role_associations_button', False ):
https://bitbucket.org/galaxy/galaxy-central/commits/8d371e7b28dc/
Changeset: 8d371e7b28dc
Branch: stable
User: davebgx
Date: 2014-12-11 16:36:55+00:00
Summary: Also escape repository names, just in case.
Affected #: 1 file
diff -r c2bed0a496f8fee8685977df733b06dfeac763e6 -r 8d371e7b28dc02d732d59f6477adb48d651a97ac lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
@@ -53,7 +53,7 @@
try:
trans.app.installed_repository_manager.activate_repository( repository )
except Exception, e:
- error_message = "Error activating repository %s: %s" % ( repository.name, str( e ) )
+ error_message = "Error activating repository %s: %s" % ( escape( repository.name ), str( e ) )
log.exception( error_message )
message = '%s.<br/>You may be able to resolve this by uninstalling and then reinstalling the repository. Click <a href="%s">here</a> to uninstall the repository.' \
% ( error_message, web.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) ) )
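Review bot: `str( e )` in the changed `error_message` line is interpolated unescaped beside the now-escaped repository name, and the result is then wrapped in `<br/>` plus a link and sent on as an HTML message; exception text routinely echoes user-supplied values (paths, names, remote responses), so it needs the same treatment: `( escape( repository.name ), escape( str( e ) ) )`. Escaping before `log.exception( error_message )` also means the log now records `&amp;`/`&lt;` entities instead of the real name; building the plain-text message first and escaping only the copy that goes into HTML avoids both problems. The enclosing method starts and ends outside the hunk.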
@@ -63,7 +63,7 @@
id=repository_id,
message=message,
status=status ) )
- message = 'The <b>%s</b> repository has been activated.' % repository.name
+ message = 'The <b>%s</b> repository has been activated.' % escape( repository.name )
status = 'done'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
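Review bot: The changed line builds HTML (`<b>…</b>`) and then ships it to `browse_repositories` through the redirect's `message` query parameter; if that action now escapes its incoming `message` kwd as the other actions in this series do, the tags will render literally as `&lt;b&gt;`, and if it does not, escaping the name here buys nothing because anyone can put arbitrary text on that URL. Reflected messages should either be plain text with escaping at the receiving action, or travel out-of-band (session flash) rather than via the query string. At minimum drop the markup here: `message = 'The %s repository has been activated.' % escape( repository.name )`. The enclosing method continues outside the hunk.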
@@ -142,7 +142,7 @@
action='reselect_tool_panel_section',
**kwd ) )
else:
- message = "Unable to get latest revision for repository <b>%s</b> from " % str( repository.name )
+ message = "Unable to get latest revision for repository <b>%s</b> from " % escape( str( repository.name ) )
message += "the Tool Shed, so repository re-installation is not possible at this time."
status = "error"
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
@@ -304,14 +304,14 @@
trans.install_model.context.add( tool_shed_repository )
trans.install_model.context.flush()
if remove_from_disk_checked:
- message = 'The repository named <b>%s</b> has been uninstalled. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been uninstalled. ' % escape( tool_shed_repository.name )
if errors:
message += 'Attempting to uninstall tool dependencies resulted in errors: %s' % errors
status = 'error'
else:
status = 'done'
else:
- message = 'The repository named <b>%s</b> has been deactivated. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been deactivated. ' % escape( tool_shed_repository.name )
status = 'done'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
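Review bot: `errors` in `'Attempting to uninstall tool dependencies resulted in errors: %s' % errors` (the line after the first escaped name) goes into the same HTML message without escaping, while the repository name beside it is now escaped; dependency-uninstall errors can carry file names and command output, so it should be `% escape( str( errors ) )`. As with the other redirect messages, the `<b>` markup only survives if browse_repositories leaves `message` unescaped, which is the gap this series is closing. The enclosing method starts and ends outside the hunk.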
@@ -454,7 +454,7 @@
workflow_name = encoding_util.tool_shed_encode( str( workflow.name ) )
else:
message += 'Unable to locate a workflow named <b>%s</b> within the installed tool shed repository named <b>%s</b>' % \
- ( str( workflow_name ), str( repository.name ) )
+ ( escape( str( workflow_name ) ), escape( str( repository.name ) ) )
status = 'error'
else:
message = 'Invalid repository id <b>%s</b> received.' % str( repository_id )
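Review bot: The last context line, `message = 'Invalid repository id <b>%s</b> received.' % str( repository_id )`, reflects a request value into HTML unescaped — exactly the pattern this commit is fixing — and `repository_id` is attacker-chosen because it is an argument of the action's URL, reached precisely when the id does not resolve to a repository. Change it to `% escape( str( repository_id ) )`. The enclosing method starts and ends outside the hunk.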
@@ -610,7 +610,7 @@
relative_install_dir,
set_status=False )
message = "The installed repository named '%s' has been updated to change set revision '%s'. " % \
- ( str( repository.name ), updating_to_changeset_revision )
+ ( escape( str( repository.name ) ), updating_to_changeset_revision )
self.initiate_tool_dependency_installation( trans, tool_dependencies, message=message, status=status )
# Handle tool dependencies check box.
if trans.app.config.tool_dependency_dir is None:
@@ -903,7 +903,7 @@
# The user must be on the manage_repository_tool_dependencies page and clicked the button to either install or uninstall a
# tool dependency, but they didn't check any of the available tool dependencies on which to perform the action.
tool_shed_repository = suc.get_tool_shed_repository_by_id( trans.app, repository_id )
- self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % tool_shed_repository.name
+ self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % escape( tool_shed_repository.name )
if 'operation' in kwd:
operation = kwd[ 'operation' ].lower()
if not tool_dependency_ids:
@@ -1031,7 +1031,7 @@
# The Tool Shed cannot handle the get_repository_id request, so the code must be older than the
# 04/2014 Galaxy release when it was introduced. It will be safest to error out and let the
# Tool Shed admin update the Tool Shed to a later release.
- message = 'The updates available for the repository <b>%s</b> ' % str( repository.name )
+ message = 'The updates available for the repository <b>%s</b> ' % escape( str( repository.name ) )
message += 'include newly defined repository or tool dependency definitions, and attempting '
message += 'to update the repository resulted in the following error. Contact the Tool Shed '
message += 'administrator if necessary.<br/>%s' % str( e )
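Review bot: `str( e )` appended after `<br/>` on the last context line is still unescaped although the repository name three lines above now is; per the surrounding comment the exception originates from a request to a remote Tool Shed, so its text can contain remote-supplied content. Use `message += 'administrator if necessary.<br/>%s' % escape( str( e ) )`. The enclosing method starts and ends outside the hunk.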
@@ -1649,12 +1649,12 @@
no_changes_check_box = CheckboxField( 'no_changes', checked=True )
if original_section_name:
message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel section <b>%s</b>. " \
- % ( tool_shed_repository.name, original_section_name )
+ % ( escape( tool_shed_repository.name ), original_section_name )
message += "Uncheck the <b>No changes</b> check box and select a different tool panel section to load the tools in a "
message += "different section in the tool panel. "
status = 'warning'
else:
- message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % tool_shed_repository.name
+ message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % escape( tool_shed_repository.name )
message += "Uncheck the <b>No changes</b> check box and select a tool panel section to load the tools into that section. "
status = 'warning'
else:
@@ -1750,13 +1750,13 @@
irmm.update_in_shed_tool_config()
trans.install_model.context.add( repository )
trans.install_model.context.flush()
- message = 'Metadata has been reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata has been reset on repository <b>%s</b>.' % escape( repository.name )
status = 'done'
else:
- message = 'Metadata did not need to be reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata did not need to be reset on repository <b>%s</b>.' % escape( repository.name )
status = 'done'
else:
- message = 'Error locating installation directory for repository <b>%s</b>.' % repository.name
+ message = 'Error locating installation directory for repository <b>%s</b>.' % escape( repository.name )
status = 'error'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='manage_repository',
@@ -1778,7 +1778,7 @@
uninstalled=False,
remove_from_disk=True )
new_kwd = {}
- new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % str( repository.name )
+ new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % escape( str( repository.name ) )
new_kwd[ 'status' ] = "done"
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -1809,7 +1809,7 @@
message = "Tool versions have been set for all included tools."
status = 'done'
else:
- message = "Version information for the tools included in the <b>%s</b> repository is missing. " % repository.name
+ message = "Version information for the tools included in the <b>%s</b> repository is missing. " % escape( repository.name )
message += "Reset all of this reppository's metadata in the tool shed, then set the installed tool versions "
message ++ "from the installed repository's <b>Repository Actions</b> menu. "
status = 'error'
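Review bot: The context line `message ++ "from the installed repository's <b>Repository Actions</b> menu. "` is not a concatenation: Python parses it as `message + (+"...")`, and unary plus on a string raises `TypeError`, so this error branch fails with a server error instead of showing the message. It should read `message += "from the installed repository's <b>Repository Actions</b> menu. "`; the preceding line also misspells "reppository". The enclosing method starts and ends outside the hunk.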
@@ -2084,7 +2084,7 @@
if ok:
success_count += 1
else:
- repository_names_not_updated.append( '<b>%s</b>' % str( repository.name ) )
+ repository_names_not_updated.append( '<b>%s</b>' % escape( str( repository.name ) ) )
if updated:
updated_count += 1
message = "Checked the status in the tool shed for %d repositories. " % success_count
@@ -2099,11 +2099,11 @@
repository_util.check_or_update_tool_shed_status_for_installed_repository( trans.app, repository )
if ok:
if updated:
- message = "The tool shed status for repository <b>%s</b> has been updated." % str( repository.name )
+ message = "The tool shed status for repository <b>%s</b> has been updated." % escape( str( repository.name ) )
else:
- message = "The status has not changed in the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "The status has not changed in the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
else:
- message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
status = 'error'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
https://bitbucket.org/galaxy/galaxy-central/commits/77528372d36c/
Changeset: 77528372d36c
Branch: stable
User: davebgx
Date: 2014-12-11 16:39:50+00:00
Summary: One message was left unescaped.
Affected #: 1 file
diff -r 8d371e7b28dc02d732d59f6477adb48d651a97ac -r 77528372d36c367e5af62f2185d0b332cb901d97 lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -162,12 +162,12 @@
library.root_folder = root_folder
trans.sa_session.add_all( ( library, root_folder ) )
trans.sa_session.flush()
- message = "The new library named '%s' has been created" % library.name
+ message = "The new library named '%s' has been created"
return trans.response.send_redirect( web.url_for( controller='library_common',
action='browse_library',
cntrller='library_admin',
id=trans.security.encode_id( library.id ),
- message=message,
+ message=escape( message ),
status='done' ) )
return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) )
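Review bot: The changed line drops the `% library.name` interpolation instead of escaping it, so the redirect now carries the literal text `The new library named '%s' has been created` and the user never sees the library's name. Escaping a value that is about to be placed on a redirect URL also protects nothing, since anyone can craft that URL; the escape has to happen in `browse_library` where the parameter is read (I cannot confirm from this hunk that it does). Restore `message = "The new library named '%s' has been created" % library.name` and pass it as-is, relying on the receiving action's escape; if it is escaped here with `escape( message )` and again on receipt, `&` in a name will show as `&amp;amp;`. The enclosing method starts outside the hunk.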
@web.expose
https://bitbucket.org/galaxy/galaxy-central/commits/e416697be38e/
Changeset: e416697be38e
Branch: stable
User: martenson
Date: 2014-12-11 18:08:35+00:00
Summary: Merged in davebgx/galaxy-central/stable (pull request #606)
[STABLE] Escape instances of message passed in through kwd before pushing them back out to mako.
Affected #: 14 files
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/web/base/controllers/admin.py
--- a/lib/galaxy/web/base/controllers/admin.py
+++ b/lib/galaxy/web/base/controllers/admin.py
@@ -7,6 +7,7 @@
from galaxy.web.form_builder import CheckboxField
from string import punctuation as PUNCTUATION
import galaxy.queue_worker
+from markupsafe import escape
from tool_shed.util import shed_util_common as suc
@@ -28,7 +29,7 @@
@web.expose
@web.require_admin
def index( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if trans.webapp.name == 'galaxy':
installed_repositories = trans.install_model.context.query( trans.install_model.ToolShedRepository ).first()
@@ -46,7 +47,7 @@
@web.expose
@web.require_admin
def center( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if trans.webapp.name == 'galaxy':
return trans.fill_template( '/webapps/galaxy/admin/center.mako',
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/demo_sequencer/controllers/common.py
--- a/lib/galaxy/webapps/demo_sequencer/controllers/common.py
+++ b/lib/galaxy/webapps/demo_sequencer/controllers/common.py
@@ -4,6 +4,7 @@
import time, socket, urllib, urllib2, base64, copy
from galaxy.util.json import *
from urllib import quote_plus, unquote_plus
+from markupsafe import escape
import logging
log = logging.getLogger( __name__ )
@@ -16,7 +17,7 @@
titles = util.listify( titles )
JobId = util.restore_text( kwd.get( 'JobId', '' ) )
sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
redirect_delay = trans.app.sequencer_actions_registry.redirect_delay
sequencer_redirects = copy.deepcopy( trans.app.sequencer_actions_registry.sequencer_redirects )
@@ -144,7 +145,7 @@
titles = util.restore_text( kwd.get( 'titles', '' ) )
JobId = util.restore_text( kwd.get( 'JobId', '' ) )
sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
url, http_method, request_params, response_type = request_tup
url = unquote_plus( url )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin.py
@@ -17,6 +17,7 @@
from galaxy.web.params import QuotaParamParser
from tool_shed.util import common_util
from tool_shed.util import encoding_util
+from markupsafe import escape
log = logging.getLogger( __name__ )
@@ -838,7 +839,7 @@
@web.expose
@web.require_admin
def review_tool_migration_stages( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
migration_stages_dict = odict()
migration_modules = []
@@ -870,13 +871,13 @@
@web.expose
@web.require_admin
def view_datatypes_registry( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
return trans.fill_template( 'admin/view_datatypes_registry.mako', message=message, status=status )
@web.expose
@web.require_admin
def view_tool_data_tables( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
return trans.fill_template( 'admin/view_data_tables_registry.mako', message=message, status=status )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
@@ -8,6 +8,7 @@
from galaxy.web.form_builder import CheckboxField
from galaxy.util import json
from galaxy.model.orm import or_
+from markupsafe import escape
import tool_shed.repository_types.util as rt_util
@@ -52,7 +53,7 @@
try:
trans.app.installed_repository_manager.activate_repository( repository )
except Exception, e:
- error_message = "Error activating repository %s: %s" % ( repository.name, str( e ) )
+ error_message = "Error activating repository %s: %s" % ( escape( repository.name ), str( e ) )
log.exception( error_message )
message = '%s.<br/>You may be able to resolve this by uninstalling and then reinstalling the repository. Click <a href="%s">here</a> to uninstall the repository.' \
% ( error_message, web.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) ) )
@@ -62,7 +63,7 @@
id=repository_id,
message=message,
status=status ) )
- message = 'The <b>%s</b> repository has been activated.' % repository.name
+ message = 'The <b>%s</b> repository has been activated.' % escape( repository.name )
status = 'done'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -72,7 +73,7 @@
@web.expose
@web.require_admin
def browse_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = repository_util.get_installed_tool_shed_repository( trans.app, kwd[ 'id' ] )
return trans.fill_template( '/admin/tool_shed_repository/browse_repository.mako',
@@ -141,7 +142,7 @@
action='reselect_tool_panel_section',
**kwd ) )
else:
- message = "Unable to get latest revision for repository <b>%s</b> from " % str( repository.name )
+ message = "Unable to get latest revision for repository <b>%s</b> from " % escape( str( repository.name ) )
message += "the Tool Shed, so repository re-installation is not possible at this time."
status = "error"
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
@@ -169,7 +170,7 @@
@web.expose
@web.require_admin
def browse_tool_dependency( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
tool_dependency = tool_dependency_util.get_tool_dependency( trans.app, tool_dependency_ids[ 0 ] )
@@ -197,7 +198,7 @@
@web.expose
@web.require_admin
def browse_tool_sheds( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.fill_template( '/webapps/galaxy/admin/tool_sheds.mako',
message=message,
@@ -230,7 +231,7 @@
require the same entry. For now we'll never delete entries from config.shed_tool_data_table_config,
but we may choose to do so in the future if it becomes necessary.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
remove_from_disk = kwd.get( 'remove_from_disk', '' )
remove_from_disk_checked = CheckboxField.is_checked( remove_from_disk )
@@ -303,14 +304,14 @@
trans.install_model.context.add( tool_shed_repository )
trans.install_model.context.flush()
if remove_from_disk_checked:
- message = 'The repository named <b>%s</b> has been uninstalled. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been uninstalled. ' % escape( tool_shed_repository.name )
if errors:
message += 'Attempting to uninstall tool dependencies resulted in errors: %s' % errors
status = 'error'
else:
status = 'done'
else:
- message = 'The repository named <b>%s</b> has been deactivated. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been deactivated. ' % escape( tool_shed_repository.name )
status = 'done'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -442,7 +443,7 @@
@web.require_admin
def import_workflow( self, trans, workflow_name, repository_id, **kwd ):
"""Import a workflow contained in an installed tool shed repository into Galaxy."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if workflow_name:
workflow_name = encoding_util.tool_shed_decode( workflow_name )
@@ -453,7 +454,7 @@
workflow_name = encoding_util.tool_shed_encode( str( workflow.name ) )
else:
message += 'Unable to locate a workflow named <b>%s</b> within the installed tool shed repository named <b>%s</b>' % \
- ( str( workflow_name ), str( repository.name ) )
+ ( escape( str( workflow_name ) ), escape( str( repository.name ) ) )
status = 'error'
else:
message = 'Invalid repository id <b>%s</b> received.' % str( repository_id )
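Review bot: `repository_id` on the last line is interpolated into `<b>%s</b>` without `escape()`, although it is a request parameter of import_workflow and this branch is reached precisely when it is not a valid id; `message = 'Invalid repository id <b>%s</b> received.' % escape( str( repository_id ) )` closes that. Separately, `message` was made a `Markup` value by the `escape()` at the top of import_workflow (previous hunk), and `Markup.__add__` escapes its right operand, so the `+=` on the changed lines turns the `<b>` tags into literal text and re-escapes the two already-escaped names. Either build the appended fragment as `Markup( 'Unable to locate a workflow named <b>%s</b> ... <b>%s</b>' ) % ( str( workflow_name ), str( repository.name ) )`, which escapes the interpolated values exactly once, or keep `message` a plain string throughout. import_workflow continues outside the hunk.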
@@ -479,7 +480,7 @@
tool shed repository.
"""
# Get the tool_shed_repository from one of the tool_dependencies.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
err_msg = ''
tool_shed_repository = tool_dependencies[ 0 ].tool_shed_repository
@@ -512,7 +513,7 @@
@web.require_admin
def install_latest_repository_revision( self, trans, **kwd ):
"""Install the latest installable revision of a repository that has been previously installed."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id is not None:
@@ -589,7 +590,7 @@
updating_to_changeset_revision = kwd.get( 'updating_to_changeset_revision', None )
updating_to_ctx_rev = kwd.get( 'updating_to_ctx_rev', None )
encoded_updated_metadata = kwd.get( 'encoded_updated_metadata', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
install_tool_dependencies = CheckboxField.is_checked( kwd.get( 'install_tool_dependencies', '' ) )
if 'install_tool_dependencies_with_update_button' in kwd:
@@ -609,7 +610,7 @@
relative_install_dir,
set_status=False )
message = "The installed repository named '%s' has been updated to change set revision '%s'. " % \
- ( str( repository.name ), updating_to_changeset_revision )
+ ( escape( str( repository.name ) ), updating_to_changeset_revision )
self.initiate_tool_dependency_installation( trans, tool_dependencies, message=message, status=status )
# Handle tool dependencies check box.
if trans.app.config.tool_dependency_dir is None:
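Review bot: `updating_to_changeset_revision` is interpolated into the update message unescaped while `repository.name` beside it is now escaped, and the previous hunk shows it being read straight from the request (`kwd.get( 'updating_to_changeset_revision', None )`); `( escape( str( repository.name ) ), escape( str( updating_to_changeset_revision ) ) )` puts the two values on equal footing. Note also that the message is then passed as `message=message` to `initiate_tool_dependency_installation`, whose signature is outside the diff: if that keyword lands in its `**kwd`, the `escape()` added there will escape this message a second time, double-escaping the name and turning the single quotes into `&#39;`. The enclosing function starts and ends outside the hunk.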
@@ -665,7 +666,7 @@
@web.expose
@web.require_admin
def manage_repositories( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tsridslist = common_util.get_tool_shed_repository_ids( **kwd )
if 'operation' in kwd:
@@ -744,7 +745,7 @@
@web.expose
@web.require_admin
def manage_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id is None:
@@ -808,7 +809,7 @@
@web.expose
@web.require_admin
def manage_repository_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
if tool_dependency_ids:
@@ -890,7 +891,7 @@
def manage_tool_dependencies( self, trans, **kwd ):
# This method is called when tool dependencies are being installed. See the related manage_repository_tool_dependencies
# method for managing the tool dependencies for a specified installed tool shed repository.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
repository_id = kwd.get( 'repository_id', None )
@@ -902,7 +903,7 @@
# The user must be on the manage_repository_tool_dependencies page and clicked the button to either install or uninstall a
# tool dependency, but they didn't check any of the available tool dependencies on which to perform the action.
tool_shed_repository = suc.get_tool_shed_repository_by_id( trans.app, repository_id )
- self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % tool_shed_repository.name
+ self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % escape( tool_shed_repository.name )
if 'operation' in kwd:
operation = kwd[ 'operation' ].lower()
if not tool_dependency_ids:
@@ -978,7 +979,7 @@
message += 'of Galaxy Tool Shed repository tools into a local Galaxy instance</a> section of the Galaxy Tool '
message += 'Shed wiki for all of the details.'
return trans.show_error_message( message )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
shed_tool_conf = kwd.get( 'shed_tool_conf', None )
tool_shed_url = kwd.get( 'tool_shed_url', '' )
@@ -1030,7 +1031,7 @@
# The Tool Shed cannot handle the get_repository_id request, so the code must be older than the
# 04/2014 Galaxy release when it was introduced. It will be safest to error out and let the
# Tool Shed admin update the Tool Shed to a later release.
- message = 'The updates available for the repository <b>%s</b> ' % str( repository.name )
+ message = 'The updates available for the repository <b>%s</b> ' % escape( str( repository.name ) )
message += 'include newly defined repository or tool dependency definitions, and attempting '
message += 'to update the repository resulted in the following error. Contact the Tool Shed '
message += 'administrator if necessary.<br/>%s' % str( e )
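Review bot: `str( e )` is appended to the message unescaped while `repository.name` on the changed line is escaped; the comment above says the exception comes from a Tool Shed request, so its text may carry content from the remote response and should get the same treatment, `message += 'administrator if necessary.<br/>%s' % escape( str( e ) )`. The same gap is in the `@@ -303` hunk (`'...resulted in errors: %s' % errors`) and in library_common's browse_library except branch, where `str( e )` sits next to the newly escaped library name. The enclosing function is outside the hunk.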
@@ -1314,7 +1315,7 @@
and tool dependencies of the repository.
"""
rdim = repository_dependency_manager.RepositoryDependencyInstallManager( trans.app )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd[ 'id' ]
tool_shed_repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
@@ -1450,7 +1451,7 @@
Inspect the repository dependency hierarchy for a specified repository and attempt to make sure they are all properly installed as well as
each repository's tool dependencies.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if not repository_id:
@@ -1648,12 +1649,12 @@
no_changes_check_box = CheckboxField( 'no_changes', checked=True )
if original_section_name:
message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel section <b>%s</b>. " \
- % ( tool_shed_repository.name, original_section_name )
+ % ( escape( tool_shed_repository.name ), original_section_name )
message += "Uncheck the <b>No changes</b> check box and select a different tool panel section to load the tools in a "
message += "different section in the tool panel. "
status = 'warning'
else:
- message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % tool_shed_repository.name
+ message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % escape( tool_shed_repository.name )
message += "Uncheck the <b>No changes</b> check box and select a tool panel section to load the tools into that section. "
status = 'warning'
else:
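Review bot: `original_section_name` is interpolated into the same `<b>%s</b>` markup unescaped while `tool_shed_repository.name` beside it is now escaped; where that value originates is outside the hunk, so if it can come from the request or from repository metadata it needs `escape( original_section_name )` as well. Both branches also use `message +=`: if `message` was initialised with `escape( kwd.get( 'message', '' ) )` above the hunk, as the rest of this commit does, the resulting `Markup` value escapes the appended fragment and the `<b>` tags will render as literal text. The enclosing function starts and ends outside the hunk.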
@@ -1715,7 +1716,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = irmm.reset_metadata_on_selected_repositories( trans.user, **kwd )
else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = irmm.build_repository_ids_select_field()
return trans.fill_template( '/admin/tool_shed_repository/reset_metadata_on_selected_repositories.mako',
@@ -1749,13 +1750,13 @@
irmm.update_in_shed_tool_config()
trans.install_model.context.add( repository )
trans.install_model.context.flush()
- message = 'Metadata has been reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata has been reset on repository <b>%s</b>.' % escape( repository.name )
status = 'done'
else:
- message = 'Metadata did not need to be reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata did not need to be reset on repository <b>%s</b>.' % escape( repository.name )
status = 'done'
else:
- message = 'Error locating installation directory for repository <b>%s</b>.' % repository.name
+ message = 'Error locating installation directory for repository <b>%s</b>.' % escape( repository.name )
status = 'error'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='manage_repository',
@@ -1777,7 +1778,7 @@
uninstalled=False,
remove_from_disk=True )
new_kwd = {}
- new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % str( repository.name )
+ new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % escape( str( repository.name ) )
new_kwd[ 'status' ] = "done"
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -1808,7 +1809,7 @@
message = "Tool versions have been set for all included tools."
status = 'done'
else:
- message = "Version information for the tools included in the <b>%s</b> repository is missing. " % repository.name
+ message = "Version information for the tools included in the <b>%s</b> repository is missing. " % escape( repository.name )
message += "Reset all of this reppository's metadata in the tool shed, then set the installed tool versions "
message ++ "from the installed repository's <b>Repository Actions</b> menu. "
status = 'error'
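Review bot: The line after the changed one, `message ++ "from the installed repository's ..."`, is not a concatenation: Python parses it as `message + (+"...")`, and unary plus on a `str` raises `TypeError`, so this error branch fails before the escaped message is ever returned. It should read `message += "from the installed repository's <b>Repository Actions</b> menu. "`; the user-facing string above it also misspells "reppository". The commit touches the neighbouring line, so this is the moment to fix it; the enclosing function is outside the hunk.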
@@ -1852,7 +1853,7 @@
@web.expose
@web.require_admin
def uninstall_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
if not tool_dependency_ids:
@@ -1897,7 +1898,7 @@
@web.require_admin
def update_to_changeset_revision( self, trans, **kwd ):
"""Update a cloned repository to the latest revision possible."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
tool_shed_url = kwd.get( 'tool_shed_url', '' )
# Handle protocol changes over time.
@@ -2070,7 +2071,7 @@
@web.expose
@web.require_admin
def update_tool_shed_status_for_installed_repository( self, trans, all_installed_repositories=False, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if all_installed_repositories:
success_count = 0
@@ -2083,7 +2084,7 @@
if ok:
success_count += 1
else:
- repository_names_not_updated.append( '<b>%s</b>' % str( repository.name ) )
+ repository_names_not_updated.append( '<b>%s</b>' % escape( str( repository.name ) ) )
if updated:
updated_count += 1
message = "Checked the status in the tool shed for %d repositories. " % success_count
@@ -2098,11 +2099,11 @@
repository_util.check_or_update_tool_shed_status_for_installed_repository( trans.app, repository )
if ok:
if updated:
- message = "The tool shed status for repository <b>%s</b> has been updated." % str( repository.name )
+ message = "The tool shed status for repository <b>%s</b> has been updated." % escape( str( repository.name ) )
else:
- message = "The status has not changed in the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "The status has not changed in the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
else:
- message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
status = 'error'
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
action='browse_repositories',
@@ -2112,7 +2113,7 @@
@web.expose
@web.require_admin
def view_tool_metadata( self, trans, repository_id, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
repository_metadata = repository.metadata
@@ -2146,7 +2147,7 @@
@web.require_admin
def view_workflow( self, trans, workflow_name=None, repository_id=None, **kwd ):
"""Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if workflow_name:
workflow_name = encoding_util.tool_shed_decode( workflow_name )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -5,8 +5,9 @@
from galaxy import web
from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import escape, grids, time_ago
+from galaxy.web.framework.helpers import grids, time_ago
from library_common import get_comptypes, lucene_search, whoosh_search
+from markupsafe import escape
# from galaxy.model.orm import *
log = logging.getLogger( __name__ )
@@ -148,7 +149,7 @@
@web.expose
@web.require_admin
def create_library( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if kwd.get( 'create_library_button', False ):
name = kwd.get( 'name', 'No name' )
@@ -161,12 +162,12 @@
library.root_folder = root_folder
trans.sa_session.add_all( ( library, root_folder ) )
trans.sa_session.flush()
- message = "The new library named '%s' has been created" % library.name
+ message = "The new library named '%s' has been created"
return trans.response.send_redirect( web.url_for( controller='library_common',
action='browse_library',
cntrller='library_admin',
id=trans.security.encode_id( library.id ),
- message=message,
+ message=escape( message ),
status='done' ) )
return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) )
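Review bot: The new `message = "The new library named '%s' has been created"` dropped the `% library.name` formatting, so the `%s` placeholder is now shown literally and the library name never appears. Beyond that, the message is escaped before it is put in the redirect (`message=escape( message )`) and library_common.browse_library in this same commit escapes `kwd.get( 'message', '' )` again on receipt, so the apostrophe will arrive as `&amp;#39;`. Build the message with the name and escape at only one end of the redirect: `message = "The new library named '%s' has been created" % library.name` here and `message=message` in the redirect, leaving the consumer-side `escape()` to do the work. create_library starts outside the hunk.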
@web.expose
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/library_common.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_common.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py
@@ -20,7 +20,7 @@
from galaxy.util.streamball import StreamBall
from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems
from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field
-from galaxy.web.framework.helpers import escape
+from markupsafe import escape
from galaxy.model.orm import and_, eagerload_all
# Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled.
@@ -93,7 +93,7 @@
@web.expose
def browse_library( self, trans, cntrller='library', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# If use_panels is True, the library is being accessed via an external link
# which did not originate from within the Galaxy instance, and the library will
@@ -121,7 +121,7 @@
hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) )
if created_ldda_ids and not message:
message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \
- ( len( created_ldda_ids.split( ',' ) ), library.name )
+ ( len( created_ldda_ids.split( ',' ) ), escape( library.name ) )
message += "Don't navigate away from Galaxy or use the browser's \"stop\" or \"reload\" buttons (on this tab) until the "
message += "message \"This job is running\" is cleared from the \"Information\" column below for each selected dataset."
status = "info"
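Review bot: `escape( library.name )` on the changed line double-escapes, because the template call a few lines below (visible at the top of the next hunk, `message=escape( message )`) escapes the whole message again, so a library name containing `&` will display as `&amp;`. Since output escaping already happens at the template call, the change on this line can be reverted to the plain `library.name`; the same consideration applies to the except branch in the next hunk, where the escaped name is placed in a message that then flows through a redirect to a handler that escapes on receipt. browse_library continues outside the hunk.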
@@ -152,7 +152,7 @@
message=escape( message ),
status=escape( status ) )
except Exception, e:
- message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) )
+ message = 'Error attempting to display contents of library (%s): %s.' % ( escape( str( library.name ) ), str( e ) )
status = 'error'
default_action = kwd.get( 'default_action', None )
@@ -164,7 +164,7 @@
status=status ) )
@web.expose
def library_info( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -223,7 +223,7 @@
status=escape( status ) )
@web.expose
def library_permissions( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -269,7 +269,7 @@
status=escape( status ) )
@web.expose
def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -345,7 +345,7 @@
status=escape( status ) )
@web.expose
def folder_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -401,7 +401,7 @@
status=escape( status ) )
@web.expose
def folder_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -450,7 +450,7 @@
status=escape( status ) )
@web.expose
def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -505,7 +505,7 @@
old_name = ldda.name
new_name = kwd.get( 'name', '' )
new_info = kwd.get( 'info', '' )
- new_message = kwd.get( 'message', '' )
+ new_message = escape( kwd.get( 'message', '' ) )
if not new_name:
message = 'Enter a valid name'
status = 'error'
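Review bot: `new_message` in ldda_edit_info appears to be the dataset's message field submitted alongside `new_name` and `new_info` rather than a display message, so escaping it at input time would store HTML entities (`&amp;`, `&#39;`) in the database and every later render that escapes on output would double-escape it; where it is assigned to the ldda is outside the hunk, so confirm against that code. The safer rule is to keep stored values raw and escape at the point of rendering; if the stored text is deliberately rendered without escaping somewhere, that render is the place to fix. The same question applies to `ldda_message = escape( kwd.get( 'ldda_message', '' ) )` in upload_library_dataset and add_history_datasets_to_library.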
@@ -602,7 +602,7 @@
status=escape( status ) )
@web.expose
def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) )
@@ -650,7 +650,7 @@
status=escape( status ) )
@web.expose
def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -787,9 +787,9 @@
status=escape( status ) )
@web.expose
def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
deleted = util.string_as_bool( kwd.get( 'deleted', False ) )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1046,7 +1046,7 @@
dataset_upload_inputs.append( input )
# Library-specific params
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
server_dir = kwd.get( 'server_dir', '' )
if replace_dataset not in [ None, 'None' ]:
@@ -1256,9 +1256,9 @@
@web.expose
def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
show_deleted = kwd.get( 'show_deleted', False )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
replace_id = kwd.get( 'replace_id', None )
@@ -1547,7 +1547,7 @@
status='error' ) )
@web.expose
def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1595,7 +1595,7 @@
status=escape( status ) )
@web.expose
def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1642,7 +1642,7 @@
status=escape( status ) )
@web.expose
def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1703,7 +1703,7 @@
rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath )
return rval
# Perform an action on a list of library datasets.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1979,7 +1979,7 @@
# - a select list option for acting on multiple selected datasets within a library
# ( ldda_ids is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2102,7 +2102,7 @@
def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ):
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' )
current_user_roles = trans.get_current_user_roles()
@@ -2152,7 +2152,7 @@
# 'ldda' and item_id is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a
# comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2723,7 +2723,7 @@
return map( operator.getitem, intermed, ( -1, ) * len( intermed ) )
def lucene_search( trans, cntrller, search_term, search_url, **kwd ):
"""Return display of results from a full-text lucene search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) )
response = urllib2.urlopen( full_url )
@@ -2733,7 +2733,7 @@
return status, message, get_sorted_accessible_library_items( trans, cntrller, lddas, 'name' )
def whoosh_search( trans, cntrller, search_term, **kwd ):
"""Return display of results from a full-text whoosh search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
ok = True
if whoosh_search_enabled:
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -28,9 +28,10 @@
from galaxy.web.base.controller import CreatesApiKeysMixin
from galaxy.web.form_builder import CheckboxField
from galaxy.web.form_builder import build_select_field
-from galaxy.web.framework.helpers import time_ago, grids, escape
+from galaxy.web.framework.helpers import time_ago, grids
from datetime import datetime, timedelta
from galaxy.util import hash_util, biostar
+from markupsafe import escape
log = logging.getLogger( __name__ )
@@ -254,7 +255,7 @@
if not trans.app.config.enable_openid:
return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' )
use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
email = kwd.get( 'email', '' )
username = kwd.get( 'username', '' )
@@ -502,7 +503,7 @@
"""
Function validates numerous cases that might happen during the login time.
"""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'error' )
email = kwd.get( 'email', '' )
password = kwd.get( 'password', '' )
@@ -719,7 +720,7 @@
email = util.restore_text( kwd.get( 'email', '' ) )
password = kwd.get( 'password', '' )
username = util.restore_text( kwd.get( 'username', '' ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
is_admin = cntrller == 'admin' and trans.user_is_admin()
user = self.create_user( trans=trans, email=email, username=username, password=password )
@@ -1093,7 +1094,7 @@
def reset_password( self, trans, email=None, **kwd ):
if trans.app.config.smtp_server is None:
return trans.show_error_message( "Mail is not configured for this Galaxy instance. Please contact your local Galaxy administrator." )
- message = util.sanitize_text(util.restore_text( kwd.get( 'message', '' ) ))
+ message = util.sanitize_text( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
if kwd.get( 'reset_password_button', False ):
reset_user = trans.sa_session.query( trans.app.model.User ).filter( trans.app.model.User.table.c.email == email ).first()
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -22,7 +22,7 @@
from galaxy.web import error, url_for
from galaxy.web.base.controller import BaseUIController, SharableMixin, UsesStoredWorkflowMixin
from galaxy.web.framework.formbuilder import form
-from galaxy.web.framework.helpers import grids, time_ago, to_unicode, escape
+from galaxy.web.framework.helpers import grids, time_ago, to_unicode
from galaxy.workflow.modules import WorkflowModuleInjector
from galaxy.workflow.modules import MissingToolException
from galaxy.workflow.modules import module_factory, is_tool_module_type
@@ -37,6 +37,7 @@
order_workflow_steps_with_levels,
)
from galaxy.workflow.render import WorkflowCanvas, MARGIN, LINE_SPACING
+from markupsafe import escape
class StoredWorkflowListGrid( grids.Grid ):
@@ -1021,7 +1022,7 @@
"""
url = kwd.get( 'url', '' )
workflow_text = kwd.get( 'workflow_text', '' )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
import_button = kwd.get( 'import_button', False )
# The special Galaxy integration landing page's URL on myExperiment
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/reports/controllers/users.py
--- a/lib/galaxy/webapps/reports/controllers/users.py
+++ b/lib/galaxy/webapps/reports/controllers/users.py
@@ -9,17 +9,19 @@
pkg_resources.require( "SQLAlchemy >= 0.4" )
import sqlalchemy as sa
import logging
+from markupsafe import escape
+
log = logging.getLogger( __name__ )
class Users( BaseUIController ):
@web.expose
def registered_users( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
num_users = trans.sa_session.query( galaxy.model.User ).count()
return trans.fill_template( '/webapps/reports/registered_users.mako', num_users=num_users, message=message )
@web.expose
def registered_users_per_month( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
q = sa.select( ( sa.func.date_trunc( 'month', sa.func.date( galaxy.model.User.table.c.create_time ) ).label( 'date' ),
sa.func.count( galaxy.model.User.table.c.id ).label( 'num_users' ) ),
from_obj = [ galaxy.model.User.table ],
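Review bot: The line `message = escape( util.restore_text( kwd.get( 'message', '' ) ) )` is now repeated verbatim in every action of this file (`registered_users`, `registered_users_per_month`, `specified_month`, `specified_date`, `last_access_date`, `user_disk_usage`); a single helper on the controller, `def _message( self, kwd ): return escape( util.restore_text( kwd.get( 'message', '' ) ) )`, would keep the escaping in one place and make a missed call site obvious. Escaping per controller also leaves the protection dependent on every future action remembering the call, whereas escaping once in the templates (`${message | h}`) covers them all. The `Users` class and its methods continue outside the hunk.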
@@ -36,7 +38,7 @@
message=message )
@web.expose
def specified_month( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
# If specified_date is not received, we'll default to the current month
specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
specified_month = specified_date[ :7 ]
@@ -66,7 +68,7 @@
message=message )
@web.expose
def specified_date( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
# If specified_date is not received, we'll default to the current month
specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
year, month, day = map( int, specified_date.split( "-" ) )
@@ -95,7 +97,7 @@
message=message )
@web.expose
def last_access_date( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
not_logged_in_for_days = kwd.get( 'not_logged_in_for_days', 90 )
if not not_logged_in_for_days:
not_logged_in_for_days = 0
@@ -120,7 +122,7 @@
@web.expose
def user_disk_usage( self, trans, **kwd ):
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
user_cutoff = int( kwd.get( 'user_cutoff', 60 ) )
# disk_usage isn't indexed
users = sorted( trans.sa_session.query( galaxy.model.User ).all(), key=operator.attrgetter( 'disk_usage' ), reverse=True )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/admin.py
--- a/lib/galaxy/webapps/tool_shed/controllers/admin.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/admin.py
@@ -3,6 +3,7 @@
from galaxy import util
from galaxy.util import inflector
from galaxy import web
+from markupsafe import escape
from galaxy.web.base.controller import BaseUIController
from galaxy.web.base.controllers.admin import Admin
@@ -121,7 +122,7 @@
@web.expose
@web.require_admin
def create_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
name = kwd.get( 'name', '' ).strip()
description = kwd.get( 'description', '' ).strip()
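Review bot: `name` and `description`, read two lines below the escaped `message`, are equally request-controlled and — if the create-category form is re-rendered with them after a validation failure, as the surrounding code suggests — travel to the same template unescaped. Escaping only `message` covers one of three inputs on this path; confirm the template applies `| h` to the other two, or escape all three at the render site rather than one at the controller. The same asymmetry applies to `edit_category` later in this file. `create_category` continues past the hunk.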
@@ -154,7 +155,7 @@
@web.expose
@web.require_admin
def delete_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -197,7 +198,7 @@
@web.expose
@web.require_admin
def delete_repository_metadata( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -221,7 +222,7 @@
@web.expose
@web.require_admin
def edit_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -306,7 +307,7 @@
@web.expose
@web.require_admin
def regenerate_statistics( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'regenerate_statistics_button' in kwd:
trans.app.shed_counter.generate_statistics()
@@ -352,7 +353,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = rmm.reset_metadata_on_selected_repositories( **kwd )
else:
- message = util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids',
multiple=True,
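Review bot: Only the `else` branch escapes `message`; the `if` branch on the line above assigns `message` from `rmm.reset_metadata_on_selected_repositories( **kwd )` and passes it to the same template unescaped. If that message embeds repository names or other stored user input the output remains unescaped on that path, and mixing an escaped `Markup` value and a raw string in the same variable leaves the template unable to know which it received. Escape once where the value is rendered instead; the identical split appears in the reset-metadata hunk of repository.py. The enclosing function starts and ends outside this hunk.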
@@ -366,7 +367,7 @@
@web.expose
@web.require_admin
def undelete_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -417,7 +418,7 @@
# TODO: We should probably eliminate the Category.deleted column since it really makes no
# sense to mark a category as deleted (category names and descriptions can be changed instead).
# If we do this, and the following 2 methods can be eliminated.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -445,7 +446,7 @@
# This method should only be called for a Category that has previously been deleted.
# Purging a deleted Category deletes all of the following from the database:
# - RepoitoryCategoryAssociations where category_id == Category.id
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
@@ -473,7 +474,7 @@
@web.expose
@web.require_admin
def undelete_category( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if id:
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/repository.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py
@@ -6,6 +6,7 @@
from time import strftime
from datetime import date
from datetime import datetime
+from markupsafe import escape
from galaxy import util
from galaxy import web
@@ -385,7 +386,7 @@
action='reviewed_repositories_i_own' ) )
elif operation == "repositories_by_category":
category_id = kwd.get( 'id', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.response.send_redirect( web.url_for( controller='repository',
action='browse_repositories_in_category',
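Review bot: The escaped `message` is not rendered here; it is placed into a redirect URL by `web.url_for` two lines down, and the receiving action `browse_repositories_in_category` presumably escapes it again under this commit's pattern, so a message containing `&` or `<` arrives double-encoded (`&amp;amp;`). Pass the raw value through the redirect, `message = kwd.get( 'message', '' )`, and escape only at the point of rendering. The enclosing function starts and ends outside this hunk.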
@@ -721,9 +722,9 @@
@web.expose
def browse_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Deleted selected files' )
+ commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
# Update repository files for browsing.
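Review bot: `commit_message` is HTML-escaped on input, but from its name and the `hg_util` calls that follow it is a Mercurial commit message — data persisted to the repository history, not an HTML sink; a message containing `&` or a quote is now stored as `&amp;` / `&#34;`, and `escape` returns a `Markup` object rather than a `str`, which the hg layer may not expect. Keep the raw value for the commit, `commit_message = kwd.get( 'commit_message', 'Deleted selected files' )`, and escape only the copy that is rendered (`| h` in the template). The same change appears in `select_files_to_delete` below and in `upload` in upload.py. `browse_repository` continues past this hunk.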
@@ -891,7 +892,7 @@
@web.expose
def check_for_updates( self, trans, **kwd ):
"""Handle a request from a local Galaxy instance."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# If the request originated with the UpdateRepositoryManager, it will not include a galaxy_url.
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
@@ -976,7 +977,7 @@
@web.expose
def contact_owner( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
metadata = metadata_util.get_repository_metadata_by_repository_id_changeset_revision( trans.app,
@@ -995,7 +996,7 @@
@web.expose
def create_galaxy_docker_image( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_ids = util.listify( kwd.get( 'id', '' ) )
if 'operation' in kwd:
@@ -1051,7 +1052,7 @@
@web.expose
def create_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
categories = suc.get_categories( trans )
if not categories:
@@ -1108,7 +1109,7 @@
# Marking a repository in the tool shed as deprecated has no effect on any downloadable changeset
# revisions that may be associated with the repository. Revisions are not marked as not downlaodable
# because those that have installed the repository must be allowed to get updates.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -1164,7 +1165,7 @@
@web.expose
def display_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
tv = tool_validator.ToolValidator( trans.app )
@@ -1229,7 +1230,7 @@
@web.expose
def export( self, trans, repository_id, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
export_repository_dependencies = kwd.get( 'export_repository_dependencies', '' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -1309,7 +1310,7 @@
@web.expose
def find_tools( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
if 'operation' in kwd:
@@ -1400,7 +1401,7 @@
@web.expose
def find_workflows( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
galaxy_url = common_util.handle_galaxy_url( trans, **kwd )
if 'operation' in kwd:
@@ -2020,13 +2021,13 @@
@web.expose
def help( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
return trans.fill_template( '/webapps/tool_shed/repository/help.mako', message=message, status=status, **kwd )
@web.expose
def import_capsule( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
capsule_file_name = kwd.get( 'capsule_file_name', None )
encoded_file_path = kwd.get( 'encoded_file_path', None )
@@ -2069,7 +2070,7 @@
@web.expose
def index( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# See if there are any RepositoryMetadata records since menu items require them.
repository_metadata = trans.sa_session.query( trans.model.RepositoryMetadata ).first()
@@ -2151,7 +2152,7 @@
@web.expose
def load_invalid_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'error' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
tv = tool_validator.ToolValidator( trans.app )
@@ -2203,7 +2204,7 @@
@web.expose
@web.require_login( "manage email alerts" )
def manage_email_alerts( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
new_repo_alert = kwd.get( 'new_repo_alert', '' )
new_repo_alert_checked = CheckboxField.is_checked( new_repo_alert )
@@ -2234,7 +2235,7 @@
@web.expose
@web.require_login( "manage repository" )
def manage_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repository_type = kwd.get( 'repository_type', str( repository.type ) )
@@ -2500,7 +2501,7 @@
@web.expose
@web.require_login( "manage repository administrators" )
def manage_repository_admins( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
changeset_revision = kwd.get( 'changeset_revision', repository.tip( trans.app ) )
@@ -2558,7 +2559,7 @@
@web.expose
@web.require_login( "multi select email alerts" )
def multi_select_email_alerts( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
operation = kwd[ 'operation' ].lower()
@@ -2607,7 +2608,7 @@
@web.expose
def preview_tools_in_changeset( self, trans, repository_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -2714,7 +2715,7 @@
@web.require_login( "rate repositories" )
def rate_repository( self, trans, **kwd ):
""" Rate a repository and return updated rating data. """
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -2787,7 +2788,7 @@
if 'reset_metadata_on_selected_repositories_button' in kwd:
message, status = rmm.reset_metadata_on_selected_repositories( **kwd )
else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids',
multiple=True,
@@ -2800,9 +2801,9 @@
@web.expose
def select_files_to_delete( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Deleted selected files' )
+ commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo_dir = repository.repo_path( trans.app )
repo = hg_util.get_repo_for_repository( trans.app, repository=None, repo_path=repo_dir, create=False )
@@ -3145,7 +3146,7 @@
@web.expose
def upload_capsule( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
url = kwd.get( 'url', '' )
if 'upload_capsule_button' in kwd:
@@ -3175,7 +3176,7 @@
@web.expose
def view_changelog( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3210,7 +3211,7 @@
@web.expose
def view_changeset( self, trans, id, ctx_str, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3302,7 +3303,7 @@
@web.expose
def view_repository( self, trans, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, id )
repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False )
@@ -3390,7 +3391,7 @@
@web.expose
def view_tool_metadata( self, trans, repository_id, changeset_revision, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
repository = suc.get_repository_in_tool_shed( trans.app, repository_id )
@@ -3471,7 +3472,7 @@
@web.expose
def view_workflow( self, trans, workflow_name, repository_metadata_id, **kwd ):
"""Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' )
if workflow_name:
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/repository_review.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
@@ -2,6 +2,7 @@
import os
from sqlalchemy.sql.expression import func
+from markupsafe import escape
from galaxy import util
from galaxy import web
@@ -40,7 +41,7 @@
@web.require_login( "approve repository review" )
def approve_repository_review( self, trans, **kwd ):
# The value of the received id is the encoded review id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
encoded_review_id = kwd[ 'id' ]
review = review_util.get_review( trans.app, encoded_review_id )
@@ -74,7 +75,7 @@
@web.expose
@web.require_login( "browse review" )
def browse_review( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
review = review_util.get_review( trans.app, kwd[ 'id' ] )
repository = review.repository
@@ -105,7 +106,7 @@
@web.expose
@web.require_login( "create component" )
def create_component( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
name = kwd.get( 'name', '' )
description = kwd.get( 'description', '' )
@@ -136,7 +137,7 @@
@web.require_login( "create review" )
def create_review( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
changeset_revision = kwd.get( 'changeset_revision', None )
@@ -201,7 +202,7 @@
@web.expose
@web.require_login( "edit component" )
def edit_component( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
id = kwd.get( 'id', None )
if not id:
@@ -232,7 +233,7 @@
@web.require_login( "edit review" )
def edit_review( self, trans, **kwd ):
# The value of the received id is the encoded review id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
review_id = kwd.get( 'id', None )
review = review_util.get_review( trans.app, review_id )
@@ -408,7 +409,7 @@
@web.require_login( "manage repositories reviewed by me" )
def manage_repositories_reviewed_by_me( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
kwd[ 'mine' ] = True
@@ -475,7 +476,7 @@
@web.require_login( "manage repository reviews" )
def manage_repository_reviews( self, trans, mine=False, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
if repository_id:
@@ -524,7 +525,7 @@
@web.require_login( "manage repository reviews of revision" )
def manage_repository_reviews_of_revision( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_id = kwd.get( 'id', None )
changeset_revision = kwd.get( 'changeset_revision', None )
@@ -547,7 +548,7 @@
@web.expose
@web.require_login( "repository reviews by user" )
def repository_reviews_by_user( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
if 'operation' in kwd:
@@ -573,7 +574,7 @@
@web.expose
@web.require_login( "reviewed repositories i own" )
def reviewed_repositories_i_own( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
# The value of the received id is the encoded repository id.
if 'operation' in kwd:
@@ -592,7 +593,7 @@
@web.require_login( "select previous review" )
def select_previous_review( self, trans, **kwd ):
# The value of the received id is the encoded repository id.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository = suc.get_repository_in_tool_shed( trans.app, kwd[ 'id' ] )
changeset_revision = kwd.get( 'changeset_revision', None )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/upload.py
--- a/lib/galaxy/webapps/tool_shed/controllers/upload.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/upload.py
@@ -9,6 +9,7 @@
from galaxy import web
from galaxy.datatypes import checkers
from galaxy.web.base.controller import BaseUIController
+from markupsafe import escape
from tool_shed.dependencies import attribute_handlers
from tool_shed.galaxy_install import dependency_display
@@ -34,9 +35,9 @@
@web.expose
@web.require_login( 'upload', use_panels=True )
def upload( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
- commit_message = kwd.get( 'commit_message', 'Uploaded' )
+ commit_message = escape( kwd.get( 'commit_message', 'Uploaded' ) )
category_ids = util.listify( kwd.get( 'category_id', '' ) )
categories = suc.get_categories( trans.app )
repository_id = kwd.get( 'repository_id', '' )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/tool_shed/util/repository_util.py
--- a/lib/tool_shed/util/repository_util.py
+++ b/lib/tool_shed/util/repository_util.py
@@ -7,6 +7,7 @@
from galaxy import web
from galaxy.web.form_builder import build_select_field
from galaxy.webapps.tool_shed.model import directory_hash_id
+from markupsafe import escape
from tool_shed.dependencies.repository import relation_builder
@@ -256,7 +257,7 @@
def handle_role_associations( app, role, repository, **kwd ):
sa_session = app.model.context.current
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
status = kwd.get( 'status', 'done' )
repository_owner = repository.user
if kwd.get( 'manage_role_associations_button', False ):
commit/galaxy-central: martenson: Merged in martenson/galaxy-central-marten/stable (pull request #599)
by commits-noreply@bitbucket.org 11 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/0ac7297b5849/
Changeset: 0ac7297b5849
Branch: stable
User: martenson
Date: 2014-12-11 18:01:22+00:00
Summary: Merged in martenson/galaxy-central-marten/stable (pull request #599)
[STABLE] encode dataset, ldda, folder and library IDs properly in some more places
Affected #: 5 files
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r 0ac7297b58491d542948ae3976732dd2c3450b89 templates/webapps/galaxy/library/common/browse_library.mako
--- a/templates/webapps/galaxy/library/common/browse_library.mako
+++ b/templates/webapps/galaxy/library/common/browse_library.mako
@@ -238,7 +238,7 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h}">
<td style="padding-left: ${pad+20}px;">
<input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
%if selected:
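Review bot: The row's DOM id switches from the numeric `ldda.id` to its encoded form; any client-side code that builds a `libraryItem-` selector from the numeric id (not part of this diff) would stop matching, so the JavaScript that handles these rows needs the corresponding change. Keeping `| h` on the encoded id is harmless (the value is hex) and stays consistent with the `<input>` line below.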
@@ -248,7 +248,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
<a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -258,7 +258,7 @@
</a>
</div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -364,7 +364,7 @@
<td style="padding-left: ${folder_pad | h}px;">
<input type="checkbox" class="folderCheckbox"/>
<span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
<a class="folder-${encoded_id | h}-click" href="javascript:void(0);">
<span class="rowIcon"></span>
%if folder.deleted:
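Review bot: The new `folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup` expression drops the `| h` filter that the replaced line carried, while the neighbouring `${encoded_id | h}` keeps it; the encoded id is hex so nothing is exposed today, but the template now escapes ids inconsistently and a later edit to the expression would not be covered. Keep the filter: `id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) | h }-popup"`. The same omission is in the popupmenu hunk just below, in the library-actions hunk at the end of this file, and in the two folder hunks of browse_library_opt.mako.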
@@ -376,7 +376,7 @@
</div>
</span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -512,8 +512,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) }-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) }-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
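Review bot: The new `<a class="action-button" id="library-…-popup" class="menubutton">` line carries two `class` attributes; an HTML parser keeps only the first, so `menubutton` is silently dropped, which is presumably not intended given the `menubutton split popup` elements elsewhere in this template. Merge them and keep the `| h` filter used by the other ids: `<li><a class="action-button menubutton" id="library-${ trans.security.encode_id( library.id ) | h }-popup">Library Actions</a></li>`. The matching line in browse_library_opt.mako has the same duplicate attribute.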
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r 0ac7297b58491d542948ae3976732dd2c3450b89 templates/webapps/galaxy/library/common/browse_library_opt.mako
--- a/templates/webapps/galaxy/library/common/browse_library_opt.mako
+++ b/templates/webapps/galaxy/library/common/browse_library_opt.mako
@@ -230,9 +230,9 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h }">
<td style="padding-left: ${pad+20}px;">
- <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
+ <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${ trans.security.encode_id( ldda.id ) | h }"
%if selected:
checked="checked"
%endif
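Review bot: The second `-`/`+` pair in this hunk (the `<input … name="ldda_ids">` line) changes only the whitespace inside `${ … }` of the `value` attribute; the rendered output is identical, so this is churn that widens a security-relevant stable-branch change. Drop the pair, or keep the spacing consistent with the `id` attribute on the same line, which stays `${trans.security.encode_id( ldda.id ) | h}`.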
@@ -240,7 +240,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup">
<a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -250,7 +250,7 @@
</a>
</div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -371,7 +371,7 @@
<td style="padding-left: ${folder_pad | h}px;">
<input type="checkbox" class="folderCheckbox"/>
<span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
<a class="folder-${encoded_id | h}-click" href="javascript:void(0);">
<span class="rowIcon"></span>
%if folder.deleted:
@@ -383,7 +383,7 @@
</div>
</span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -515,8 +515,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id | h}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) | h}-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h}-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r 0ac7297b58491d542948ae3976732dd2c3450b89 templates/webapps/galaxy/library/common/ldda_info.mako
--- a/templates/webapps/galaxy/library/common/ldda_info.mako
+++ b/templates/webapps/galaxy/library/common/ldda_info.mako
@@ -47,9 +47,9 @@
<div class="toolForm"><div class="toolFormTitle">
- Information about <div class="menubutton popup" id="dataset-${ldda.id | h}-popup">${util.unicodify( ldda.name ) | h}</div>
+ Information about <div class="menubutton popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">${util.unicodify( ldda.name ) | h}</div>
%if not library.deleted and not branch_deleted( ldda.library_dataset.folder ) and not ldda.library_dataset.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
%if not info_association:
@@ -168,9 +168,9 @@
%endfor
%if ldda.peek != "no peek":
<div class="form-row">
- <div id="info${ldda.id | h}" class="historyItemBody">
+ <div id="info${ trans.security.encode_id( ldda.id ) | h}" class="historyItemBody"><label>Peek:</label>
- <div><pre id="peek${ldda.id | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div>
+ <div><pre id="peek${ trans.security.encode_id( ldda.id ) | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div></div></div>
%endif
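Review bot: The `info…` and `peek…` element ids on the two `+` lines change from the integer id to the encoded id, and nothing in this diff shows the client-side code, if any, that selects these elements; if a script builds the selector from the dataset's integer id it will stop matching after this change, so that should be confirmed before merging. A one-line template comment above the block, such as `## element ids are keyed by the encoded ldda id; keep any JS selectors in sync`, would make the contract visible to the next editor. The peek content itself is rendered without a filter on both sides of the hunk, which is unchanged here.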
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r 0ac7297b58491d542948ae3976732dd2c3450b89 templates/webapps/galaxy/library/common/library_info.mako
--- a/templates/webapps/galaxy/library/common/library_info.mako
+++ b/templates/webapps/galaxy/library/common/library_info.mako
@@ -34,11 +34,11 @@
<div class="toolForm"><div class="toolFormTitle">
- <div class="menubutton split popup" id="library-${library.id}-popup">
+ <div class="menubutton split popup" id="library-${trans.security.encode_id( library.id ) | h }-popup"><a href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">${library.name[:50] | h}</a></div>
%if can_add or can_modify or can_manage:
- <div popupmenu="library-${library.id | h}-popup">
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h }-popup">
%if not library.deleted:
%if can_add and not library.info_association:
<a class="action-button" href="${h.url_for( controller='library_common', action='add_template', cntrller=cntrller, item_type='library', form_type=trans.model.FormDefinition.types.LIBRARY_INFO_TEMPLATE, library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Use template</a>
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r 0ac7297b58491d542948ae3976732dd2c3450b89 templates/webapps/galaxy/requests/common/common.mako
--- a/templates/webapps/galaxy/requests/common/common.mako
+++ b/templates/webapps/galaxy/requests/common/common.mako
@@ -694,11 +694,11 @@
<td>
%if is_admin:
<span class="expandLink dataset-${dataset}-click"><span class="rowIcon"></span>
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${dataset.id}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( dataset.id ) }-popup"><a class="dataset-${encoded_id}-click" href="${h.url_for( controller='requests_admin', action='manage_datasets', operation='view', id=trans.security.encode_id( dataset.id ) )}">${dataset.name | h}</a></div></span>
- <div popupmenu="dataset-${dataset.id}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( dataset.id ) }-popup">
%if can_transfer_datasets and dataset in sample.untransferred_dataset_files:
<li><a class="action-button" href="${h.url_for( controller='requests_admin', action='initiate_data_transfer', sample_id=trans.security.encode_id( sample.id ), sample_dataset_id=trans.security.encode_id( dataset.id ) )}">Transfer</a></li>
%endif
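Review bot: Both new popup attributes interpolate `trans.security.encode_id( dataset.id )` without the `| h` filter, while `${dataset.name | h}` on the same `+` line keeps it; `id="dataset-${ trans.security.encode_id( dataset.id ) | h }-popup"` and the matching `popupmenu="dataset-${ trans.security.encode_id( dataset.id ) | h }-popup"` would keep the file consistent. The anchor on the same line already uses `encoded_id`, so the id appears to be computed twice here — if that variable is the same value, reuse it. The untouched context line `class="expandLink dataset-${dataset}-click"` renders the object rather than an id and looks unable to match the `dataset-${encoded_id}-click` anchor; that is outside the change but worth checking while in this block. The same hunk is repeated in changeset 7dad1a27eda3 below.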
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
6 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/7dad1a27eda3/
Changeset: 7dad1a27eda3
Branch: stable
User: martenson
Date: 2014-12-08 21:02:12+00:00
Summary: encode dataset, ldda, folder and library IDs properly in some more places
Affected #: 5 files
diff -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 -r 7dad1a27eda301e019d143ef1fefed73036addd9 templates/webapps/galaxy/library/common/browse_library.mako
--- a/templates/webapps/galaxy/library/common/browse_library.mako
+++ b/templates/webapps/galaxy/library/common/browse_library.mako
@@ -238,7 +238,7 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h}"><td style="padding-left: ${pad+20}px;"><input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
%if selected:
@@ -248,7 +248,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -258,7 +258,7 @@
</a>
</div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -364,7 +364,7 @@
<td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/><span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"><a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
@@ -376,7 +376,7 @@
</div>
</span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) } | h}-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
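Review bot: The `+` line is malformed: `${ 'F' + trans.security.encode_id( folder.id ) } | h}` closes the expression before the filter, so the literal text ` | h}` is rendered into the popupmenu attribute, which then presumably no longer matches the `folder_img-F…-popup` id emitted in the preceding hunk (@@ -364) and leaves the folder menu unbound. The intended form is `popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) | h }-popup"`. Changeset 81e7210a53c0 below repairs the syntax by dropping the filter rather than moving it inside the braces.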
@@ -512,8 +512,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) }-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) }-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
diff -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 -r 7dad1a27eda301e019d143ef1fefed73036addd9 templates/webapps/galaxy/library/common/browse_library_opt.mako
--- a/templates/webapps/galaxy/library/common/browse_library_opt.mako
+++ b/templates/webapps/galaxy/library/common/browse_library_opt.mako
@@ -230,9 +230,9 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h }"><td style="padding-left: ${pad+20}px;">
- <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
+ <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${ trans.security.encode_id( ldda.id ) | h }"
%if selected:
checked="checked"
%endif
@@ -240,7 +240,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -250,7 +250,7 @@
</a>
</div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -371,7 +371,7 @@
<td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/><span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"><a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
@@ -383,7 +383,7 @@
</div>
</span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -515,8 +515,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id | h}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) | h}-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h}-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
diff -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 -r 7dad1a27eda301e019d143ef1fefed73036addd9 templates/webapps/galaxy/library/common/ldda_info.mako
--- a/templates/webapps/galaxy/library/common/ldda_info.mako
+++ b/templates/webapps/galaxy/library/common/ldda_info.mako
@@ -47,9 +47,9 @@
<div class="toolForm"><div class="toolFormTitle">
- Information about <div class="menubutton popup" id="dataset-${ldda.id | h}-popup">${util.unicodify( ldda.name ) | h}</div>
+ Information about <div class="menubutton popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">${util.unicodify( ldda.name ) | h}</div>
%if not library.deleted and not branch_deleted( ldda.library_dataset.folder ) and not ldda.library_dataset.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
%if not info_association:
@@ -168,9 +168,9 @@
%endfor
%if ldda.peek != "no peek":
<div class="form-row">
- <div id="info${ldda.id | h}" class="historyItemBody">
+ <div id="info${ trans.security.encode_id( ldda.id ) | h}" class="historyItemBody"><label>Peek:</label>
- <div><pre id="peek${ldda.id | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div>
+ <div><pre id="peek${ trans.security.encode_id( ldda.id ) | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div></div></div>
%endif
diff -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 -r 7dad1a27eda301e019d143ef1fefed73036addd9 templates/webapps/galaxy/library/common/library_info.mako
--- a/templates/webapps/galaxy/library/common/library_info.mako
+++ b/templates/webapps/galaxy/library/common/library_info.mako
@@ -34,11 +34,11 @@
<div class="toolForm"><div class="toolFormTitle">
- <div class="menubutton split popup" id="library-${library.id}-popup">
+ <div class="menubutton split popup" id="library-${trans.security.encode_id( library.id ) | h }-popup"><a href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">${library.name[:50] | h}</a></div>
%if can_add or can_modify or can_manage:
- <div popupmenu="library-${library.id | h}-popup">
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h }-popup">
%if not library.deleted:
%if can_add and not library.info_association:
<a class="action-button" href="${h.url_for( controller='library_common', action='add_template', cntrller=cntrller, item_type='library', form_type=trans.model.FormDefinition.types.LIBRARY_INFO_TEMPLATE, library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Use template</a>
diff -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 -r 7dad1a27eda301e019d143ef1fefed73036addd9 templates/webapps/galaxy/requests/common/common.mako
--- a/templates/webapps/galaxy/requests/common/common.mako
+++ b/templates/webapps/galaxy/requests/common/common.mako
@@ -694,11 +694,11 @@
<td>
%if is_admin:
<span class="expandLink dataset-${dataset}-click"><span class="rowIcon"></span>
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${dataset.id}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( dataset.id ) }-popup"><a class="dataset-${encoded_id}-click" href="${h.url_for( controller='requests_admin', action='manage_datasets', operation='view', id=trans.security.encode_id( dataset.id ) )}">${dataset.name | h}</a></div></span>
- <div popupmenu="dataset-${dataset.id}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( dataset.id ) }-popup">
%if can_transfer_datasets and dataset in sample.untransferred_dataset_files:
<li><a class="action-button" href="${h.url_for( controller='requests_admin', action='initiate_data_transfer', sample_id=trans.security.encode_id( sample.id ), sample_dataset_id=trans.security.encode_id( dataset.id ) )}">Transfer</a></li>
%endif
https://bitbucket.org/galaxy/galaxy-central/commits/81e7210a53c0/
Changeset: 81e7210a53c0
Branch: stable
User: martenson
Date: 2014-12-08 21:27:18+00:00
Summary: typo in escaping
Affected #: 1 file
diff -r 7dad1a27eda301e019d143ef1fefed73036addd9 -r 81e7210a53c0ff8d650ea6040c09053c370600e6 templates/webapps/galaxy/library/common/browse_library.mako
--- a/templates/webapps/galaxy/library/common/browse_library.mako
+++ b/templates/webapps/galaxy/library/common/browse_library.mako
@@ -376,7 +376,7 @@
</div>
</span>
%if not library.deleted:
- <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) } | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
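Review bot: The fix removes the `| h` filter instead of moving it inside the expression; `popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) | h }-popup"` would repair the syntax and keep this attribute escaped like the dataset and library popup attributes elsewhere in the same file. The output of encode_id is presumably a hex string, so this is a consistency point rather than a live injection, but it leaves one more unfiltered interpolation for the next audit to reason about.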
https://bitbucket.org/galaxy/galaxy-central/commits/3a4113a5bde8/
Changeset: 3a4113a5bde8
Branch: stable
User: martenson
Date: 2014-12-08 22:10:20+00:00
Summary: Merge
Affected #: 5 files
diff -r 782cf1a1f6b56f8a9c0b3e5e9ffd29fd93b16ce3 -r 3a4113a5bde8e7b7c0a26dcaf8f5242892c40dff templates/webapps/galaxy/library/common/browse_library.mako
--- a/templates/webapps/galaxy/library/common/browse_library.mako
+++ b/templates/webapps/galaxy/library/common/browse_library.mako
@@ -238,7 +238,7 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h}"><td style="padding-left: ${pad+20}px;"><input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
%if selected:
@@ -248,7 +248,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -258,7 +258,7 @@
</a>
</div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -364,7 +364,7 @@
<td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/><span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"><a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
@@ -376,7 +376,7 @@
</div>
</span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -512,8 +512,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) }-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) }-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
diff -r 782cf1a1f6b56f8a9c0b3e5e9ffd29fd93b16ce3 -r 3a4113a5bde8e7b7c0a26dcaf8f5242892c40dff templates/webapps/galaxy/library/common/browse_library_opt.mako
--- a/templates/webapps/galaxy/library/common/browse_library_opt.mako
+++ b/templates/webapps/galaxy/library/common/browse_library_opt.mako
@@ -230,9 +230,9 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h }"><td style="padding-left: ${pad+20}px;">
- <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
+ <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${ trans.security.encode_id( ldda.id ) | h }"
%if selected:
checked="checked"
%endif
@@ -240,7 +240,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -250,7 +250,7 @@
</a>
</div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -371,7 +371,7 @@
<td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/><span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"><a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
@@ -383,7 +383,7 @@
</div>
</span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -515,8 +515,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id | h}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) | h}-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h}-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
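Review bot: The rewritten `<li><a class="action-button" id="library-…-popup" class="menubutton">` line carries two `class` attributes; HTML parsers keep only the first occurrence, so `menubutton` never reaches the anchor. Since the line is being rewritten anyway, merge them: `<li><a class="action-button menubutton" id="library-${ trans.security.encode_id( library.id ) | h}-popup">Library Actions</a></li>`. The same line appears in the browse_library.mako counterpart of this hunk (`@@ -512,8 +512,8 @@`) and recurs in both later merge changesets (2954ae5e46f5 and 0a1379bb7f1e).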
diff -r 782cf1a1f6b56f8a9c0b3e5e9ffd29fd93b16ce3 -r 3a4113a5bde8e7b7c0a26dcaf8f5242892c40dff templates/webapps/galaxy/library/common/ldda_info.mako
--- a/templates/webapps/galaxy/library/common/ldda_info.mako
+++ b/templates/webapps/galaxy/library/common/ldda_info.mako
@@ -47,9 +47,9 @@
<div class="toolForm"><div class="toolFormTitle">
- Information about <div class="menubutton popup" id="dataset-${ldda.id | h}-popup">${util.unicodify( ldda.name ) | h}</div>
+ Information about <div class="menubutton popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">${util.unicodify( ldda.name ) | h}</div>
%if not library.deleted and not branch_deleted( ldda.library_dataset.folder ) and not ldda.library_dataset.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
%if not info_association:
@@ -168,9 +168,9 @@
%endfor
%if ldda.peek != "no peek":
<div class="form-row">
- <div id="info${ldda.id | h}" class="historyItemBody">
+ <div id="info${ trans.security.encode_id( ldda.id ) | h}" class="historyItemBody"><label>Peek:</label>
- <div><pre id="peek${ldda.id | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div>
+ <div><pre id="peek${ trans.security.encode_id( ldda.id ) | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div></div></div>
%endif
diff -r 782cf1a1f6b56f8a9c0b3e5e9ffd29fd93b16ce3 -r 3a4113a5bde8e7b7c0a26dcaf8f5242892c40dff templates/webapps/galaxy/library/common/library_info.mako
--- a/templates/webapps/galaxy/library/common/library_info.mako
+++ b/templates/webapps/galaxy/library/common/library_info.mako
@@ -34,11 +34,11 @@
<div class="toolForm"><div class="toolFormTitle">
- <div class="menubutton split popup" id="library-${library.id}-popup">
+ <div class="menubutton split popup" id="library-${trans.security.encode_id( library.id ) | h }-popup"><a href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">${library.name[:50] | h}</a></div>
%if can_add or can_modify or can_manage:
- <div popupmenu="library-${library.id | h}-popup">
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h }-popup">
%if not library.deleted:
%if can_add and not library.info_association:
<a class="action-button" href="${h.url_for( controller='library_common', action='add_template', cntrller=cntrller, item_type='library', form_type=trans.model.FormDefinition.types.LIBRARY_INFO_TEMPLATE, library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Use template</a>
diff -r 782cf1a1f6b56f8a9c0b3e5e9ffd29fd93b16ce3 -r 3a4113a5bde8e7b7c0a26dcaf8f5242892c40dff templates/webapps/galaxy/requests/common/common.mako
--- a/templates/webapps/galaxy/requests/common/common.mako
+++ b/templates/webapps/galaxy/requests/common/common.mako
@@ -694,11 +694,11 @@
<td>
%if is_admin:
<span class="expandLink dataset-${dataset}-click"><span class="rowIcon"></span>
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${dataset.id}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( dataset.id ) }-popup"><a class="dataset-${encoded_id}-click" href="${h.url_for( controller='requests_admin', action='manage_datasets', operation='view', id=trans.security.encode_id( dataset.id ) )}">${dataset.name | h}</a></div></span>
- <div popupmenu="dataset-${dataset.id}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( dataset.id ) }-popup">
%if can_transfer_datasets and dataset in sample.untransferred_dataset_files:
<li><a class="action-button" href="${h.url_for( controller='requests_admin', action='initiate_data_transfer', sample_id=trans.security.encode_id( sample.id ), sample_dataset_id=trans.security.encode_id( dataset.id ) )}">Transfer</a></li>
%endif
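Review bot: The new `id` and `popupmenu` values `dataset-${ trans.security.encode_id( dataset.id ) }-popup` are emitted without the `| h` filter that the equivalent ids in ldda_info.mako and browse_library.mako receive in this same change; add it on both lines: `id="dataset-${ trans.security.encode_id( dataset.id ) | h }-popup"` and `popupmenu="dataset-${ trans.security.encode_id( dataset.id ) | h }-popup"`. The anchor immediately following already uses `${encoded_id}` for its click class, which suggests the encoded dataset id is in scope here; if so, the popup id could be built from it instead of re-encoding. The untouched context line above it, `expandLink dataset-${dataset}-click`, interpolates the object itself rather than an id and so cannot match the `dataset-${encoded_id}-click` class on the anchor — pre-existing, but worth fixing while this block is being touched. The same hunk recurs in the merges 2954ae5e46f5 and 0a1379bb7f1e.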
https://bitbucket.org/galaxy/galaxy-central/commits/2954ae5e46f5/
Changeset: 2954ae5e46f5
Branch: stable
User: martenson
Date: 2014-12-09 18:41:41+00:00
Summary: Merge
Affected #: 5 files
diff -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 -r 2954ae5e46f59b11193b69ebcb0415c73dcda06b templates/webapps/galaxy/library/common/browse_library.mako
--- a/templates/webapps/galaxy/library/common/browse_library.mako
+++ b/templates/webapps/galaxy/library/common/browse_library.mako
@@ -238,7 +238,7 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h}"><td style="padding-left: ${pad+20}px;"><input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
%if selected:
@@ -248,7 +248,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -258,7 +258,7 @@
</a></div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -364,7 +364,7 @@
<td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/><span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"><a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
@@ -376,7 +376,7 @@
</div></span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -512,8 +512,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) }-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) }-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
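Review bot: The two new `library-…-popup` attributes in this hunk omit the `| h` filter, while the identical lines in browse_library_opt.mako in the same changeset (`@@ -515,8 +515,8 @@`) apply it; the two templates emit the same markup and should escape it the same way: `id="library-${ trans.security.encode_id( library.id ) | h }-popup"` and `popupmenu="library-${ trans.security.encode_id( library.id ) | h }-popup"`. The same mismatch between the two templates is present in the later merge 0a1379bb7f1e.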
diff -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 -r 2954ae5e46f59b11193b69ebcb0415c73dcda06b templates/webapps/galaxy/library/common/browse_library_opt.mako
--- a/templates/webapps/galaxy/library/common/browse_library_opt.mako
+++ b/templates/webapps/galaxy/library/common/browse_library_opt.mako
@@ -230,9 +230,9 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h }"><td style="padding-left: ${pad+20}px;">
- <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
+ <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${ trans.security.encode_id( ldda.id ) | h }"
%if selected:
checked="checked"
%endif
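Review bot: The `-`/`+` pair for the `<input … name="ldda_ids">` line differs only in the spacing inside the `value` expression (`${trans.security.encode_id( ldda.id ) | h}` versus `${ trans.security.encode_id( ldda.id ) | h }`), so it is whitespace churn with no rendered effect; either drop that pair from the change or apply the same spacing to the `id` attribute on the same line so the two expressions read alike. The `<tr>` that this `id="libraryItem-…"` attribute belongs to opens above the hunk, so the start of the element is not visible here. The same pair recurs in the merge 0a1379bb7f1e.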
@@ -240,7 +240,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -250,7 +250,7 @@
</a></div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -371,7 +371,7 @@
<td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/><span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"><a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
@@ -383,7 +383,7 @@
</div></span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -515,8 +515,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id | h}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) | h}-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h}-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
diff -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 -r 2954ae5e46f59b11193b69ebcb0415c73dcda06b templates/webapps/galaxy/library/common/ldda_info.mako
--- a/templates/webapps/galaxy/library/common/ldda_info.mako
+++ b/templates/webapps/galaxy/library/common/ldda_info.mako
@@ -47,9 +47,9 @@
<div class="toolForm"><div class="toolFormTitle">
- Information about <div class="menubutton popup" id="dataset-${ldda.id | h}-popup">${util.unicodify( ldda.name ) | h}</div>
+ Information about <div class="menubutton popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">${util.unicodify( ldda.name ) | h}</div>
%if not library.deleted and not branch_deleted( ldda.library_dataset.folder ) and not ldda.library_dataset.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
%if not info_association:
@@ -168,9 +168,9 @@
%endfor
%if ldda.peek != "no peek":
<div class="form-row">
- <div id="info${ldda.id | h}" class="historyItemBody">
+ <div id="info${ trans.security.encode_id( ldda.id ) | h}" class="historyItemBody"><label>Peek:</label>
- <div><pre id="peek${ldda.id | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div>
+ <div><pre id="peek${ trans.security.encode_id( ldda.id ) | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div></div></div>
%endif
diff -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 -r 2954ae5e46f59b11193b69ebcb0415c73dcda06b templates/webapps/galaxy/library/common/library_info.mako
--- a/templates/webapps/galaxy/library/common/library_info.mako
+++ b/templates/webapps/galaxy/library/common/library_info.mako
@@ -34,11 +34,11 @@
<div class="toolForm"><div class="toolFormTitle">
- <div class="menubutton split popup" id="library-${library.id}-popup">
+ <div class="menubutton split popup" id="library-${trans.security.encode_id( library.id ) | h }-popup"><a href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">${library.name[:50] | h}</a></div>
%if can_add or can_modify or can_manage:
- <div popupmenu="library-${library.id | h}-popup">
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h }-popup">
%if not library.deleted:
%if can_add and not library.info_association:
<a class="action-button" href="${h.url_for( controller='library_common', action='add_template', cntrller=cntrller, item_type='library', form_type=trans.model.FormDefinition.types.LIBRARY_INFO_TEMPLATE, library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Use template</a>
diff -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 -r 2954ae5e46f59b11193b69ebcb0415c73dcda06b templates/webapps/galaxy/requests/common/common.mako
--- a/templates/webapps/galaxy/requests/common/common.mako
+++ b/templates/webapps/galaxy/requests/common/common.mako
@@ -694,11 +694,11 @@
<td>
%if is_admin:
<span class="expandLink dataset-${dataset}-click"><span class="rowIcon"></span>
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${dataset.id}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( dataset.id ) }-popup"><a class="dataset-${encoded_id}-click" href="${h.url_for( controller='requests_admin', action='manage_datasets', operation='view', id=trans.security.encode_id( dataset.id ) )}">${dataset.name | h}</a></div></span>
- <div popupmenu="dataset-${dataset.id}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( dataset.id ) }-popup">
%if can_transfer_datasets and dataset in sample.untransferred_dataset_files:
<li><a class="action-button" href="${h.url_for( controller='requests_admin', action='initiate_data_transfer', sample_id=trans.security.encode_id( sample.id ), sample_dataset_id=trans.security.encode_id( dataset.id ) )}">Transfer</a></li>
%endif
https://bitbucket.org/galaxy/galaxy-central/commits/0a1379bb7f1e/
Changeset: 0a1379bb7f1e
Branch: stable
User: martenson
Date: 2014-12-10 23:28:45+00:00
Summary: Merge
Affected #: 5 files
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r 0a1379bb7f1e1664a76da1c321584e3bbd2842cd templates/webapps/galaxy/library/common/browse_library.mako
--- a/templates/webapps/galaxy/library/common/browse_library.mako
+++ b/templates/webapps/galaxy/library/common/browse_library.mako
@@ -238,7 +238,7 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h}"><td style="padding-left: ${pad+20}px;"><input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
%if selected:
@@ -248,7 +248,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -258,7 +258,7 @@
</a></div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -364,7 +364,7 @@
<td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/><span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"><a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
@@ -376,7 +376,7 @@
</div></span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -512,8 +512,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) }-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) }-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r 0a1379bb7f1e1664a76da1c321584e3bbd2842cd templates/webapps/galaxy/library/common/browse_library_opt.mako
--- a/templates/webapps/galaxy/library/common/browse_library_opt.mako
+++ b/templates/webapps/galaxy/library/common/browse_library_opt.mako
@@ -230,9 +230,9 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h }"><td style="padding-left: ${pad+20}px;">
- <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
+ <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${ trans.security.encode_id( ldda.id ) | h }"
%if selected:
checked="checked"
%endif
@@ -240,7 +240,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -250,7 +250,7 @@
</a></div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -371,7 +371,7 @@
<td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/><span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"><a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
@@ -383,7 +383,7 @@
</div></span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -515,8 +515,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id | h}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) | h}-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h}-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r 0a1379bb7f1e1664a76da1c321584e3bbd2842cd templates/webapps/galaxy/library/common/ldda_info.mako
--- a/templates/webapps/galaxy/library/common/ldda_info.mako
+++ b/templates/webapps/galaxy/library/common/ldda_info.mako
@@ -47,9 +47,9 @@
<div class="toolForm"><div class="toolFormTitle">
- Information about <div class="menubutton popup" id="dataset-${ldda.id | h}-popup">${util.unicodify( ldda.name ) | h}</div>
+ Information about <div class="menubutton popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">${util.unicodify( ldda.name ) | h}</div>
%if not library.deleted and not branch_deleted( ldda.library_dataset.folder ) and not ldda.library_dataset.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
%if not info_association:
@@ -168,9 +168,9 @@
%endfor
%if ldda.peek != "no peek":
<div class="form-row">
- <div id="info${ldda.id | h}" class="historyItemBody">
+ <div id="info${ trans.security.encode_id( ldda.id ) | h}" class="historyItemBody"><label>Peek:</label>
- <div><pre id="peek${ldda.id | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div>
+ <div><pre id="peek${ trans.security.encode_id( ldda.id ) | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div></div></div>
%endif
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r 0a1379bb7f1e1664a76da1c321584e3bbd2842cd templates/webapps/galaxy/library/common/library_info.mako
--- a/templates/webapps/galaxy/library/common/library_info.mako
+++ b/templates/webapps/galaxy/library/common/library_info.mako
@@ -34,11 +34,11 @@
<div class="toolForm"><div class="toolFormTitle">
- <div class="menubutton split popup" id="library-${library.id}-popup">
+ <div class="menubutton split popup" id="library-${trans.security.encode_id( library.id ) | h }-popup"><a href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">${library.name[:50] | h}</a></div>
%if can_add or can_modify or can_manage:
- <div popupmenu="library-${library.id | h}-popup">
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h }-popup">
%if not library.deleted:
%if can_add and not library.info_association:
<a class="action-button" href="${h.url_for( controller='library_common', action='add_template', cntrller=cntrller, item_type='library', form_type=trans.model.FormDefinition.types.LIBRARY_INFO_TEMPLATE, library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Use template</a>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r 0a1379bb7f1e1664a76da1c321584e3bbd2842cd templates/webapps/galaxy/requests/common/common.mako
--- a/templates/webapps/galaxy/requests/common/common.mako
+++ b/templates/webapps/galaxy/requests/common/common.mako
@@ -694,11 +694,11 @@
<td>
%if is_admin:
<span class="expandLink dataset-${dataset}-click"><span class="rowIcon"></span>
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${dataset.id}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( dataset.id ) }-popup"><a class="dataset-${encoded_id}-click" href="${h.url_for( controller='requests_admin', action='manage_datasets', operation='view', id=trans.security.encode_id( dataset.id ) )}">${dataset.name | h}</a></div></span>
- <div popupmenu="dataset-${dataset.id}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( dataset.id ) }-popup">
%if can_transfer_datasets and dataset in sample.untransferred_dataset_files:
<li><a class="action-button" href="${h.url_for( controller='requests_admin', action='initiate_data_transfer', sample_id=trans.security.encode_id( sample.id ), sample_dataset_id=trans.security.encode_id( dataset.id ) )}">Transfer</a></li>
%endif
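Review bot: The context line `<span class="expandLink dataset-${dataset}-click">` interpolates the dataset object itself, while the anchor the hunk rewrites one line below uses `dataset-${encoded_id}-click`, so the two class names can never match and the span appears to render the object's string form into the markup. Since this hunk exists to put encoded ids into exactly these attributes, that line looks like it was missed: `<span class="expandLink dataset-${encoded_id}-click"><span class="rowIcon"></span>` (assuming `encoded_id` is the encoded dataset id, as the anchor treats it). The two new popup id lines also omit the `| h` that the library templates in this changeset keep on the same construct; the encoded value is hex so there is no injection, but `id="dataset-${ trans.security.encode_id( dataset.id ) | h }-popup"` keeps the convention uniform. The repeated common.mako hunk in changeset 0ac7297b5849 carries the same two points.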
https://bitbucket.org/galaxy/galaxy-central/commits/0ac7297b5849/
Changeset: 0ac7297b5849
Branch: stable
User: martenson
Date: 2014-12-11 18:01:22+00:00
Summary: Merged in martenson/galaxy-central-marten/stable (pull request #599)
[STABLE] encode dataset, ldda, folder and library IDs properly in some more places
Affected #: 5 files
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r 0ac7297b58491d542948ae3976732dd2c3450b89 templates/webapps/galaxy/library/common/browse_library.mako
--- a/templates/webapps/galaxy/library/common/browse_library.mako
+++ b/templates/webapps/galaxy/library/common/browse_library.mako
@@ -238,7 +238,7 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h}"><td style="padding-left: ${pad+20}px;"><input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
%if selected:
@@ -248,7 +248,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -258,7 +258,7 @@
</a></div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -364,7 +364,7 @@
<td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/><span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"><a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
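Review bot: The new `id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"` drops the `| h` filter that the old `${folder.id | h}` had, whereas the ldda and library lines in this same changeset keep it. The encoded id is hex, so nothing exploitable results, but the escape-everything rule being applied to these templates argues for restoring it: `id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) | h }-popup"`. The line above already uses `folder-${encoded_id | h}-click`; if `encoded_id` is the same F-prefixed value (not visible here), reusing it avoids computing the prefix twice with two chances to diverge. The same applies to the `@@ -376` hunk of this file and to the `@@ -371` and `@@ -383` hunks of browse_library_opt.mako.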
@@ -376,7 +376,7 @@
</div></span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -512,8 +512,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) }-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) }-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
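Review bot: The rewritten `<li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) }-popup" class="menubutton">Library Actions</a></li>` carries the `class` attribute twice; browsers keep the first occurrence and discard the second, so `menubutton` never applies to this anchor. Merging them, `class="action-button menubutton"`, is the intended markup. This file also emits the library popup id without `| h` while the parallel `@@ -515` hunk of browse_library_opt.mako escapes it; the two template variants should agree, and the escaped form is the safer default. The duplicated `class` attribute is present in that browse_library_opt.mako hunk as well.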
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r 0ac7297b58491d542948ae3976732dd2c3450b89 templates/webapps/galaxy/library/common/browse_library_opt.mako
--- a/templates/webapps/galaxy/library/common/browse_library_opt.mako
+++ b/templates/webapps/galaxy/library/common/browse_library_opt.mako
@@ -230,9 +230,9 @@
%if parent is not None:
parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id | h}">
+ id="libraryItem-${ trans.security.encode_id( ldda.id ) | h }"><td style="padding-left: ${pad+20}px;">
- <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
+ <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${ trans.security.encode_id( ldda.id ) | h }"
%if selected:
checked="checked"
%endif
@@ -240,7 +240,7 @@
%if simple:
<label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
<div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
@@ -250,7 +250,7 @@
</a></div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h }-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -371,7 +371,7 @@
<td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/><span class="expandLink folder-${encoded_id | h}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup"><a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
@@ -383,7 +383,7 @@
</div></span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id | h}-popup">
+ <div popupmenu="folder_img-${ 'F' + trans.security.encode_id( folder.id ) }-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -515,8 +515,8 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id | h}-popup">
+ <li><a class="action-button" id="library-${ trans.security.encode_id( library.id ) | h}-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h}-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r 0ac7297b58491d542948ae3976732dd2c3450b89 templates/webapps/galaxy/library/common/ldda_info.mako
--- a/templates/webapps/galaxy/library/common/ldda_info.mako
+++ b/templates/webapps/galaxy/library/common/ldda_info.mako
@@ -47,9 +47,9 @@
<div class="toolForm"><div class="toolFormTitle">
- Information about <div class="menubutton popup" id="dataset-${ldda.id | h}-popup">${util.unicodify( ldda.name ) | h}</div>
+ Information about <div class="menubutton popup" id="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">${util.unicodify( ldda.name ) | h}</div>
%if not library.deleted and not branch_deleted( ldda.library_dataset.folder ) and not ldda.library_dataset.deleted:
- <div popupmenu="dataset-${ldda.id | h}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( ldda.id ) | h}-popup">
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
%if not info_association:
@@ -168,9 +168,9 @@
%endfor
%if ldda.peek != "no peek":
<div class="form-row">
- <div id="info${ldda.id | h}" class="historyItemBody">
+ <div id="info${ trans.security.encode_id( ldda.id ) | h}" class="historyItemBody"><label>Peek:</label>
- <div><pre id="peek${ldda.id | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div>
+ <div><pre id="peek${ trans.security.encode_id( ldda.id ) | h}" class="peek">${util.unicodify( ldda.display_peek() )}</pre></div></div></div>
%endif
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r 0ac7297b58491d542948ae3976732dd2c3450b89 templates/webapps/galaxy/library/common/library_info.mako
--- a/templates/webapps/galaxy/library/common/library_info.mako
+++ b/templates/webapps/galaxy/library/common/library_info.mako
@@ -34,11 +34,11 @@
<div class="toolForm"><div class="toolFormTitle">
- <div class="menubutton split popup" id="library-${library.id}-popup">
+ <div class="menubutton split popup" id="library-${trans.security.encode_id( library.id ) | h }-popup"><a href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">${library.name[:50] | h}</a></div>
%if can_add or can_modify or can_manage:
- <div popupmenu="library-${library.id | h}-popup">
+ <div popupmenu="library-${ trans.security.encode_id( library.id ) | h }-popup">
%if not library.deleted:
%if can_add and not library.info_association:
<a class="action-button" href="${h.url_for( controller='library_common', action='add_template', cntrller=cntrller, item_type='library', form_type=trans.model.FormDefinition.types.LIBRARY_INFO_TEMPLATE, library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Use template</a>
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r 0ac7297b58491d542948ae3976732dd2c3450b89 templates/webapps/galaxy/requests/common/common.mako
--- a/templates/webapps/galaxy/requests/common/common.mako
+++ b/templates/webapps/galaxy/requests/common/common.mako
@@ -694,11 +694,11 @@
<td>
%if is_admin:
<span class="expandLink dataset-${dataset}-click"><span class="rowIcon"></span>
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${dataset.id}-popup">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="dataset-${ trans.security.encode_id( dataset.id ) }-popup"><a class="dataset-${encoded_id}-click" href="${h.url_for( controller='requests_admin', action='manage_datasets', operation='view', id=trans.security.encode_id( dataset.id ) )}">${dataset.name | h}</a></div></span>
- <div popupmenu="dataset-${dataset.id}-popup">
+ <div popupmenu="dataset-${ trans.security.encode_id( dataset.id ) }-popup">
%if can_transfer_datasets and dataset in sample.untransferred_dataset_files:
<li><a class="action-button" href="${h.url_for( controller='requests_admin', action='initiate_data_transfer', sample_id=trans.security.encode_id( sample.id ), sample_dataset_id=trans.security.encode_id( dataset.id ) )}">Transfer</a></li>
%endif
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
commit/galaxy-central: dannon: Merged in davebgx/galaxy-central/stable (pull request #603)
by commits-noreply@bitbucket.org 11 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/f0f1f78b54c5/
Changeset: f0f1f78b54c5
Branch: stable
User: dannon
Date: 2014-12-11 14:50:35+00:00
Summary: Merged in davebgx/galaxy-central/stable (pull request #603)
[STABLE] Escape anything that could be user input in my assigned mako templates, add markupsafe.escape to username and email in users API controller.
Affected #: 46 files
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/group/group.mako
--- a/templates/admin/dataset_security/group/group.mako
+++ b/templates/admin/dataset_security/group/group.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
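Review bot: This `render_select` def is escaped correctly, but the identical def is patched separately in group_create.mako, role.mako, role_create.mako, quota.mako and quota_create.mako within this changeset. Six copies of the same escaping logic is how one of them ends up behind the others on the next fix; moving the def into a shared template and pulling it in with `<%namespace>` would leave a single place to keep correct. A comment such as `## name and option values are caller-supplied; keep | h on every interpolation` would also make the requirement explicit wherever the def ends up living.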
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Group '${group.name}'</div>
+ <div class="toolFormTitle">Group '${group.name|h}'</div><div class="toolFormBody"><form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='manage_users_and_roles_for_group', id=trans.security.encode_id( group.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Roles associated with '${group.name}'</label>
+ <label>Roles associated with '${group.name|h}'</label>
${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div>
- <label>Roles not associated with '${group.name}'</label>
+ <label>Roles not associated with '${group.name|h}'</label>
${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${group.name}'</label>
+ <label>Users associated with '${group.name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${group.name}'</label>
+ <label>Users not associated with '${group.name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/group/group_create.mako
--- a/templates/admin/dataset_security/group/group_create.mako
+++ b/templates/admin/dataset_security/group/group_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -60,7 +60,7 @@
<form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='create_group' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;">
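Review bot: The rewritten input line `<input name="name" type="textfield" value="${name|h}" size=40"/>` keeps two pre-existing markup errors: `size=40"` has a stray closing quote with no opening one, and `textfield` is not a valid `type` for `<input>` (browsers fall back to `text`). Since the line is already being touched for escaping, `<input name="name" type="text" value="${name|h}" size="40"/>` fixes both without changing behaviour. The same `type="textfield" … size=40"` pattern appears on the new lines of the role_create.mako `@@ -60` hunk and the role_rename.mako `@@ -12` hunk in this changeset.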
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/group/group_rename.mako
--- a/templates/admin/dataset_security/group/group_rename.mako
+++ b/templates/admin/dataset_security/group/group_rename.mako
@@ -12,7 +12,7 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${group.name}" size="40"/>
+ <input type="text" name="name" value="${group.name|h}" size="40"/></div><div style="clear: both"></div></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/role/role.mako
--- a/templates/admin/dataset_security/role/role.mako
+++ b/templates/admin/dataset_security/role/role.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Role '${role.name}'</div>
+ <div class="toolFormTitle">Role '${role.name|h}'</div><div class="toolFormBody"><form name="associate_role_user_group" id="associate_role_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_role', id=trans.security.encode_id( role.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${role.name}'</label>
+ <label>Users associated with '${role.name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${role.name}'</label>
+ <label>Users not associated with '${role.name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${role.name}'</label>
+ <label>Groups associated with '${role.name|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${role.name}'</label>
+ <label>Groups not associated with '${role.name|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
@@ -84,7 +84,7 @@
<br clear="left"/><br/>
%if len( library_dataset_actions ) > 0:
- <h3>Data library datasets associated with role '${role.name}'</h3>
+ <h3>Data library datasets associated with role '${role.name|h}'</h3><table class="manage-table colored" border="0" cellspacing="0" cellpadding="0" width="100%"><tr><td>
@@ -92,16 +92,16 @@
%for ctr, library, in enumerate( library_dataset_actions.keys() ):
<li><img src="${h.url_for( '/static/images/silk/book_open.png' )}" class="rowIcon"/>
- ${library.name}
+ ${library.name|h}
<ul>
%for folder_path, permissions in library_dataset_actions[ library ].items():
<li><img src="/static/images/silk/folder_page.png" class="rowIcon"/>
- ${folder_path}
+ ${folder_path|h}
<ul>
% for permission in permissions:
<ul>
- <li>${permission}</li>
+ <li>${permission|h}</li></ul>
%endfor
</ul>
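Review bot: The escaping added to `${library.name|h}`, `${folder_path|h}` and `${permission|h}` is right, but the folder icon on the context line is a hard-coded `src="/static/images/silk/folder_page.png"` while the book icon a few lines up goes through `${h.url_for( '/static/images/silk/book_open.png' )}`. The hard-coded path breaks when the application is served under a URL prefix; `<img src="${h.url_for( '/static/images/silk/folder_page.png' )}" class="rowIcon"/>` matches the neighbouring line. This is pre-existing and outside the commit's escaping scope, so it may be preferable as a follow-up.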
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/role/role_create.mako
--- a/templates/admin/dataset_security/role/role_create.mako
+++ b/templates/admin/dataset_security/role/role_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -60,11 +60,11 @@
<form name="associate_role_group_user" id="associate_role_group_user" action="${h.url_for(controller='admin', action='create_role' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label>
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;">
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/role/role_rename.mako
--- a/templates/admin/dataset_security/role/role_rename.mako
+++ b/templates/admin/dataset_security/role/role_rename.mako
@@ -12,14 +12,14 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${role.name}" size="40"/>
+ <input type="text" name="name" value="${role.name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input name="description" type="textfield" value="${role.description}" size=40"/>
+ <input name="description" type="textfield" value="${role.description|h}" size=40"/></div><div style="clear: both"></div></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/external_service/create_external_service.mako
--- a/templates/admin/external_service/create_external_service.mako
+++ b/templates/admin/external_service/create_external_service.mako
@@ -12,10 +12,10 @@
%if widgets:
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field['label']}:</label>
+ <label>${field['label']|h}:</label>
${field['widget'].get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${field['helptext']}
+ ${field['helptext']|h}
</div><div style="clear: both"></div></div>
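Review bot: `${field['widget'].get_html()}` between the two newly escaped expressions is still emitted unescaped, which is necessary if it returns markup but means the widget is trusted to escape its own value and option text. That code is outside the hunk, so it is worth confirming that the values a widget renders (which can include previously saved user input) are escaped inside `get_html()` rather than relying on the label and help text now being safe. A short `## widget markup is trusted; get_html() must escape its own values` next to the line records the assumption. The edit_external_service.mako hunk in this changeset has the same shape.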
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/external_service/edit_external_service.mako
--- a/templates/admin/external_service/edit_external_service.mako
+++ b/templates/admin/external_service/edit_external_service.mako
@@ -25,10 +25,10 @@
<div class="toolFormTitle">Edit external service</div>
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field['label']}:</label>
+ <label>${field['label']|h}:</label>
${field['widget'].get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${field['helptext']}
+ ${field['helptext']|h}
</div><div style="clear: both"></div></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/jobs.mako
--- a/templates/admin/jobs.mako
+++ b/templates/admin/jobs.mako
@@ -63,12 +63,12 @@
</td><td>${job.id}</td>
%if job.history and job.history.user:
- <td>${job.history.user.email}</td>
+ <td>${job.history.user.email|h}</td>
%else:
<td>anonymous</td>
%endif
<td>${last_updated[job.id]} ago</td>
- <td>${job.tool_id}</td>
+ <td>${job.tool_id|h}</td><td>${job.state}</td><%
try:
@@ -77,8 +77,8 @@
inputs = 'Unable to determine inputs'
%><td>${inputs}</td>
- <td>${job.command_line}</td>
- <td>${job.job_runner_name}</td>
+ <td>${job.command_line|h}</td>
+ <td>${job.job_runner_name|h}</td><td>${job.job_runner_external_id}</td></tr>
%endfor
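Review bot: `<td>${job.job_runner_external_id}</td>` on the new side of this hunk stays unescaped, while the same cell in the second table (`@@ -145` hunk of this file) becomes `${job.job_runner_external_id|h}`; the two tables should agree, and the escaped form is the one to keep. `<td>${inputs}</td>` is also emitted raw in both tables; the `try:` block that builds `inputs` begins outside the hunk, so if it is assembled from job parameter names or values it needs `|h` like the neighbouring cells, and only the fixed fallback string `'Unable to determine inputs'` is visibly safe. Treating both consistently, `<td>${inputs|h}</td>` and `<td>${job.job_runner_external_id|h}</td>`, removes the need to reason about each source.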
@@ -131,12 +131,12 @@
%for job in recent_jobs:
<td><a href="${h.url_for( controller="admin", action="job_info" )}?jobid=${job.id}">${job.id}</a></td>
%if job.history and job.history.user:
- <td>${job.history.user.email}</td>
+ <td>${job.history.user.email|h}</td>
%else:
<td>anonymous</td>
%endif
<td>${finished[job.id]} ago</td>
- <td>${job.tool_id}</td>
+ <td>${job.tool_id|h}</td><td>${job.state}</td><%
try:
@@ -145,9 +145,9 @@
inputs = 'Unable to determine inputs'
%><td>${inputs}</td>
- <td>${job.command_line}</td>
- <td>${job.job_runner_name}</td>
- <td>${job.job_runner_external_id}</td>
+ <td>${job.command_line|h}</td>
+ <td>${job.job_runner_name|h}</td>
+ <td>${job.job_runner_external_id|h}</td></tr>
%endfor
</table>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/memdump.mako
--- a/templates/admin/memdump.mako
+++ b/templates/admin/memdump.mako
@@ -55,7 +55,7 @@
<br/>
You are here: ${breadcrumb}<br/>
%if breadcrumb.endswith( 'theone' ):
- ${heap}
+ ${heap|h}
%else:
<nobr>
Sort:
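Review bot: `You are here: ${breadcrumb}<br/>` two lines above the newly escaped `${heap|h}` is still unescaped; the value drives the `%if breadcrumb.endswith( 'theone' )` branch, which suggests it is navigation state supplied with the request, though its origin is not visible in the hunk. If it does come from the request, `You are here: ${breadcrumb|h}<br/>` should accompany this change even on an admin-only page, since a reflected value in an admin view is the more valuable target. If it is server-generated, a comment saying so, `## breadcrumb is built server-side from a fixed set of names`, would stop the next reviewer asking the same question.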
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/package_tool.mako
--- a/templates/admin/package_tool.mako
+++ b/templates/admin/package_tool.mako
@@ -28,9 +28,9 @@
<select name="tool_id">
%for key, val in toolbox.tool_panel.items():
%if isinstance( val, Tool ):
- <option value="${val.id}">${val.name}</option>
+ <option value="${val.id|h}">${val.name|h}</option>
%elif isinstance( val, ToolSection ):
- <optgroup label="${val.name}">
+ <optgroup label="${val.name|h}"><% section = val %>
%for section_key, section_val in section.elems.items():
%if isinstance( section_val, Tool ):
@@ -38,7 +38,7 @@
%if section_val.id == tool_id:
<% selected_str = " selected=\"selected\"" %>
%endif
- <option value="${section_val.id}"${selected_str}>${section_val.name}</option>
+ <option value="${section_val.id|h}"${selected_str}>${section_val.name|h}</option>
%endif
%endfor
%endif
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota.mako
--- a/templates/admin/quota/quota.mako
+++ b/templates/admin/quota/quota.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Quota '${name}'</div>
+ <div class="toolFormTitle">Quota '${name|h}'</div><div class="toolFormBody"><form name="associate_quota_user_group" id="associate_quota_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_quota', id=id )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${name}'</label>
+ <label>Users associated with '${name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${name}'</label>
+ <label>Users not associated with '${name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${name}'</label>
+ <label>Groups associated with '${name|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${name}'</label>
+ <label>Groups not associated with '${name|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota_create.mako
--- a/templates/admin/quota/quota_create.mako
+++ b/templates/admin/quota/quota_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select>
</%def>
@@ -69,15 +69,15 @@
<form name="associate_quota_group_user" id="associate_quota_group_user" action="${h.url_for(controller='admin', action='create_quota' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label>
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><label>Amount</label>
- <input name="amount" type="textfield" value="${amount}" size=40"/>
+ <input name="amount" type="textfield" value="${amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;">
Examples: "10000MB", "99 gb", "0.2T", "unlimited"
</div>
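Review bot: The three rewritten `<input>` lines keep the malformed `size=40"` (a stray quote after an unquoted attribute value) and the non-standard `type="textfield"`; browsers recover, but the `"` becomes part of the size value and the element silently falls back to a plain text input. Since these lines are being touched anyway, write them as `<input name="name" type="text" value="${name|h}" size="40"/>` and likewise for description and amount. The same `size=40"` pattern recurs in the quota_edit.mako and quota_rename.mako hunks below.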
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota_edit.mako
--- a/templates/admin/quota/quota_edit.mako
+++ b/templates/admin/quota/quota_edit.mako
@@ -29,7 +29,7 @@
<input name="id" type="hidden" value="${id}"/><div class="form-row"><label>Amount</label>
- <input name="amount" type="textfield" value="${display_amount}" size=40"/>
+ <input name="amount" type="textfield" value="${display_amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;">
Examples: "10000MB", "99 gb", "0.2T", "unlimited"
</div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota_rename.mako
--- a/templates/admin/quota/quota_rename.mako
+++ b/templates/admin/quota/quota_rename.mako
@@ -21,14 +21,14 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${name}" size="40"/>
+ <input type="text" name="name" value="${name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div style="clear: both"></div></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/reload_tool.mako
--- a/templates/admin/reload_tool.mako
+++ b/templates/admin/reload_tool.mako
@@ -28,9 +28,9 @@
<select name="tool_id">
%for key, val in toolbox.tool_panel.items():
%if isinstance( val, Tool ):
- <option value="${val.id}">${val.name}</option>
+ <option value="${val.id}">${val.name|h}</option>
%elif isinstance( val, ToolSection ):
- <optgroup label="${val.name}">
+ <optgroup label="${val.name|h}">
<% section = val %>
%for section_key, section_val in section.elems.items():
%if isinstance( section_val, Tool ):
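Review bot: `val.id` in the `<option value>` attribute on the new line is left unescaped while `val.name` right next to it gets `|h`; the package_tool.mako hunk earlier in this same commit escapes both, so this looks like an oversight rather than a deliberate difference. Tool ids come from tool XML and installed tool shed repositories and sit inside a quoted attribute, so a `"` in one breaks out of the attribute. Use `<option value="${val.id|h}">${val.name|h}</option>` here and `${section_val.id|h}` in the following hunk. The enclosing `%for` loop continues past this hunk.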
@@ -38,7 +38,7 @@
%if section_val.id == tool_id:
<% selected_str = " selected=\"selected\"" %>
%endif
- <option value="${section_val.id}"${selected_str}>${section_val.name}</option>
+ <option value="${section_val.id}"${selected_str}>${section_val.name|h}</option>
%endif
%endfor
%endif
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/review_tool_migration_stages.mako
--- a/templates/admin/review_tool_migration_stages.mako
+++ b/templates/admin/review_tool_migration_stages.mako
@@ -4,7 +4,9 @@
%if message:
${render_msg( message, status )}
%endif
-
+<%
+from markupsafe import escape
+%>
<div class="toolForm">
<div class="toolFormTitle">Tool migrations that can be performed on this Galaxy instance</div>
<div class="toolFormBody">
@@ -51,7 +53,7 @@
repository_names.sort()
repository_names = ', '.join( repository_names )
%>
- <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names}</b></td></tr>
+ <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names|h}</b></td></tr><tr><td bgcolor="#FFFFCC"><div class="form-row">
@@ -59,11 +61,11 @@
<p>
%if tool_dependencies:
This migration stage includes tools that have tool dependencies that can be automatically installed. To install them, run:<br/>
- <b>${install_dependencies}</b><br/><br/>
+ <b>${install_dependencies|h}</b><br/><br/>
To skip tool dependency installation run:<br/>
- <b>${migration_command}</b>
+ <b>${migration_command|h}</b>
%else:
- <b>${migration_command}</b>
+ <b>${migration_command|h}</b>
%endif
</p></div>
@@ -74,7 +76,7 @@
<tr><td bgcolor="#DADFEF"><div class="form-row">
- <b>Repository:</b> ${repository_name}
+ <b>Repository:</b> ${repository_name|h}
</div></td></tr>
@@ -88,10 +90,10 @@
</tr>
%for tool_dependencies_tup in tool_dependencies:
<%
- tool_dependency_name = tool_dependencies_tup[0]
- tool_dependency_version = tool_dependencies_tup[1]
- tool_dependency_type = tool_dependencies_tup[2]
- installation_requirements = tool_dependencies_tup[3].replace( '\n', '<br/>' )
+ tool_dependency_name = escape( tool_dependencies_tup[0] )
+ tool_dependency_version = escape( tool_dependencies_tup[1] )
+ tool_dependency_type = escape( tool_dependencies_tup[2] )
+ installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )
%><tr><td>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/browse_repository.mako
--- a/templates/admin/tool_shed_repository/browse_repository.mako
+++ b/templates/admin/tool_shed_repository/browse_repository.mako
@@ -21,7 +21,7 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Browse ${repository.name} revision ${repository.changeset_revision} files</div>
+ <div class="toolFormTitle">Browse ${repository.name|h} revision ${repository.changeset_revision} files</div><div class="toolFormBody"><div class="form-row" ><label>Contents:</label>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/browse_tool_dependency.mako
--- a/templates/admin/tool_shed_repository/browse_tool_dependency.mako
+++ b/templates/admin/tool_shed_repository/browse_tool_dependency.mako
@@ -23,33 +23,33 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name} installation directory</div>
+ <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name|h} installation directory</div><div class="toolFormBody"><div class="form-row" ><label>Tool shed repository:</label>
- ${repository.name}
+ ${repository.name|h}
<div style="clear: both"></div></div><div class="form-row" ><label>Tool shed repository changeset revision:</label>
- ${repository.changeset_revision}
+ ${repository.changeset_revision|h}
<div style="clear: both"></div></div><div class="form-row" ><label>Tool dependency status:</label>
- ${tool_dependency.status}
+ ${tool_dependency.status|h}
<div style="clear: both"></div></div>
%if tool_dependency.in_error_state:
<div class="form-row" ><label>Tool dependency installation error:</label>
- ${tool_dependency.error_message}
+ ${tool_dependency.error_message|h}
<div style="clear: both"></div></div>
%endif
<div class="form-row" ><label>Tool dependency installation directory:</label>
- ${tool_dependency.installation_directory( trans.app )}
+ ${tool_dependency.installation_directory( trans.app )|h}
<div style="clear: both"></div></div><div class="form-row" >
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/common.mako
--- a/templates/admin/tool_shed_repository/common.mako
+++ b/templates/admin/tool_shed_repository/common.mako
@@ -8,7 +8,7 @@
});
// --- Initialize sample trees
$("#tree").dynatree({
- title: "${title_text}",
+ title: "${title_text|h}",
rootVisible: true,
minExpandLevel: 0, // 1: root node is not collapsible
persist: false,
@@ -24,7 +24,7 @@
// initAjax is hard to fake, so we pass the children as object array:
initAjax: {url: "${h.url_for( controller='admin_toolshed', action='open_folder' )}",
dataType: "json",
- data: { folder_path: "${directory_path}" },
+ data: { folder_path: "${directory_path|h}" },
},
onLazyRead: function(dtnode){
dtnode.appendAjax({
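Review bot: `|h` is the wrong escaper for `folder_path: "${directory_path|h}"` — this is a JavaScript string literal, not HTML text, so entity-encoding only keeps `"` and `<` from terminating the string while a backslash or newline in the path still breaks the literal, and a path containing `'` or `&` is posted to `open_folder` as `&#39;`/`&amp;` rather than the real characters (the `title` string in the previous hunk and `selected_value` in the next one have the same problem). Emit the value as a JSON literal instead, e.g. `data: { folder_path: ${json.dumps( directory_path )} },` with `<% import json %>` in the template (or the framework's `h.dumps` if the helper module exposes one), and remember that inline-script JSON still needs `</` replaced with `<\/`. The surrounding `dynatree(...)` call begins and ends outside this hunk.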
@@ -45,7 +45,7 @@
var cell = $("#file_contents");
var selected_value;
if (dtnode.data.key == 'root') {
- selected_value = "${directory_path}/";
+ selected_value = "${directory_path|h}/";
} else {
selected_value = dtnode.data.key;
};
@@ -81,6 +81,7 @@
line-break:strict; }
</style><%
+ from markupsafe import escape
class RowCounter( object ):
def __init__( self ):
self.count = 0
@@ -96,7 +97,7 @@
env_settings_heaader_row_displayed = False
package_header_row_displayed = False
if revision_label:
- revision_label_str = ' revision <b>%s</b> of ' % str( revision_label )
+ revision_label_str = ' revision <b>%s</b> of ' % escape( str( revision_label ) )
else:
revision_label_str = ' '
%>
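Review bot: `escape( str( revision_label ) )` keeps the `str()` call from the old line, which on Python 2 (the vintage this codebase appears to run on) raises `UnicodeEncodeError` for a unicode label containing non-ASCII characters; `markupsafe.escape` already coerces non-string arguments to text itself, so the conversion is redundant. Use `revision_label_str = ' revision <b>%s</b> of ' % escape( revision_label )`. Whether revision labels can actually carry non-ASCII text I can't tell from here; the `%s` formatting turns the `Markup` back into a plain string, which is fine since `revision_label_str` is emitted without `|h` below.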
@@ -104,7 +105,7 @@
<div class="toolParamHelp" style="clear: both;"><p>
%if export:
- The following additional repositories are required by${revision_label_str}the <b>${repository.name}</b> repository
+ The following additional repositories are required by${revision_label_str}the <b>${repository.name|h}</b> repository
and they can be exported as well.
%else:
These dependencies can be automatically handled with${revision_label_str}the installed repository, providing significant
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako
--- a/templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako
+++ b/templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako
@@ -10,30 +10,30 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">${repository.name}</div>
+ <div class="toolFormTitle">${repository.name|h}</div><div class="toolFormBody"><form name="deactivate_or_uninstall_repository" id="deactivate_or_uninstall_repository" action="${h.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><div class="form-row"><label>Description:</label>
- ${repository.description}
+ ${repository.description|h}
<div style="clear: both"></div></div><div class="form-row"><label>Revision:</label>
- ${repository.changeset_revision}</a>
+ ${repository.changeset_revision|h}</a></div><div class="form-row"><label>Tool shed:</label>
- ${repository.tool_shed}
+ ${repository.tool_shed|h}
<div style="clear: both"></div></div><div class="form-row"><label>Owner:</label>
- ${repository.owner}
+ ${repository.owner|h}
</div><div class="form-row"><label>Deleted:</label>
- ${repository.deleted}
+ ${repository.deleted|h}
</div><div class="form-row"><%
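Review bot: `${repository.changeset_revision|h}</a>` carries a closing `</a>` with no matching opening anchor anywhere in this hunk — the line before it is the `Revision:` label — so it is almost certainly a leftover from a removed link and should be dropped while the line is being rewritten: `${repository.changeset_revision|h}`. The remaining rows in this hunk are fine with `|h`; the enclosing form continues past the hunk.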
@@ -186,7 +186,7 @@
##hack to mimic check box
<input type="hidden" name="remove_from_disk" value="true"/><input type="hidden" name="remove_from_disk" value="true"/>
%endif
- <input type="submit" name="deactivate_or_uninstall_repository_button" value="${deactivate_uninstall_button_text}"/>
+ <input type="submit" name="deactivate_or_uninstall_repository_button" value="${deactivate_uninstall_button_text|h}"/></div></form></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/initiate_repository_installation.mako
--- a/templates/admin/tool_shed_repository/initiate_repository_installation.mako
+++ b/templates/admin/tool_shed_repository/initiate_repository_installation.mako
@@ -53,18 +53,18 @@
<td>
%if link_to_manage_tool_dependencies:
<a class="view-info" href="${h.url_for( controller='admin_toolshed', action='manage_tool_dependencies', tool_dependency_ids=ids_of_tool_dependencies_missing_or_being_installed )}">
- ${tool_shed_repository.name}
+ ${tool_shed_repository.name|h}
</a>
%else:
<a class="view-info" href="${h.url_for( controller='admin_toolshed', action='manage_repository', id=encoded_repository_id )}">
- ${tool_shed_repository.name}
+ ${tool_shed_repository.name|h}
</a>
%endif
</td><td>${tool_shed_repository.description}</td><td>${tool_shed_repository.owner}</td><td>${tool_shed_repository.changeset_revision}</td>
- <td><div id="RepositoryStatus-${encoded_repository_id}">${tool_shed_repository.status}</div></td>
+ <td><div id="RepositoryStatus-${encoded_repository_id}">${tool_shed_repository.status|h}</div></td>
</tr>
%endfor
</table>
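Review bot: The context line `<td>${tool_shed_repository.description}</td><td>${tool_shed_repository.owner}</td><td>${tool_shed_repository.changeset_revision}</td>` still emits description, owner and changeset revision unescaped, right between the `name` and `status` cells this hunk fixes. These values come from the remote tool shed, and the manage_repository.mako and deactivate_or_uninstall_repository.mako hunks in this same commit escape the same three attributes, so the omission looks accidental. Add `|h` to all three: `<td>${tool_shed_repository.description|h}</td><td>${tool_shed_repository.owner|h}</td><td>${tool_shed_repository.changeset_revision|h}</td>`.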
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako
--- a/templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako
+++ b/templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako
@@ -20,12 +20,12 @@
<div class="toolForm"><div class="toolFormBody"><form name="install_tool_dependencies_with_update" id="install_tool_dependencies_with_update" action="${h.url_for( controller='admin_toolshed', action='install_tool_dependencies_with_update' )}" method="post" >
- <input type="hidden" name="updating_repository_id" value="${updating_repository_id}"/>
- <input type="hidden" name="updating_to_ctx_rev" value="${updating_to_ctx_rev}"/>
- <input type="hidden" name="updating_to_changeset_revision" value="${updating_to_changeset_revision}"/>
- <input type="hidden" name="encoded_updated_metadata" value="${encoded_updated_metadata}"/>
- <input type="hidden" name="encoded_relative_install_dir" value="${encoded_relative_install_dir}"/>
- <input type="hidden" name="encoded_tool_dependencies_dict" value="${encoded_tool_dependencies_dict}"/>
+ <input type="hidden" name="updating_repository_id" value="${updating_repository_id|h}"/>
+ <input type="hidden" name="updating_to_ctx_rev" value="${updating_to_ctx_rev|h}"/>
+ <input type="hidden" name="updating_to_changeset_revision" value="${updating_to_changeset_revision|h}"/>
+ <input type="hidden" name="encoded_updated_metadata" value="${encoded_updated_metadata|h}"/>
+ <input type="hidden" name="encoded_relative_install_dir" value="${encoded_relative_install_dir|h}"/>
+ <input type="hidden" name="encoded_tool_dependencies_dict" value="${encoded_tool_dependencies_dict|h}"/>
%if tool_dependencies_dict:
%if install_tool_dependencies_check_box is not None:
<div class="form-row">
@@ -71,12 +71,12 @@
%>
%if not os.path.exists( install_dir ):
<tr>
- <td>${key_name}</td>
- <td>${key_version}</td>
- <td>${install_dir}</td>
+ <td>${key_name|h}</td>
+ <td>${key_version|h}</td>
+ <td>${install_dir|h}</td>
</tr>
%if readme_text:
- <tr><td colspan="4" bgcolor="#FFFFCC">${key_name} ${key_version} requirements and installation information</td></tr>
+ <tr><td colspan="4" bgcolor="#FFFFCC">${key_name|h} ${key_version|h} requirements and installation information</td></tr><tr><td colspan="4"><pre>${readme_text}</pre></td></tr>
%endif
%endif
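Review bot: `<pre>${readme_text}</pre>` on the context line after the header row this hunk escapes is still emitted raw; `<pre>` does not suspend HTML parsing, so a README shipped in a tool shed repository that contains `</pre><script>` would run in the administrator's browser. Unless `readme_text` is already rendered, marked-safe HTML upstream — I can't tell from this hunk, though the `<pre>` wrapper suggests plain text — it should be `<pre>${readme_text|h}</pre>`. The `%if not os.path.exists( install_dir )` block this sits in is closed inside the hunk, but the enclosing loop is not.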
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/manage_repository.mako
--- a/templates/admin/tool_shed_repository/manage_repository.mako
+++ b/templates/admin/tool_shed_repository/manage_repository.mako
@@ -22,50 +22,50 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Installed tool shed repository '${repository.name}'</div>
+ <div class="toolFormTitle">Installed tool shed repository '${repository.name|h}'</div><div class="toolFormBody"><form name="edit_repository" id="edit_repository" action="${h.url_for( controller='admin_toolshed', action='manage_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><div class="form-row"><label>Tool shed:</label>
- ${repository.tool_shed}
+ ${repository.tool_shed|h}
<div style="clear: both"></div></div><div class="form-row"><label>Name:</label>
- ${repository.name}
+ ${repository.name|h}
<div style="clear: both"></div></div><div class="form-row"><label>Description:</label>
%if in_error_state:
- ${description}
+ ${description|h}
%else:
- <input name="description" type="textfield" value="${description}" size="80"/>
+ <input name="description" type="textfield" value="${description|h}" size="80"/>
%endif
<div style="clear: both"></div></div><div class="form-row"><label>Revision:</label>
- ${repository.changeset_revision}
+ ${repository.changeset_revision|h}
</div><div class="form-row"><label>Owner:</label>
- ${repository.owner}
+ ${repository.owner|h}
</div>
%if in_error_state:
<div class="form-row"><label>Repository installation error:</label>
- ${repository.error_message}
+ ${repository.error_message|h}
</div>
%else:
<div class="form-row"><label>Location:</label>
- ${repo_files_dir}
+ ${repo_files_dir|h}
</div>
%endif
<div class="form-row"><label>Deleted:</label>
- ${repository.deleted}
+ ${repository.deleted|h}
</div>
%if not in_error_state:
<div class="form-row">
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako
--- a/templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako
+++ b/templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako
@@ -20,7 +20,7 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Tool shed repository '${repository.name}' tool dependencies</div>
+ <div class="toolFormTitle">Tool shed repository '${repository.name|h}' tool dependencies</div><%
can_install = False
can_uninstall = False
@@ -48,16 +48,16 @@
<td>
%if tool_dependency.status not in [ trans.install_model.ToolDependency.installation_status.UNINSTALLED ]:
<a target="galaxy_main" href="${h.url_for( controller='admin_toolshed', action='manage_repository_tool_dependencies', operation='browse', tool_dependency_ids=trans.security.encode_id( tool_dependency.id ), repository_id=trans.security.encode_id( repository.id ) )}">
- ${tool_dependency.name}
+ ${tool_dependency.name|h}
</a>
%else:
- ${tool_dependency.name}
+ ${tool_dependency.name|h}
%endif
</td>
- <td>${tool_dependency.version}</td>
- <td>${tool_dependency.type}</td>
- <td>${tool_dependency.status}</td>
- <td>${error_message}</td>
+ <td>${tool_dependency.version|h}</td>
+ <td>${tool_dependency.type|h}</td>
+ <td>${tool_dependency.status|h}</td>
+ <td>${error_message|h}</td>
</tr>
%endfor
</table>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/purge_repository_confirmation.mako
--- a/templates/admin/tool_shed_repository/purge_repository_confirmation.mako
+++ b/templates/admin/tool_shed_repository/purge_repository_confirmation.mako
@@ -19,14 +19,14 @@
<div class="warningmessage"><p>
- Purging the repository named <b>${repository.name}</b> will result in deletion of all records for the
+ Purging the repository named <b>${repository.name|h}</b> will result in deletion of all records for the
following associated items from the database. Click the <b>Purge</b> button to purge this repository
and its associated items.
</p></div><div class="toolForm">
- <div class="toolFormTitle">Purge tool shed repository <b>${repository.name}</b></div>
+ <div class="toolFormTitle">Purge tool shed repository <b>${repository.name|h}</b></div><form name="purge_repository" id="purge_repository" action="${h.url_for( controller='admin_toolshed', action='purge_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><%
tool_versions = 0
@@ -59,11 +59,11 @@
orphan_repository_dependency_records += 1
%>
<table class="grid">
- <tr><td>Tool version records</td><td>${tool_versions}</td><tr>
- <tr><td>Tool dependency records</td><td>${tool_dependencies}</td><tr>
- <tr><td>Repository dependency records</td><td>${required_repositories}</td><tr>
- <tr><td>Orphan repository_repository_dependency_association records</td><td>${orphan_repository_repository_dependency_association_records}</td><tr>
- <tr><td>Orphan repository_dependency records</td><td>${orphan_repository_dependency_records}</td><tr>
+ <tr><td>Tool version records</td><td>${tool_versions|h}</td><tr>
+ <tr><td>Tool dependency records</td><td>${tool_dependencies|h}</td><tr>
+ <tr><td>Repository dependency records</td><td>${required_repositories|h}</td><tr>
+ <tr><td>Orphan repository_repository_dependency_association records</td><td>${orphan_repository_repository_dependency_association_records|h}</td><tr>
+ <tr><td>Orphan repository_dependency records</td><td>${orphan_repository_dependency_records|h}</td><tr>
</table>
<div style="clear: both"></div>
<div class="form-row">
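Review bot: Each of the five rewritten rows is closed with `<tr>` instead of `</tr>` (`...<td>${tool_versions|h}</td><tr>`), and the commit keeps that while touching every one of these lines; browsers recover, but each row opens a stray empty `<tr>` and the table markup is invalid. Change the trailing `<tr>` to `</tr>` on all five rows, e.g. `<tr><td>Tool version records</td><td>${tool_versions|h}</td></tr>`. The five values are integer counters built in the `<% %>` block above, so `|h` is harmless here but not what makes these lines safe.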
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/repair_repository.mako
--- a/templates/admin/tool_shed_repository/repair_repository.mako
+++ b/templates/admin/tool_shed_repository/repair_repository.mako
@@ -37,9 +37,9 @@
</div><div class="toolForm">
- <div class="toolFormTitle">Repair tool shed repository <b>${repository.name}</b></div>
+ <div class="toolFormTitle">Repair tool shed repository <b>${repository.name|h}</b></div><form name="repair_repository" id="repair_repository" action="${h.url_for( controller='admin_toolshed', action='repair_repository', id=trans.security.encode_id( repository.id ) )}" method="post" >
- <input type="hidden" name="repair_dict" value="${encoded_repair_dict}"/>
+ <input type="hidden" name="repair_dict" value="${encoded_repair_dict|h}"/><%
from tool_shed.util.shed_util_common import get_tool_shed_repository_status_label
ordered_repo_info_dicts = repair_dict.get( 'ordered_repo_info_dicts', [] )
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/repository_installation_status.mako
--- a/templates/admin/tool_shed_repository/repository_installation_status.mako
+++ b/templates/admin/tool_shed_repository/repository_installation_status.mako
@@ -1,5 +1,6 @@
<%def name="render_repository_status( repository )"><%
+ from markupsafe import escape
if repository.status in [ trans.install_model.ToolShedRepository.installation_status.CLONING,
trans.install_model.ToolShedRepository.installation_status.SETTING_TOOL_VERSIONS,
trans.install_model.ToolShedRepository.installation_status.INSTALLING_TOOL_DEPENDENCIES,
@@ -20,7 +21,7 @@
else:
bgcolor = trans.install_model.ToolShedRepository.states.ERROR
rval = '<div class="count-box state-color-%s" id="RepositoryStatus-%s">' % ( bgcolor, trans.security.encode_id( repository.id ) )
- rval += '%s</div>' % repository.status
+ rval += '%s</div>' % escape( repository.status )
return rval
%>
${rval}
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/reselect_tool_panel_section.mako
--- a/templates/admin/tool_shed_repository/reselect_tool_panel_section.mako
+++ b/templates/admin/tool_shed_repository/reselect_tool_panel_section.mako
@@ -62,12 +62,12 @@
<label>Shed tool configuration file:</label>
${shed_tool_conf_select_field.get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${select_help}
+ ${select_help|h}
</div></div><div style="clear: both"></div>
%else:
- <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/>
+ <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/>
%endif
%if includes_tools_for_display_in_tool_panel:
<div style="clear: both"></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako
--- a/templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako
+++ b/templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako
@@ -71,7 +71,7 @@
<input type="hidden" name="includes_tools" value="${includes_tools}" />
<input type="hidden" name="includes_tool_dependencies" value="${includes_tool_dependencies}" />
<input type="hidden" name="includes_tools_for_display_in_tool_panel" value="${includes_tools_for_display_in_tool_panel}" />
- <input type="hidden" name="tool_shed_url" value="${tool_shed_url}" />
+ <input type="hidden" name="tool_shed_url" value="${tool_shed_url|h}" />
</div>
<div style="clear: both"></div>
<% readme_files_dict = containers_dict.get( 'readme_files', None ) %>
@@ -111,12 +111,12 @@
<label>Shed tool configuration file:</label>
${shed_tool_conf_select_field.get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${select_help}
+ ${select_help|h}
</div></div><div style="clear: both"></div>
%else:
- <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/>
+ <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/>
%endif
<div class="form-row"><input type="submit" name="select_shed_tool_panel_config_button" value="Install"/>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/select_tool_panel_section.mako
--- a/templates/admin/tool_shed_repository/select_tool_panel_section.mako
+++ b/templates/admin/tool_shed_repository/select_tool_panel_section.mako
@@ -111,16 +111,16 @@
<label>Shed tool configuration file:</label>
${shed_tool_conf_select_field.get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${select_help}
+ ${select_help|h}
</div></div><div style="clear: both"></div>
%else:
- <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/>
+ <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/>
%endif
<div class="form-row"><label>Add new tool panel section:</label>
- <input name="new_tool_panel_section_label" type="textfield" value="${new_tool_panel_section_label}" size="40"/>
+ <input name="new_tool_panel_section_label" type="textfield" value="${new_tool_panel_section_label|h}" size="40"/><div class="toolParamHelp" style="clear: both;">
Add a new tool panel section to contain the installed tools (optional).
</div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako
--- a/templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako
+++ b/templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako
@@ -43,10 +43,10 @@
install_dir = "This dependency's installation directory does not exist, click <b>Uninstall</b> to reset for installation."
%>
<tr>
- <td>${tool_dependency.name}</td>
- <td>${tool_dependency.version}</td>
- <td>${tool_dependency.type}</td>
- <td>${install_dir}</td>
+ <td>${tool_dependency.name|h}</td>
+ <td>${tool_dependency.version|h}</td>
+ <td>${tool_dependency.type|h}</td>
+ <td>${install_dir|h}</td>
</tr>
%endfor
</table>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/view_tool_metadata.mako
--- a/templates/admin/tool_shed_repository/view_tool_metadata.mako
+++ b/templates/admin/tool_shed_repository/view_tool_metadata.mako
@@ -11,7 +11,7 @@
%if tool_metadata:
<p/><div class="toolForm">
- <div class="toolFormTitle">${tool_metadata[ 'name' ]} tool metadata</div>
+ <div class="toolFormTitle">${tool_metadata[ 'name' ]|h} tool metadata</div><div class="toolFormBody"><div class="form-row"><table width="100%">
@@ -20,41 +20,41 @@
</div><div class="form-row"><label>Name:</label>
- ${tool_metadata[ 'name' ]}
+ ${tool_metadata[ 'name' ]|h}
<div style="clear: both"></div></div>
%if 'description' in tool_metadata:
<div class="form-row"><label>Description:</label>
- ${tool_metadata[ 'description' ]}
+ ${tool_metadata[ 'description' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'id' in tool_metadata:
<div class="form-row"><label>Id:</label>
- ${tool_metadata[ 'id' ]}
+ ${tool_metadata[ 'id' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'guid' in tool_metadata:
<div class="form-row"><label>Guid:</label>
- ${tool_metadata[ 'guid' ]}
+ ${tool_metadata[ 'guid' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'version' in tool_metadata:
<div class="form-row"><label>Version:</label>
- ${tool_metadata[ 'version' ]}
+ ${tool_metadata[ 'version' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'version_string_cmd' in tool_metadata:
<div class="form-row"><label>Version command string:</label>
- ${tool_metadata[ 'version_string_cmd' ]}
+ ${tool_metadata[ 'version_string_cmd' ]|h}
<div style="clear: both"></div></div>
%endif
@@ -70,9 +70,9 @@
<tr><td>
%if guid == tool_metadata[ 'guid' ]:
- ${guid} <b>(this tool)</b>
+ ${guid|h} <b>(this tool)</b>
%else:
- ${guid}
+ ${guid|h}
%endif
</td></tr>
@@ -109,9 +109,9 @@
requirement_type = requirement_dict[ 'type' ] or 'not provided'
%>
<tr>
- <td>${requirement_name}</td>
- <td>${requirement_version}</td>
- <td>${requirement_type}</td>
+ <td>${requirement_name|h}</td>
+ <td>${requirement_version|h}</td>
+ <td>${requirement_type|h}</td>
</tr>
%endfor
</table>
@@ -130,27 +130,27 @@
</div><div class="form-row"><label>Command:</label>
- <pre>${tool.command}</pre>
+ <pre>${tool.command|h}</pre><div style="clear: both"></div></div><div class="form-row"><label>Interpreter:</label>
- ${tool.interpreter}
+ ${tool.interpreter|h}
<div style="clear: both"></div></div><div class="form-row"><label>Is multi-byte:</label>
- ${tool.is_multi_byte}
+ ${tool.is_multi_byte|h}
<div style="clear: both"></div></div><div class="form-row"><label>Forces a history refresh:</label>
- ${tool.force_history_refresh}
+ ${tool.force_history_refresh|h}
<div style="clear: both"></div></div><div class="form-row"><label>Parallelism:</label>
- ${tool.parallelism}
+ ${tool.parallelism|h}
<div style="clear: both"></div></div>
%endif
@@ -181,20 +181,20 @@
required_files = test_dict[ 'required_files' ]
%>
<tr>
- <td>${test_dict[ 'name' ]}</td>
+ <td>${test_dict[ 'name' ]|h}</td>
<td>
%for input in inputs:
- <b>${input[0]}:</b> ${input[1]}<br/>
+ <b>${input[0]|h}:</b> ${input[1]|h}<br/>
%endfor
</td>
<td>
%for output in outputs:
- <b>${output[0]}:</b> ${output[1]}<br/>
+ <b>${output[0]|h}:</b> ${output[1]|h}<br/>
%endfor
</td>
<td>
%for required_file in required_files:
- ${required_file}<br/>
+ ${required_file|h}<br/>
%endfor
</td>
</tr>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/view_workflow.mako
--- a/templates/admin/tool_shed_repository/view_workflow.mako
+++ b/templates/admin/tool_shed_repository/view_workflow.mako
@@ -17,7 +17,7 @@
<%def name="render_workflow( workflow_name, repository_id )"><% center_url = h.url_for( controller='admin_toolshed', action='generate_workflow_image', workflow_name=tool_shed_encode( workflow_name ), repository_id=repository_id ) %>
- <iframe name="workflow_image" id="workflow_image" frameborder="0" style="position: absolute; width: 100%; height: 100%;" src="${center_url}"></iframe>
+ <iframe name="workflow_image" id="workflow_image" frameborder="0" style="position: absolute; width: 100%; height: 100%;" src="${center_url|h}"></iframe></%def>
${render_galaxy_repository_actions( repository )}
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/user/reset_password.mako
--- a/templates/admin/user/reset_password.mako
+++ b/templates/admin/user/reset_password.mako
@@ -13,7 +13,7 @@
%for user in users:
<div class="form-row"><label>Email:</label>
- ${user.email}
+ ${user.email|h}
<div style="clear: both"></div></div>
%endfor
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/user/user.mako
--- a/templates/admin/user/user.mako
+++ b/templates/admin/user/user.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">User '${user.email}'</div>
+ <div class="toolFormTitle">User '${user.email|h}'</div><div class="toolFormBody"><form name="associate_user_role_group" id="associate_user_role_group" action="${h.url_for(controller='admin', action='manage_roles_and_groups_for_user', id=trans.security.encode_id( user.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Roles associated with '${user.email}'</label>
+ <label>Roles associated with '${user.email|h}'</label>
${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div>
- <label>Roles not associated with '${user.email}'</label>
+ <label>Roles not associated with '${user.email|h}'</label>
${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${user.email}'</label>
+ <label>Groups associated with '${user.email|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${user.email}'</label>
+ <label>Groups not associated with '${user.email|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/view_datatypes_registry.mako
--- a/templates/admin/view_datatypes_registry.mako
+++ b/templates/admin/view_datatypes_registry.mako
@@ -37,16 +37,16 @@
%else:
<tr class="tr">
%endif
- <td>${datatype.extension}</td>
- <td>${datatype.dtype}</td>
+ <td>${datatype.extension|h}</td>
+ <td>${datatype.dtype|h}</td><td>
%if datatype.mimetype:
- ${datatype.mimetype}
+ ${datatype.mimetype|h}
%endif
</td><td>
%if datatype.display_in_upload:
- ${datatype.display_in_upload}
+ ${datatype.display_in_upload|h}
%endif
</td></tr>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/base.mako
--- a/templates/base.mako
+++ b/templates/base.mako
@@ -39,7 +39,7 @@
<script>
Raven.config('${app.config.sentry_dsn_public}').install();
%if trans.user:
- Raven.setUser( { email: "${trans.user.email}" } );
+ Raven.setUser( { email: "${trans.user.email|h}" } );
%endif
</script>
%endif
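Review bot: `|h` on the `Raven.setUser` line applies HTML escaping inside a JavaScript string literal, so an email containing `'`, `"` or `&` is reported to Sentry as `&#39;`, `&quot;` or `&amp;` rather than the real value. It does stop the value from terminating the string or the `<script>` element, so it is an improvement over the old line, but the context-correct encoding for this spot is a JSON string literal whose `<` and `>` are additionally encoded as `\u003c`/`\u003e`, emitted unfiltered. The same line and the same issue appear in the galaxy.panels.mako hunk below; whichever approach is kept, a short comment such as `## email is inside a JS string literal, not HTML` would stop the next reader from assuming `|h` is the final word here.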
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/galaxy_client_app.mako
--- a/templates/galaxy_client_app.mako
+++ b/templates/galaxy_client_app.mako
@@ -70,11 +70,12 @@
## Return a dictionary of user or anonymous user data including:
## email, id, disk space used, quota percent, and tags used
<%
+ from markupsafe import escape
user_dict = {}
try:
if trans.user:
user_dict = trans.user.to_dict( view='element',
- value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float } )
+ value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float, 'email': escape, 'username': escape } )
user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans )
user_dict[ 'is_admin' ] = trans.user_is_admin()
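Review bot: Escaping `email` and `username` inside `value_mapper` bakes HTML entities into the data dictionary rather than into rendered output, so any consumer that does not insert these fields as raw HTML (a JSON client, a JS view that already escapes, or a form that posts the value back) sees `a&amp;b` where the stored value is `a&b`. The same pattern is used in the galaxy.masthead.mako hunk (`'email' : escape( trans.user.email ) if (trans.user) else "",`) and in the two `to_dict` hunks of lib/galaxy/webapps/galaxy/api/users.py further down, where it changes what the API returns. The robust placement is in the view that writes the value into markup, with the dictionary carrying the raw string. If the escape must stay here, a comment such as `## NOTE: email/username are pre-escaped for direct HTML insertion; do not reuse as API data` keeps later readers from round-tripping entity-encoded values. The enclosing `<% %>` block continues outside the hunk.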
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/user/index.mako
--- a/templates/user/index.mako
+++ b/templates/user/index.mako
@@ -2,7 +2,7 @@
%if trans.user:
<h2>${_('User preferences')}</h2>
- <p>You are currently logged in as ${trans.user.email}.</p>
+ <p>You are currently logged in as ${trans.user.email|h}.</p><ul>
%if t.webapp.name == 'galaxy':
%if not trans.app.config.use_remote_user:
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/admin/tool_sheds.mako
--- a/templates/webapps/galaxy/admin/tool_sheds.mako
+++ b/templates/webapps/galaxy/admin/tool_sheds.mako
@@ -22,7 +22,7 @@
<tr class="libraryTitle"><td><div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${shed_id}-popup">
- <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">${name}</a>
+ <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">${name|h}</a></div><div popupmenu="dataset-${shed_id}-popup"><a class="action-button" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">Browse valid repositories</a>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/dataset/errors.mako
--- a/templates/webapps/galaxy/dataset/errors.mako
+++ b/templates/webapps/galaxy/dataset/errors.mako
@@ -95,7 +95,7 @@
<input type="hidden" name="id" value="${trans.security.encode_id( hda.id)}" /><div class="form-row"><label>Your email</label>
- <input type="text" name="email" size="40" value="${user_email}" />
+ <input type="text" name="email" size="40" value="${user_email|h}" /></div><div class="form-row"><label>Message</label>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/galaxy.masthead.mako
--- a/templates/webapps/galaxy/galaxy.masthead.mako
+++ b/templates/webapps/galaxy/galaxy.masthead.mako
@@ -3,6 +3,7 @@
## masthead head generator
<%def name="load(active_view = None)"><%
+ from markupsafe import escape
## get configuration
masthead_config = {
## inject configuration
@@ -32,7 +33,7 @@
## user details
'user' : {
'requests' : bool(trans.user and (trans.user.requests or trans.app.security_agent.get_accessible_request_types(trans, trans.user))),
- 'email' : trans.user.email if (trans.user) else "",
+ 'email' : escape( trans.user.email ) if (trans.user) else "",
'valid' : bool(trans.user != None),
'json' : get_user_dict()
}
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/galaxy.panels.mako
--- a/templates/webapps/galaxy/galaxy.panels.mako
+++ b/templates/webapps/galaxy/galaxy.panels.mako
@@ -49,7 +49,7 @@
<script>
Raven.config('${app.config.sentry_dsn_public}').install();
%if trans.user:
- Raven.setUser( { email: "${trans.user.email}" } );
+ Raven.setUser( { email: "${trans.user.email|h}" } );
%endif
</script>
%endif
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/tool_shed/base_panels.mako
--- a/templates/webapps/tool_shed/base_panels.mako
+++ b/templates/webapps/tool_shed/base_panels.mako
@@ -91,7 +91,8 @@
%>
## User tabs.
- <%
+ <%
+ from markupsafe import escape
# Menu for user who is not logged in.
menu_options = [ [ _("Login"), h.url_for( controller='/user', action='login' ), "galaxy_main" ] ]
if app.config.allow_user_creation:
@@ -101,7 +102,7 @@
tab( "user", _("User"), None, visible=visible, menu_options=menu_options )
# Menu for user who is logged in.
if trans.user:
- email = trans.user.email
+ email = escape( trans.user.email )
else:
email = ""
menu_options = [ [ '<a>Logged in as <span id="user-email">%s</span></a>' % email ] ]
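Review bot: `escape( trans.user.email )` returns a `markupsafe.Markup` object that is then `%`-formatted into a hand-built HTML string on the `menu_options` line, which is exactly why escaping has to happen here rather than at render time; nothing in the hunk says so. A one-line comment above the assignment, `# email is spliced into raw HTML below, so escape it here`, would make that dependency explicit and discourage moving the escape. The `<% %>` block and the use of `menu_options` continue outside the hunk.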
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
3 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/a4b74b3d6f0d/
Changeset: a4b74b3d6f0d
Branch: stable
User: davebgx
Date: 2014-12-10 16:31:21+00:00
Summary: Escape anything that could be user input in mako templates, add markupsafe.escape to username and email in users API controller.
Affected #: 46 files
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 lib/galaxy/webapps/galaxy/api/users.py
--- a/lib/galaxy/webapps/galaxy/api/users.py
+++ b/lib/galaxy/webapps/galaxy/api/users.py
@@ -11,6 +11,7 @@
from galaxy.web.base.controller import BaseAPIController, UsesTagsMixin
from galaxy.web.base.controller import CreatesApiKeysMixin
from galaxy.web.base.controller import CreatesUsersMixin
+from markupsafe import escape
log = logging.getLogger( __name__ )
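Review bot: The new `from markupsafe import escape` is appended after the `galaxy.web.base.controller` imports, which puts a third-party import below the project's own; the file's existing grouping would have it in the third-party group above the `galaxy.*` lines, separated by a blank line. A style nit only, but it is the kind of ordering a later linter pass will flag.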
@@ -38,10 +39,10 @@
query = query.filter( trans.app.model.User.table.c.deleted == False ) # noqa
# special case: user can see only their own user
if not trans.user_is_admin():
- item = trans.user.to_dict( value_mapper={ 'id': trans.security.encode_id } )
+ item = trans.user.to_dict( value_mapper={ 'id': trans.security.encode_id, 'email': escape } )
return [item]
for user in query:
- item = user.to_dict( value_mapper={ 'id': trans.security.encode_id } )
+ item = user.to_dict( value_mapper={ 'id': trans.security.encode_id, 'email': escape } )
# TODO: move into api_values
rval.append( item )
return rval
@@ -78,7 +79,9 @@
else:
raise HTTPBadRequest( detail='Invalid user id ( %s ) specified' % id )
item = user.to_dict( view='element', value_mapper={ 'id': trans.security.encode_id,
- 'total_disk_usage': float } )
+ 'total_disk_usage': float,
+ 'email': escape,
+ 'username': escape } )
# add a list of tags used by the user (as strings)
item[ 'tags_used' ] = self.get_user_tags_used( trans, user=user )
# TODO: move into api_values (needs trans, tho - can we do that with api_keys/@property??)
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/group/group.mako
--- a/templates/admin/dataset_security/group/group.mako
+++ b/templates/admin/dataset_security/group/group.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Group '${group.name}'</div>
+ <div class="toolFormTitle">Group '${group.name|h}'</div><div class="toolFormBody"><form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='manage_users_and_roles_for_group', id=trans.security.encode_id( group.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Roles associated with '${group.name}'</label>
+ <label>Roles associated with '${group.name|h}'</label>
${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div>
- <label>Roles not associated with '${group.name}'</label>
+ <label>Roles not associated with '${group.name|h}'</label>
${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${group.name}'</label>
+ <label>Users associated with '${group.name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${group.name}'</label>
+ <label>Users not associated with '${group.name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/group/group_create.mako
--- a/templates/admin/dataset_security/group/group_create.mako
+++ b/templates/admin/dataset_security/group/group_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -60,7 +60,7 @@
<form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='create_group' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;">
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/group/group_rename.mako
--- a/templates/admin/dataset_security/group/group_rename.mako
+++ b/templates/admin/dataset_security/group/group_rename.mako
@@ -12,7 +12,7 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${group.name}" size="40"/>
+ <input type="text" name="name" value="${group.name|h}" size="40"/></div><div style="clear: both"></div></div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/role/role.mako
--- a/templates/admin/dataset_security/role/role.mako
+++ b/templates/admin/dataset_security/role/role.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Role '${role.name}'</div>
+ <div class="toolFormTitle">Role '${role.name|h}'</div><div class="toolFormBody"><form name="associate_role_user_group" id="associate_role_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_role', id=trans.security.encode_id( role.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${role.name}'</label>
+ <label>Users associated with '${role.name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${role.name}'</label>
+ <label>Users not associated with '${role.name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${role.name}'</label>
+ <label>Groups associated with '${role.name|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${role.name}'</label>
+ <label>Groups not associated with '${role.name|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
@@ -84,7 +84,7 @@
<br clear="left"/><br/>
%if len( library_dataset_actions ) > 0:
- <h3>Data library datasets associated with role '${role.name}'</h3>
+ <h3>Data library datasets associated with role '${role.name|h}'</h3><table class="manage-table colored" border="0" cellspacing="0" cellpadding="0" width="100%"><tr><td>
@@ -92,16 +92,16 @@
%for ctr, library, in enumerate( library_dataset_actions.keys() ):
<li><img src="${h.url_for( '/static/images/silk/book_open.png' )}" class="rowIcon"/>
- ${library.name}
+ ${library.name|h}
<ul>
%for folder_path, permissions in library_dataset_actions[ library ].items():
<li><img src="/static/images/silk/folder_page.png" class="rowIcon"/>
- ${folder_path}
+ ${folder_path|h}
<ul>
% for permission in permissions:
<ul>
- <li>${permission}</li>
+ <li>${permission|h}</li></ul>
%endfor
</ul>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/role/role_create.mako
--- a/templates/admin/dataset_security/role/role_create.mako
+++ b/templates/admin/dataset_security/role/role_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -60,11 +60,11 @@
<form name="associate_role_group_user" id="associate_role_group_user" action="${h.url_for(controller='admin', action='create_role' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label>
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;">
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/role/role_rename.mako
--- a/templates/admin/dataset_security/role/role_rename.mako
+++ b/templates/admin/dataset_security/role/role_rename.mako
@@ -12,14 +12,14 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${role.name}" size="40"/>
+ <input type="text" name="name" value="${role.name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input name="description" type="textfield" value="${role.description}" size=40"/>
+ <input name="description" type="textfield" value="${role.description|h}" size=40"/></div><div style="clear: both"></div></div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/external_service/create_external_service.mako
--- a/templates/admin/external_service/create_external_service.mako
+++ b/templates/admin/external_service/create_external_service.mako
@@ -12,10 +12,10 @@
%if widgets:
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field['label']}:</label>
+ <label>${field['label']|h}:</label>
${field['widget'].get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${field['helptext']}
+ ${field['helptext']|h}
</div><div style="clear: both"></div></div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/external_service/edit_external_service.mako
--- a/templates/admin/external_service/edit_external_service.mako
+++ b/templates/admin/external_service/edit_external_service.mako
@@ -25,10 +25,10 @@
<div class="toolFormTitle">Edit external service</div>
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field['label']}:</label>
+ <label>${field['label']|h}:</label>
${field['widget'].get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${field['helptext']}
+ ${field['helptext']|h}
</div><div style="clear: both"></div></div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/jobs.mako
--- a/templates/admin/jobs.mako
+++ b/templates/admin/jobs.mako
@@ -63,12 +63,12 @@
</td><td>${job.id}</td>
%if job.history and job.history.user:
- <td>${job.history.user.email}</td>
+ <td>${job.history.user.email|h}</td>
%else:
<td>anonymous</td>
%endif
<td>${last_updated[job.id]} ago</td>
- <td>${job.tool_id}</td>
+ <td>${job.tool_id|h}</td><td>${job.state}</td><%
try:
@@ -77,8 +77,8 @@
inputs = 'Unable to determine inputs'
%><td>${inputs}</td>
- <td>${job.command_line}</td>
- <td>${job.job_runner_name}</td>
+ <td>${job.command_line|h}</td>
+ <td>${job.job_runner_name|h}</td><td>${job.job_runner_external_id}</td></tr>
%endfor
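Review bot: `<td>${inputs}</td>` just after `inputs = 'Unable to determine inputs'` is still rendered without `|h`, and the equivalent line in the later `@@ -145,9 +145,9 @@` hunk of this file is left the same way. `inputs` is computed outside this hunk, so I cannot see what feeds it, but if it is assembled from dataset names or job parameters it is as user-controlled as `job.command_line`, which this hunk does escape. Either add the filter there as well, `<td>${inputs|h}</td>`, or apply `escape()` where `inputs` is built.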
@@ -131,12 +131,12 @@
%for job in recent_jobs:
<td><a href="${h.url_for( controller="admin", action="job_info" )}?jobid=${job.id}">${job.id}</a></td>
%if job.history and job.history.user:
- <td>${job.history.user.email}</td>
+ <td>${job.history.user.email|h}</td>
%else:
<td>anonymous</td>
%endif
<td>${finished[job.id]} ago</td>
- <td>${job.tool_id}</td>
+ <td>${job.tool_id|h}</td><td>${job.state}</td><%
try:
@@ -145,9 +145,9 @@
inputs = 'Unable to determine inputs'
%><td>${inputs}</td>
- <td>${job.command_line}</td>
- <td>${job.job_runner_name}</td>
- <td>${job.job_runner_external_id}</td>
+ <td>${job.command_line|h}</td>
+ <td>${job.job_runner_name|h}</td>
+ <td>${job.job_runner_external_id|h}</td></tr>
%endfor
</table>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/memdump.mako
--- a/templates/admin/memdump.mako
+++ b/templates/admin/memdump.mako
@@ -55,7 +55,7 @@
<br/>
You are here: ${breadcrumb}<br/>
%if breadcrumb.endswith( 'theone' ):
- ${heap}
+ ${heap|h}
%else:
<nobr>
Sort:
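Review bot: `${breadcrumb}` two lines above the changed line is still emitted unescaped while `${heap}` now gets `|h`; the `breadcrumb.endswith( 'theone' )` test suggests it carries navigation state, and if that state comes from request parameters it should get the same treatment, `You are here: ${breadcrumb|h}<br/>`. It is also worth confirming that `heap` is plain text: if the report was previously relied on to contain markup, `|h` will now show that markup literally.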
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/package_tool.mako
--- a/templates/admin/package_tool.mako
+++ b/templates/admin/package_tool.mako
@@ -28,9 +28,9 @@
<select name="tool_id">
%for key, val in toolbox.tool_panel.items():
%if isinstance( val, Tool ):
- <option value="${val.id}">${val.name}</option>
+ <option value="${val.id|h}">${val.name|h}</option>
%elif isinstance( val, ToolSection ):
- <optgroup label="${val.name}">
+ <optgroup label="${val.name|h}"><% section = val %>
%for section_key, section_val in section.elems.items():
%if isinstance( section_val, Tool ):
@@ -38,7 +38,7 @@
%if section_val.id == tool_id:
<% selected_str = " selected=\"selected\"" %>
%endif
- <option value="${section_val.id}"${selected_str}>${section_val.name}</option>
+ <option value="${section_val.id|h}"${selected_str}>${section_val.name|h}</option>
%endif
%endfor
%endif
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/quota/quota.mako
--- a/templates/admin/quota/quota.mako
+++ b/templates/admin/quota/quota.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Quota '${name}'</div>
+ <div class="toolFormTitle">Quota '${name|h}'</div><div class="toolFormBody"><form name="associate_quota_user_group" id="associate_quota_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_quota', id=id )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${name}'</label>
+ <label>Users associated with '${name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${name}'</label>
+ <label>Users not associated with '${name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${name}'</label>
+ <label>Groups associated with '${name|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${name}'</label>
+ <label>Groups not associated with '${name|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/quota/quota_create.mako
--- a/templates/admin/quota/quota_create.mako
+++ b/templates/admin/quota/quota_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -69,15 +69,15 @@
<form name="associate_quota_group_user" id="associate_quota_group_user" action="${h.url_for(controller='admin', action='create_quota' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label>
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><label>Amount</label>
- <input name="amount" type="textfield" value="${amount}" size=40"/>
+ <input name="amount" type="textfield" value="${amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;">
Examples: "10000MB", "99 gb", "0.2T", "unlimited"
</div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/quota/quota_edit.mako
--- a/templates/admin/quota/quota_edit.mako
+++ b/templates/admin/quota/quota_edit.mako
@@ -29,7 +29,7 @@
<input name="id" type="hidden" value="${id}"/><div class="form-row"><label>Amount</label>
- <input name="amount" type="textfield" value="${display_amount}" size=40"/>
+ <input name="amount" type="textfield" value="${display_amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;">
Examples: "10000MB", "99 gb", "0.2T", "unlimited"
</div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/quota/quota_rename.mako
--- a/templates/admin/quota/quota_rename.mako
+++ b/templates/admin/quota/quota_rename.mako
@@ -21,14 +21,14 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${name}" size="40"/>
+ <input type="text" name="name" value="${name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div style="clear: both"></div></div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/reload_tool.mako
--- a/templates/admin/reload_tool.mako
+++ b/templates/admin/reload_tool.mako
@@ -28,9 +28,9 @@
<select name="tool_id">
%for key, val in toolbox.tool_panel.items():
%if isinstance( val, Tool ):
- <option value="${val.id}">${val.name}</option>
+ <option value="${val.id}">${val.name|h}</option>
%elif isinstance( val, ToolSection ):
- <optgroup label="${val.name}">
+ <optgroup label="${val.name|h}"><% section = val %>
%for section_key, section_val in section.elems.items():
%if isinstance( section_val, Tool ):
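Review bot: `${val.id}` in the `value` attribute stays unescaped here, while the otherwise identical hunk in package_tool.mako escapes it as `${val.id|h}`; the same discrepancy exists for `${section_val.id}` in the next hunk of this file. Tool ids of shed-installed tools are not under the admin's control in the way built-in ids are, so the two templates should not differ. Change to `<option value="${val.id|h}">${val.name|h}</option>` here and apply the matching `|h` on the `${selected_str}` line below.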
@@ -38,7 +38,7 @@
%if section_val.id == tool_id:
<% selected_str = " selected=\"selected\"" %>
%endif
- <option value="${section_val.id}"${selected_str}>${section_val.name}</option>
+ <option value="${section_val.id}"${selected_str}>${section_val.name|h}</option>
%endif
%endfor
%endif
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/review_tool_migration_stages.mako
--- a/templates/admin/review_tool_migration_stages.mako
+++ b/templates/admin/review_tool_migration_stages.mako
@@ -4,7 +4,9 @@
%if message:
${render_msg( message, status )}
%endif
-
+<%
+from markupsafe import escape
+%><div class="toolForm"><div class="toolFormTitle">Tool migrations that can be performed on this Galaxy instance</div><div class="toolFormBody">
@@ -51,7 +53,7 @@
repository_names.sort()
repository_names = ', '.join( repository_names )
%>
- <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names}</b></td></tr>
+ <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names|h}</b></td></tr><tr><td bgcolor="#FFFFCC"><div class="form-row">
@@ -59,11 +61,11 @@
<p>
%if tool_dependencies:
This migration stage includes tools that have tool dependencies that can be automatically installed. To install them, run:<br/>
- <b>${install_dependencies}</b><br/><br/>
+ <b>${install_dependencies|h}</b><br/><br/>
To skip tool dependency installation run:<br/>
- <b>${migration_command}</b>
+ <b>${migration_command|h}</b>
%else:
- <b>${migration_command}</b>
+ <b>${migration_command|h}</b>
%endif
</p></div>
@@ -74,7 +76,7 @@
<tr><td bgcolor="#DADFEF"><div class="form-row">
- <b>Repository:</b> ${repository_name}
+ <b>Repository:</b> ${repository_name|h}
</div></td></tr>
@@ -88,10 +90,10 @@
</tr>
%for tool_dependencies_tup in tool_dependencies:
<%
- tool_dependency_name = tool_dependencies_tup[0]
- tool_dependency_version = tool_dependencies_tup[1]
- tool_dependency_type = tool_dependencies_tup[2]
- installation_requirements = tool_dependencies_tup[3].replace( '\n', '<br/>' )
+ tool_dependency_name = escape( tool_dependencies_tup[0] )
+ tool_dependency_version = escape( tool_dependencies_tup[1] )
+ tool_dependency_type = escape( tool_dependencies_tup[2] )
+ installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )
%><tr><td>
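Review bot: `escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )` no longer produces line breaks: `escape()` returns a `markupsafe.Markup`, whose `replace` escapes its string arguments, so the `<br/>` is inserted as `&lt;br/&gt;` and shows up literally in the page. Use a `Markup` replacement instead, `installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', Markup( '<br/>' ) )`, and extend the import added in the first hunk of this file to `from markupsafe import escape, Markup`. The `<% %>` block and the rendering of these four variables continue outside the hunk.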
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/browse_repository.mako
--- a/templates/admin/tool_shed_repository/browse_repository.mako
+++ b/templates/admin/tool_shed_repository/browse_repository.mako
@@ -21,7 +21,7 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Browse ${repository.name} revision ${repository.changeset_revision} files</div>
+ <div class="toolFormTitle">Browse ${repository.name|h} revision ${repository.changeset_revision} files</div><div class="toolFormBody"><div class="form-row" ><label>Contents:</label>
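Review bot: `${repository.changeset_revision}` on the new line is still rendered unescaped while `repository.name` gains `|h`, whereas browse_tool_dependency.mako in this same changeset escapes `changeset_revision` as well. The value is read from the installed-repository record like `name`, so for consistency and defence in depth write `revision ${repository.changeset_revision|h} files`.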
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/browse_tool_dependency.mako
--- a/templates/admin/tool_shed_repository/browse_tool_dependency.mako
+++ b/templates/admin/tool_shed_repository/browse_tool_dependency.mako
@@ -23,33 +23,33 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name} installation directory</div>
+ <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name|h} installation directory</div><div class="toolFormBody"><div class="form-row" ><label>Tool shed repository:</label>
- ${repository.name}
+ ${repository.name|h}
<div style="clear: both"></div></div><div class="form-row" ><label>Tool shed repository changeset revision:</label>
- ${repository.changeset_revision}
+ ${repository.changeset_revision|h}
<div style="clear: both"></div></div><div class="form-row" ><label>Tool dependency status:</label>
- ${tool_dependency.status}
+ ${tool_dependency.status|h}
<div style="clear: both"></div></div>
%if tool_dependency.in_error_state:
<div class="form-row" ><label>Tool dependency installation error:</label>
- ${tool_dependency.error_message}
+ ${tool_dependency.error_message|h}
<div style="clear: both"></div></div>
%endif
<div class="form-row" ><label>Tool dependency installation directory:</label>
- ${tool_dependency.installation_directory( trans.app )}
+ ${tool_dependency.installation_directory( trans.app )|h}
<div style="clear: both"></div></div><div class="form-row" >
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/common.mako
--- a/templates/admin/tool_shed_repository/common.mako
+++ b/templates/admin/tool_shed_repository/common.mako
@@ -8,7 +8,7 @@
});
// --- Initialize sample trees
$("#tree").dynatree({
- title: "${title_text}",
+ title: "${title_text|h}",
rootVisible: true,
minExpandLevel: 0, // 1: root node is not collapsible
persist: false,
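Review bot: `title: "${title_text|h}"` is a JavaScript string literal, and the `h` filter is an HTML escaper, not a JS one: a newline or a backslash in `title_text` still terminates or alters the literal, and legitimate quotes arrive as `&#34;` entities. The correct encoding for a `<script>` context is JSON: compute `json_title = json.dumps( title_text ).replace( '<', '\\u003c' )` in a `<% %>` block and emit `title: ${json_title},`; the `<` substitution keeps a `</script>` inside the value from closing the element. The same applies to `folder_path: "${directory_path|h}"` and `selected_value = "${directory_path|h}/"` in the next two hunks of this file.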
@@ -24,7 +24,7 @@
// initAjax is hard to fake, so we pass the children as object array:
initAjax: {url: "${h.url_for( controller='admin_toolshed', action='open_folder' )}",
dataType: "json",
- data: { folder_path: "${directory_path}" },
+ data: { folder_path: "${directory_path|h}" },
},
onLazyRead: function(dtnode){
dtnode.appendAjax({
@@ -45,7 +45,7 @@
var cell = $("#file_contents");
var selected_value;
if (dtnode.data.key == 'root') {
- selected_value = "${directory_path}/";
+ selected_value = "${directory_path|h}/";
} else {
selected_value = dtnode.data.key;
};
@@ -81,6 +81,7 @@
line-break:strict; }
</style><%
+ from markupsafe import escape
class RowCounter( object ):
def __init__( self ):
self.count = 0
@@ -96,7 +97,7 @@
env_settings_heaader_row_displayed = False
package_header_row_displayed = False
if revision_label:
- revision_label_str = ' revision <b>%s</b> of ' % str( revision_label )
+ revision_label_str = ' revision <b>%s</b> of ' % escape( str( revision_label ) )
else:
revision_label_str = ' '
%>
@@ -104,7 +105,7 @@
<div class="toolParamHelp" style="clear: both;"><p>
%if export:
- The following additional repositories are required by${revision_label_str}the <b>${repository.name}</b> repository
+ The following additional repositories are required by${revision_label_str}the <b>${repository.name|h}</b> repository
and they can be exported as well.
%else:
These dependencies can be automatically handled with${revision_label_str}the installed repository, providing significant
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako
--- a/templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako
+++ b/templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako
@@ -10,30 +10,30 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">${repository.name}</div>
+ <div class="toolFormTitle">${repository.name|h}</div><div class="toolFormBody"><form name="deactivate_or_uninstall_repository" id="deactivate_or_uninstall_repository" action="${h.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><div class="form-row"><label>Description:</label>
- ${repository.description}
+ ${repository.description|h}
<div style="clear: both"></div></div><div class="form-row"><label>Revision:</label>
- ${repository.changeset_revision}</a>
+ ${repository.changeset_revision|h}</a></div><div class="form-row"><label>Tool shed:</label>
- ${repository.tool_shed}
+ ${repository.tool_shed|h}
<div style="clear: both"></div></div><div class="form-row"><label>Owner:</label>
- ${repository.owner}
+ ${repository.owner|h}
</div><div class="form-row"><label>Deleted:</label>
- ${repository.deleted}
+ ${repository.deleted|h}
</div><div class="form-row"><%
@@ -186,7 +186,7 @@
##hack to mimic check box
<input type="hidden" name="remove_from_disk" value="true"/><input type="hidden" name="remove_from_disk" value="true"/>
%endif
- <input type="submit" name="deactivate_or_uninstall_repository_button" value="${deactivate_uninstall_button_text}"/>
+ <input type="submit" name="deactivate_or_uninstall_repository_button" value="${deactivate_uninstall_button_text|h}"/></div></form></div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/initiate_repository_installation.mako
--- a/templates/admin/tool_shed_repository/initiate_repository_installation.mako
+++ b/templates/admin/tool_shed_repository/initiate_repository_installation.mako
@@ -53,18 +53,18 @@
<td>
%if link_to_manage_tool_dependencies:
<a class="view-info" href="${h.url_for( controller='admin_toolshed', action='manage_tool_dependencies', tool_dependency_ids=ids_of_tool_dependencies_missing_or_being_installed )}">
- ${tool_shed_repository.name}
+ ${tool_shed_repository.name|h}
</a>
%else:
<a class="view-info" href="${h.url_for( controller='admin_toolshed', action='manage_repository', id=encoded_repository_id )}">
- ${tool_shed_repository.name}
+ ${tool_shed_repository.name|h}
</a>
%endif
</td><td>${tool_shed_repository.description}</td><td>${tool_shed_repository.owner}</td><td>${tool_shed_repository.changeset_revision}</td>
- <td><div id="RepositoryStatus-${encoded_repository_id}">${tool_shed_repository.status}</div></td>
+ <td><div id="RepositoryStatus-${encoded_repository_id}">${tool_shed_repository.status|h}</div></td></tr>
%endfor
</table>
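Review bot: the unchanged line `<td>${tool_shed_repository.description}</td><td>${tool_shed_repository.owner}</td><td>${tool_shed_repository.changeset_revision}</td>` still renders three fields unescaped while `name` and `status` gained `|h` in this hunk; `description` and `owner` come from the same remote tool shed record as `name`, so they warrant the same treatment. Change it to `<td>${tool_shed_repository.description|h}</td><td>${tool_shed_repository.owner|h}</td><td>${tool_shed_repository.changeset_revision|h}</td>`.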
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako
--- a/templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako
+++ b/templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako
@@ -20,12 +20,12 @@
<div class="toolForm"><div class="toolFormBody"><form name="install_tool_dependencies_with_update" id="install_tool_dependencies_with_update" action="${h.url_for( controller='admin_toolshed', action='install_tool_dependencies_with_update' )}" method="post" >
- <input type="hidden" name="updating_repository_id" value="${updating_repository_id}"/>
- <input type="hidden" name="updating_to_ctx_rev" value="${updating_to_ctx_rev}"/>
- <input type="hidden" name="updating_to_changeset_revision" value="${updating_to_changeset_revision}"/>
- <input type="hidden" name="encoded_updated_metadata" value="${encoded_updated_metadata}"/>
- <input type="hidden" name="encoded_relative_install_dir" value="${encoded_relative_install_dir}"/>
- <input type="hidden" name="encoded_tool_dependencies_dict" value="${encoded_tool_dependencies_dict}"/>
+ <input type="hidden" name="updating_repository_id" value="${updating_repository_id|h}"/>
+ <input type="hidden" name="updating_to_ctx_rev" value="${updating_to_ctx_rev|h}"/>
+ <input type="hidden" name="updating_to_changeset_revision" value="${updating_to_changeset_revision|h}"/>
+ <input type="hidden" name="encoded_updated_metadata" value="${encoded_updated_metadata|h}"/>
+ <input type="hidden" name="encoded_relative_install_dir" value="${encoded_relative_install_dir|h}"/>
+ <input type="hidden" name="encoded_tool_dependencies_dict" value="${encoded_tool_dependencies_dict|h}"/>
%if tool_dependencies_dict:
%if install_tool_dependencies_check_box is not None:
<div class="form-row">
@@ -71,12 +71,12 @@
%>
%if not os.path.exists( install_dir ):
<tr>
- <td>${key_name}</td>
- <td>${key_version}</td>
- <td>${install_dir}</td>
+ <td>${key_name|h}</td>
+ <td>${key_version|h}</td>
+ <td>${install_dir|h}</td></tr>
%if readme_text:
- <tr><td colspan="4" bgcolor="#FFFFCC">${key_name} ${key_version} requirements and installation information</td></tr>
+ <tr><td colspan="4" bgcolor="#FFFFCC">${key_name|h} ${key_version|h} requirements and installation information</td></tr><tr><td colspan="4"><pre>${readme_text}</pre></td></tr>
%endif
%endif
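Review bot: `<pre>${readme_text}</pre>` on the new line still inserts the repository's README unescaped, while `key_name`, `key_version` and `install_dir` in the same row now get `|h`; a README is repository-supplied content, so this remains an HTML injection point on an admin page. Use `<pre>${readme_text|h}</pre>` unless the README is deliberately rendered as HTML, in which case it should be sanitised before reaching the template and the line should carry a comment saying so.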
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/manage_repository.mako
--- a/templates/admin/tool_shed_repository/manage_repository.mako
+++ b/templates/admin/tool_shed_repository/manage_repository.mako
@@ -22,50 +22,50 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Installed tool shed repository '${repository.name}'</div>
+ <div class="toolFormTitle">Installed tool shed repository '${repository.name|h}'</div><div class="toolFormBody"><form name="edit_repository" id="edit_repository" action="${h.url_for( controller='admin_toolshed', action='manage_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><div class="form-row"><label>Tool shed:</label>
- ${repository.tool_shed}
+ ${repository.tool_shed|h}
<div style="clear: both"></div></div><div class="form-row"><label>Name:</label>
- ${repository.name}
+ ${repository.name|h}
<div style="clear: both"></div></div><div class="form-row"><label>Description:</label>
%if in_error_state:
- ${description}
+ ${description|h}
%else:
- <input name="description" type="textfield" value="${description}" size="80"/>
+ <input name="description" type="textfield" value="${description|h}" size="80"/>
%endif
<div style="clear: both"></div></div><div class="form-row"><label>Revision:</label>
- ${repository.changeset_revision}
+ ${repository.changeset_revision|h}
</div><div class="form-row"><label>Owner:</label>
- ${repository.owner}
+ ${repository.owner|h}
</div>
%if in_error_state:
<div class="form-row"><label>Repository installation error:</label>
- ${repository.error_message}
+ ${repository.error_message|h}
</div>
%else:
<div class="form-row"><label>Location:</label>
- ${repo_files_dir}
+ ${repo_files_dir|h}
</div>
%endif
<div class="form-row"><label>Deleted:</label>
- ${repository.deleted}
+ ${repository.deleted|h}
</div>
%if not in_error_state:
<div class="form-row">
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako
--- a/templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako
+++ b/templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako
@@ -20,7 +20,7 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Tool shed repository '${repository.name}' tool dependencies</div>
+ <div class="toolFormTitle">Tool shed repository '${repository.name|h}' tool dependencies</div><%
can_install = False
can_uninstall = False
@@ -48,16 +48,16 @@
<td>
%if tool_dependency.status not in [ trans.install_model.ToolDependency.installation_status.UNINSTALLED ]:
<a target="galaxy_main" href="${h.url_for( controller='admin_toolshed', action='manage_repository_tool_dependencies', operation='browse', tool_dependency_ids=trans.security.encode_id( tool_dependency.id ), repository_id=trans.security.encode_id( repository.id ) )}">
- ${tool_dependency.name}
+ ${tool_dependency.name|h}
</a>
%else:
- ${tool_dependency.name}
+ ${tool_dependency.name|h}
%endif
</td>
- <td>${tool_dependency.version}</td>
- <td>${tool_dependency.type}</td>
- <td>${tool_dependency.status}</td>
- <td>${error_message}</td>
+ <td>${tool_dependency.version|h}</td>
+ <td>${tool_dependency.type|h}</td>
+ <td>${tool_dependency.status|h}</td>
+ <td>${error_message|h}</td></tr>
%endfor
</table>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/purge_repository_confirmation.mako
--- a/templates/admin/tool_shed_repository/purge_repository_confirmation.mako
+++ b/templates/admin/tool_shed_repository/purge_repository_confirmation.mako
@@ -19,14 +19,14 @@
<div class="warningmessage"><p>
- Purging the repository named <b>${repository.name}</b> will result in deletion of all records for the
+ Purging the repository named <b>${repository.name|h}</b> will result in deletion of all records for the
following associated items from the database. Click the <b>Purge</b> button to purge this repository
and its associated items.
</p></div><div class="toolForm">
- <div class="toolFormTitle">Purge tool shed repository <b>${repository.name}</b></div>
+ <div class="toolFormTitle">Purge tool shed repository <b>${repository.name|h}</b></div><form name="purge_repository" id="purge_repository" action="${h.url_for( controller='admin_toolshed', action='purge_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><%
tool_versions = 0
@@ -59,11 +59,11 @@
orphan_repository_dependency_records += 1
%><table class="grid">
- <tr><td>Tool version records</td><td>${tool_versions}</td><tr>
- <tr><td>Tool dependency records</td><td>${tool_dependencies}</td><tr>
- <tr><td>Repository dependency records</td><td>${required_repositories}</td><tr>
- <tr><td>Orphan repository_repository_dependency_association records</td><td>${orphan_repository_repository_dependency_association_records}</td><tr>
- <tr><td>Orphan repository_dependency records</td><td>${orphan_repository_dependency_records}</td><tr>
+ <tr><td>Tool version records</td><td>${tool_versions|h}</td><tr>
+ <tr><td>Tool dependency records</td><td>${tool_dependencies|h}</td><tr>
+ <tr><td>Repository dependency records</td><td>${required_repositories|h}</td><tr>
+ <tr><td>Orphan repository_repository_dependency_association records</td><td>${orphan_repository_repository_dependency_association_records|h}</td><tr>
+ <tr><td>Orphan repository_dependency records</td><td>${orphan_repository_dependency_records|h}</td><tr></table><div style="clear: both"></div><div class="form-row">
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/repair_repository.mako
--- a/templates/admin/tool_shed_repository/repair_repository.mako
+++ b/templates/admin/tool_shed_repository/repair_repository.mako
@@ -37,9 +37,9 @@
</div><div class="toolForm">
- <div class="toolFormTitle">Repair tool shed repository <b>${repository.name}</b></div>
+ <div class="toolFormTitle">Repair tool shed repository <b>${repository.name|h}</b></div><form name="repair_repository" id="repair_repository" action="${h.url_for( controller='admin_toolshed', action='repair_repository', id=trans.security.encode_id( repository.id ) )}" method="post" >
- <input type="hidden" name="repair_dict" value="${encoded_repair_dict}"/>
+ <input type="hidden" name="repair_dict" value="${encoded_repair_dict|h}"/><%
from tool_shed.util.shed_util_common import get_tool_shed_repository_status_label
ordered_repo_info_dicts = repair_dict.get( 'ordered_repo_info_dicts', [] )
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/repository_installation_status.mako
--- a/templates/admin/tool_shed_repository/repository_installation_status.mako
+++ b/templates/admin/tool_shed_repository/repository_installation_status.mako
@@ -1,5 +1,6 @@
<%def name="render_repository_status( repository )"><%
+ from markupsafe import escape
if repository.status in [ trans.install_model.ToolShedRepository.installation_status.CLONING,
trans.install_model.ToolShedRepository.installation_status.SETTING_TOOL_VERSIONS,
trans.install_model.ToolShedRepository.installation_status.INSTALLING_TOOL_DEPENDENCIES,
@@ -20,7 +21,7 @@
else:
bgcolor = trans.install_model.ToolShedRepository.states.ERROR
rval = '<div class="count-box state-color-%s" id="RepositoryStatus-%s">' % ( bgcolor, trans.security.encode_id( repository.id ) )
- rval += '%s</div>' % repository.status
+ rval += '%s</div>' % escape( repository.status )
return rval
%>
${rval}
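Review bot: `rval` intentionally contains markup and is emitted via `${rval}` without `|h`, which is safe only because every interpolated value is either `escape()`d or an internal constant; that invariant is not written down, and the next value added to the `%` tuple will silently break it. Add a comment above `rval = '<div class=...`, e.g. `# rval is trusted markup rendered unfiltered below: escape() every value interpolated into it.` `bgcolor` is likewise safe only because it is drawn from `ToolShedRepository.states` constants rather than request data.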
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/reselect_tool_panel_section.mako
--- a/templates/admin/tool_shed_repository/reselect_tool_panel_section.mako
+++ b/templates/admin/tool_shed_repository/reselect_tool_panel_section.mako
@@ -62,12 +62,12 @@
<label>Shed tool configuration file:</label>
${shed_tool_conf_select_field.get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${select_help}
+ ${select_help|h}
</div></div><div style="clear: both"></div>
%else:
- <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/>
+ <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/>
%endif
%if includes_tools_for_display_in_tool_panel:
<div style="clear: both"></div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako
--- a/templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako
+++ b/templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako
@@ -71,7 +71,7 @@
<input type="hidden" name="includes_tools" value="${includes_tools}" /><input type="hidden" name="includes_tool_dependencies" value="${includes_tool_dependencies}" /><input type="hidden" name="includes_tools_for_display_in_tool_panel" value="${includes_tools_for_display_in_tool_panel}" />
- <input type="hidden" name="tool_shed_url" value="${tool_shed_url}" />
+ <input type="hidden" name="tool_shed_url" value="${tool_shed_url|h}" /></div><div style="clear: both"></div><% readme_files_dict = containers_dict.get( 'readme_files', None ) %>
@@ -111,12 +111,12 @@
<label>Shed tool configuration file:</label>
${shed_tool_conf_select_field.get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${select_help}
+ ${select_help|h}
</div></div><div style="clear: both"></div>
%else:
- <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/>
+ <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/>
%endif
<div class="form-row"><input type="submit" name="select_shed_tool_panel_config_button" value="Install"/>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/select_tool_panel_section.mako
--- a/templates/admin/tool_shed_repository/select_tool_panel_section.mako
+++ b/templates/admin/tool_shed_repository/select_tool_panel_section.mako
@@ -111,16 +111,16 @@
<label>Shed tool configuration file:</label>
${shed_tool_conf_select_field.get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${select_help}
+ ${select_help|h}
</div></div><div style="clear: both"></div>
%else:
- <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/>
+ <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/>
%endif
<div class="form-row"><label>Add new tool panel section:</label>
- <input name="new_tool_panel_section_label" type="textfield" value="${new_tool_panel_section_label}" size="40"/>
+ <input name="new_tool_panel_section_label" type="textfield" value="${new_tool_panel_section_label|h}" size="40"/><div class="toolParamHelp" style="clear: both;">
Add a new tool panel section to contain the installed tools (optional).
</div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako
--- a/templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako
+++ b/templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako
@@ -43,10 +43,10 @@
install_dir = "This dependency's installation directory does not exist, click <b>Uninstall</b> to reset for installation."
%><tr>
- <td>${tool_dependency.name}</td>
- <td>${tool_dependency.version}</td>
- <td>${tool_dependency.type}</td>
- <td>${install_dir}</td>
+ <td>${tool_dependency.name|h}</td>
+ <td>${tool_dependency.version|h}</td>
+ <td>${tool_dependency.type|h}</td>
+ <td>${install_dir|h}</td></tr>
%endfor
</table>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/view_tool_metadata.mako
--- a/templates/admin/tool_shed_repository/view_tool_metadata.mako
+++ b/templates/admin/tool_shed_repository/view_tool_metadata.mako
@@ -11,7 +11,7 @@
%if tool_metadata:
<p/><div class="toolForm">
- <div class="toolFormTitle">${tool_metadata[ 'name' ]} tool metadata</div>
+ <div class="toolFormTitle">${tool_metadata[ 'name' ]|h} tool metadata</div><div class="toolFormBody"><div class="form-row"><table width="100%">
@@ -20,41 +20,41 @@
</div><div class="form-row"><label>Name:</label>
- ${tool_metadata[ 'name' ]}
+ ${tool_metadata[ 'name' ]|h}
<div style="clear: both"></div></div>
%if 'description' in tool_metadata:
<div class="form-row"><label>Description:</label>
- ${tool_metadata[ 'description' ]}
+ ${tool_metadata[ 'description' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'id' in tool_metadata:
<div class="form-row"><label>Id:</label>
- ${tool_metadata[ 'id' ]}
+ ${tool_metadata[ 'id' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'guid' in tool_metadata:
<div class="form-row"><label>Guid:</label>
- ${tool_metadata[ 'guid' ]}
+ ${tool_metadata[ 'guid' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'version' in tool_metadata:
<div class="form-row"><label>Version:</label>
- ${tool_metadata[ 'version' ]}
+ ${tool_metadata[ 'version' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'version_string_cmd' in tool_metadata:
<div class="form-row"><label>Version command string:</label>
- ${tool_metadata[ 'version_string_cmd' ]}
+ ${tool_metadata[ 'version_string_cmd' ]|h}
<div style="clear: both"></div></div>
%endif
@@ -70,9 +70,9 @@
<tr><td>
%if guid == tool_metadata[ 'guid' ]:
- ${guid} <b>(this tool)</b>
+ ${guid|h} <b>(this tool)</b>
%else:
- ${guid}
+ ${guid|h}
%endif
</td></tr>
@@ -109,9 +109,9 @@
requirement_type = requirement_dict[ 'type' ] or 'not provided'
%><tr>
- <td>${requirement_name}</td>
- <td>${requirement_version}</td>
- <td>${requirement_type}</td>
+ <td>${requirement_name|h}</td>
+ <td>${requirement_version|h}</td>
+ <td>${requirement_type|h}</td></tr>
%endfor
</table>
@@ -130,27 +130,27 @@
</div><div class="form-row"><label>Command:</label>
- <pre>${tool.command}</pre>
+ <pre>${tool.command|h}</pre><div style="clear: both"></div></div><div class="form-row"><label>Interpreter:</label>
- ${tool.interpreter}
+ ${tool.interpreter|h}
<div style="clear: both"></div></div><div class="form-row"><label>Is multi-byte:</label>
- ${tool.is_multi_byte}
+ ${tool.is_multi_byte|h}
<div style="clear: both"></div></div><div class="form-row"><label>Forces a history refresh:</label>
- ${tool.force_history_refresh}
+ ${tool.force_history_refresh|h}
<div style="clear: both"></div></div><div class="form-row"><label>Parallelism:</label>
- ${tool.parallelism}
+ ${tool.parallelism|h}
<div style="clear: both"></div></div>
%endif
@@ -181,20 +181,20 @@
required_files = test_dict[ 'required_files' ]
%><tr>
- <td>${test_dict[ 'name' ]}</td>
+ <td>${test_dict[ 'name' ]|h}</td><td>
%for input in inputs:
- <b>${input[0]}:</b> ${input[1]}<br/>
+ <b>${input[0]|h}:</b> ${input[1]|h}<br/>
%endfor
</td><td>
%for output in outputs:
- <b>${output[0]}:</b> ${output[1]}<br/>
+ <b>${output[0]|h}:</b> ${output[1]|h}<br/>
%endfor
</td><td>
%for required_file in required_files:
- ${required_file}<br/>
+ ${required_file|h}<br/>
%endfor
</td></tr>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/view_workflow.mako
--- a/templates/admin/tool_shed_repository/view_workflow.mako
+++ b/templates/admin/tool_shed_repository/view_workflow.mako
@@ -17,7 +17,7 @@
<%def name="render_workflow( workflow_name, repository_id )"><% center_url = h.url_for( controller='admin_toolshed', action='generate_workflow_image', workflow_name=tool_shed_encode( workflow_name ), repository_id=repository_id ) %>
- <iframe name="workflow_image" id="workflow_image" frameborder="0" style="position: absolute; width: 100%; height: 100%;" src="${center_url}"></iframe>
+ <iframe name="workflow_image" id="workflow_image" frameborder="0" style="position: absolute; width: 100%; height: 100%;" src="${center_url|h}"></iframe></%def>
${render_galaxy_repository_actions( repository )}
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/user/reset_password.mako
--- a/templates/admin/user/reset_password.mako
+++ b/templates/admin/user/reset_password.mako
@@ -13,7 +13,7 @@
%for user in users:
<div class="form-row"><label>Email:</label>
- ${user.email}
+ ${user.email|h}
<div style="clear: both"></div></div>
%endfor
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/user/user.mako
--- a/templates/admin/user/user.mako
+++ b/templates/admin/user/user.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">User '${user.email}'</div>
+ <div class="toolFormTitle">User '${user.email|h}'</div><div class="toolFormBody"><form name="associate_user_role_group" id="associate_user_role_group" action="${h.url_for(controller='admin', action='manage_roles_and_groups_for_user', id=trans.security.encode_id( user.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Roles associated with '${user.email}'</label>
+ <label>Roles associated with '${user.email|h}'</label>
${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div>
- <label>Roles not associated with '${user.email}'</label>
+ <label>Roles not associated with '${user.email|h}'</label>
${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${user.email}'</label>
+ <label>Groups associated with '${user.email|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${user.email}'</label>
+ <label>Groups not associated with '${user.email|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/view_datatypes_registry.mako
--- a/templates/admin/view_datatypes_registry.mako
+++ b/templates/admin/view_datatypes_registry.mako
@@ -37,16 +37,16 @@
%else:
<tr class="tr">
%endif
- <td>${datatype.extension}</td>
- <td>${datatype.dtype}</td>
+ <td>${datatype.extension|h}</td>
+ <td>${datatype.dtype|h}</td><td>
%if datatype.mimetype:
- ${datatype.mimetype}
+ ${datatype.mimetype|h}
%endif
</td><td>
%if datatype.display_in_upload:
- ${datatype.display_in_upload}
+ ${datatype.display_in_upload|h}
%endif
</td></tr>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/base.mako
--- a/templates/base.mako
+++ b/templates/base.mako
@@ -39,7 +39,7 @@
<script>
Raven.config('${app.config.sentry_dsn_public}').install();
%if trans.user:
- Raven.setUser( { email: "${trans.user.email}" } );
+ Raven.setUser( { email: "${trans.user.email|h}" } );
%endif
</script>
%endif
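Review bot: `Raven.setUser( { email: "${trans.user.email|h}" } );` places the e-mail in a JavaScript string literal, and `h` is an HTML escaper: it neutralises `"` and `<`, but a backslash or newline in the address still breaks the literal, and apostrophes reach Sentry as `&#39;` entities. Encode for the script context instead, e.g. `json_user = json.dumps( { 'email': trans.user.email } ).replace( '<', '\\u003c' )` in a `<% %>` block and `Raven.setUser( ${json_user} );`. galaxy.panels.mako later in this changeset carries the identical line.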
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/galaxy_client_app.mako
--- a/templates/galaxy_client_app.mako
+++ b/templates/galaxy_client_app.mako
@@ -70,11 +70,12 @@
## Return a dictionary of user or anonymous user data including:
## email, id, disk space used, quota percent, and tags used
<%
+ from markupsafe import escape
user_dict = {}
try:
if trans.user:
user_dict = trans.user.to_dict( view='element',
- value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float } )
+ value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float, 'email': escape, 'username': escape } )
user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans )
user_dict[ 'is_admin' ] = trans.user_is_admin()
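Review bot: `'username': escape` turns an unset username into the literal string `'None'`, because `markupsafe.escape(None)` returns `Markup('None')`; if `to_dict` applies `value_mapper` to `None` values (not visible in this hunk), clients then receive a bogus name. Guard it: `'username': lambda v: escape( v ) if v is not None else None`. More broadly, HTML-escaping values inside a dictionary that is presumably serialised to JSON for the client mixes encoding layers: the e-mail arrives with `&amp;`/`&#39;` entities already baked in and is escaped again by any client-side templating, so the cleaner contract is JSON encoding at the script boundary and escaping at the point of HTML output.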
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/user/index.mako
--- a/templates/user/index.mako
+++ b/templates/user/index.mako
@@ -2,7 +2,7 @@
%if trans.user:
<h2>${_('User preferences')}</h2>
- <p>You are currently logged in as ${trans.user.email}.</p>
+ <p>You are currently logged in as ${trans.user.email|h}.</p><ul>
%if t.webapp.name == 'galaxy':
%if not trans.app.config.use_remote_user:
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/webapps/galaxy/admin/tool_sheds.mako
--- a/templates/webapps/galaxy/admin/tool_sheds.mako
+++ b/templates/webapps/galaxy/admin/tool_sheds.mako
@@ -22,7 +22,7 @@
<tr class="libraryTitle"><td><div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${shed_id}-popup">
- <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">${name}</a>
+ <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">${name|h}</a></div><div popupmenu="dataset-${shed_id}-popup"><a class="action-button" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">Browse valid repositories</a>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/webapps/galaxy/dataset/errors.mako
--- a/templates/webapps/galaxy/dataset/errors.mako
+++ b/templates/webapps/galaxy/dataset/errors.mako
@@ -95,7 +95,7 @@
<input type="hidden" name="id" value="${trans.security.encode_id( hda.id)}" /><div class="form-row"><label>Your email</label>
- <input type="text" name="email" size="40" value="${user_email}" />
+ <input type="text" name="email" size="40" value="${user_email|h}" /></div><div class="form-row"><label>Message</label>
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/webapps/galaxy/galaxy.masthead.mako
--- a/templates/webapps/galaxy/galaxy.masthead.mako
+++ b/templates/webapps/galaxy/galaxy.masthead.mako
@@ -3,6 +3,7 @@
## masthead head generator
<%def name="load(active_view = None)"><%
+ from markupsafe import escape
## get configuration
masthead_config = {
## inject configuration
@@ -32,7 +33,7 @@
## user details
'user' : {
'requests' : bool(trans.user and (trans.user.requests or trans.app.security_agent.get_accessible_request_types(trans, trans.user))),
- 'email' : trans.user.email if (trans.user) else "",
+ 'email' : escape( trans.user.email ) if (trans.user) else "",
'valid' : bool(trans.user != None),
'json' : get_user_dict()
}
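Review bot: `escape( trans.user.email )` at the `'email'` entry escapes at data-construction time inside a dict whose sibling `'json' : get_user_dict()` stays raw, so the same address now travels in two different encodings. If `masthead_config` is emitted as JSON for client-side rendering that escapes on insertion (not visible in this hunk), the user will see `&amp;` or `&#39;` in their own address; HTML escaping belongs at the point where the string is inserted into markup, not in the data model. Consider keeping the dict raw and escaping at the render site, with a comment such as `## raw values: escape where they are inserted into HTML`. The enclosing `load` def starts outside the hunk.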
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/webapps/galaxy/galaxy.panels.mako
--- a/templates/webapps/galaxy/galaxy.panels.mako
+++ b/templates/webapps/galaxy/galaxy.panels.mako
@@ -49,7 +49,7 @@
<script>
Raven.config('${app.config.sentry_dsn_public}').install();
%if trans.user:
- Raven.setUser( { email: "${trans.user.email}" } );
+ Raven.setUser( { email: "${trans.user.email|h}" } );
%endif
</script>
%endif
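Review bot: `${trans.user.email|h}` on the `Raven.setUser` line applies HTML escaping inside a JavaScript string literal, which is the wrong encoding context: any `&`, quote or `<` in the address reaches Sentry as an HTML entity, and a trailing backslash still escapes the closing quote and leaves the script unparsable. Encode the value for JavaScript instead, e.g. `Raven.setUser( { email: ${ json.dumps( trans.user.email ) } } );` with `<% import json %>` earlier in the template, and replace `<` with `\u003c` in the result so a literal `</script>` cannot end the element. The same context mismatch appears in the dynatree strings of templates/admin/tool_shed_repository/common.mako in this commit.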
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/webapps/tool_shed/base_panels.mako
--- a/templates/webapps/tool_shed/base_panels.mako
+++ b/templates/webapps/tool_shed/base_panels.mako
@@ -91,7 +91,8 @@
%>
## User tabs.
- <%
+ <%
+ from markupsafe import escape
# Menu for user who is not logged in.
menu_options = [ [ _("Login"), h.url_for( controller='/user', action='login' ), "galaxy_main" ] ]
if app.config.allow_user_creation:
@@ -101,7 +102,7 @@
tab( "user", _("User"), None, visible=visible, menu_options=menu_options )
# Menu for user who is logged in.
if trans.user:
- email = trans.user.email
+ email = escape( trans.user.email )
else:
email = ""
menu_options = [ [ '<a>Logged in as <span id="user-email">%s</span></a>' % email ] ]
https://bitbucket.org/galaxy/galaxy-central/commits/ad38faf1b0b6/
Changeset: ad38faf1b0b6
Branch: stable
User: davebgx
Date: 2014-12-10 17:49:42+00:00
Summary: Revert html escaping in API controller, per input on pull request.
Affected #: 1 file
diff -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 -r ad38faf1b0b6768c31ed972ad5434079a2cd1225 lib/galaxy/webapps/galaxy/api/users.py
--- a/lib/galaxy/webapps/galaxy/api/users.py
+++ b/lib/galaxy/webapps/galaxy/api/users.py
@@ -11,7 +11,6 @@
from galaxy.web.base.controller import BaseAPIController, UsesTagsMixin
from galaxy.web.base.controller import CreatesApiKeysMixin
from galaxy.web.base.controller import CreatesUsersMixin
-from markupsafe import escape
log = logging.getLogger( __name__ )
@@ -39,10 +38,10 @@
query = query.filter( trans.app.model.User.table.c.deleted == False ) # noqa
# special case: user can see only their own user
if not trans.user_is_admin():
- item = trans.user.to_dict( value_mapper={ 'id': trans.security.encode_id, 'email': escape } )
+ item = trans.user.to_dict( value_mapper={ 'id': trans.security.encode_id } )
return [item]
for user in query:
- item = user.to_dict( value_mapper={ 'id': trans.security.encode_id, 'email': escape } )
+ item = user.to_dict( value_mapper={ 'id': trans.security.encode_id } )
# TODO: move into api_values
rval.append( item )
return rval
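Review bot: Nothing in the method now records that API payloads are returned unescaped on purpose and that HTML escaping is the consumer's job at render time, which is exactly the understanding this revert depends on; a comment above the first `to_dict` call, `# JSON API output is not HTML-escaped; consumers escape at the point of rendering`, would keep the escape from being re-added here later. Separately, the non-admin branch calls `trans.user.to_dict( ... )` on the new side without checking that `trans.user` is set; if this endpoint can be reached without a session (not determinable from the hunk), that is an `AttributeError` rather than a clean 4xx. The enclosing method starts outside the hunk.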
@@ -79,9 +78,7 @@
else:
raise HTTPBadRequest( detail='Invalid user id ( %s ) specified' % id )
item = user.to_dict( view='element', value_mapper={ 'id': trans.security.encode_id,
- 'total_disk_usage': float,
- 'email': escape,
- 'username': escape } )
+ 'total_disk_usage': float } )
# add a list of tags used by the user (as strings)
item[ 'tags_used' ] = self.get_user_tags_used( trans, user=user )
# TODO: move into api_values (needs trans, tho - can we do that with api_keys/@property??)
https://bitbucket.org/galaxy/galaxy-central/commits/f0f1f78b54c5/
Changeset: f0f1f78b54c5
Branch: stable
User: dannon
Date: 2014-12-11 14:50:35+00:00
Summary: Merged in davebgx/galaxy-central/stable (pull request #603)
[STABLE] Escape anything that could be user input in my assigned mako templates, add markupsafe.escape to username and email in users API controller.
Affected #: 46 files
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/group/group.mako
--- a/templates/admin/dataset_security/group/group.mako
+++ b/templates/admin/dataset_security/group/group.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Group '${group.name}'</div>
+ <div class="toolFormTitle">Group '${group.name|h}'</div><div class="toolFormBody"><form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='manage_users_and_roles_for_group', id=trans.security.encode_id( group.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Roles associated with '${group.name}'</label>
+ <label>Roles associated with '${group.name|h}'</label>
${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div>
- <label>Roles not associated with '${group.name}'</label>
+ <label>Roles not associated with '${group.name|h}'</label>
${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${group.name}'</label>
+ <label>Users associated with '${group.name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${group.name}'</label>
+ <label>Users not associated with '${group.name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/group/group_create.mako
--- a/templates/admin/dataset_security/group/group_create.mako
+++ b/templates/admin/dataset_security/group/group_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -60,7 +60,7 @@
<form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='create_group' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;">
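Review bot: The rewritten `<input name="name" type="textfield" value="${name|h}" size=40"/>` keeps a pre-existing markup error: `size=40"` is an unquoted attribute value followed by a stray double quote, which browsers recover from differently and which makes the tag's parse unpredictable. Since the line is being touched anyway, write `size="40"`. The same `size=40"` is carried into the rewritten lines of templates/admin/dataset_security/role/role_create.mako, role_rename.mako, templates/admin/quota/quota_create.mako, quota_edit.mako and quota_rename.mako in this commit.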
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/group/group_rename.mako
--- a/templates/admin/dataset_security/group/group_rename.mako
+++ b/templates/admin/dataset_security/group/group_rename.mako
@@ -12,7 +12,7 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${group.name}" size="40"/>
+ <input type="text" name="name" value="${group.name|h}" size="40"/></div><div style="clear: both"></div></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/role/role.mako
--- a/templates/admin/dataset_security/role/role.mako
+++ b/templates/admin/dataset_security/role/role.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Role '${role.name}'</div>
+ <div class="toolFormTitle">Role '${role.name|h}'</div><div class="toolFormBody"><form name="associate_role_user_group" id="associate_role_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_role', id=trans.security.encode_id( role.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${role.name}'</label>
+ <label>Users associated with '${role.name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${role.name}'</label>
+ <label>Users not associated with '${role.name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${role.name}'</label>
+ <label>Groups associated with '${role.name|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${role.name}'</label>
+ <label>Groups not associated with '${role.name|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
@@ -84,7 +84,7 @@
<br clear="left"/><br/>
%if len( library_dataset_actions ) > 0:
- <h3>Data library datasets associated with role '${role.name}'</h3>
+ <h3>Data library datasets associated with role '${role.name|h}'</h3><table class="manage-table colored" border="0" cellspacing="0" cellpadding="0" width="100%"><tr><td>
@@ -92,16 +92,16 @@
%for ctr, library, in enumerate( library_dataset_actions.keys() ):
<li><img src="${h.url_for( '/static/images/silk/book_open.png' )}" class="rowIcon"/>
- ${library.name}
+ ${library.name|h}
<ul>
%for folder_path, permissions in library_dataset_actions[ library ].items():
<li><img src="/static/images/silk/folder_page.png" class="rowIcon"/>
- ${folder_path}
+ ${folder_path|h}
<ul>
% for permission in permissions:
<ul>
- <li>${permission}</li>
+ <li>${permission|h}</li></ul>
%endfor
</ul>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/role/role_create.mako
--- a/templates/admin/dataset_security/role/role_create.mako
+++ b/templates/admin/dataset_security/role/role_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -60,11 +60,11 @@
<form name="associate_role_group_user" id="associate_role_group_user" action="${h.url_for(controller='admin', action='create_role' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label>
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;">
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/role/role_rename.mako
--- a/templates/admin/dataset_security/role/role_rename.mako
+++ b/templates/admin/dataset_security/role/role_rename.mako
@@ -12,14 +12,14 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${role.name}" size="40"/>
+ <input type="text" name="name" value="${role.name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input name="description" type="textfield" value="${role.description}" size=40"/>
+ <input name="description" type="textfield" value="${role.description|h}" size=40"/></div><div style="clear: both"></div></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/external_service/create_external_service.mako
--- a/templates/admin/external_service/create_external_service.mako
+++ b/templates/admin/external_service/create_external_service.mako
@@ -12,10 +12,10 @@
%if widgets:
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field['label']}:</label>
+ <label>${field['label']|h}:</label>
${field['widget'].get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${field['helptext']}
+ ${field['helptext']|h}
</div><div style="clear: both"></div></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/external_service/edit_external_service.mako
--- a/templates/admin/external_service/edit_external_service.mako
+++ b/templates/admin/external_service/edit_external_service.mako
@@ -25,10 +25,10 @@
<div class="toolFormTitle">Edit external service</div>
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field['label']}:</label>
+ <label>${field['label']|h}:</label>
${field['widget'].get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${field['helptext']}
+ ${field['helptext']|h}
</div><div style="clear: both"></div></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/jobs.mako
--- a/templates/admin/jobs.mako
+++ b/templates/admin/jobs.mako
@@ -63,12 +63,12 @@
</td><td>${job.id}</td>
%if job.history and job.history.user:
- <td>${job.history.user.email}</td>
+ <td>${job.history.user.email|h}</td>
%else:
<td>anonymous</td>
%endif
<td>${last_updated[job.id]} ago</td>
- <td>${job.tool_id}</td>
+ <td>${job.tool_id|h}</td><td>${job.state}</td><%
try:
@@ -77,8 +77,8 @@
inputs = 'Unable to determine inputs'
%><td>${inputs}</td>
- <td>${job.command_line}</td>
- <td>${job.job_runner_name}</td>
+ <td>${job.command_line|h}</td>
+ <td>${job.job_runner_name|h}</td><td>${job.job_runner_external_id}</td></tr>
%endfor
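Review bot: `<td>${inputs}</td>` stays unescaped while the adjacent `command_line` and `job_runner_name` cells now get `|h`; `inputs` is assembled in the `try` block that starts outside the hunk, and if it is built from dataset names or parameter values it is user-controlled text rendered into an admin page. Change it to `<td>${inputs|h}</td>`; the same cell recurs in the `recent_jobs` table at the `@@ -145,9 +145,9 @@` hunk of this file.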
@@ -131,12 +131,12 @@
%for job in recent_jobs:
<td><a href="${h.url_for( controller="admin", action="job_info" )}?jobid=${job.id}">${job.id}</a></td>
%if job.history and job.history.user:
- <td>${job.history.user.email}</td>
+ <td>${job.history.user.email|h}</td>
%else:
<td>anonymous</td>
%endif
<td>${finished[job.id]} ago</td>
- <td>${job.tool_id}</td>
+ <td>${job.tool_id|h}</td><td>${job.state}</td><%
try:
@@ -145,9 +145,9 @@
inputs = 'Unable to determine inputs'
%><td>${inputs}</td>
- <td>${job.command_line}</td>
- <td>${job.job_runner_name}</td>
- <td>${job.job_runner_external_id}</td>
+ <td>${job.command_line|h}</td>
+ <td>${job.job_runner_name|h}</td>
+ <td>${job.job_runner_external_id|h}</td></tr>
%endfor
</table>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/memdump.mako
--- a/templates/admin/memdump.mako
+++ b/templates/admin/memdump.mako
@@ -55,7 +55,7 @@
<br/>
You are here: ${breadcrumb}<br/>
%if breadcrumb.endswith( 'theone' ):
- ${heap}
+ ${heap|h}
%else:
<nobr>
Sort:
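Review bot: `You are here: ${breadcrumb}<br/>` two lines above the change is still unescaped while `${heap}` now gets `|h`; `breadcrumb` is string-tested with `endswith` and appears to be request-derived, so it should receive the same treatment, `You are here: ${breadcrumb|h}<br/>`. If it is built only from fixed server-side tokens (not visible here), this is a consistency point rather than a defect.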
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/package_tool.mako
--- a/templates/admin/package_tool.mako
+++ b/templates/admin/package_tool.mako
@@ -28,9 +28,9 @@
<select name="tool_id">
%for key, val in toolbox.tool_panel.items():
%if isinstance( val, Tool ):
- <option value="${val.id}">${val.name}</option>
+ <option value="${val.id|h}">${val.name|h}</option>
%elif isinstance( val, ToolSection ):
- <optgroup label="${val.name}">
+ <optgroup label="${val.name|h}"><% section = val %>
%for section_key, section_val in section.elems.items():
%if isinstance( section_val, Tool ):
@@ -38,7 +38,7 @@
%if section_val.id == tool_id:
<% selected_str = " selected=\"selected\"" %>
%endif
- <option value="${section_val.id}"${selected_str}>${section_val.name}</option>
+ <option value="${section_val.id|h}"${selected_str}>${section_val.name|h}</option>
%endif
%endfor
%endif
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota.mako
--- a/templates/admin/quota/quota.mako
+++ b/templates/admin/quota/quota.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Quota '${name}'</div>
+ <div class="toolFormTitle">Quota '${name|h}'</div><div class="toolFormBody"><form name="associate_quota_user_group" id="associate_quota_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_quota', id=id )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Users associated with '${name}'</label>
+ <label>Users associated with '${name|h}'</label>
${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div>
- <label>Users not associated with '${name}'</label>
+ <label>Users not associated with '${name|h}'</label>
${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${name}'</label>
+ <label>Groups associated with '${name|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${name}'</label>
+ <label>Groups not associated with '${name|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota_create.mako
--- a/templates/admin/quota/quota_create.mako
+++ b/templates/admin/quota/quota_create.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -69,15 +69,15 @@
<form name="associate_quota_group_user" id="associate_quota_group_user" action="${h.url_for(controller='admin', action='create_quota' )}" method="post" ><div class="form-row"><label>Name:</label>
- <input name="name" type="textfield" value="${name}" size=40"/>
+ <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label>
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><label>Amount</label>
- <input name="amount" type="textfield" value="${amount}" size=40"/>
+ <input name="amount" type="textfield" value="${amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;">
Examples: "10000MB", "99 gb", "0.2T", "unlimited"
</div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota_edit.mako
--- a/templates/admin/quota/quota_edit.mako
+++ b/templates/admin/quota/quota_edit.mako
@@ -29,7 +29,7 @@
<input name="id" type="hidden" value="${id}"/><div class="form-row"><label>Amount</label>
- <input name="amount" type="textfield" value="${display_amount}" size=40"/>
+ <input name="amount" type="textfield" value="${display_amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;">
Examples: "10000MB", "99 gb", "0.2T", "unlimited"
</div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota_rename.mako
--- a/templates/admin/quota/quota_rename.mako
+++ b/templates/admin/quota/quota_rename.mako
@@ -21,14 +21,14 @@
<div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="name" value="${name}" size="40"/>
+ <input type="text" name="name" value="${name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input name="description" type="textfield" value="${description}" size=40"/>
+ <input name="description" type="textfield" value="${description|h}" size=40"/></div><div style="clear: both"></div></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/reload_tool.mako
--- a/templates/admin/reload_tool.mako
+++ b/templates/admin/reload_tool.mako
@@ -28,9 +28,9 @@
<select name="tool_id">
%for key, val in toolbox.tool_panel.items():
%if isinstance( val, Tool ):
- <option value="${val.id}">${val.name}</option>
+ <option value="${val.id}">${val.name|h}</option>
%elif isinstance( val, ToolSection ):
- <optgroup label="${val.name}">
+ <optgroup label="${val.name|h}"><% section = val %>
%for section_key, section_val in section.elems.items():
%if isinstance( section_val, Tool ):
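Review bot: `<option value="${val.id}">${val.name|h}</option>` leaves the tool id unescaped, whereas the identical line in templates/admin/package_tool.mako in this same commit escapes it as `${val.id|h}`; both values come from the same tool definitions, so the two templates should agree. Apply `|h` here and to `${section_val.id}` in the next hunk (`@@ -38,7 +38,7 @@`) of this file.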
@@ -38,7 +38,7 @@
%if section_val.id == tool_id:
<% selected_str = " selected=\"selected\"" %>
%endif
- <option value="${section_val.id}"${selected_str}>${section_val.name}</option>
+ <option value="${section_val.id}"${selected_str}>${section_val.name|h}</option>
%endif
%endfor
%endif
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/review_tool_migration_stages.mako
--- a/templates/admin/review_tool_migration_stages.mako
+++ b/templates/admin/review_tool_migration_stages.mako
@@ -4,7 +4,9 @@
%if message:
${render_msg( message, status )}
%endif
-
+<%
+from markupsafe import escape
+%><div class="toolForm"><div class="toolFormTitle">Tool migrations that can be performed on this Galaxy instance</div><div class="toolFormBody">
@@ -51,7 +53,7 @@
repository_names.sort()
repository_names = ', '.join( repository_names )
%>
- <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names}</b></td></tr>
+ <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names|h}</b></td></tr><tr><td bgcolor="#FFFFCC"><div class="form-row">
@@ -59,11 +61,11 @@
<p>
%if tool_dependencies:
This migration stage includes tools that have tool dependencies that can be automatically installed. To install them, run:<br/>
- <b>${install_dependencies}</b><br/><br/>
+ <b>${install_dependencies|h}</b><br/><br/>
To skip tool dependency installation run:<br/>
- <b>${migration_command}</b>
+ <b>${migration_command|h}</b>
%else:
- <b>${migration_command}</b>
+ <b>${migration_command|h}</b>
%endif
</p></div>
@@ -74,7 +76,7 @@
<tr><td bgcolor="#DADFEF"><div class="form-row">
- <b>Repository:</b> ${repository_name}
+ <b>Repository:</b> ${repository_name|h}
</div></td></tr>
@@ -88,10 +90,10 @@
</tr>
%for tool_dependencies_tup in tool_dependencies:
<%
- tool_dependency_name = tool_dependencies_tup[0]
- tool_dependency_version = tool_dependencies_tup[1]
- tool_dependency_type = tool_dependencies_tup[2]
- installation_requirements = tool_dependencies_tup[3].replace( '\n', '<br/>' )
+ tool_dependency_name = escape( tool_dependencies_tup[0] )
+ tool_dependency_version = escape( tool_dependencies_tup[1] )
+ tool_dependency_type = escape( tool_dependencies_tup[2] )
+ installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )
%><tr><td>
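Review bot: `escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )` no longer produces line breaks: `escape()` returns a `Markup` object, and `Markup.replace` escapes its arguments, so the replacement is emitted as the literal text `&lt;br/&gt;`. Pass the replacement as markup, `installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', Markup( '<br/>' ) )`, and widen the import added earlier in this file to `from markupsafe import escape, Markup`. The `%for tool_dependencies_tup in tool_dependencies:` loop enclosing this block continues past the hunk.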
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/browse_repository.mako
--- a/templates/admin/tool_shed_repository/browse_repository.mako
+++ b/templates/admin/tool_shed_repository/browse_repository.mako
@@ -21,7 +21,7 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Browse ${repository.name} revision ${repository.changeset_revision} files</div>
+ <div class="toolFormTitle">Browse ${repository.name|h} revision ${repository.changeset_revision} files</div><div class="toolFormBody"><div class="form-row" ><label>Contents:</label>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/browse_tool_dependency.mako
--- a/templates/admin/tool_shed_repository/browse_tool_dependency.mako
+++ b/templates/admin/tool_shed_repository/browse_tool_dependency.mako
@@ -23,33 +23,33 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name} installation directory</div>
+ <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name|h} installation directory</div><div class="toolFormBody"><div class="form-row" ><label>Tool shed repository:</label>
- ${repository.name}
+ ${repository.name|h}
<div style="clear: both"></div></div><div class="form-row" ><label>Tool shed repository changeset revision:</label>
- ${repository.changeset_revision}
+ ${repository.changeset_revision|h}
<div style="clear: both"></div></div><div class="form-row" ><label>Tool dependency status:</label>
- ${tool_dependency.status}
+ ${tool_dependency.status|h}
<div style="clear: both"></div></div>
%if tool_dependency.in_error_state:
<div class="form-row" ><label>Tool dependency installation error:</label>
- ${tool_dependency.error_message}
+ ${tool_dependency.error_message|h}
<div style="clear: both"></div></div>
%endif
<div class="form-row" ><label>Tool dependency installation directory:</label>
- ${tool_dependency.installation_directory( trans.app )}
+ ${tool_dependency.installation_directory( trans.app )|h}
<div style="clear: both"></div></div><div class="form-row" >
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/common.mako
--- a/templates/admin/tool_shed_repository/common.mako
+++ b/templates/admin/tool_shed_repository/common.mako
@@ -8,7 +8,7 @@
});
// --- Initialize sample trees
$("#tree").dynatree({
- title: "${title_text}",
+ title: "${title_text|h}",
rootVisible: true,
minExpandLevel: 0, // 1: root node is not collapsible
persist: false,
@@ -24,7 +24,7 @@
// initAjax is hard to fake, so we pass the children as object array:
initAjax: {url: "${h.url_for( controller='admin_toolshed', action='open_folder' )}",
dataType: "json",
- data: { folder_path: "${directory_path}" },
+ data: { folder_path: "${directory_path|h}" },
},
onLazyRead: function(dtnode){
dtnode.appendAjax({
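Review bot: `data: { folder_path: "${directory_path|h}" }` HTML-escapes a filesystem path inside a JavaScript string literal and then sends it back to the `open_folder` action: a path containing `&`, `'` or `"` is posted as entity text (`&amp;`, `&#39;`, `&#34;`) and will not resolve on the server, so this is a functional regression as well as the wrong encoding context. The same applies to `title: "${title_text|h}"` in the first hunk and `selected_value = "${directory_path|h}/"` in the next one. Encode these for JavaScript instead, e.g. `data: { folder_path: ${ json.dumps( directory_path ) } },` with `<% import json %>` at the top of the template, replacing `<` with `\u003c` in the output if the values can contain it.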
@@ -45,7 +45,7 @@
var cell = $("#file_contents");
var selected_value;
if (dtnode.data.key == 'root') {
- selected_value = "${directory_path}/";
+ selected_value = "${directory_path|h}/";
} else {
selected_value = dtnode.data.key;
};
@@ -81,6 +81,7 @@
line-break:strict; }
</style><%
+ from markupsafe import escape
class RowCounter( object ):
def __init__( self ):
self.count = 0
@@ -96,7 +97,7 @@
env_settings_heaader_row_displayed = False
package_header_row_displayed = False
if revision_label:
- revision_label_str = ' revision <b>%s</b> of ' % str( revision_label )
+ revision_label_str = ' revision <b>%s</b> of ' % escape( str( revision_label ) )
else:
revision_label_str = ' '
%>
@@ -104,7 +105,7 @@
<div class="toolParamHelp" style="clear: both;"><p>
%if export:
- The following additional repositories are required by${revision_label_str}the <b>${repository.name}</b> repository
+ The following additional repositories are required by${revision_label_str}the <b>${repository.name|h}</b> repository
and they can be exported as well.
%else:
These dependencies can be automatically handled with${revision_label_str}the installed repository, providing significant
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako
--- a/templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako
+++ b/templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako
@@ -10,30 +10,30 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">${repository.name}</div>
+ <div class="toolFormTitle">${repository.name|h}</div><div class="toolFormBody"><form name="deactivate_or_uninstall_repository" id="deactivate_or_uninstall_repository" action="${h.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><div class="form-row"><label>Description:</label>
- ${repository.description}
+ ${repository.description|h}
<div style="clear: both"></div></div><div class="form-row"><label>Revision:</label>
- ${repository.changeset_revision}</a>
+ ${repository.changeset_revision|h}</a></div><div class="form-row"><label>Tool shed:</label>
- ${repository.tool_shed}
+ ${repository.tool_shed|h}
<div style="clear: both"></div></div><div class="form-row"><label>Owner:</label>
- ${repository.owner}
+ ${repository.owner|h}
</div><div class="form-row"><label>Deleted:</label>
- ${repository.deleted}
+ ${repository.deleted|h}
</div><div class="form-row"><%
@@ -186,7 +186,7 @@
##hack to mimic check box
<input type="hidden" name="remove_from_disk" value="true"/><input type="hidden" name="remove_from_disk" value="true"/>
%endif
- <input type="submit" name="deactivate_or_uninstall_repository_button" value="${deactivate_uninstall_button_text}"/>
+ <input type="submit" name="deactivate_or_uninstall_repository_button" value="${deactivate_uninstall_button_text|h}"/></div></form></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/initiate_repository_installation.mako
--- a/templates/admin/tool_shed_repository/initiate_repository_installation.mako
+++ b/templates/admin/tool_shed_repository/initiate_repository_installation.mako
@@ -53,18 +53,18 @@
<td>
%if link_to_manage_tool_dependencies:
<a class="view-info" href="${h.url_for( controller='admin_toolshed', action='manage_tool_dependencies', tool_dependency_ids=ids_of_tool_dependencies_missing_or_being_installed )}">
- ${tool_shed_repository.name}
+ ${tool_shed_repository.name|h}
</a>
%else:
<a class="view-info" href="${h.url_for( controller='admin_toolshed', action='manage_repository', id=encoded_repository_id )}">
- ${tool_shed_repository.name}
+ ${tool_shed_repository.name|h}
</a>
%endif
</td><td>${tool_shed_repository.description}</td><td>${tool_shed_repository.owner}</td><td>${tool_shed_repository.changeset_revision}</td>
- <td><div id="RepositoryStatus-${encoded_repository_id}">${tool_shed_repository.status}</div></td>
+ <td><div id="RepositoryStatus-${encoded_repository_id}">${tool_shed_repository.status|h}</div></td></tr>
%endfor
</table>
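Review bot: `<td>${tool_shed_repository.description}</td><td>${tool_shed_repository.owner}</td><td>${tool_shed_repository.changeset_revision}</td>` stays unescaped between the `name` and `status` cells that now get `|h`; description and owner are supplied by the remote tool shed, the same origin as the name, so escaping only part of the row is inconsistent. Add `|h` to all three cells, e.g. `<td>${tool_shed_repository.description|h}</td><td>${tool_shed_repository.owner|h}</td><td>${tool_shed_repository.changeset_revision|h}</td>`. The `%for` loop enclosing the row starts outside the hunk.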
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako
--- a/templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako
+++ b/templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako
@@ -20,12 +20,12 @@
<div class="toolForm"><div class="toolFormBody"><form name="install_tool_dependencies_with_update" id="install_tool_dependencies_with_update" action="${h.url_for( controller='admin_toolshed', action='install_tool_dependencies_with_update' )}" method="post" >
- <input type="hidden" name="updating_repository_id" value="${updating_repository_id}"/>
- <input type="hidden" name="updating_to_ctx_rev" value="${updating_to_ctx_rev}"/>
- <input type="hidden" name="updating_to_changeset_revision" value="${updating_to_changeset_revision}"/>
- <input type="hidden" name="encoded_updated_metadata" value="${encoded_updated_metadata}"/>
- <input type="hidden" name="encoded_relative_install_dir" value="${encoded_relative_install_dir}"/>
- <input type="hidden" name="encoded_tool_dependencies_dict" value="${encoded_tool_dependencies_dict}"/>
+ <input type="hidden" name="updating_repository_id" value="${updating_repository_id|h}"/>
+ <input type="hidden" name="updating_to_ctx_rev" value="${updating_to_ctx_rev|h}"/>
+ <input type="hidden" name="updating_to_changeset_revision" value="${updating_to_changeset_revision|h}"/>
+ <input type="hidden" name="encoded_updated_metadata" value="${encoded_updated_metadata|h}"/>
+ <input type="hidden" name="encoded_relative_install_dir" value="${encoded_relative_install_dir|h}"/>
+ <input type="hidden" name="encoded_tool_dependencies_dict" value="${encoded_tool_dependencies_dict|h}"/>
%if tool_dependencies_dict:
%if install_tool_dependencies_check_box is not None:
<div class="form-row">
@@ -71,12 +71,12 @@
%>
%if not os.path.exists( install_dir ):
<tr>
- <td>${key_name}</td>
- <td>${key_version}</td>
- <td>${install_dir}</td>
+ <td>${key_name|h}</td>
+ <td>${key_version|h}</td>
+ <td>${install_dir|h}</td></tr>
%if readme_text:
- <tr><td colspan="4" bgcolor="#FFFFCC">${key_name} ${key_version} requirements and installation information</td></tr>
+ <tr><td colspan="4" bgcolor="#FFFFCC">${key_name|h} ${key_version|h} requirements and installation information</td></tr><tr><td colspan="4"><pre>${readme_text}</pre></td></tr>
%endif
%endif
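Review bot: `${readme_text}` inside the `<pre>` on the added row is still emitted unescaped, while `key_name` and `key_version` right beside it now get `|h`. If the readme is meant to be shown as plain text, which the `<pre>` suggests, it should read `<pre>${readme_text|h}</pre>`; if it is intentionally raw HTML, a comment naming the sanitizer it has already passed through would be worth adding, since the text originates in the repository being installed. The enclosing loop and `<% %>` block begin before the hunk.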
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/manage_repository.mako
--- a/templates/admin/tool_shed_repository/manage_repository.mako
+++ b/templates/admin/tool_shed_repository/manage_repository.mako
@@ -22,50 +22,50 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Installed tool shed repository '${repository.name}'</div>
+ <div class="toolFormTitle">Installed tool shed repository '${repository.name|h}'</div><div class="toolFormBody"><form name="edit_repository" id="edit_repository" action="${h.url_for( controller='admin_toolshed', action='manage_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><div class="form-row"><label>Tool shed:</label>
- ${repository.tool_shed}
+ ${repository.tool_shed|h}
<div style="clear: both"></div></div><div class="form-row"><label>Name:</label>
- ${repository.name}
+ ${repository.name|h}
<div style="clear: both"></div></div><div class="form-row"><label>Description:</label>
%if in_error_state:
- ${description}
+ ${description|h}
%else:
- <input name="description" type="textfield" value="${description}" size="80"/>
+ <input name="description" type="textfield" value="${description|h}" size="80"/>
%endif
<div style="clear: both"></div></div><div class="form-row"><label>Revision:</label>
- ${repository.changeset_revision}
+ ${repository.changeset_revision|h}
</div><div class="form-row"><label>Owner:</label>
- ${repository.owner}
+ ${repository.owner|h}
</div>
%if in_error_state:
<div class="form-row"><label>Repository installation error:</label>
- ${repository.error_message}
+ ${repository.error_message|h}
</div>
%else:
<div class="form-row"><label>Location:</label>
- ${repo_files_dir}
+ ${repo_files_dir|h}
</div>
%endif
<div class="form-row"><label>Deleted:</label>
- ${repository.deleted}
+ ${repository.deleted|h}
</div>
%if not in_error_state:
<div class="form-row">
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako
--- a/templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako
+++ b/templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako
@@ -20,7 +20,7 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Tool shed repository '${repository.name}' tool dependencies</div>
+ <div class="toolFormTitle">Tool shed repository '${repository.name|h}' tool dependencies</div><%
can_install = False
can_uninstall = False
@@ -48,16 +48,16 @@
<td>
%if tool_dependency.status not in [ trans.install_model.ToolDependency.installation_status.UNINSTALLED ]:
<a target="galaxy_main" href="${h.url_for( controller='admin_toolshed', action='manage_repository_tool_dependencies', operation='browse', tool_dependency_ids=trans.security.encode_id( tool_dependency.id ), repository_id=trans.security.encode_id( repository.id ) )}">
- ${tool_dependency.name}
+ ${tool_dependency.name|h}
</a>
%else:
- ${tool_dependency.name}
+ ${tool_dependency.name|h}
%endif
</td>
- <td>${tool_dependency.version}</td>
- <td>${tool_dependency.type}</td>
- <td>${tool_dependency.status}</td>
- <td>${error_message}</td>
+ <td>${tool_dependency.version|h}</td>
+ <td>${tool_dependency.type|h}</td>
+ <td>${tool_dependency.status|h}</td>
+ <td>${error_message|h}</td></tr>
%endfor
</table>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/purge_repository_confirmation.mako
--- a/templates/admin/tool_shed_repository/purge_repository_confirmation.mako
+++ b/templates/admin/tool_shed_repository/purge_repository_confirmation.mako
@@ -19,14 +19,14 @@
<div class="warningmessage"><p>
- Purging the repository named <b>${repository.name}</b> will result in deletion of all records for the
+ Purging the repository named <b>${repository.name|h}</b> will result in deletion of all records for the
following associated items from the database. Click the <b>Purge</b> button to purge this repository
and its associated items.
</p></div><div class="toolForm">
- <div class="toolFormTitle">Purge tool shed repository <b>${repository.name}</b></div>
+ <div class="toolFormTitle">Purge tool shed repository <b>${repository.name|h}</b></div><form name="purge_repository" id="purge_repository" action="${h.url_for( controller='admin_toolshed', action='purge_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><%
tool_versions = 0
@@ -59,11 +59,11 @@
orphan_repository_dependency_records += 1
%><table class="grid">
- <tr><td>Tool version records</td><td>${tool_versions}</td><tr>
- <tr><td>Tool dependency records</td><td>${tool_dependencies}</td><tr>
- <tr><td>Repository dependency records</td><td>${required_repositories}</td><tr>
- <tr><td>Orphan repository_repository_dependency_association records</td><td>${orphan_repository_repository_dependency_association_records}</td><tr>
- <tr><td>Orphan repository_dependency records</td><td>${orphan_repository_dependency_records}</td><tr>
+ <tr><td>Tool version records</td><td>${tool_versions|h}</td><tr>
+ <tr><td>Tool dependency records</td><td>${tool_dependencies|h}</td><tr>
+ <tr><td>Repository dependency records</td><td>${required_repositories|h}</td><tr>
+ <tr><td>Orphan repository_repository_dependency_association records</td><td>${orphan_repository_repository_dependency_association_records|h}</td><tr>
+ <tr><td>Orphan repository_dependency records</td><td>${orphan_repository_dependency_records|h}</td><tr></table><div style="clear: both"></div><div class="form-row">
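Review bot: Each of the five rewritten summary rows still ends with an opening `<tr>` instead of `</tr>`, so the table emits five dangling empty rows; since the commit touches every one of these lines it could close them properly, e.g. `<tr><td>Tool version records</td><td>${tool_versions|h}</td></tr>`. The counters such as `tool_versions` are integers incremented in the template's `<% %>` block, so `|h` is harmless here but does no work.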
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/repair_repository.mako
--- a/templates/admin/tool_shed_repository/repair_repository.mako
+++ b/templates/admin/tool_shed_repository/repair_repository.mako
@@ -37,9 +37,9 @@
</div><div class="toolForm">
- <div class="toolFormTitle">Repair tool shed repository <b>${repository.name}</b></div>
+ <div class="toolFormTitle">Repair tool shed repository <b>${repository.name|h}</b></div><form name="repair_repository" id="repair_repository" action="${h.url_for( controller='admin_toolshed', action='repair_repository', id=trans.security.encode_id( repository.id ) )}" method="post" >
- <input type="hidden" name="repair_dict" value="${encoded_repair_dict}"/>
+ <input type="hidden" name="repair_dict" value="${encoded_repair_dict|h}"/><%
from tool_shed.util.shed_util_common import get_tool_shed_repository_status_label
ordered_repo_info_dicts = repair_dict.get( 'ordered_repo_info_dicts', [] )
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/repository_installation_status.mako
--- a/templates/admin/tool_shed_repository/repository_installation_status.mako
+++ b/templates/admin/tool_shed_repository/repository_installation_status.mako
@@ -1,5 +1,6 @@
<%def name="render_repository_status( repository )"><%
+ from markupsafe import escape
if repository.status in [ trans.install_model.ToolShedRepository.installation_status.CLONING,
trans.install_model.ToolShedRepository.installation_status.SETTING_TOOL_VERSIONS,
trans.install_model.ToolShedRepository.installation_status.INSTALLING_TOOL_DEPENDENCIES,
@@ -20,7 +21,7 @@
else:
bgcolor = trans.install_model.ToolShedRepository.states.ERROR
rval = '<div class="count-box state-color-%s" id="RepositoryStatus-%s">' % ( bgcolor, trans.security.encode_id( repository.id ) )
- rval += '%s</div>' % repository.status
+ rval += '%s</div>' % escape( repository.status )
return rval
%>
${rval}
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/reselect_tool_panel_section.mako
--- a/templates/admin/tool_shed_repository/reselect_tool_panel_section.mako
+++ b/templates/admin/tool_shed_repository/reselect_tool_panel_section.mako
@@ -62,12 +62,12 @@
<label>Shed tool configuration file:</label>
${shed_tool_conf_select_field.get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${select_help}
+ ${select_help|h}
</div></div><div style="clear: both"></div>
%else:
- <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/>
+ <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/>
%endif
%if includes_tools_for_display_in_tool_panel:
<div style="clear: both"></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako
--- a/templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako
+++ b/templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako
@@ -71,7 +71,7 @@
<input type="hidden" name="includes_tools" value="${includes_tools}" /><input type="hidden" name="includes_tool_dependencies" value="${includes_tool_dependencies}" /><input type="hidden" name="includes_tools_for_display_in_tool_panel" value="${includes_tools_for_display_in_tool_panel}" />
- <input type="hidden" name="tool_shed_url" value="${tool_shed_url}" />
+ <input type="hidden" name="tool_shed_url" value="${tool_shed_url|h}" /></div><div style="clear: both"></div><% readme_files_dict = containers_dict.get( 'readme_files', None ) %>
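Review bot: The three hidden inputs on the context line above (`includes_tools`, `includes_tool_dependencies`, `includes_tools_for_display_in_tool_panel`) are still interpolated without `|h`, whereas `tool_shed_url` on the same form now is. If these values are echoed back from request parameters rather than computed as booleans in the controller, they need the same filter, e.g. `value="${includes_tools|h}"`. The enclosing form starts before the hunk.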
@@ -111,12 +111,12 @@
<label>Shed tool configuration file:</label>
${shed_tool_conf_select_field.get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${select_help}
+ ${select_help|h}
</div></div><div style="clear: both"></div>
%else:
- <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/>
+ <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/>
%endif
<div class="form-row"><input type="submit" name="select_shed_tool_panel_config_button" value="Install"/>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/select_tool_panel_section.mako
--- a/templates/admin/tool_shed_repository/select_tool_panel_section.mako
+++ b/templates/admin/tool_shed_repository/select_tool_panel_section.mako
@@ -111,16 +111,16 @@
<label>Shed tool configuration file:</label>
${shed_tool_conf_select_field.get_html()}
<div class="toolParamHelp" style="clear: both;">
- ${select_help}
+ ${select_help|h}
</div></div><div style="clear: both"></div>
%else:
- <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/>
+ <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/>
%endif
<div class="form-row"><label>Add new tool panel section:</label>
- <input name="new_tool_panel_section_label" type="textfield" value="${new_tool_panel_section_label}" size="40"/>
+ <input name="new_tool_panel_section_label" type="textfield" value="${new_tool_panel_section_label|h}" size="40"/><div class="toolParamHelp" style="clear: both;">
Add a new tool panel section to contain the installed tools (optional).
</div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako
--- a/templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako
+++ b/templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako
@@ -43,10 +43,10 @@
install_dir = "This dependency's installation directory does not exist, click <b>Uninstall</b> to reset for installation."
%><tr>
- <td>${tool_dependency.name}</td>
- <td>${tool_dependency.version}</td>
- <td>${tool_dependency.type}</td>
- <td>${install_dir}</td>
+ <td>${tool_dependency.name|h}</td>
+ <td>${tool_dependency.version|h}</td>
+ <td>${tool_dependency.type|h}</td>
+ <td>${install_dir|h}</td></tr>
%endfor
</table>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/view_tool_metadata.mako
--- a/templates/admin/tool_shed_repository/view_tool_metadata.mako
+++ b/templates/admin/tool_shed_repository/view_tool_metadata.mako
@@ -11,7 +11,7 @@
%if tool_metadata:
<p/><div class="toolForm">
- <div class="toolFormTitle">${tool_metadata[ 'name' ]} tool metadata</div>
+ <div class="toolFormTitle">${tool_metadata[ 'name' ]|h} tool metadata</div><div class="toolFormBody"><div class="form-row"><table width="100%">
@@ -20,41 +20,41 @@
</div><div class="form-row"><label>Name:</label>
- ${tool_metadata[ 'name' ]}
+ ${tool_metadata[ 'name' ]|h}
<div style="clear: both"></div></div>
%if 'description' in tool_metadata:
<div class="form-row"><label>Description:</label>
- ${tool_metadata[ 'description' ]}
+ ${tool_metadata[ 'description' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'id' in tool_metadata:
<div class="form-row"><label>Id:</label>
- ${tool_metadata[ 'id' ]}
+ ${tool_metadata[ 'id' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'guid' in tool_metadata:
<div class="form-row"><label>Guid:</label>
- ${tool_metadata[ 'guid' ]}
+ ${tool_metadata[ 'guid' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'version' in tool_metadata:
<div class="form-row"><label>Version:</label>
- ${tool_metadata[ 'version' ]}
+ ${tool_metadata[ 'version' ]|h}
<div style="clear: both"></div></div>
%endif
%if 'version_string_cmd' in tool_metadata:
<div class="form-row"><label>Version command string:</label>
- ${tool_metadata[ 'version_string_cmd' ]}
+ ${tool_metadata[ 'version_string_cmd' ]|h}
<div style="clear: both"></div></div>
%endif
@@ -70,9 +70,9 @@
<tr><td>
%if guid == tool_metadata[ 'guid' ]:
- ${guid} <b>(this tool)</b>
+ ${guid|h} <b>(this tool)</b>
%else:
- ${guid}
+ ${guid|h}
%endif
</td></tr>
@@ -109,9 +109,9 @@
requirement_type = requirement_dict[ 'type' ] or 'not provided'
%><tr>
- <td>${requirement_name}</td>
- <td>${requirement_version}</td>
- <td>${requirement_type}</td>
+ <td>${requirement_name|h}</td>
+ <td>${requirement_version|h}</td>
+ <td>${requirement_type|h}</td></tr>
%endfor
</table>
@@ -130,27 +130,27 @@
</div><div class="form-row"><label>Command:</label>
- <pre>${tool.command}</pre>
+ <pre>${tool.command|h}</pre><div style="clear: both"></div></div><div class="form-row"><label>Interpreter:</label>
- ${tool.interpreter}
+ ${tool.interpreter|h}
<div style="clear: both"></div></div><div class="form-row"><label>Is multi-byte:</label>
- ${tool.is_multi_byte}
+ ${tool.is_multi_byte|h}
<div style="clear: both"></div></div><div class="form-row"><label>Forces a history refresh:</label>
- ${tool.force_history_refresh}
+ ${tool.force_history_refresh|h}
<div style="clear: both"></div></div><div class="form-row"><label>Parallelism:</label>
- ${tool.parallelism}
+ ${tool.parallelism|h}
<div style="clear: both"></div></div>
%endif
@@ -181,20 +181,20 @@
required_files = test_dict[ 'required_files' ]
%><tr>
- <td>${test_dict[ 'name' ]}</td>
+ <td>${test_dict[ 'name' ]|h}</td><td>
%for input in inputs:
- <b>${input[0]}:</b> ${input[1]}<br/>
+ <b>${input[0]|h}:</b> ${input[1]|h}<br/>
%endfor
</td><td>
%for output in outputs:
- <b>${output[0]}:</b> ${output[1]}<br/>
+ <b>${output[0]|h}:</b> ${output[1]|h}<br/>
%endfor
</td><td>
%for required_file in required_files:
- ${required_file}<br/>
+ ${required_file|h}<br/>
%endfor
</td></tr>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/view_workflow.mako
--- a/templates/admin/tool_shed_repository/view_workflow.mako
+++ b/templates/admin/tool_shed_repository/view_workflow.mako
@@ -17,7 +17,7 @@
<%def name="render_workflow( workflow_name, repository_id )"><% center_url = h.url_for( controller='admin_toolshed', action='generate_workflow_image', workflow_name=tool_shed_encode( workflow_name ), repository_id=repository_id ) %>
- <iframe name="workflow_image" id="workflow_image" frameborder="0" style="position: absolute; width: 100%; height: 100%;" src="${center_url}"></iframe>
+ <iframe name="workflow_image" id="workflow_image" frameborder="0" style="position: absolute; width: 100%; height: 100%;" src="${center_url|h}"></iframe></%def>
${render_galaxy_repository_actions( repository )}
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/user/reset_password.mako
--- a/templates/admin/user/reset_password.mako
+++ b/templates/admin/user/reset_password.mako
@@ -13,7 +13,7 @@
%for user in users:
<div class="form-row"><label>Email:</label>
- ${user.email}
+ ${user.email|h}
<div style="clear: both"></div></div>
%endfor
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/user/user.mako
--- a/templates/admin/user/user.mako
+++ b/templates/admin/user/user.mako
@@ -11,9 +11,9 @@
</%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
%for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
%endfor
</select></%def>
@@ -48,29 +48,29 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">User '${user.email}'</div>
+ <div class="toolFormTitle">User '${user.email|h}'</div><div class="toolFormBody"><form name="associate_user_role_group" id="associate_user_role_group" action="${h.url_for(controller='admin', action='manage_roles_and_groups_for_user', id=trans.security.encode_id( user.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Roles associated with '${user.email}'</label>
+ <label>Roles associated with '${user.email|h}'</label>
${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div>
- <label>Roles not associated with '${user.email}'</label>
+ <label>Roles not associated with '${user.email|h}'</label>
${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;">
- <label>Groups associated with '${user.email}'</label>
+ <label>Groups associated with '${user.email|h}'</label>
${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div>
- <label>Groups not associated with '${user.email}'</label>
+ <label>Groups not associated with '${user.email|h}'</label>
${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/view_datatypes_registry.mako
--- a/templates/admin/view_datatypes_registry.mako
+++ b/templates/admin/view_datatypes_registry.mako
@@ -37,16 +37,16 @@
%else:
<tr class="tr">
%endif
- <td>${datatype.extension}</td>
- <td>${datatype.dtype}</td>
+ <td>${datatype.extension|h}</td>
+ <td>${datatype.dtype|h}</td><td>
%if datatype.mimetype:
- ${datatype.mimetype}
+ ${datatype.mimetype|h}
%endif
</td><td>
%if datatype.display_in_upload:
- ${datatype.display_in_upload}
+ ${datatype.display_in_upload|h}
%endif
</td></tr>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/base.mako
--- a/templates/base.mako
+++ b/templates/base.mako
@@ -39,7 +39,7 @@
<script>
Raven.config('${app.config.sentry_dsn_public}').install();
%if trans.user:
- Raven.setUser( { email: "${trans.user.email}" } );
+ Raven.setUser( { email: "${trans.user.email|h}" } );
%endif
</script>
%endif
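Review bot: `|h` on `trans.user.email` in the `Raven.setUser` line applies HTML escaping inside a JavaScript string literal, which is the wrong encoder for that context: a legitimate address containing `'` or `&` becomes `&#39;`/`&amp;` and is reported to Sentry verbatim, and a trailing backslash is left untouched and would escape the closing quote. The robust form is to build the argument in a `<% %>` block with `json.dumps( { 'email': trans.user.email } )`, replacing `<` with `\u003c` in the result so a `</script>` sequence cannot terminate the block, and interpolate that instead of the HTML-filtered string. The same pattern appears in the galaxy.panels.mako hunk.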
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/galaxy_client_app.mako
--- a/templates/galaxy_client_app.mako
+++ b/templates/galaxy_client_app.mako
@@ -70,11 +70,12 @@
## Return a dictionary of user or anonymous user data including:
## email, id, disk space used, quota percent, and tags used
<%
+ from markupsafe import escape
user_dict = {}
try:
if trans.user:
user_dict = trans.user.to_dict( view='element',
- value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float } )
+ value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float, 'email': escape, 'username': escape } )
user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans )
user_dict[ 'is_admin' ] = trans.user_is_admin()
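Review bot: Mapping `'email'` and `'username'` through `escape` in `value_mapper` bakes HTML entities into the user dictionary that this block presumably serializes for the client, so any consumer that renders those fields as text rather than markup, or compares the username against its raw value, will see `&#39;`/`&amp;`. Escaping at the data layer also hides whether the client templates escape on output, which is where the fix belongs for a JSON payload. If the client is known to inject these strings as HTML, a comment such as `# escaped here because the client inserts these fields as HTML` would stop the next reader from removing it; the masthead hunk in galaxy.masthead.mako makes the same choice.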
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/user/index.mako
--- a/templates/user/index.mako
+++ b/templates/user/index.mako
@@ -2,7 +2,7 @@
%if trans.user:
<h2>${_('User preferences')}</h2>
- <p>You are currently logged in as ${trans.user.email}.</p>
+ <p>You are currently logged in as ${trans.user.email|h}.</p><ul>
%if t.webapp.name == 'galaxy':
%if not trans.app.config.use_remote_user:
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/admin/tool_sheds.mako
--- a/templates/webapps/galaxy/admin/tool_sheds.mako
+++ b/templates/webapps/galaxy/admin/tool_sheds.mako
@@ -22,7 +22,7 @@
<tr class="libraryTitle"><td><div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${shed_id}-popup">
- <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">${name}</a>
+ <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">${name|h}</a></div><div popupmenu="dataset-${shed_id}-popup"><a class="action-button" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">Browse valid repositories</a>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/dataset/errors.mako
--- a/templates/webapps/galaxy/dataset/errors.mako
+++ b/templates/webapps/galaxy/dataset/errors.mako
@@ -95,7 +95,7 @@
<input type="hidden" name="id" value="${trans.security.encode_id( hda.id)}" /><div class="form-row"><label>Your email</label>
- <input type="text" name="email" size="40" value="${user_email}" />
+ <input type="text" name="email" size="40" value="${user_email|h}" /></div><div class="form-row"><label>Message</label>
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/galaxy.masthead.mako
--- a/templates/webapps/galaxy/galaxy.masthead.mako
+++ b/templates/webapps/galaxy/galaxy.masthead.mako
@@ -3,6 +3,7 @@
## masthead head generator
<%def name="load(active_view = None)"><%
+ from markupsafe import escape
## get configuration
masthead_config = {
## inject configuration
@@ -32,7 +33,7 @@
## user details
'user' : {
'requests' : bool(trans.user and (trans.user.requests or trans.app.security_agent.get_accessible_request_types(trans, trans.user))),
- 'email' : trans.user.email if (trans.user) else "",
+ 'email' : escape( trans.user.email ) if (trans.user) else "",
'valid' : bool(trans.user != None),
'json' : get_user_dict()
}
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/galaxy.panels.mako
--- a/templates/webapps/galaxy/galaxy.panels.mako
+++ b/templates/webapps/galaxy/galaxy.panels.mako
@@ -49,7 +49,7 @@
<script>
Raven.config('${app.config.sentry_dsn_public}').install();
%if trans.user:
- Raven.setUser( { email: "${trans.user.email}" } );
+ Raven.setUser( { email: "${trans.user.email|h}" } );
%endif
</script>
%endif
diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/tool_shed/base_panels.mako
--- a/templates/webapps/tool_shed/base_panels.mako
+++ b/templates/webapps/tool_shed/base_panels.mako
@@ -91,7 +91,8 @@
%>
## User tabs.
- <%
+ <%
+ from markupsafe import escape
# Menu for user who is not logged in.
menu_options = [ [ _("Login"), h.url_for( controller='/user', action='login' ), "galaxy_main" ] ]
if app.config.allow_user_creation:
@@ -101,7 +102,7 @@
tab( "user", _("User"), None, visible=visible, menu_options=menu_options )
# Menu for user who is logged in.
if trans.user:
- email = trans.user.email
+ email = escape( trans.user.email )
else:
email = ""
menu_options = [ [ '<a>Logged in as <span id="user-email">%s</span></a>' % email ] ]
Repository URL: https://bitbucket.org/galaxy/galaxy-central/