[galaxyproject/usegalaxy-playbook] 9dbb49: Swapped event slides on landing page.
by GitHub 08 Dec '14
Branch: refs/heads/master
Home: https://github.com/galaxyproject/usegalaxy-playbook
Commit: 9dbb498b5b07dfa84454abab62fb540c65fbfebb
https://github.com/galaxyproject/usegalaxy-playbook/commit/9dbb498b5b07dfa8…
Author: Dave Clements <clements(a)Clements-Galaxy.local>
Date: 2014-12-08 (Mon, 08 Dec 2014)
Changed paths:
A files/galaxy/common/static/welcome_img/VSU.png
M templates/galaxy/common/static/welcome.html.j2
Log Message:
-----------
Swapped event slides on landing page.
commit/galaxy-central: dan: HTML escape user-settable values in Data Libraries. Update tests to reflect that e.g. quotes are now html escaped within pages. Eliminate the unnecessary use of Params() object for these controllers.
by commits-noreply@bitbucket.org 08 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/0317c3ec09d9/
Changeset: 0317c3ec09d9
Branch: next-stable
User: dan
Date: 2014-12-08 17:27:48+00:00
Summary: HTML escape user-settable values in Data Libraries. Update tests to reflect that e.g. quotes are now html escaped within pages. Eliminate the unnecessary use of Params() object for these controllers.
Affected #: 17 files
diff -r caebda8c654aa079b68be736879df61c75f23faf -r 0317c3ec09d99ac40a9217a4725c6a2fe89c3de8 lib/galaxy/webapps/galaxy/controllers/library.py
--- a/lib/galaxy/webapps/galaxy/controllers/library.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library.py
@@ -3,7 +3,7 @@
from galaxy import web
from galaxy.model.orm import and_, not_, or_
from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import grids
+from galaxy.web.framework.helpers import escape, grids
from library_common import get_comptypes, lucene_search, whoosh_search
@@ -79,7 +79,6 @@
@web.expose
def list( self, trans, **kwd ):
- params = util.Params( kwd )
# define app configuration for generic mako template
app = {
'jscript' : "galaxy.library"
@@ -89,10 +88,9 @@
@web.expose
def index( self, trans, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- default_action = params.get( 'default_action', None )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'done' ) )
+ default_action = kwd.get( 'default_action', None )
return trans.fill_template( "/library/index.mako",
default_action=default_action,
message=message,
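Review bot: `message` and `status` are HTML-escaped at the point they are read from `kwd` (lines 251–252), whereas every other handler touched by this commit escapes at the `fill_template` call (e.g. `message=escape( message )` in library_admin). Escaping on read leaves the locals holding markup-safe text, which would be wrong if either were later reused in a `send_redirect`/`url_for` message; moving the calls to the template arguments, `message=escape( message ), status=escape( status )`, keeps the variables raw and the convention uniform. `default_action` is passed through unescaped; that only matters if `/library/index.mako` renders it, which I can't confirm from the hunk. The `fill_template` call continues past the hunk.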
diff -r caebda8c654aa079b68be736879df61c75f23faf -r 0317c3ec09d99ac40a9217a4725c6a2fe89c3de8 lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -5,7 +5,7 @@
from galaxy import web
from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import grids, time_ago
+from galaxy.web.framework.helpers import escape, grids, time_ago
from library_common import get_comptypes, lucene_search, whoosh_search
# from galaxy.model.orm import *
@@ -141,20 +141,19 @@
lddas=lddas,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
# Render the list view
return self.library_list_grid( trans, **kwd )
@web.expose
@web.require_admin
def create_library( self, trans, **kwd ):
- params = galaxy.util.Params( kwd )
- message = galaxy.util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- if params.get( 'create_library_button', False ):
- name = galaxy.util.restore_text( params.get( 'name', 'No name' ) )
- description = galaxy.util.restore_text( params.get( 'description', '' ) )
- synopsis = galaxy.util.restore_text( params.get( 'synopsis', '' ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ if kwd.get( 'create_library_button', False ):
+ name = kwd.get( 'name', 'No name' )
+ description = kwd.get( 'description', '' )
+ synopsis = kwd.get( 'synopsis', '' )
if synopsis in [ 'None', None ]:
synopsis = ''
library = trans.app.model.Library( name=name, description=description, synopsis=synopsis )
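Review bot: `name`, `description` and `synopsis` (lines 290–292) are persisted on the new `Library` exactly as submitted; this hunk escapes only `message` and `status` at render time (lines 273–274), so protection of these stored values depends on every template that prints `library.name`, `description` or `synopsis` escaping them, which is outside this diff. A comment at the assignment would make that contract explicit: `# stored unescaped: templates must apply escape() when rendering library fields`. Dropping `restore_text` also means a submission carrying the old `sanitize_text` encoding is now stored in its encoded form — presumably acceptable, but worth confirming against the functional tests this commit updates. `create_library` continues past the hunk.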
@@ -167,9 +166,9 @@
action='browse_library',
cntrller='library_admin',
id=trans.security.encode_id( library.id ),
- message=galaxy.util.sanitize_text( message ),
+ message=message,
status='done' ) )
- return trans.fill_template( '/admin/library/new_library.mako', message=message, status=status )
+ return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) )
@web.expose
@web.require_admin
def delete_library( self, trans, id, **kwd ):
@@ -196,8 +195,7 @@
# TODO: change this function to purge_library_item, behaving similar to delete_library_item
# assuming we want the ability to purge libraries.
# This function is currently only used by the functional tests.
- params = galaxy.util.Params( kwd )
- library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( params.id ) )
+ library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( kwd.get( 'id' ) ) )
def purge_folder( library_folder ):
for lf in library_folder.folders:
purge_folder( lf )
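Review bot: `kwd.get( 'id' )` (line 314) returns `None` when the parameter is missing and hands it straight to `trans.security.decode_id`, so a request without `id` fails with an unhandled exception rather than the redirect-with-error pattern used elsewhere in this controller. Since the value is mandatory, either `kwd['id']` makes the requirement explicit, or a guard `library_id = kwd.get( 'id', None )` followed by `if not library_id:` returning the usual error redirect keeps behaviour consistent with `browse_library`. The old `params.id` access had the same failure mode, so this is not a regression, but the rewrite is the natural place to fix it. `purge_library` continues past the hunk.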
@@ -226,7 +224,7 @@
message = "Library '%s' has not been marked deleted, so it cannot be purged" % ( library.name )
return trans.response.send_redirect( web.url_for( controller='library_admin',
action='browse_libraries',
- message=galaxy.util.sanitize_text( message ),
+ message=message,
status='error' ) )
else:
purge_folder( library.root_folder )
@@ -236,5 +234,5 @@
message = "Library '%s' and all of its contents have been purged, datasets will be removed from disk via the cleanup_datasets script" % library.name
return trans.response.send_redirect( web.url_for( controller='library_admin',
action='browse_libraries',
- message=galaxy.util.sanitize_text( message ),
+ message=message,
status='done' ) )
diff -r caebda8c654aa079b68be736879df61c75f23faf -r 0317c3ec09d99ac40a9217a4725c6a2fe89c3de8 lib/galaxy/webapps/galaxy/controllers/library_common.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_common.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py
@@ -20,6 +20,7 @@
from galaxy.util.streamball import StreamBall
from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems
from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field
+from galaxy.web.framework.helpers import escape
from galaxy.model.orm import and_, eagerload_all
# Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled.
@@ -92,14 +93,13 @@
@web.expose
def browse_library( self, trans, cntrller='library', **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
# If use_panels is True, the library is being accessed via an external link
# which did not originate from within the Galaxy instance, and the library will
# be displayed correctly with the mast head.
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- library_id = params.get( 'id', None )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ library_id = kwd.get( 'id', None )
if not library_id:
# To handle bots
message = "You must specify a library id."
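Review bot: `message` is now taken verbatim from the request (line 350) and is only escaped at the `fill_template` calls later in the function, while the redirects in this function pass it unescaped into `web.url_for`; correctness therefore rests on `url_for` percent-encoding the value (presumably it does) and on the receiving handler escaping it before render. A one-line comment at line 350 would make that contract visible to the next maintainer: `# raw request value: HTML-escape only at fill_template, never before a redirect`. `browse_library` continues past the hunk.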
@@ -116,9 +116,9 @@
message = "Invalid library id ( %s ) specified." % str( library_id )
status = 'error'
else:
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- created_ldda_ids = params.get( 'created_ldda_ids', '' )
- hidden_folder_ids = util.listify( params.get( 'hidden_folder_ids', '' ) )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ created_ldda_ids = kwd.get( 'created_ldda_ids', '' )
+ hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) )
if created_ldda_ids and not message:
message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \
( len( created_ldda_ids.split( ',' ) ), library.name )
@@ -137,8 +137,8 @@
show_deleted=show_deleted,
comptypes=comptypes,
current_user_roles=current_user_roles,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
else:
return trans.fill_template( 'library/common/browse_library.mako',
cntrller=cntrller,
@@ -149,45 +149,44 @@
show_deleted=show_deleted,
comptypes=comptypes,
current_user_roles=current_user_roles,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
except Exception, e:
message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) )
status = 'error'
- default_action = params.get( 'default_action', None )
+ default_action = kwd.get( 'default_action', None )
return trans.response.send_redirect( web.url_for( use_panels=use_panels,
controller=cntrller,
action='browse_libraries',
default_action=default_action,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
@web.expose
def library_info( self, trans, cntrller, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
- library_id = params.get( 'id', None )
+ library_id = kwd.get( 'id', None )
try:
library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( library_id ) )
except:
library = None
self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'library_info_button', False ):
+ if kwd.get( 'library_info_button', False ):
self._check_modify( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
old_name = library.name
- new_name = util.restore_text( params.get( 'name', 'No name' ) )
+ new_name = kwd.get( 'name', 'No name' )
if not new_name:
message = 'Enter a valid name'
status='error'
else:
- new_description = util.restore_text( params.get( 'description', '' ) )
- new_synopsis = util.restore_text( params.get( 'synopsis', '' ) )
+ new_description = kwd.get( 'description', '' )
+ new_synopsis = kwd.get( 'synopsis', '' )
if new_synopsis in [ None, 'None' ]:
new_synopsis = ''
library.name = new_name
@@ -205,7 +204,7 @@
use_panels=use_panels,
id=trans.security.encode_id( library.id ),
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
# See if we have any associated templates
info_association, inherited = library.get_info_association()
@@ -221,30 +220,29 @@
show_deleted=show_deleted,
info_association=info_association,
inherited=inherited,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def library_permissions( self, trans, cntrller, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
- library_id = params.get( 'id', None )
+ library_id = kwd.get( 'id', None )
try:
library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( library_id ) )
except:
library = None
self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
self._check_manage( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'update_roles_button', False ):
+ if kwd.get( 'update_roles_button', False ):
# The user clicked the Save button on the 'Associate With Roles' form
permissions = {}
for k, v in trans.app.model.Library.permitted_actions.items():
- in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( x ) for x in util.listify( params.get( k + '_in', [] ) ) ]
+ in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( x ) for x in util.listify( kwd.get( k + '_in', [] ) ) ]
permissions[ trans.app.security_agent.get_action( v.action ) ] = in_roles
trans.app.security_agent.set_all_library_permissions( trans, library, permissions )
trans.sa_session.refresh( library )
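Review bot: Line 487 passes each `k + '_in'` value from `util.listify` straight to `query( Role ).get( x )` as a string, whereas the equivalent line in `folder_permissions` (line 634) coerces with `int( x )` first. Both lines are rewritten by this commit, so it is a good moment to make them agree; a non-numeric role id would then raise `ValueError` in both places instead of being handed to the ORM in one. This behaviour predates the change, so I'm only flagging the inconsistency. `library_permissions` continues past the hunk.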
@@ -257,7 +255,7 @@
use_panels=use_panels,
id=trans.security.encode_id( library.id ),
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
roles = trans.app.security_agent.get_legitimate_roles( trans, library, cntrller )
all_roles = trans.app.security_agent.get_all_roles( trans, cntrller )
@@ -269,16 +267,15 @@
roles=roles,
all_roles=all_roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' )
current_user_roles = trans.get_current_user_roles()
try:
@@ -291,9 +288,9 @@
parent_library = parent_folder.parent_library
self._check_access( trans, cntrller, is_admin, parent_folder, current_user_roles, use_panels, library_id, show_deleted )
self._check_add( trans, cntrller, is_admin, parent_folder, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'new_folder_button', False ) or cntrller == 'api':
- new_folder = trans.app.model.LibraryFolder( name=util.restore_text( params.name ),
- description=util.restore_text( params.description ) )
+ if kwd.get( 'new_folder_button', False ) or cntrller == 'api':
+ new_folder = trans.app.model.LibraryFolder( name=kwd.get( 'name', '' ),
+ description=kwd.get( 'description', '' ) )
# We are associating the last used genome build with folders, so we will always
# initialize a new folder with the first dbkey in genome builds list which is currently
# ? unspecified (?)
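Review bot: Replacing `params.name` with `kwd.get( 'name', '' )` (line 530) turns a missing or blank folder name from a failure into a folder silently created with an empty name; `folder_info` (lines 585–589) validates the same input with `if not new_name: message = 'Enter a valid name'` and `status = 'error'`. Reading the name into a local first and applying that check before constructing the `LibraryFolder` would keep the two paths consistent. Note the `cntrller == 'api'` condition reaches this line too, so an API caller would receive the same validation. `create_folder` continues past the hunk.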
@@ -325,7 +322,7 @@
show_deleted=show_deleted,
info_association=info_association,
inherited=inherited,
- message=message,
+ message=escape( message ),
status='done' )
# If not inheritable info_association, redirect to the library.
message = "The new folder named '%s' has been added to the data library." % new_folder.name
@@ -337,7 +334,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
# We do not render any template widgets on creation pages since saving the info_association
# cannot occur before the associated item is saved.
@@ -347,16 +344,15 @@
library_id=library_id,
folder=parent_folder,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def folder_info( self, trans, cntrller, id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -364,11 +360,11 @@
except:
folder = None
self._check_access( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'rename_folder_button', False ):
+ if kwd.get( 'rename_folder_button', False ):
self._check_modify( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted )
old_name = folder.name
- new_name = util.restore_text( params.name )
- new_description = util.restore_text( params.description )
+ new_name = kwd.get( 'name', '' )
+ new_description = kwd.get( 'description', '' )
if not new_name:
message = 'Enter a valid name'
status='error'
@@ -385,7 +381,7 @@
id=id,
library_id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
# See if we have any associated templates
widgets = []
@@ -405,16 +401,15 @@
show_deleted=show_deleted,
info_association=info_association,
inherited=inherited,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def folder_permissions( self, trans, cntrller, id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -423,14 +418,14 @@
folder = None
self._check_access( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted )
self._check_manage( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'update_roles_button', False ):
+ if kwd.get( 'update_roles_button', False ):
# The user clicked the Save button on the 'Associate With Roles' form
permissions = {}
for k, v in trans.app.model.Library.permitted_actions.items():
if k != 'LIBRARY_ACCESS':
# LIBRARY_ACCESS is a special permission set only at the library level
# and it is not inherited.
- in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( params.get( k + '_in', [] ) ) ]
+ in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( kwd.get( k + '_in', [] ) ) ]
permissions[ trans.app.security_agent.get_action( v.action ) ] = in_roles
trans.app.security_agent.set_all_library_permissions( trans, folder, permissions )
trans.sa_session.refresh( folder )
@@ -442,7 +437,7 @@
id=trans.security.encode_id( folder.id ),
library_id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
# If the library is public all roles are legitimate, but if the library
# is restricted, only those roles associated with the LIBRARY_ACCESS
@@ -456,16 +451,15 @@
current_user_roles=current_user_roles,
roles=roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -474,7 +468,7 @@
ldda = None
self._check_access( trans, cntrller, is_admin, ldda, current_user_roles, use_panels, library_id, show_deleted )
self._check_modify( trans, cntrller, is_admin, ldda, current_user_roles, use_panels, library_id, show_deleted )
- dbkey = params.get( 'dbkey', '?' )
+ dbkey = kwd.get( 'dbkey', '?' )
if isinstance( dbkey, list ):
dbkey = dbkey[0]
file_formats = [ dtype_name for dtype_name, dtype_value in trans.app.datatypes_registry.datatypes_by_extension.iteritems() if dtype_value.allow_datatype_change ]
@@ -498,26 +492,26 @@
info_association, inherited = ldda.get_info_association()
if info_association and ( not( inherited ) or info_association.inheritable ):
widgets = ldda.get_template_widgets( trans )
- if params.get( 'change', False ):
+ if kwd.get( 'change', False ):
# The user clicked the Save button on the 'Change data type' form
if __ok_to_edit_metadata( ldda.id ):
- if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( params.datatype ).allow_datatype_change:
- trans.app.datatypes_registry.change_datatype( ldda, params.datatype )
+ if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( kwd.get( 'datatype' ) ).allow_datatype_change:
+ trans.app.datatypes_registry.change_datatype( ldda, kwd.get( 'datatype' ) )
trans.sa_session.flush()
message = "Data type changed for library dataset '%s'." % ldda.name
status = 'done'
else:
- message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( ldda.extension, params.datatype )
+ message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( ldda.extension, kwd.get( 'datatype' ) )
status = 'error'
else:
message = "This dataset is currently being used as input or output. You cannot change datatype until the jobs have completed or you have canceled them."
status = "error"
- elif params.get( 'save', False ):
+ elif kwd.get( 'save', False ):
# The user clicked the Save button on the 'Edit Attributes' form
old_name = ldda.name
- new_name = util.restore_text( params.get( 'name', '' ) )
- new_info = util.restore_text( params.get( 'info', '' ) )
- new_message = util.restore_text( params.get( 'message', '' ) )
+ new_name = kwd.get( 'name', '' )
+ new_info = kwd.get( 'info', '' )
+ new_message = kwd.get( 'message', '' )
if not new_name:
message = 'Enter a valid name'
status = 'error'
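Review bot: `kwd.get( 'datatype' )` is evaluated three times (lines 688, 689, 695) and, when the parameter is absent, `get_datatype_by_extension( None )` presumably fails before `.allow_datatype_change` is read. Reading it once, `new_datatype = kwd.get( 'datatype', None )`, and folding an empty value into the existing "not allowed" error branch gives one clear failure path and avoids the repeated lookups. `ldda_edit_info` continues on both sides of the hunk.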
@@ -530,12 +524,12 @@
for name, spec in ldda.datatype.metadata_spec.items():
if spec.get("readonly"):
continue
- optional = params.get( "is_" + name, None )
+ optional = kwd.get( "is_" + name, None )
if optional and optional == 'true':
# optional element... == 'true' actually means it is NOT checked (and therefore ommitted)
setattr( ldda.metadata, name, None )
else:
- setattr( ldda.metadata, name, spec.unwrap( params.get ( name, None ) ) )
+ setattr( ldda.metadata, name, spec.unwrap( kwd.get( name, None ) ) )
ldda.metadata.dbkey = dbkey
ldda.datatype.after_setting_metadata( ldda )
message = "Attributes updated for library dataset '%s'." % ldda.name
@@ -544,7 +538,7 @@
message = "Attributes updated, but metadata could not be changed because this dataset is currently being used as input or output. You must cancel or wait for these jobs to complete before changing metadata."
status = 'warning'
trans.sa_session.flush()
- elif params.get( 'detect', False ):
+ elif kwd.get( 'detect', False ):
# The user clicked the Auto-detect button on the 'Edit Attributes' form
if __ok_to_edit_metadata( ldda.id ):
for name, spec in ldda.datatype.metadata_spec.items():
@@ -559,8 +553,8 @@
message = "This dataset is currently being used as input or output. You cannot change metadata until the jobs have completed or you have canceled them."
status = 'error'
trans.sa_session.flush()
- elif params.get( 'change_extended_metadata', False):
- em_string = util.restore_text( params.get("extended_metadata", "") )
+ elif kwd.get( 'change_extended_metadata', False):
+ em_string = kwd.get("extended_metadata", "" )
if len(em_string):
payload = None
try:
@@ -610,17 +604,16 @@
show_deleted=show_deleted,
info_association=info_association,
inherited=inherited,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- show_associated_hdas_and_lddas = util.string_as_bool( params.get( 'show_associated_hdas_and_lddas', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
ldda = trans.sa_session.query( trans.app.model.LibraryDatasetDatasetAssociation ).get( trans.security.decode_id( id ) )
@@ -660,16 +653,15 @@
current_user_roles=current_user_roles,
info_association=info_association,
inherited=inherited,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
ids = util.listify( id )
lddas = []
libraries = []
@@ -693,7 +685,7 @@
id=library_id,
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
# If access to the dataset is restricted, then use the roles associated with the DATASET_ACCESS permission to
# determine the legitimate roles. If the dataset is public, see if access to the library is restricted. If
@@ -706,7 +698,7 @@
roles = trans.app.security_agent.get_legitimate_roles( trans, library, cntrller )
else:
roles = trans.app.security_agent.get_legitimate_roles( trans, ldda.dataset, cntrller )
- if params.get( 'update_roles_button', False ):
+ if kwd.get( 'update_roles_button', False ):
# Dataset permissions
access_action = trans.app.security_agent.get_action( trans.app.security_agent.permitted_actions.DATASET_ACCESS.action )
manage_permissions_action = trans.app.security_agent.get_action( trans.app.security_agent.permitted_actions.DATASET_MANAGE_PERMISSIONS.action )
@@ -763,8 +755,8 @@
library_id=library_id,
roles=roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
if len( ids ) > 1:
# Ensure that the permissions across all library items are identical, otherwise we can't update them together.
check_list = []
@@ -789,7 +781,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
# Display permission form, permissions will be updated for all lddas simultaneously.
return trans.fill_template( "/library/common/ldda_permissions.mako",
@@ -799,32 +791,31 @@
library_id=library_id,
roles=roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- ldda_message = util.restore_text( params.get( 'ldda_message', '' ) )
- deleted = util.string_as_bool( params.get( 'deleted', False ) )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- replace_id = params.get( 'replace_id', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ ldda_message = kwd.get( 'ldda_message', '' )
+ deleted = util.string_as_bool( kwd.get( 'deleted', False ) )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ replace_id = kwd.get( 'replace_id', None )
replace_dataset = None
- upload_option = params.get( 'upload_option', 'upload_file' )
- if params.get( 'files_0|space_to_tab', False ):
- space_to_tab = params.get( 'files_0|space_to_tab', '' )
+ upload_option = kwd.get( 'upload_option', 'upload_file' )
+ if kwd.get( 'files_0|space_to_tab', False ):
+ space_to_tab = kwd.get( 'files_0|space_to_tab', '' )
else:
- space_to_tab = params.get( 'space_to_tab', '' )
- link_data_only = params.get( 'link_data_only', 'copy_files' )
- dbkey = params.get( 'dbkey', '?' )
+ space_to_tab = kwd.get( 'space_to_tab', '' )
+ link_data_only = kwd.get( 'link_data_only', 'copy_files' )
+ dbkey = kwd.get( 'dbkey', '?' )
if isinstance( dbkey, list ):
last_used_build = dbkey[0]
else:
last_used_build = dbkey
- roles = params.get( 'roles', '' )
+ roles = kwd.get( 'roles', '' )
is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' )
current_user_roles = trans.get_current_user_roles()
widgets = []
@@ -853,7 +844,7 @@
library = folder.parent_library
if folder and last_used_build in [ 'None', None, '?' ]:
last_used_build = folder.genome_build
- if params.get( 'runtool_btn', False ) or params.get( 'ajax_upload', False ) or cntrller == 'api':
+ if kwd.get( 'runtool_btn', False ) or kwd.get( 'ajax_upload', False ) or cntrller == 'api':
error = False
if upload_option == 'upload_paths' and not trans.app.config.allow_library_path_paste:
error = True
@@ -878,7 +869,7 @@
replace_id=replace_id,
upload_option=upload_option,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
else:
# See if we have any inherited templates.
@@ -892,7 +883,7 @@
for index, widget_dict in enumerate( widgets ):
widget = widget_dict[ 'widget' ]
if isinstance( widget, AddressField ):
- value = util.restore_text( params.get( widget.name, '' ) )
+ value = kwd.get( widget.name, '' )
if value == 'new':
if self.field_param_values_ok( widget.name, 'AddressField', **kwd ):
# Save the new address
@@ -975,7 +966,7 @@
default_action=default_action,
created_ldda_ids=created_ldda_ids,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
else:
created_ldda_ids = ''
@@ -990,7 +981,7 @@
id=library_id,
created_ldda_ids=created_ldda_ids,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
# Note: if the upload form was submitted due to refresh_on_change for a form field, we cannot re-populate
# the field for the selected file ( files_0|file_data ) if the user selected one. This is because the value
@@ -1049,8 +1040,8 @@
link_data_only=link_data_only,
show_deleted=show_deleted,
ldda_message=ldda_message,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
def upload_dataset( self, trans, cntrller, library_id, folder_id, replace_dataset=None, **kwd ):
# Set up the traditional tool state/params
@@ -1064,16 +1055,15 @@
if input.type == "upload_dataset":
dataset_upload_inputs.append( input )
# Library-specific params
- params = util.Params( kwd ) # is this filetoolparam safe?
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- server_dir = util.restore_text( params.get( 'server_dir', '' ) )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ server_dir = kwd.get( 'server_dir', '' )
if replace_dataset not in [ None, 'None' ]:
replace_id = trans.security.encode_id( replace_dataset.id )
else:
replace_id = None
- upload_option = params.get( 'upload_option', 'upload_file' )
+ upload_option = kwd.get( 'upload_option', 'upload_file' )
response_code = 200
if upload_option == 'upload_directory':
if server_dir in [ None, 'None', '' ]:
@@ -1102,7 +1092,7 @@
try:
# FIXME: instead of passing params here ( which have been processed by util.Params(), the original kwd
# should be passed so that complex objects that may have been included in the initial request remain.
- library_bunch = upload_common.handle_library_params( trans, params, folder_id, replace_dataset )
+ library_bunch = upload_common.handle_library_params( trans, kwd, folder_id, replace_dataset )
except:
response_code = 500
message = "Unable to parse upload parameters, please report this error."
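Review bot: The FIXME at L959–L960 is now stale: it asks for the original kwd to be passed instead of the util.Params-processed params, and L962 does exactly that, so the comment should be removed or shortened to `# kwd is passed through unprocessed so complex objects from the request survive`. The bare `except:` at L963 is pre-existing, but since every failure is collapsed into a generic "please report this error" message, logging the exception there (with the module's logger, if it has one) would make that report actionable. The enclosing function starts and ends outside the hunk.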
@@ -1113,9 +1103,9 @@
tool_params = upload_common.persist_uploads( tool_params )
uploaded_datasets = upload_common.get_uploaded_datasets( trans, cntrller, tool_params, precreated_datasets, dataset_upload_inputs, library_bunch=library_bunch )
elif upload_option == 'upload_directory':
- uploaded_datasets, response_code, message = self.get_server_dir_uploaded_datasets( trans, cntrller, params, full_dir, import_dir_desc, library_bunch, response_code, message )
+ uploaded_datasets, response_code, message = self.get_server_dir_uploaded_datasets( trans, cntrller, kwd, full_dir, import_dir_desc, library_bunch, response_code, message )
elif upload_option == 'upload_paths':
- uploaded_datasets, response_code, message = self.get_path_paste_uploaded_datasets( trans, cntrller, params, library_bunch, response_code, message )
+ uploaded_datasets, response_code, message = self.get_path_paste_uploaded_datasets( trans, cntrller, kwd, library_bunch, response_code, message )
upload_common.cleanup_unused_precreated_datasets( precreated_datasets )
if upload_option == 'upload_file' and not uploaded_datasets:
response_code = 400
@@ -1131,7 +1121,7 @@
replace_id=replace_id,
upload_option=upload_option,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
json_file_path = upload_common.create_paramfile( trans, uploaded_datasets )
data_list = [ ud.data for ud in uploaded_datasets ]
@@ -1146,7 +1136,7 @@
def make_library_uploaded_dataset( self, trans, cntrller, params, name, path, type, library_bunch, in_folder=None ):
link_data_only = params.get( 'link_data_only', 'copy_files' )
uuid_str = params.get( 'uuid', None )
- file_type = params.file_type
+ file_type = params.get( 'file_type' )
library_bunch.replace_dataset = None # not valid for these types of upload
uploaded_dataset = util.bunch.Bunch()
new_name = name
@@ -1162,8 +1152,8 @@
uploaded_dataset.type = type
uploaded_dataset.ext = None
uploaded_dataset.file_type = file_type
- uploaded_dataset.dbkey = params.dbkey
- uploaded_dataset.space_to_tab = params.space_to_tab
+ uploaded_dataset.dbkey = params.get( 'dbkey' )
+ uploaded_dataset.space_to_tab = params.get( 'space_to_tab' )
if in_folder:
uploaded_dataset.in_folder = in_folder
uploaded_dataset.data = upload_common.new_upload( trans, cntrller, uploaded_dataset, library_bunch )
@@ -1262,7 +1252,7 @@
return files_and_folders
def _paths_list(self, params):
- return [ (l.strip(), os.path.abspath(l.strip())) for l in params.filesystem_paths.splitlines() if l.strip() ]
+ return [ (l.strip(), os.path.abspath(l.strip())) for l in params.get( 'filesystem_paths', '' ).splitlines() if l.strip() ]
def _check_path_paste_params(self, params):
if params.get( 'filesystem_paths', '' ) == '':
@@ -1274,33 +1264,32 @@
if not os.path.exists( path ):
bad_paths.append( path )
if bad_paths:
- message = "Invalid paths:<br><ul><li>%s</li></ul>" % "</li><li>".join( bad_paths )
+ message = 'Invalid paths: "%s".' % '", "'.join( bad_paths )
response_code = 400
return None, response_code, message
return None
@web.expose
def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- ldda_message = util.restore_text( params.get( 'ldda_message', '' ) )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- replace_id = params.get( 'replace_id', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ ldda_message = kwd.get( 'ldda_message', '' )
+ show_deleted = kwd.get( 'show_deleted', False )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ replace_id = kwd.get( 'replace_id', None )
replace_dataset = None
- upload_option = params.get( 'upload_option', 'import_from_history' )
- if params.get( 'files_0|space_to_tab', False ):
- space_to_tab = params.get( 'files_0|space_to_tab', '' )
+ upload_option = kwd.get( 'upload_option', 'import_from_history' )
+ if kwd.get( 'files_0|space_to_tab', False ):
+ space_to_tab = kwd.get( 'files_0|space_to_tab', '' )
else:
- space_to_tab = params.get( 'space_to_tab', '' )
- link_data_only = params.get( 'link_data_only', 'copy_files' )
- dbkey = params.get( 'dbkey', '?' )
+ space_to_tab = kwd.get( 'space_to_tab', '' )
+ link_data_only = kwd.get( 'link_data_only', 'copy_files' )
+ dbkey = kwd.get( 'dbkey', '?' )
if isinstance( dbkey, list ):
last_used_build = dbkey[0]
else:
last_used_build = dbkey
- roles = params.get( 'roles', '' )
+ roles = kwd.get( 'roles', '' )
is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' )
current_user_roles = trans.get_current_user_roles()
widgets = []
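Review bot: `show_deleted = kwd.get( 'show_deleted', False )` at L1035 drops the `util.string_as_bool` wrapper that every other rewritten reader in this commit keeps (e.g. L1133, L1170), so a query string `show_deleted=False` arrives as the non-empty string `'False'` and is truthy wherever it is later tested; it should read `show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )`. The plain-text bad_paths message at L1019 is the right companion to escaping at output. add_history_datasets_to_library continues past the end of the hunk.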
@@ -1338,9 +1327,9 @@
cntrller=cntrller,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
- if params.get( 'add_history_datasets_to_library_button', False ):
+ if kwd.get( 'add_history_datasets_to_library_button', False ):
hda_ids = util.listify( hda_ids )
if hda_ids:
dataset_names = []
@@ -1369,7 +1358,7 @@
trans.app.security_agent.copy_library_permissions( trans, folder, ldda )
trans.app.security_agent.copy_library_permissions( trans, folder, ldda.library_dataset )
else:
- library_bunch = upload_common.handle_library_params( trans, params, folder_id, replace_dataset )
+ library_bunch = upload_common.handle_library_params( trans, kwd, folder_id, replace_dataset )
if library_bunch.template and library_bunch.template_field_contents:
# Since information templates are inherited, the template fields can be displayed on the upload form.
# If the user has added field contents, we'll need to create a new form_values and info_association
@@ -1437,12 +1426,12 @@
id=library_id,
created_ldda_ids=created_ldda_ids,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
else:
message = 'Select at least one dataset from the list of active datasets in your current history'
status = 'error'
- upload_option = params.get( 'upload_option', 'import_from_history' )
+ upload_option = kwd.get( 'upload_option', 'import_from_history' )
widgets = self._get_populated_widgets( folder )
# Send list of data formats to the upload form so the "extension" select list can be populated dynamically
file_formats = trans.app.datatypes_registry.upload_file_formats
@@ -1476,8 +1465,8 @@
link_data_only=link_data_only,
show_deleted=show_deleted,
ldda_message=ldda_message,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
def _build_roles_select_list( self, trans, cntrller, library, selected_role_ids=[] ):
# Get the list of legitimate roles to display on the upload form. If the library is public,
@@ -1540,8 +1529,7 @@
def download_dataset_from_folder( self, trans, cntrller, id, library_id=None, **kwd ):
"""Catches the dataset id and displays file contents as directed"""
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
- params = util.Params( kwd )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -1574,16 +1562,15 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
@web.expose
def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -1591,11 +1578,11 @@
except:
library_dataset = None
self._check_access( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'edit_attributes_button', False ):
+ if kwd.get( 'edit_attributes_button', False ):
self._check_modify( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
old_name = library_dataset.name
- new_name = util.restore_text( params.get( 'name', '' ) )
- new_info = util.restore_text( params.get( 'info', '' ) )
+ new_name = kwd.get( 'name', '' )
+ new_info = kwd.get( 'info', '' )
if not new_name:
message = 'Enter a valid name'
status = 'error'
@@ -1624,16 +1611,15 @@
widgets=widgets,
widget_fields_have_contents=widget_fields_have_contents,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -1642,7 +1628,7 @@
library_dataset = None
self._check_access( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
self._check_manage( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'update_roles_button', False ):
+ if kwd.get( 'update_roles_button', False ):
# The user clicked the Save button on the 'Associate With Roles' form
permissions = {}
for k, v in trans.app.model.Library.permitted_actions.items():
@@ -1673,23 +1659,22 @@
roles=roles,
current_user_roles=current_user_roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
current_user_roles = trans.get_current_user_roles()
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
if item_type == 'library':
library = trans.sa_session.query( trans.model.Library ).get( trans.security.decode_id( id ) )
self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
self._check_manage( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
- contents = util.string_as_bool( params.get( 'contents', 'False' ) )
+ contents = util.string_as_bool( kwd.get( 'contents', 'False' ) )
trans.app.security_agent.make_library_public( library, contents=contents )
if contents:
message = "The data library (%s) and all its contents have been made publicly accessible." % library.name
@@ -1716,7 +1701,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
@web.expose
@@ -1741,12 +1726,11 @@
rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath )
return rval
# Perform an action on a list of library datasets.
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- action = params.get( 'do_action', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ action = kwd.get( 'do_action', None )
lddas = []
error = False
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
@@ -1761,7 +1745,7 @@
else:
if action in [ 'import_to_current_history', 'import_to_histories' ]:
new_kwd = {}
- if action == 'import_to_current_history':
+ if current_history is not None and action == 'import_to_current_history':
encoded_current_history_id = trans.security.encode_id( current_history.id )
selected_history_id = encoded_current_history_id
new_kwd[ 'do_action' ] = action
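Review bot: The added `current_history is not None` guard at L1245 changes which branch handles an `import_to_current_history` request when the user has no current history, and the branch it now falls into lies outside the hunk, so the intent should be stated on the line, e.g. `# no current history: fall back to the generic multi-history import path` (adjust to whatever the following branch actually does). Note also that `selected_history_id` is now bound only inside the guarded branch, so if it is referenced later in the function that reference needs a default. The enclosing function continues outside the hunk.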
@@ -1832,7 +1816,7 @@
folder_id=folder_id,
id=",".join( encoded_ldda_ids ),
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
else:
message = "You are not authorized to manage permissions on any of the selected datasets."
@@ -1993,11 +1977,11 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
else:
# We arrived here from the library_dataset_search_results page, so redirect there.
- search_term = params.get( 'search_term', '' )
+ search_term = kwd.get( 'search_term', '' )
comptypes = get_comptypes( trans )
return trans.fill_template( '/library/common/library_dataset_search_results.mako',
cntrller=cntrller,
@@ -2007,8 +1991,8 @@
lddas=lddas,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def import_datasets_to_histories( self, trans, cntrller, library_id='', folder_id='', ldda_ids='', target_history_id='', target_history_ids='', new_history_name='', **kwd ):
@@ -2018,12 +2002,11 @@
# - a select list option for acting on multiple selected datasets within a library
# ( ldda_ids is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids )
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- action = params.get( 'do_action', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ action = kwd.get( 'do_action', None )
user = trans.get_user()
current_history = trans.get_history()
if library_id:
@@ -2042,7 +2025,7 @@
target_history_ids = set( [ trans.security.decode_id( target_history_id ) for target_history_id in target_history_ids if target_history_id ] )
elif target_history_id:
target_history_ids = [ trans.security.decode_id( target_history_id ) ]
- if params.get( 'import_datasets_to_histories_button', False ):
+ if kwd.get( 'import_datasets_to_histories_button', False ):
invalid_datasets = 0
if not ldda_ids or not ( target_history_ids or new_history_name ):
message = "You must provide one or more source library datasets and one or more target histories."
@@ -2106,11 +2089,13 @@
# to the lddas in order for the menu optin to be available.
ldda = trans.sa_session.query( trans.model.LibraryDatasetDatasetAssociation ).get( ldda_id )
source_lddas.append( ldda )
+ if current_history is None:
+ current_history = trans.get_history( create=True )
if current_history is not None:
target_histories = [ current_history ]
else:
target_histories = []
- message = 'You must have a history before you can import datasets. You can do this by <a href="%s" target="_top">loading the analysis interface</a>.' % url_for(controller='root')
+ message = 'You must have a history before you can import datasets. You can do this by loading the analysis interface.'
status = 'error'
if user:
target_histories = user.active_histories
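Review bot: With L1313–L1314 creating a history on demand, the `else` branch at L1317–L1321 is reachable only if `trans.get_history( create=True )` can still return None; if it cannot, the branch is dead and should go, and if it can, the error message at L1320 has lost the link that told the user how to recover, so consider passing the URL to the template as its own variable instead of dropping it. Creating a history as a side effect of what reads like a view request also deserves a why-comment, e.g. `# create a history so the current-history import target always exists`. The enclosing function continues outside the hunk.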
@@ -2120,7 +2105,7 @@
action='browse_library',
cntrller=cntrller,
id=library_id,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
return trans.fill_template( "/library/common/import_datasets_to_histories.mako",
cntrller=cntrller,
@@ -2134,16 +2119,15 @@
new_history_name=new_history_name,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ):
- params = util.Params( kwd )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' )
current_user_roles = trans.get_current_user_roles()
try:
@@ -2162,7 +2146,7 @@
cntrller=cntrller,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
info_association, inherited = item.get_info_association( restrict=True )
if info_association:
@@ -2181,7 +2165,7 @@
folder_id=folder_id,
id=id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
@web.expose
@@ -2193,11 +2177,10 @@
# 'ldda' and item_id is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a
# comma separated string of ldda ids )
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
make_target_current = util.string_as_bool( make_target_current )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
user = trans.get_user()
@@ -2211,14 +2194,14 @@
else:
# Request sent from the library_dataset_search_results page.
source_library = None
- target_library_id = params.get( 'target_library_id', '' )
+ target_library_id = kwd.get( 'target_library_id', '' )
if target_library_id not in [ '', 'none', None ]:
target_library = trans.sa_session.query( trans.model.Library ).get( trans.security.decode_id( target_library_id ) )
elif make_target_current:
target_library = source_library
else:
target_library = None
- target_folder_id = params.get( 'target_folder_id', '' )
+ target_folder_id = kwd.get( 'target_folder_id', '' )
if target_folder_id not in [ '', 'none', None ]:
target_folder = trans.sa_session.query( trans.model.LibraryFolder ).get( trans.security.decode_id( target_folder_id ) )
if target_library is None:
@@ -2233,7 +2216,7 @@
elif item_type == 'folder':
move_folder_id = item_id
move_folder = trans.sa_session.query( trans.model.LibraryFolder ).get( trans.security.decode_id( move_folder_id ) )
- if params.get( 'move_library_item_button', False ):
+ if kwd.get( 'move_library_item_button', False ):
if not ( move_ldda_ids or move_folder_id ) or target_folder_id in [ '', 'none', None ]:
message = "You must select a source folder or one or more source datasets, and a target folder."
status = 'error'
@@ -2397,8 +2380,8 @@
target_folder_id_select_field=target_folder_id_select_field,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def delete_library_item( self, trans, cntrller, library_id, item_id, item_type, **kwd ):
@@ -2569,7 +2552,7 @@
action='browse_libraries',
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
return trans.response.send_redirect( web.url_for( controller='library_common',
action='browse_library',
@@ -2577,7 +2560,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
def _check_add( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ):
@@ -2593,7 +2576,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
def _check_manage( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ):
@@ -2610,7 +2593,7 @@
id=library_id,
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
# Deny access if the user is not an admin and does not have the LIBRARY_MANAGE permission.
if not ( is_admin or trans.app.security_agent.can_manage_library_item( current_user_roles, item ) ):
@@ -2622,7 +2605,7 @@
id=library_id,
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
def _check_modify( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ):
@@ -2637,7 +2620,7 @@
id=library_id,
use_panels=use_panels,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
# ---- Utility methods -------------------------------------------------------
@@ -2777,9 +2760,8 @@
def lucene_search( trans, cntrller, search_term, search_url, **kwd ):
"""Return display of results from a full-text lucene search of data libraries."""
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) )
response = urllib2.urlopen( full_url )
ldda_ids = util.json.loads( response.read() )[ "ids" ]
@@ -2789,9 +2771,8 @@
def whoosh_search( trans, cntrller, search_term, **kwd ):
"""Return display of results from a full-text whoosh search of data libraries."""
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
ok = True
if whoosh_search_enabled:
whoosh_index_dir = trans.app.config.whoosh_index_dir
diff -r caebda8c654aa079b68be736879df61c75f23faf -r 0317c3ec09d99ac40a9217a4725c6a2fe89c3de8 templates/webapps/galaxy/library/common/browse_library.mako
--- a/templates/webapps/galaxy/library/common/browse_library.mako
+++ b/templates/webapps/galaxy/library/common/browse_library.mako
@@ -236,29 +236,29 @@
%if current_version and ( not ldda.library_dataset.deleted or show_deleted ):
<tr class="datasetRow"
%if parent is not None:
- parent="${parent}"
+ parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id}">
+ id="libraryItem-${ldda.id | h}">
<td style="padding-left: ${pad+20}px;">
- <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id )}" value="${trans.security.encode_id( ldda.id )}"
+ <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
%if selected:
checked="checked"
%endif
/>
%if simple:
- <label for="${trans.security.encode_id( ldda.id )}">${ util.unicodify( ldda.name )}</label>
+ <label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
<a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
- <div class="libraryItem-error">${util.unicodify( ldda.name )}</div>
+ <div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
%else:
- ${util.unicodify( ldda.name )}
+ ${util.unicodify( ldda.name ) | h}
%endif
</a></div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id}-popup">
+ <div popupmenu="dataset-${ldda.id | h}-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
<a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -287,7 +287,7 @@
%endif
%if can_modify:
%if not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.deleted:
- <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name )}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a>
+ <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name ) | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a>
%elif not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.purged and ldda.library_dataset.deleted:
<a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Undelete this dataset</a>
%endif
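Review bot: The `confirm="Click OK to delete dataset '${util.unicodify( ldda.name ) | h}'."` line is safe only because the attribute itself is double-quoted; if the installed Mako still implements `h` as a `cgi.escape( s, True )` wrapper, a `'` in the dataset name passes through unescaped, so the same construct inside a single-quoted attribute or a JavaScript string would still break out. Since the commit message says tests now expect quotes to be escaped, it is worth pinning which quotes in a comment where the filter is relied on, e.g. `## | h escapes & < > " (and ' only with markupsafe); keep attributes double-quoted, never splice values into script`. The enclosing `<div popupmenu=...>` block starts before this hunk.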
@@ -298,10 +298,10 @@
</td>
% if not simple:
<td id="libraryItemInfo">${render_library_item_info( ldda )}</td>
- <td>${ldda.extension}</td>
+ <td>${ldda.extension | h}</td>
% endif
- <td>${ldda.create_time.strftime( trans.app.config.pretty_datetime_format )}</td>
- <td>${ldda.get_size( nice_size=True )}</td>
+ <td>${ldda.create_time.strftime( trans.app.config.pretty_datetime_format ) | h}</td>
+ <td>${ldda.get_size( nice_size=True ) | h}</td>
</tr>
<%
my_row = row_counter.count
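Review bot: The `<td id="libraryItemInfo">${render_library_item_info( ldda )}</td>` context line stays unfiltered while the neighbouring cells gain `| h`; that def's body is outside this hunk, so unless it escapes each value it emits, whatever per-dataset text it renders remains an injection point for anyone allowed to edit a library dataset. Either add `| h` to the user-settable expressions inside that def or, if it is meant to return markup, say so at this call site: `## render_library_item_info escapes its own values; no | h here`. Separately, `id="libraryItemInfo"` is repeated on every dataset row, producing duplicate ids; `class="libraryItemInfo"` would be the correct attribute.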
@@ -355,28 +355,28 @@
%>
%if not root_folder and ( not folder.deleted or show_deleted ):
<% encoded_id = trans.security.encode_id( folder.id ) %>
- <tr id="folder-${encoded_id}" class="folderRow libraryOrFolderRow"
+ <tr id="folder-${encoded_id | h}" class="folderRow libraryOrFolderRow"
%if parent is not None:
- parent="${parent}"
+ parent="${parent | h}"
style="display: none;"
%endif
>
- <td style="padding-left: ${folder_pad}px;">
+ <td style="padding-left: ${folder_pad | h}px;">
<input type="checkbox" class="folderCheckbox"/>
- <span class="expandLink folder-${encoded_id}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id}-popup">
- <a class="folder-${encoded_id}-click" href="javascript:void(0);">
+ <span class="expandLink folder-${encoded_id | h}-click">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <a class="folder-${encoded_id | h}-click" href="javascript:void(0);">
<span class="rowIcon"></span>
%if folder.deleted:
- <div class="libraryItem-error">${folder.name}</div>
+ <div class="libraryItem-error">${folder.name | h}</div>
%else:
- ${folder.name}
+ ${folder.name | h}
%endif
</a></div></span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id}-popup">
+ <div popupmenu="folder_img-${folder.id | h}-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -407,7 +407,7 @@
%endif
%if can_modify:
%if not library.deleted and not folder.deleted:
- <a class="action-button" confirm="Click OK to delete the folder '${folder.name}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a>
+ <a class="action-button" confirm="Click OK to delete the folder '${folder.name | h}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a>
%elif not library.deleted and folder.deleted and not folder.purged:
<a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Undelete this folder</a>
%endif
@@ -416,7 +416,7 @@
%endif
<td>
%if folder.description:
- ${folder.description}
+ ${folder.description | h}
%endif
<td colspan="3"></td></tr>
@@ -504,7 +504,7 @@
return str( self.count )
%>
- <h2>Data Library “${library.name}”</h2>
+ <h2>Data Library “${library.name | h}”</h2>
<ul class="manage-table-actions">
%if not library.deleted and ( is_admin or can_add ):
@@ -517,7 +517,7 @@
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
- <a class="action-button" confirm="Click OK to delete the library named '${library.name}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a>
+ <a class="action-button" confirm="Click OK to delete the library named '${library.name | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a>
%if show_deleted:
<a class="action-button" href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=False )}">Hide deleted items</a>
%else:
@@ -555,7 +555,7 @@
%if library.synopsis not in [ '', 'None', None ]:
<div class="libraryItemBody">
- ${library.synopsis}
+ ${library.synopsis | h}
</div>
%endif
@@ -610,6 +610,6 @@
${render_compression_types_help( comptypes )}
%endif
%if not has_accessible_folders:
- The data library '${library.name}' does not contain any datasets that you can access.
+ The data library '${library.name | h}' does not contain any datasets that you can access.
%endif
</%def>
diff -r caebda8c654aa079b68be736879df61c75f23faf -r 0317c3ec09d99ac40a9217a4725c6a2fe89c3de8 templates/webapps/galaxy/library/common/browse_library_opt.mako
--- a/templates/webapps/galaxy/library/common/browse_library_opt.mako
+++ b/templates/webapps/galaxy/library/common/browse_library_opt.mako
@@ -228,29 +228,29 @@
%if current_version and ( not ldda.library_dataset.deleted or show_deleted ):
<tr class="datasetRow"
%if parent is not None:
- parent="${parent}"
+ parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id}">
+ id="libraryItem-${ldda.id | h}">
<td style="padding-left: ${pad+20}px;">
- <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id )}" value="${trans.security.encode_id( ldda.id )}"
+ <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
%if selected:
checked="checked"
%endif
/>
%if simple:
- <label for="${trans.security.encode_id( ldda.id )}">${ util.unicodify( ldda.name )}</label>
+ <label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup">
<a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
- <div class="libraryItem-error">${util.unicodify( ldda.name )}</div>
+ <div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
%else:
- ${util.unicodify( ldda.name )}
+ ${util.unicodify( ldda.name ) | h}
%endif
</a></div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id}-popup">
+ <div popupmenu="dataset-${ldda.id | h}-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
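Review bot: `${pad+20}` on the new `<td style="padding-left: ...px;">` line is left without `| h` (as are the `href="${h.url_for(...)}"` attributes), which illustrates the weakness of per-expression escaping: any `${...}` an author forgets is raw by default. Unless the Mako `TemplateLookup` for this web app is already created with `default_filters=['h']` (not visible in this diff), switching to that and marking the few deliberate markup outputs with `| n` would make the safe path the default for these templates rather than something each edit must remember. Within this hunk, `${pad+20 | h}` matches the `folder_pad | h` treatment of the folder rows, and `| h` on the `href` values is harmless since `&` between query parameters becomes `&amp;`, the correct encoding inside an attribute.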
@@ -279,7 +279,7 @@
%endif
%if can_modify:
%if not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.deleted:
- <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name )}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a>
+ <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name ) | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a>
%elif not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.purged and ldda.library_dataset.deleted:
<a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Undelete this dataset</a>
%endif
@@ -290,10 +290,10 @@
</td>
% if not simple:
<td id="libraryItemInfo">${render_library_item_info( ldda )}</td>
- <td>${ldda.extension}</td>
+ <td>${ldda.extension | h}</td>
% endif
- <td>${ldda.create_time.strftime( "%Y-%m-%d" )}</td>
- <td>${ldda.get_size( nice_size=True )}</td>
+ <td>${ldda.create_time.strftime( "%Y-%m-%d" ) | h}</td>
+ <td>${ldda.get_size( nice_size=True ) | h}</td>
</tr>
<%
my_row = row_counter.count
@@ -362,28 +362,28 @@
%>
%if not root_folder and ( not folder.deleted or show_deleted ):
<% encoded_id = trans.security.encode_id( folder.id ) %>
- <tr id="folder-${encoded_id}" class="folderRow libraryOrFolderRow"
+ <tr id="folder-${encoded_id | h}" class="folderRow libraryOrFolderRow"
%if parent is not None:
- parent="${parent}"
+ parent="${parent | h}"
style="display: none;"
%endif
>
- <td style="padding-left: ${folder_pad}px;">
+ <td style="padding-left: ${folder_pad | h}px;">
<input type="checkbox" class="folderCheckbox"/>
- <span class="expandLink folder-${encoded_id}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id}-popup">
- <a class="folder-${encoded_id}-click" href="javascript:void(0);">
+ <span class="expandLink folder-${encoded_id | h}-click">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <a class="folder-${encoded_id | h}-click" href="javascript:void(0);">
<span class="rowIcon"></span>
%if folder.deleted:
- <div class="libraryItem-error">${folder.name}</div>
+ <div class="libraryItem-error">${folder.name | h}</div>
%else:
- ${folder.name}
+ ${folder.name | h}
%endif
</a></div></span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id}-popup">
+ <div popupmenu="folder_img-${folder.id | h}-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -414,7 +414,7 @@
%endif
%if can_modify:
%if not library.deleted and not folder.deleted:
- <a class="action-button" confirm="Click OK to delete the folder '${folder.name}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a>
+ <a class="action-button" confirm="Click OK to delete the folder '${folder.name | h}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a>
%elif not library.deleted and folder.deleted and not folder.purged:
<a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Undelete this folder</a>
%endif
@@ -423,7 +423,7 @@
%endif
<td>
%if folder.description:
- ${folder.description}
+ ${folder.description | h}
%endif
<td colspan="3"></td></tr>
@@ -515,12 +515,12 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id}-popup">
+ <li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${library.id | h}-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
- <a class="action-button" confirm="Click OK to delete the library named '${library.name}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a>
+ <a class="action-button" confirm="Click OK to delete the library named '${library.name | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a>
%if show_deleted:
<a class="action-button" href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=False )}">Hide deleted items</a>
%else:
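Review bot: The rewritten `<li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li>` line carries two `class` attributes; an HTML parser keeps the first, so `menubutton` never applies. Since the commit already touches the line, merge them: `<li><a class="action-button menubutton" id="library-${library.id | h}-popup">Library Actions</a></li>`. The raw `library.id` in this element id (and in the `popupmenu` line under it) also exposes the database id in markup while every link uses `trans.security.encode_id`; not exploitable on its own, but it undercuts the encoding if that is meant to keep ids opaque to users.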
@@ -558,7 +558,7 @@
%if library.synopsis not in [ '', 'None', None ]:
<div class="libraryItemBody">
- ${library.synopsis}
+ ${library.synopsis | h}
</div>
%endif
@@ -616,6 +616,6 @@
${render_compression_types_help( comptypes )}
%endif
%if not has_accessible_folders:
- The data library '${library.name}' does not contain any datasets that you can access.
+ The data library '${library.name | h}' does not contain any datasets that you can access.
%endif
</%def>
diff -r caebda8c654aa079b68be736879df61c75f23faf -r 0317c3ec09d99ac40a9217a4725c6a2fe89c3de8 templates/webapps/galaxy/library/common/common.mako
--- a/templates/webapps/galaxy/library/common/common.mako
+++ b/templates/webapps/galaxy/library/common/common.mako
@@ -88,19 +88,19 @@
else:
tool_form_title = 'Upload files'
%>
- <div class="toolFormTitle">${tool_form_title}</div>
+ <div class="toolFormTitle">${tool_form_title | h}</div>
<div class="toolFormBody">
<form name="upload_library_dataset" id="upload_library_dataset" action="${action}" enctype="multipart/form-data" method="post">
<input type="hidden" name="tool_id" value="upload1"/>
<input type="hidden" name="tool_state" value="None"/>
- <input type="hidden" name="cntrller" value="${cntrller}"/>
- <input type="hidden" name="library_id" value="${library_id}"/>
- <input type="hidden" name="folder_id" value="${folder_id}"/>
- <input type="hidden" name="show_deleted" value="${show_deleted}"/>
+ <input type="hidden" name="cntrller" value="${cntrller | h}"/>
+ <input type="hidden" name="library_id" value="${library_id | h}"/>
+ <input type="hidden" name="folder_id" value="${folder_id | h}"/>
+ <input type="hidden" name="show_deleted" value="${show_deleted | h}"/>
%if replace_dataset not in [ None, 'None' ]:
- <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id )}"/>
+ <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id ) | h}"/>
<div class="form-row">
- You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${util.unicodify( replace_dataset.name )}</a>'.
+ You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${util.unicodify( replace_dataset.name ) | h}</a>'.
<div style="clear: both"></div></div>
%endif
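Review bot: The `<form ... action="${action}" ...>` context line leaves `action` unfiltered while every hidden input beside it now gets `| h`; where `action` is assigned is outside this hunk, so if it is ever anything other than an `h.url_for(...)` result, a `"` in it ends the attribute. Adding the filter is safe either way — an `h.url_for` URL with `&` between query parameters is correctly written as `&amp;` inside an attribute — so `action="${action | h}"` is the consistent form. The hidden `cntrller` field is now escaped for rendering, but the handler that reads it back must still accept only the controller names it knows.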
@@ -120,7 +120,7 @@
<select name="file_type"><option value="auto" selected>Auto-detect</option>
%for file_format in file_formats:
- <option value="${file_format}">${file_format}</option>
+ <option value="${file_format | h}">${file_format | h}</option>
%endfor
</select></div>
@@ -176,23 +176,23 @@
%for entry in os.listdir( import_dir ):
## Do not include entries that are not directories
%if os.path.isdir( os.path.join( import_dir, entry ) ):
- <option>${entry}</option>
+ <option>${entry | h}</option>
%endif
%endfor
%else:
%if ( trans.user_is_admin() and cntrller == 'library_admin' ):
- <option>${import_dir}</option>
+ <option>${import_dir | h}</option>
%else:
- <option>${trans.user.email}</option>
+ <option>${trans.user.email | h}</option>
%endif
%endif
</select></div><div class="toolParamHelp" style="clear: both;">
%if contains_directories:
- Upload all files in a sub-directory of <strong>${import_dir}</strong> on the Galaxy server.
+ Upload all files in a sub-directory of <strong>${import_dir | h}</strong> on the Galaxy server.
%else:
- Upload all files in <strong>${import_dir}</strong> on the Galaxy server.
+ Upload all files in <strong>${import_dir | h}</strong> on the Galaxy server.
%endif
</div><div style="clear: both"></div>
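Review bot: The `<option>${entry | h}</option>` lines have no `value=` attribute, so the directory name is round-tripped verbatim as the submitted choice, and the escaping only protects the rendered page; the handler that later joins that choice onto `import_dir` is outside this diff and is where traversal (`..`, absolute paths) has to be rejected, ideally by checking the submitted name against the same `os.listdir( import_dir )` result. The non-admin branch submits `trans.user.email` as the directory name; if that is joined into a path server-side, an email containing `/` or `..` deserves the same check. A one-line note here, `## submitted value must be validated server-side against os.listdir( import_dir )`, would record that assumption for the next reader.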
@@ -282,9 +282,9 @@
%>
%for dbkey in dbkeys:
%if dbkey[1] == default_selected:
- <option value="${dbkey[1]}" selected>${dbkey[0]}</option>
+ <option value="${dbkey[1] | h}" selected>${dbkey[0] | h}</option>
%else:
- <option value="${dbkey[1]}">${dbkey[0]}</option>
+ <option value="${dbkey[1] | h}">${dbkey[0] | h}</option>
%endif
%endfor
</select>
@@ -295,7 +295,7 @@
<label>Message:</label><div class="form-row-input">
%if ldda_message:
- <textarea name="ldda_message" rows="3" cols="35">${ldda_message}</textarea>
+ <textarea name="ldda_message" rows="3" cols="35">${ldda_message | h}</textarea>
%else:
<textarea name="ldda_message" rows="3" cols="35"></textarea>
%endif
@@ -320,13 +320,13 @@
%if widgets:
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field[ 'label' ]}</label>
+ <label>${field[ 'label' ] | h}</label>
<div class="form-row-input">
${field[ 'widget' ].get_html()}
</div><div class="toolParamHelp" style="clear: both;">
%if field[ 'helptext' ]:
- ${field[ 'helptext' ]}<br/>
+ ${field[ 'helptext' ] | h}<br/>
%endif
*Inherited template field
</div>
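Review bot: `${field[ 'widget' ].get_html()}` is deliberately left unfiltered because it returns markup, which means the escaping of the widget's current value and option labels has to happen inside `get_html()`; those values come from form-template definitions and earlier submissions, both user-settable, and the widget code is outside this diff. Confirm that in the widget classes or mark the boundary here, e.g. `## get_html() is responsible for escaping its own value/label attributes`, so a later `| h` sweep does not overlook it. The `label` and `helptext` lines now carry `| h`, consistent with the rest of the commit.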
@@ -342,14 +342,14 @@
</div>
%elif upload_option == 'import_from_history':
<div class="toolForm">
- <div class="toolFormTitle">Active datasets in your current history (${ util.unicodify( history.name )})</div>
+ <div class="toolFormTitle">Active datasets in your current history (${ util.unicodify( history.name ) | h})</div>
<div class="toolFormBody">
%if history and history.active_datasets:
<form name="add_history_datasets_to_library" action="${h.url_for( controller='library_common', action='add_history_datasets_to_library', cntrller=cntrller, library_id=library_id )}" enctype="multipart/form-data" method="post">
- <input type="hidden" name="folder_id" value="${folder_id}"/>
- <input type="hidden" name="show_deleted" value="${show_deleted}"/>
+ <input type="hidden" name="folder_id" value="${folder_id | h}"/>
+ <input type="hidden" name="show_deleted" value="${show_deleted | h}"/><input type="hidden" name="upload_option" value="import_from_history"/>
- <input type="hidden" name="ldda_message" value="${ldda_message}"/>
+ <input type="hidden" name="ldda_message" value="${ldda_message | h}"/>
<%
role_ids_selected = ''
if roles_select_list:
@@ -357,32 +357,32 @@
if selected:
role_ids_selected = ','.join( selected )
%>
- <input type="hidden" name="roles" value="${role_ids_selected}"/>
+ <input type="hidden" name="roles" value="${role_ids_selected | h}"/>
%if replace_dataset not in [ None, 'None' ]:
- <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id )}"/>
+ <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id ) | h}"/><div class="form-row">
- You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${ util.unicodify( replace_dataset.name )}</a>'.
+ You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${ util.unicodify( replace_dataset.name ) | h}</a>'.
<div style="clear: both"></div></div>
%endif
%for hda in history.visible_datasets:
<% encoded_id = trans.security.encode_id( hda.id ) %><div class="form-row">
- <input name="hda_ids" id="hist_${encoded_id}" value="${encoded_id}" type="checkbox"/>
- <label for="hist_${encoded_id}" style="display: inline;font-weight:normal;">${hda.hid}: ${ util.unicodify( hda.name )}</label>
+ <input name="hda_ids" id="hist_${encoded_id | h}" value="${encoded_id | h}" type="checkbox"/>
+ <label for="hist_${encoded_id | h}" style="display: inline;font-weight:normal;">${hda.hid | h}: ${ util.unicodify( hda.name ) | h}</label>
</div>
%endfor
%if widgets:
- <input type="hidden" name="template_id" value="${template_id}"/>
+ <input type="hidden" name="template_id" value="${template_id | h}"/>
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field[ 'label' ]}</label>
+ <label>${field[ 'label' ] | h}</label><div class="form-row-input">
${field[ 'widget' ].get_html()}
</div><div class="toolParamHelp" style="clear: both;">
%if field[ 'helptext' ]:
- ${field[ 'helptext' ]}<br/>
+ ${field[ 'helptext' ] | h}<br/>
%endif
*Inherited template field
</div>
diff -r caebda8c654aa079b68be736879df61c75f23faf -r 0317c3ec09d99ac40a9217a4725c6a2fe89c3de8 templates/webapps/galaxy/library/common/import_datasets_to_histories.mako
--- a/templates/webapps/galaxy/library/common/import_datasets_to_histories.mako
+++ b/templates/webapps/galaxy/library/common/import_datasets_to_histories.mako
@@ -34,8 +34,8 @@
checked = " checked='checked'"
%><div class="form-row">
- <input type="checkbox" name="ldda_ids" id="dataset_${encoded_id}" value="${encoded_id}" ${checked}/>
- <label for="dataset_${encoded_id}" style="display: inline;font-weight:normal;">${util.unicodify( source_ldda.name )}</label>
+ <input type="checkbox" name="ldda_ids" id="dataset_${encoded_id | h}" value="${encoded_id | h}" ${checked}/>
+ <label for="dataset_${encoded_id | h}" style="display: inline;font-weight:normal;">${util.unicodify( source_ldda.name ) | h}</label>
</div>
%endfor
%else:
@@ -61,7 +61,7 @@
else:
current_history_text = ""
%>
- <option value="${encoded_id}"${selected_text}>${i + 1}: ${h.truncate( util.unicodify( target_history.name ), 30 )}${current_history_text}</option>
+ <option value="${encoded_id | h}"${selected_text}>${i + 1}: ${h.truncate( util.unicodify( target_history.name ), 30 ) | h}${current_history_text | h}</option>
%endfor
</select><br/><br/>
@@ -77,8 +77,8 @@
current_history_text = ""
%><div class="form-row">
- <input type="checkbox" name="target_history_ids" id="target_history_${encoded_id}" value="${encoded_id}"/>
- <label for="target_history_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${util.unicodify( target_history.name )}${current_history_text}</label>
+ <input type="checkbox" name="target_history_ids" id="target_history_${encoded_id | h}" value="${encoded_id | h}"/>
+ <label for="target_history_${encoded_id | h}" style="display: inline; font-weight:normal;">${i + 1}: ${util.unicodify( target_history.name ) | h}${current_history_text | h}</label></div>
%endfor
</div>
diff -r caebda8c654aa079b68be736879df61c75f23faf -r 0317c3ec09d99ac40a9217a4725c6a2fe89c3de8 templates/webapps/galaxy/library/common/ldda_edit_info.mako
--- a/templates/webapps/galaxy/library/common/ldda_edit_info.mako
+++ b/templates/webapps/galaxy/library/common/ldda_edit_info.mako
@@ -34,9 +34,9 @@
<select name="datatype">
%for ext in file_formats:
%if ldda.ext == ext:
- <option value="${ext}" selected="yes">${ext}</option>
+ <option value="${ext | h}" selected="yes">${ext | h}</option>
%else:
- <option value="${ext}">${ext}</option>
+ <option value="${ext | h}">${ext | h}</option>
%endif
%endfor
</select>
@@ -44,24 +44,24 @@
%if ( trans.user_is_admin() and cntrller=='library_admin' ) or trans.app.security_agent.can_modify_library_item( current_user_roles, ldda.library_dataset ):
<div class="toolForm">
- <div class="toolFormTitle">Edit attributes of ${util.unicodify( ldda.name )}</div>
+ <div class="toolFormTitle">Edit attributes of ${util.unicodify( ldda.name ) | h}</div>
<div class="toolFormBody">
<form name="edit_attributes" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post">
- <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/>
+ <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/>
<div class="form-row">
<label>Name:</label>
- <input type="text" name="name" value="${util.unicodify( ldda.name )}" size="40"/>
+ <input type="text" name="name" value="${util.unicodify( ldda.name ) | h}" size="40"/><div style="clear: both"></div></div><div class="form-row"><label>Info:</label>
- <input type="text" name="info" value="${util.unicodify( ldda.info )}" size="40"/>
+ <input type="text" name="info" value="${util.unicodify( ldda.info ) | h}" size="40"/><div style="clear: both"></div></div><div class="form-row"><label>Message:</label>
%if ldda.message:
- <textarea name="message" rows="3" cols="35">${ldda.message}</textarea>
+ <textarea name="message" rows="3" cols="35">${ldda.message | h}</textarea>
%else:
<textarea name="message" rows="3" cols="35"></textarea>
%endif
@@ -73,7 +73,7 @@
%for name, spec in ldda.metadata.spec.items():
%if spec.visible:
<div class="form-row">
- <label>${spec.desc}:</label>
+ <label>${spec.desc | h}:</label>
${ldda.metadata.get_html_by_name( name, trans=trans )}
<div style="clear: both"></div></div>
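Review bot: `${ldda.metadata.get_html_by_name( name, trans=trans )}` is the one expression in this hunk without `| h` and it is emitted as raw markup, so any escaping of the current metadata value — which this same form lets the user set — has to live in the metadata widget code, outside this diff. A short caller-side note, `## get_html_by_name returns markup; it must escape the current value itself`, documents that boundary and stops a later sweep from adding `| h` here and double-escaping the form controls.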
@@ -85,7 +85,7 @@
</form><form name="auto_detect" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post"><div class="form-row">
- <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/>
+ <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><input type="submit" name="detect" value="Auto-detect"/><div class="toolParamHelp" style="clear: both;">
This will inspect the dataset and attempt to correct the above column values if they are not accurate.
@@ -101,7 +101,7 @@
%if ldda.datatype.allow_datatype_change:
<form name="change_datatype" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post"><div class="form-row">
- <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/>
+ <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><label>New Type:</label>
${datatype( ldda, file_formats )}
<div class="toolParamHelp" style="clear: both;">
@@ -129,10 +129,10 @@
<div class="form-row"><label>Extended Metadata:</label></div>
- <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/>
+ <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><div class="form-row">
%if ldda.extended_metadata:
- <textarea name="extended_metadata" rows="15" cols="35">${util.pretty_print_json(ldda.extended_metadata.data)}</textarea>
+ <textarea name="extended_metadata" rows="15" cols="35">${util.pretty_print_json(ldda.extended_metadata.data) | h}</textarea>
%else:
<textarea name="extended_metadata" rows="15" cols="35"></textarea>
%endif
@@ -147,28 +147,28 @@
<p/>
%else:
<div class="toolForm">
- <div class="toolFormTitle">View information about ${util.unicodify( ldda.name )}</div>
+ <div class="toolFormTitle">View information about ${util.unicodify( ldda.name ) | h}</div><div class="toolFormBody"><div class="form-row"><label>Name:</label>
- ${util.unicodify( ldda.name )}
+ ${util.unicodify( ldda.name ) | h}
<div style="clear: both"></div></div><div class="form-row"><label>Info:</label>
- ${util.unicodify( ldda.info )}
+ ${util.unicodify( ldda.info ) | h}
<div style="clear: both"></div></div><div class="form-row"><label>Data Format:</label>
- ${ldda.ext}
+ ${ldda.ext | h}
<div style="clear: both"></div></div>
%for name, spec in ldda.metadata.spec.items():
%if spec.visible:
<div class="form-row">
- <label>${spec.desc}:</label>
- ${ldda.metadata.get( name )}
+ <label>${spec.desc | h}:</label>
+ ${ldda.metadata.get( name ) | h}
<div style="clear: both"></div></div>
%endif
This diff is so big that we needed to truncate the remainder.
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
commit/galaxy-central: dan: HTML escape user-settable values in Data Libraries. Update tests to reflect that e.g. quotes are now html escaped within pages. Eliminate the unnecessary use of Params() object for these controllers.
by commits-noreply@bitbucket.org 08 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/bfc3b5e52781/
Changeset: bfc3b5e52781
User: dan
Date: 2014-12-08 17:27:48+00:00
Summary: HTML escape user-settable values in Data Libraries. Update tests to reflect that e.g. quotes are now html escaped within pages. Eliminate the unnecessary use of Params() object for these controllers.
Affected #: 17 files
diff -r a8b8961827ec2475a20748f5151bd96c49566e98 -r bfc3b5e52781683efc8024f18c4aa57c65af1e15 lib/galaxy/webapps/galaxy/controllers/library.py
--- a/lib/galaxy/webapps/galaxy/controllers/library.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library.py
@@ -3,7 +3,7 @@
from galaxy import web
from galaxy.model.orm import and_, not_, or_
from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import grids
+from galaxy.web.framework.helpers import escape, grids
from library_common import get_comptypes, lucene_search, whoosh_search
@@ -79,7 +79,6 @@
@web.expose
def list( self, trans, **kwd ):
- params = util.Params( kwd )
# define app configuration for generic mako template
app = {
'jscript' : "galaxy.library"
@@ -91,10 +90,9 @@
@web.expose
def index( self, trans, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- default_action = params.get( 'default_action', None )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'done' ) )
+ default_action = kwd.get( 'default_action', None )
return trans.fill_template( "/library/index.mako",
default_action=default_action,
message=message,
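Review bot: `default_action` on the third added line is taken straight from the request and handed to `/library/index.mako` unescaped, while `message` and `status` beside it are wrapped in `escape()`. That is only safe if the template compares or filters it rather than echoing it; the template is not part of this hunk, so I cannot confirm which. Escaping it here (`default_action = escape( kwd.get( 'default_action', None ) )`) depends on how `escape` treats `None`, so a `| h` on the template side is the simpler fix if it is rendered. The rest of `index` continues past the hunk.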
diff -r a8b8961827ec2475a20748f5151bd96c49566e98 -r bfc3b5e52781683efc8024f18c4aa57c65af1e15 lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -5,7 +5,7 @@
from galaxy import web
from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import grids, time_ago
+from galaxy.web.framework.helpers import escape, grids, time_ago
from library_common import get_comptypes, lucene_search, whoosh_search
# from galaxy.model.orm import *
@@ -141,20 +141,19 @@
lddas=lddas,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
# Render the list view
return self.library_list_grid( trans, **kwd )
@web.expose
@web.require_admin
def create_library( self, trans, **kwd ):
- params = galaxy.util.Params( kwd )
- message = galaxy.util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- if params.get( 'create_library_button', False ):
- name = galaxy.util.restore_text( params.get( 'name', 'No name' ) )
- description = galaxy.util.restore_text( params.get( 'description', '' ) )
- synopsis = galaxy.util.restore_text( params.get( 'synopsis', '' ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ if kwd.get( 'create_library_button', False ):
+ name = kwd.get( 'name', 'No name' )
+ description = kwd.get( 'description', '' )
+ synopsis = kwd.get( 'synopsis', '' )
if synopsis in [ 'None', None ]:
synopsis = ''
library = trans.app.model.Library( name=name, description=description, synopsis=synopsis )
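Review bot: `escape( message )` / `escape( status )` are applied only on the `fill_template` branch; the grid branch two lines later, `return self.library_list_grid( trans, **kwd )`, still forwards the raw `message` and `status` from `kwd`, so that render path is covered only if the grid helper escapes them itself, which is not visible here. This matters beyond this file: the library_common hunks at @@ -149, @@ -205, @@ -257, @@ -337, @@ -385, @@ -442, @@ -693, @@ -789, @@ -878, @@ -975 and @@ -990 replace `util.sanitize_text( message )` in redirects with the raw message, so every `browse_libraries`/`browse_library` target now has to escape on all of its render paths, not just the template one. In `create_library`, storing `name`, `description` and `synopsis` unescaped is the right escape-at-output design, provided the templates that display them use `| h` as the template hunks earlier on this page do. The function enclosing the first part of the hunk starts outside it.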
@@ -167,9 +166,9 @@
action='browse_library',
cntrller='library_admin',
id=trans.security.encode_id( library.id ),
- message=galaxy.util.sanitize_text( message ),
+ message=message,
status='done' ) )
- return trans.fill_template( '/admin/library/new_library.mako', message=message, status=status )
+ return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) )
@web.expose
@web.require_admin
def delete_library( self, trans, id, **kwd ):
@@ -196,8 +195,7 @@
# TODO: change this function to purge_library_item, behaving similar to delete_library_item
# assuming we want the ability to purge libraries.
# This function is currently only used by the functional tests.
- params = galaxy.util.Params( kwd )
- library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( params.id ) )
+ library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( kwd.get( 'id' ) ) )
def purge_folder( library_folder ):
for lf in library_folder.folders:
purge_folder( lf )
@@ -226,7 +224,7 @@
message = "Library '%s' has not been marked deleted, so it cannot be purged" % ( library.name )
return trans.response.send_redirect( web.url_for( controller='library_admin',
action='browse_libraries',
- message=galaxy.util.sanitize_text( message ),
+ message=message,
status='error' ) )
else:
purge_folder( library.root_folder )
@@ -236,5 +234,5 @@
message = "Library '%s' and all of its contents have been purged, datasets will be removed from disk via the cleanup_datasets script" % library.name
return trans.response.send_redirect( web.url_for( controller='library_admin',
action='browse_libraries',
- message=galaxy.util.sanitize_text( message ),
+ message=message,
status='done' ) )
diff -r a8b8961827ec2475a20748f5151bd96c49566e98 -r bfc3b5e52781683efc8024f18c4aa57c65af1e15 lib/galaxy/webapps/galaxy/controllers/library_common.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_common.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py
@@ -20,6 +20,7 @@
from galaxy.util.streamball import StreamBall
from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems
from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field
+from galaxy.web.framework.helpers import escape
from galaxy.model.orm import and_, eagerload_all
# Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled.
@@ -92,14 +93,13 @@
@web.expose
def browse_library( self, trans, cntrller='library', **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
# If use_panels is True, the library is being accessed via an external link
# which did not originate from within the Galaxy instance, and the library will
# be displayed correctly with the mast head.
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- library_id = params.get( 'id', None )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ library_id = kwd.get( 'id', None )
if not library_id:
# To handle bots
message = "You must specify a library id."
@@ -116,9 +116,9 @@
message = "Invalid library id ( %s ) specified." % str( library_id )
status = 'error'
else:
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- created_ldda_ids = params.get( 'created_ldda_ids', '' )
- hidden_folder_ids = util.listify( params.get( 'hidden_folder_ids', '' ) )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ created_ldda_ids = kwd.get( 'created_ldda_ids', '' )
+ hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) )
if created_ldda_ids and not message:
message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \
( len( created_ldda_ids.split( ',' ) ), library.name )
@@ -137,8 +137,8 @@
show_deleted=show_deleted,
comptypes=comptypes,
current_user_roles=current_user_roles,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
else:
return trans.fill_template( 'library/common/browse_library.mako',
cntrller=cntrller,
@@ -149,45 +149,44 @@
show_deleted=show_deleted,
comptypes=comptypes,
current_user_roles=current_user_roles,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
except Exception, e:
message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) )
status = 'error'
- default_action = params.get( 'default_action', None )
+ default_action = kwd.get( 'default_action', None )
return trans.response.send_redirect( web.url_for( use_panels=use_panels,
controller=cntrller,
action='browse_libraries',
default_action=default_action,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
@web.expose
def library_info( self, trans, cntrller, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
- library_id = params.get( 'id', None )
+ library_id = kwd.get( 'id', None )
try:
library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( library_id ) )
except:
library = None
self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'library_info_button', False ):
+ if kwd.get( 'library_info_button', False ):
self._check_modify( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
old_name = library.name
- new_name = util.restore_text( params.get( 'name', 'No name' ) )
+ new_name = kwd.get( 'name', 'No name' )
if not new_name:
message = 'Enter a valid name'
status='error'
else:
- new_description = util.restore_text( params.get( 'description', '' ) )
- new_synopsis = util.restore_text( params.get( 'synopsis', '' ) )
+ new_description = kwd.get( 'description', '' )
+ new_synopsis = kwd.get( 'synopsis', '' )
if new_synopsis in [ None, 'None' ]:
new_synopsis = ''
library.name = new_name
@@ -205,7 +204,7 @@
use_panels=use_panels,
id=trans.security.encode_id( library.id ),
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
# See if we have any associated templates
info_association, inherited = library.get_info_association()
@@ -221,30 +220,29 @@
show_deleted=show_deleted,
info_association=info_association,
inherited=inherited,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def library_permissions( self, trans, cntrller, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
- library_id = params.get( 'id', None )
+ library_id = kwd.get( 'id', None )
try:
library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( library_id ) )
except:
library = None
self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
self._check_manage( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'update_roles_button', False ):
+ if kwd.get( 'update_roles_button', False ):
# The user clicked the Save button on the 'Associate With Roles' form
permissions = {}
for k, v in trans.app.model.Library.permitted_actions.items():
- in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( x ) for x in util.listify( params.get( k + '_in', [] ) ) ]
+ in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( x ) for x in util.listify( kwd.get( k + '_in', [] ) ) ]
permissions[ trans.app.security_agent.get_action( v.action ) ] = in_roles
trans.app.security_agent.set_all_library_permissions( trans, library, permissions )
trans.sa_session.refresh( library )
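Review bot: `trans.sa_session.query( trans.app.model.Role ).get( x )` on the changed `in_roles` line passes the raw form string `x`, whereas the parallel line in `folder_permissions` (hunk @@ -423) casts with `int( x )`; the two should agree, e.g. `.get( int( x ) )` here. In both places an id that does not resolve leaves a `None` inside `in_roles`, and a non-numeric value either errors or silently misses, so dropping unresolved entries before the update — `in_roles = [ r for r in in_roles if r is not None ]` — would keep malformed input out of `set_all_library_permissions`. `library_permissions` continues beyond the hunk.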
@@ -257,7 +255,7 @@
use_panels=use_panels,
id=trans.security.encode_id( library.id ),
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
roles = trans.app.security_agent.get_legitimate_roles( trans, library, cntrller )
all_roles = trans.app.security_agent.get_all_roles( trans, cntrller )
@@ -269,16 +267,15 @@
roles=roles,
all_roles=all_roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' )
current_user_roles = trans.get_current_user_roles()
try:
@@ -291,9 +288,9 @@
parent_library = parent_folder.parent_library
self._check_access( trans, cntrller, is_admin, parent_folder, current_user_roles, use_panels, library_id, show_deleted )
self._check_add( trans, cntrller, is_admin, parent_folder, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'new_folder_button', False ) or cntrller == 'api':
- new_folder = trans.app.model.LibraryFolder( name=util.restore_text( params.name ),
- description=util.restore_text( params.description ) )
+ if kwd.get( 'new_folder_button', False ) or cntrller == 'api':
+ new_folder = trans.app.model.LibraryFolder( name=kwd.get( 'name', '' ),
+ description=kwd.get( 'description', '' ) )
# We are associating the last used genome build with folders, so we will always
# initialize a new folder with the first dbkey in genome builds list which is currently
# ? unspecified (?)
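Review bot: `name=kwd.get( 'name', '' )` in the new `LibraryFolder( ... )` call accepts a missing or empty folder name, while the rename path in `folder_info` later in this file rejects it with `message = 'Enter a valid name'`. Checking before constructing the folder — `if not kwd.get( 'name' ): message, status = 'Enter a valid name', 'error'` and falling through to the form — would give both paths the same rule; the old `params.name` access did not validate either, so this is pre-existing, but the `.get()` default now makes the empty case silent. `create_folder` starts and ends outside the hunk.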
@@ -325,7 +322,7 @@
show_deleted=show_deleted,
info_association=info_association,
inherited=inherited,
- message=message,
+ message=escape( message ),
status='done' )
# If not inheritable info_association, redirect to the library.
message = "The new folder named '%s' has been added to the data library." % new_folder.name
@@ -337,7 +334,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
# We do not render any template widgets on creation pages since saving the info_association
# cannot occur before the associated item is saved.
@@ -347,16 +344,15 @@
library_id=library_id,
folder=parent_folder,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def folder_info( self, trans, cntrller, id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -364,11 +360,11 @@
except:
folder = None
self._check_access( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'rename_folder_button', False ):
+ if kwd.get( 'rename_folder_button', False ):
self._check_modify( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted )
old_name = folder.name
- new_name = util.restore_text( params.name )
- new_description = util.restore_text( params.description )
+ new_name = kwd.get( 'name', '' )
+ new_description = kwd.get( 'description', '' )
if not new_name:
message = 'Enter a valid name'
status='error'
@@ -385,7 +381,7 @@
id=id,
library_id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
# See if we have any associated templates
widgets = []
@@ -405,16 +401,15 @@
show_deleted=show_deleted,
info_association=info_association,
inherited=inherited,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def folder_permissions( self, trans, cntrller, id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -423,14 +418,14 @@
folder = None
self._check_access( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted )
self._check_manage( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'update_roles_button', False ):
+ if kwd.get( 'update_roles_button', False ):
# The user clicked the Save button on the 'Associate With Roles' form
permissions = {}
for k, v in trans.app.model.Library.permitted_actions.items():
if k != 'LIBRARY_ACCESS':
# LIBRARY_ACCESS is a special permission set only at the library level
# and it is not inherited.
- in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( params.get( k + '_in', [] ) ) ]
+ in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( kwd.get( k + '_in', [] ) ) ]
permissions[ trans.app.security_agent.get_action( v.action ) ] = in_roles
trans.app.security_agent.set_all_library_permissions( trans, folder, permissions )
trans.sa_session.refresh( folder )
@@ -442,7 +437,7 @@
id=trans.security.encode_id( folder.id ),
library_id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
# If the library is public all roles are legitimate, but if the library
# is restricted, only those roles associated with the LIBRARY_ACCESS
@@ -456,16 +451,15 @@
current_user_roles=current_user_roles,
roles=roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -474,7 +468,7 @@
ldda = None
self._check_access( trans, cntrller, is_admin, ldda, current_user_roles, use_panels, library_id, show_deleted )
self._check_modify( trans, cntrller, is_admin, ldda, current_user_roles, use_panels, library_id, show_deleted )
- dbkey = params.get( 'dbkey', '?' )
+ dbkey = kwd.get( 'dbkey', '?' )
if isinstance( dbkey, list ):
dbkey = dbkey[0]
file_formats = [ dtype_name for dtype_name, dtype_value in trans.app.datatypes_registry.datatypes_by_extension.iteritems() if dtype_value.allow_datatype_change ]
@@ -498,26 +492,26 @@
info_association, inherited = ldda.get_info_association()
if info_association and ( not( inherited ) or info_association.inheritable ):
widgets = ldda.get_template_widgets( trans )
- if params.get( 'change', False ):
+ if kwd.get( 'change', False ):
# The user clicked the Save button on the 'Change data type' form
if __ok_to_edit_metadata( ldda.id ):
- if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( params.datatype ).allow_datatype_change:
- trans.app.datatypes_registry.change_datatype( ldda, params.datatype )
+ if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( kwd.get( 'datatype' ) ).allow_datatype_change:
+ trans.app.datatypes_registry.change_datatype( ldda, kwd.get( 'datatype' ) )
trans.sa_session.flush()
message = "Data type changed for library dataset '%s'." % ldda.name
status = 'done'
else:
- message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( ldda.extension, params.datatype )
+ message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( ldda.extension, kwd.get( 'datatype' ) )
status = 'error'
else:
message = "This dataset is currently being used as input or output. You cannot change datatype until the jobs have completed or you have canceled them."
status = "error"
- elif params.get( 'save', False ):
+ elif kwd.get( 'save', False ):
# The user clicked the Save button on the 'Edit Attributes' form
old_name = ldda.name
- new_name = util.restore_text( params.get( 'name', '' ) )
- new_info = util.restore_text( params.get( 'info', '' ) )
- new_message = util.restore_text( params.get( 'message', '' ) )
+ new_name = kwd.get( 'name', '' )
+ new_info = kwd.get( 'info', '' )
+ new_message = kwd.get( 'message', '' )
if not new_name:
message = 'Enter a valid name'
status = 'error'
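Review bot: `kwd.get( 'datatype' )` is read three times in the `change` branch, and `get_datatype_by_extension( kwd.get( 'datatype' ) ).allow_datatype_change` dereferences the registry result without checking it; if the registry returns `None` for an extension it does not know (its contract is not visible here), an unrecognised or absent `datatype` value raises `AttributeError` instead of reaching the "not allowed" message below. Reading it once — `new_ext = kwd.get( 'datatype' )`, `new_datatype = trans.app.datatypes_registry.get_datatype_by_extension( new_ext )`, `if new_datatype is not None and ldda.datatype.allow_datatype_change and new_datatype.allow_datatype_change:` — addresses both and lets the error message reuse `new_ext`. `ldda_edit_info` starts and ends outside the hunk.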
@@ -530,12 +524,12 @@
for name, spec in ldda.datatype.metadata_spec.items():
if spec.get("readonly"):
continue
- optional = params.get( "is_" + name, None )
+ optional = kwd.get( "is_" + name, None )
if optional and optional == 'true':
# optional element... == 'true' actually means it is NOT checked (and therefore ommitted)
setattr( ldda.metadata, name, None )
else:
- setattr( ldda.metadata, name, spec.unwrap( params.get ( name, None ) ) )
+ setattr( ldda.metadata, name, spec.unwrap( kwd.get( name, None ) ) )
ldda.metadata.dbkey = dbkey
ldda.datatype.after_setting_metadata( ldda )
message = "Attributes updated for library dataset '%s'." % ldda.name
@@ -544,7 +538,7 @@
message = "Attributes updated, but metadata could not be changed because this dataset is currently being used as input or output. You must cancel or wait for these jobs to complete before changing metadata."
status = 'warning'
trans.sa_session.flush()
- elif params.get( 'detect', False ):
+ elif kwd.get( 'detect', False ):
# The user clicked the Auto-detect button on the 'Edit Attributes' form
if __ok_to_edit_metadata( ldda.id ):
for name, spec in ldda.datatype.metadata_spec.items():
@@ -559,8 +553,8 @@
message = "This dataset is currently being used as input or output. You cannot change metadata until the jobs have completed or you have canceled them."
status = 'error'
trans.sa_session.flush()
- elif params.get( 'change_extended_metadata', False):
- em_string = util.restore_text( params.get("extended_metadata", "") )
+ elif kwd.get( 'change_extended_metadata', False):
+ em_string = kwd.get("extended_metadata", "" )
if len(em_string):
payload = None
try:
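Review bot: `em_string = kwd.get("extended_metadata", "" )` mixes double quotes and asymmetric spacing, unlike the `kwd.get( 'message', '' )` form used on every other changed line of this file; `em_string = kwd.get( 'extended_metadata', '' )` keeps the file uniform. `if len(em_string):` on the next line can likewise be `if em_string:`. The function continues beyond the hunk.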
@@ -610,17 +604,16 @@
show_deleted=show_deleted,
info_association=info_association,
inherited=inherited,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- show_associated_hdas_and_lddas = util.string_as_bool( params.get( 'show_associated_hdas_and_lddas', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
ldda = trans.sa_session.query( trans.app.model.LibraryDatasetDatasetAssociation ).get( trans.security.decode_id( id ) )
@@ -660,16 +653,15 @@
current_user_roles=current_user_roles,
info_association=info_association,
inherited=inherited,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
ids = util.listify( id )
lddas = []
libraries = []
@@ -693,7 +685,7 @@
id=library_id,
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
# If access to the dataset is restricted, then use the roles associated with the DATASET_ACCESS permission to
# determine the legitimate roles. If the dataset is public, see if access to the library is restricted. If
@@ -706,7 +698,7 @@
roles = trans.app.security_agent.get_legitimate_roles( trans, library, cntrller )
else:
roles = trans.app.security_agent.get_legitimate_roles( trans, ldda.dataset, cntrller )
- if params.get( 'update_roles_button', False ):
+ if kwd.get( 'update_roles_button', False ):
# Dataset permissions
access_action = trans.app.security_agent.get_action( trans.app.security_agent.permitted_actions.DATASET_ACCESS.action )
manage_permissions_action = trans.app.security_agent.get_action( trans.app.security_agent.permitted_actions.DATASET_MANAGE_PERMISSIONS.action )
@@ -763,8 +755,8 @@
library_id=library_id,
roles=roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
if len( ids ) > 1:
# Ensure that the permissions across all library items are identical, otherwise we can't update them together.
check_list = []
@@ -789,7 +781,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
# Display permission form, permissions will be updated for all lddas simultaneously.
return trans.fill_template( "/library/common/ldda_permissions.mako",
@@ -799,32 +791,31 @@
library_id=library_id,
roles=roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- ldda_message = util.restore_text( params.get( 'ldda_message', '' ) )
- deleted = util.string_as_bool( params.get( 'deleted', False ) )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- replace_id = params.get( 'replace_id', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ ldda_message = kwd.get( 'ldda_message', '' )
+ deleted = util.string_as_bool( kwd.get( 'deleted', False ) )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ replace_id = kwd.get( 'replace_id', None )
replace_dataset = None
- upload_option = params.get( 'upload_option', 'upload_file' )
- if params.get( 'files_0|space_to_tab', False ):
- space_to_tab = params.get( 'files_0|space_to_tab', '' )
+ upload_option = kwd.get( 'upload_option', 'upload_file' )
+ if kwd.get( 'files_0|space_to_tab', False ):
+ space_to_tab = kwd.get( 'files_0|space_to_tab', '' )
else:
- space_to_tab = params.get( 'space_to_tab', '' )
- link_data_only = params.get( 'link_data_only', 'copy_files' )
- dbkey = params.get( 'dbkey', '?' )
+ space_to_tab = kwd.get( 'space_to_tab', '' )
+ link_data_only = kwd.get( 'link_data_only', 'copy_files' )
+ dbkey = kwd.get( 'dbkey', '?' )
if isinstance( dbkey, list ):
last_used_build = dbkey[0]
else:
last_used_build = dbkey
- roles = params.get( 'roles', '' )
+ roles = kwd.get( 'roles', '' )
is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' )
current_user_roles = trans.get_current_user_roles()
widgets = []
@@ -853,7 +844,7 @@
library = folder.parent_library
if folder and last_used_build in [ 'None', None, '?' ]:
last_used_build = folder.genome_build
- if params.get( 'runtool_btn', False ) or params.get( 'ajax_upload', False ) or cntrller == 'api':
+ if kwd.get( 'runtool_btn', False ) or kwd.get( 'ajax_upload', False ) or cntrller == 'api':
error = False
if upload_option == 'upload_paths' and not trans.app.config.allow_library_path_paste:
error = True
@@ -878,7 +869,7 @@
replace_id=replace_id,
upload_option=upload_option,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
else:
# See if we have any inherited templates.
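Review bot: Dropping `util.sanitize_text( message )` from the redirect arguments moves output encoding to whichever action later reads `message` and `status` back out of `kwd`, so every redirect target now has to escape before rendering; the handlers changed in this diff do so (`message=escape( message )` before `fill_template`), but `browse_library`, the target of most of these redirects, is not in the diff and should be checked for the same treatment. The same applies to every `message=message` redirect hunk that follows, so I am raising it once here. A short comment at this first site, `# message/status are passed raw; the receiving action escapes them at render time`, would record the contract for later edits. The enclosing method starts and ends outside this hunk.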
@@ -892,7 +883,7 @@
for index, widget_dict in enumerate( widgets ):
widget = widget_dict[ 'widget' ]
if isinstance( widget, AddressField ):
- value = util.restore_text( params.get( widget.name, '' ) )
+ value = kwd.get( widget.name, '' )
if value == 'new':
if self.field_param_values_ok( widget.name, 'AddressField', **kwd ):
# Save the new address
@@ -975,7 +966,7 @@
default_action=default_action,
created_ldda_ids=created_ldda_ids,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
else:
created_ldda_ids = ''
@@ -990,7 +981,7 @@
id=library_id,
created_ldda_ids=created_ldda_ids,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
# Note: if the upload form was submitted due to refresh_on_change for a form field, we cannot re-populate
# the field for the selected file ( files_0|file_data ) if the user selected one. This is because the value
@@ -1049,8 +1040,8 @@
link_data_only=link_data_only,
show_deleted=show_deleted,
ldda_message=ldda_message,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
def upload_dataset( self, trans, cntrller, library_id, folder_id, replace_dataset=None, **kwd ):
# Set up the traditional tool state/params
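Review bot: `ldda_message` is handed to `fill_template` unescaped on the line directly above `message=escape( message )`, although it also comes straight from the request (`kwd.get( 'ldda_message', '' )` earlier in the same method), so it gets less protection than `message` and `status` in the same call; unless the template filters it with `| h`, the line should become `ldda_message=escape( ldda_message ),`. The render hunk of `add_history_datasets_to_library` further down has the same shape and should be changed together with this one. The method being rendered here starts outside this hunk, and `upload_dataset`, whose signature closes the hunk, continues beyond it.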
@@ -1064,16 +1055,15 @@
if input.type == "upload_dataset":
dataset_upload_inputs.append( input )
# Library-specific params
- params = util.Params( kwd ) # is this filetoolparam safe?
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- server_dir = util.restore_text( params.get( 'server_dir', '' ) )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ server_dir = kwd.get( 'server_dir', '' )
if replace_dataset not in [ None, 'None' ]:
replace_id = trans.security.encode_id( replace_dataset.id )
else:
replace_id = None
- upload_option = params.get( 'upload_option', 'upload_file' )
+ upload_option = kwd.get( 'upload_option', 'upload_file' )
response_code = 200
if upload_option == 'upload_directory':
if server_dir in [ None, 'None', '' ]:
@@ -1102,7 +1092,7 @@
try:
# FIXME: instead of passing params here ( which have been processed by util.Params(), the original kwd
# should be passed so that complex objects that may have been included in the initial request remain.
- library_bunch = upload_common.handle_library_params( trans, params, folder_id, replace_dataset )
+ library_bunch = upload_common.handle_library_params( trans, kwd, folder_id, replace_dataset )
except:
response_code = 500
message = "Unable to parse upload parameters, please report this error."
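Review bot: The FIXME on the two comment lines above the call is now stale: it asks for the original `kwd` to be passed instead of the `util.Params`-processed object, which is exactly what the new line does, so those two comment lines should be deleted with this change rather than left to mislead the next reader. The bare `except:` that follows is pre-existing, but since it is the only thing standing between this call and a 500, narrowing it to `except Exception:` would keep `KeyboardInterrupt` and `SystemExit` from being reported as a parse failure. `upload_dataset` starts and ends outside this hunk.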
@@ -1113,9 +1103,9 @@
tool_params = upload_common.persist_uploads( tool_params )
uploaded_datasets = upload_common.get_uploaded_datasets( trans, cntrller, tool_params, precreated_datasets, dataset_upload_inputs, library_bunch=library_bunch )
elif upload_option == 'upload_directory':
- uploaded_datasets, response_code, message = self.get_server_dir_uploaded_datasets( trans, cntrller, params, full_dir, import_dir_desc, library_bunch, response_code, message )
+ uploaded_datasets, response_code, message = self.get_server_dir_uploaded_datasets( trans, cntrller, kwd, full_dir, import_dir_desc, library_bunch, response_code, message )
elif upload_option == 'upload_paths':
- uploaded_datasets, response_code, message = self.get_path_paste_uploaded_datasets( trans, cntrller, params, library_bunch, response_code, message )
+ uploaded_datasets, response_code, message = self.get_path_paste_uploaded_datasets( trans, cntrller, kwd, library_bunch, response_code, message )
upload_common.cleanup_unused_precreated_datasets( precreated_datasets )
if upload_option == 'upload_file' and not uploaded_datasets:
response_code = 400
@@ -1131,7 +1121,7 @@
replace_id=replace_id,
upload_option=upload_option,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
json_file_path = upload_common.create_paramfile( trans, uploaded_datasets )
data_list = [ ud.data for ud in uploaded_datasets ]
@@ -1146,7 +1136,7 @@
def make_library_uploaded_dataset( self, trans, cntrller, params, name, path, type, library_bunch, in_folder=None ):
link_data_only = params.get( 'link_data_only', 'copy_files' )
uuid_str = params.get( 'uuid', None )
- file_type = params.file_type
+ file_type = params.get( 'file_type' )
library_bunch.replace_dataset = None # not valid for these types of upload
uploaded_dataset = util.bunch.Bunch()
new_name = name
@@ -1162,8 +1152,8 @@
uploaded_dataset.type = type
uploaded_dataset.ext = None
uploaded_dataset.file_type = file_type
- uploaded_dataset.dbkey = params.dbkey
- uploaded_dataset.space_to_tab = params.space_to_tab
+ uploaded_dataset.dbkey = params.get( 'dbkey' )
+ uploaded_dataset.space_to_tab = params.get( 'space_to_tab' )
if in_folder:
uploaded_dataset.in_folder = in_folder
uploaded_dataset.data = upload_common.new_upload( trans, cntrller, uploaded_dataset, library_bunch )
@@ -1262,7 +1252,7 @@
return files_and_folders
def _paths_list(self, params):
- return [ (l.strip(), os.path.abspath(l.strip())) for l in params.filesystem_paths.splitlines() if l.strip() ]
+ return [ (l.strip(), os.path.abspath(l.strip())) for l in params.get( 'filesystem_paths', '' ).splitlines() if l.strip() ]
def _check_path_paste_params(self, params):
if params.get( 'filesystem_paths', '' ) == '':
@@ -1274,33 +1264,32 @@
if not os.path.exists( path ):
bad_paths.append( path )
if bad_paths:
- message = "Invalid paths:<br><ul><li>%s</li></ul>" % "</li><li>".join( bad_paths )
+ message = 'Invalid paths: "%s".' % '", "'.join( bad_paths )
response_code = 400
return None, response_code, message
return None
@web.expose
def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- ldda_message = util.restore_text( params.get( 'ldda_message', '' ) )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- replace_id = params.get( 'replace_id', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ ldda_message = kwd.get( 'ldda_message', '' )
+ show_deleted = kwd.get( 'show_deleted', False )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ replace_id = kwd.get( 'replace_id', None )
replace_dataset = None
- upload_option = params.get( 'upload_option', 'import_from_history' )
- if params.get( 'files_0|space_to_tab', False ):
- space_to_tab = params.get( 'files_0|space_to_tab', '' )
+ upload_option = kwd.get( 'upload_option', 'import_from_history' )
+ if kwd.get( 'files_0|space_to_tab', False ):
+ space_to_tab = kwd.get( 'files_0|space_to_tab', '' )
else:
- space_to_tab = params.get( 'space_to_tab', '' )
- link_data_only = params.get( 'link_data_only', 'copy_files' )
- dbkey = params.get( 'dbkey', '?' )
+ space_to_tab = kwd.get( 'space_to_tab', '' )
+ link_data_only = kwd.get( 'link_data_only', 'copy_files' )
+ dbkey = kwd.get( 'dbkey', '?' )
if isinstance( dbkey, list ):
last_used_build = dbkey[0]
else:
last_used_build = dbkey
- roles = params.get( 'roles', '' )
+ roles = kwd.get( 'roles', '' )
is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' )
current_user_roles = trans.get_current_user_roles()
widgets = []
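Review bot: `show_deleted = kwd.get( 'show_deleted', False )` in `add_history_datasets_to_library` drops the `util.string_as_bool` wrapper that the removed line had and that the sibling handlers in this diff keep (`upload_dataset`, `download_dataset_from_folder`), so a request carrying `show_deleted=False` now yields the truthy string `'False'`, which is then propagated through the redirects and template calls below. Restore it as `show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )`. The new plain-text `'Invalid paths: "%s".'` message in the same hunk is the right companion to escaping at render time, since the old `<ul>` markup would otherwise be displayed literally. `add_history_datasets_to_library` continues past the end of this hunk.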
@@ -1338,9 +1327,9 @@
cntrller=cntrller,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
- if params.get( 'add_history_datasets_to_library_button', False ):
+ if kwd.get( 'add_history_datasets_to_library_button', False ):
hda_ids = util.listify( hda_ids )
if hda_ids:
dataset_names = []
@@ -1369,7 +1358,7 @@
trans.app.security_agent.copy_library_permissions( trans, folder, ldda )
trans.app.security_agent.copy_library_permissions( trans, folder, ldda.library_dataset )
else:
- library_bunch = upload_common.handle_library_params( trans, params, folder_id, replace_dataset )
+ library_bunch = upload_common.handle_library_params( trans, kwd, folder_id, replace_dataset )
if library_bunch.template and library_bunch.template_field_contents:
# Since information templates are inherited, the template fields can be displayed on the upload form.
# If the user has added field contents, we'll need to create a new form_values and info_association
@@ -1437,12 +1426,12 @@
id=library_id,
created_ldda_ids=created_ldda_ids,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
else:
message = 'Select at least one dataset from the list of active datasets in your current history'
status = 'error'
- upload_option = params.get( 'upload_option', 'import_from_history' )
+ upload_option = kwd.get( 'upload_option', 'import_from_history' )
widgets = self._get_populated_widgets( folder )
# Send list of data formats to the upload form so the "extension" select list can be populated dynamically
file_formats = trans.app.datatypes_registry.upload_file_formats
@@ -1476,8 +1465,8 @@
link_data_only=link_data_only,
show_deleted=show_deleted,
ldda_message=ldda_message,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
def _build_roles_select_list( self, trans, cntrller, library, selected_role_ids=[] ):
# Get the list of legitimate roles to display on the upload form. If the library is public,
@@ -1540,8 +1529,7 @@
def download_dataset_from_folder( self, trans, cntrller, id, library_id=None, **kwd ):
"""Catches the dataset id and displays file contents as directed"""
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
- params = util.Params( kwd )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -1574,16 +1562,15 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
@web.expose
def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -1591,11 +1578,11 @@
except:
library_dataset = None
self._check_access( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'edit_attributes_button', False ):
+ if kwd.get( 'edit_attributes_button', False ):
self._check_modify( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
old_name = library_dataset.name
- new_name = util.restore_text( params.get( 'name', '' ) )
- new_info = util.restore_text( params.get( 'info', '' ) )
+ new_name = kwd.get( 'name', '' )
+ new_info = kwd.get( 'info', '' )
if not new_name:
message = 'Enter a valid name'
status = 'error'
@@ -1624,16 +1611,15 @@
widgets=widgets,
widget_fields_have_contents=widget_fields_have_contents,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -1642,7 +1628,7 @@
library_dataset = None
self._check_access( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
self._check_manage( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'update_roles_button', False ):
+ if kwd.get( 'update_roles_button', False ):
# The user clicked the Save button on the 'Associate With Roles' form
permissions = {}
for k, v in trans.app.model.Library.permitted_actions.items():
@@ -1673,23 +1659,22 @@
roles=roles,
current_user_roles=current_user_roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
current_user_roles = trans.get_current_user_roles()
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
if item_type == 'library':
library = trans.sa_session.query( trans.model.Library ).get( trans.security.decode_id( id ) )
self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
self._check_manage( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
- contents = util.string_as_bool( params.get( 'contents', 'False' ) )
+ contents = util.string_as_bool( kwd.get( 'contents', 'False' ) )
trans.app.security_agent.make_library_public( library, contents=contents )
if contents:
message = "The data library (%s) and all its contents have been made publicly accessible." % library.name
@@ -1716,7 +1701,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
@web.expose
@@ -1741,12 +1726,11 @@
rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath )
return rval
# Perform an action on a list of library datasets.
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- action = params.get( 'do_action', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ action = kwd.get( 'do_action', None )
lddas = []
error = False
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
@@ -1761,7 +1745,7 @@
else:
if action in [ 'import_to_current_history', 'import_to_histories' ]:
new_kwd = {}
- if action == 'import_to_current_history':
+ if current_history is not None and action == 'import_to_current_history':
encoded_current_history_id = trans.security.encode_id( current_history.id )
selected_history_id = encoded_current_history_id
new_kwd[ 'do_action' ] = action
@@ -1832,7 +1816,7 @@
folder_id=folder_id,
id=",".join( encoded_ldda_ids ),
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
else:
message = "You are not authorized to manage permissions on any of the selected datasets."
@@ -1993,11 +1977,11 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
else:
# We arrived here from the library_dataset_search_results page, so redirect there.
- search_term = params.get( 'search_term', '' )
+ search_term = kwd.get( 'search_term', '' )
comptypes = get_comptypes( trans )
return trans.fill_template( '/library/common/library_dataset_search_results.mako',
cntrller=cntrller,
@@ -2007,8 +1991,8 @@
lddas=lddas,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def import_datasets_to_histories( self, trans, cntrller, library_id='', folder_id='', ldda_ids='', target_history_id='', target_history_ids='', new_history_name='', **kwd ):
@@ -2018,12 +2002,11 @@
# - a select list option for acting on multiple selected datasets within a library
# ( ldda_ids is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids )
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- action = params.get( 'do_action', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ action = kwd.get( 'do_action', None )
user = trans.get_user()
current_history = trans.get_history()
if library_id:
@@ -2042,7 +2025,7 @@
target_history_ids = set( [ trans.security.decode_id( target_history_id ) for target_history_id in target_history_ids if target_history_id ] )
elif target_history_id:
target_history_ids = [ trans.security.decode_id( target_history_id ) ]
- if params.get( 'import_datasets_to_histories_button', False ):
+ if kwd.get( 'import_datasets_to_histories_button', False ):
invalid_datasets = 0
if not ldda_ids or not ( target_history_ids or new_history_name ):
message = "You must provide one or more source library datasets and one or more target histories."
@@ -2106,11 +2089,13 @@
# to the lddas in order for the menu optin to be available.
ldda = trans.sa_session.query( trans.model.LibraryDatasetDatasetAssociation ).get( ldda_id )
source_lddas.append( ldda )
+ if current_history is None:
+ current_history = trans.get_history( create=True )
if current_history is not None:
target_histories = [ current_history ]
else:
target_histories = []
- message = 'You must have a history before you can import datasets. You can do this by <a href="%s" target="_top">loading the analysis interface</a>.' % url_for(controller='root')
+ message = 'You must have a history before you can import datasets. You can do this by loading the analysis interface.'
status = 'error'
if user:
target_histories = user.active_histories
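Review bot: With `current_history = trans.get_history( create=True )` inserted before the `if current_history is not None:` test, the `else:` branch that sets the "You must have a history" error is reachable only if `get_history( create=True )` can still return `None`; if it cannot, that branch is dead and should be removed, and if it can, the message no longer describes the condition it guards. Whichever holds, a one-line comment on the `else:` stating when `get_history( create=True )` yields `None` would make the intent checkable, since the `get_history` contract is not visible in this diff. The enclosing method starts and ends outside this hunk.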
@@ -2120,7 +2105,7 @@
action='browse_library',
cntrller=cntrller,
id=library_id,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
return trans.fill_template( "/library/common/import_datasets_to_histories.mako",
cntrller=cntrller,
@@ -2134,16 +2119,15 @@
new_history_name=new_history_name,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ):
- params = util.Params( kwd )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' )
current_user_roles = trans.get_current_user_roles()
try:
@@ -2162,7 +2146,7 @@
cntrller=cntrller,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
info_association, inherited = item.get_info_association( restrict=True )
if info_association:
@@ -2181,7 +2165,7 @@
folder_id=folder_id,
id=id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
@web.expose
@@ -2193,11 +2177,10 @@
# 'ldda' and item_id is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a
# comma separated string of ldda ids )
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
make_target_current = util.string_as_bool( make_target_current )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
user = trans.get_user()
@@ -2211,14 +2194,14 @@
else:
# Request sent from the library_dataset_search_results page.
source_library = None
- target_library_id = params.get( 'target_library_id', '' )
+ target_library_id = kwd.get( 'target_library_id', '' )
if target_library_id not in [ '', 'none', None ]:
target_library = trans.sa_session.query( trans.model.Library ).get( trans.security.decode_id( target_library_id ) )
elif make_target_current:
target_library = source_library
else:
target_library = None
- target_folder_id = params.get( 'target_folder_id', '' )
+ target_folder_id = kwd.get( 'target_folder_id', '' )
if target_folder_id not in [ '', 'none', None ]:
target_folder = trans.sa_session.query( trans.model.LibraryFolder ).get( trans.security.decode_id( target_folder_id ) )
if target_library is None:
@@ -2233,7 +2216,7 @@
elif item_type == 'folder':
move_folder_id = item_id
move_folder = trans.sa_session.query( trans.model.LibraryFolder ).get( trans.security.decode_id( move_folder_id ) )
- if params.get( 'move_library_item_button', False ):
+ if kwd.get( 'move_library_item_button', False ):
if not ( move_ldda_ids or move_folder_id ) or target_folder_id in [ '', 'none', None ]:
message = "You must select a source folder or one or more source datasets, and a target folder."
status = 'error'
@@ -2397,8 +2380,8 @@
target_folder_id_select_field=target_folder_id_select_field,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def delete_library_item( self, trans, cntrller, library_id, item_id, item_type, **kwd ):
@@ -2569,7 +2552,7 @@
action='browse_libraries',
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
return trans.response.send_redirect( web.url_for( controller='library_common',
action='browse_library',
@@ -2577,7 +2560,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
def _check_add( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ):
@@ -2593,7 +2576,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
def _check_manage( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ):
@@ -2610,7 +2593,7 @@
id=library_id,
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
# Deny access if the user is not an admin and does not have the LIBRARY_MANAGE permission.
if not ( is_admin or trans.app.security_agent.can_manage_library_item( current_user_roles, item ) ):
@@ -2622,7 +2605,7 @@
id=library_id,
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
def _check_modify( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ):
@@ -2637,7 +2620,7 @@
id=library_id,
use_panels=use_panels,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
# ---- Utility methods -------------------------------------------------------
@@ -2777,9 +2760,8 @@
def lucene_search( trans, cntrller, search_term, search_url, **kwd ):
"""Return display of results from a full-text lucene search of data libraries."""
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) )
response = urllib2.urlopen( full_url )
ldda_ids = util.json.loads( response.read() )[ "ids" ]
@@ -2789,9 +2771,8 @@
def whoosh_search( trans, cntrller, search_term, **kwd ):
"""Return display of results from a full-text whoosh search of data libraries."""
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
ok = True
if whoosh_search_enabled:
whoosh_index_dir = trans.app.config.whoosh_index_dir
diff -r a8b8961827ec2475a20748f5151bd96c49566e98 -r bfc3b5e52781683efc8024f18c4aa57c65af1e15 templates/webapps/galaxy/library/common/browse_library.mako
--- a/templates/webapps/galaxy/library/common/browse_library.mako
+++ b/templates/webapps/galaxy/library/common/browse_library.mako
@@ -236,29 +236,29 @@
%if current_version and ( not ldda.library_dataset.deleted or show_deleted ):
<tr class="datasetRow"
%if parent is not None:
- parent="${parent}"
+ parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id}">
+ id="libraryItem-${ldda.id | h}"><td style="padding-left: ${pad+20}px;">
- <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id )}" value="${trans.security.encode_id( ldda.id )}"
+ <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
%if selected:
checked="checked"
%endif
/>
%if simple:
- <label for="${trans.security.encode_id( ldda.id )}">${ util.unicodify( ldda.name )}</label>
+ <label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
- <div class="libraryItem-error">${util.unicodify( ldda.name )}</div>
+ <div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
%else:
- ${util.unicodify( ldda.name )}
+ ${util.unicodify( ldda.name ) | h}
%endif
</a></div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id}-popup">
+ <div popupmenu="dataset-${ldda.id | h}-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
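Review bot: Escaping is being applied one `| h` at a time, which makes gaps easy to miss: in this hunk `${pad+20}` inside the `<td>` style attribute stays unfiltered while the equivalent `${folder_pad | h}` in the folder hunk below is filtered, and `${render_library_item_info( ldda )}` in a later hunk is also emitted raw. Mako can make escaping the default for the whole lookup with `default_filters=['h']` and let the few expressions that intentionally emit markup opt out with `| n`; that turns the remaining unfiltered expressions into an explicit, reviewable list instead of an omission. Several lines in this hunk have had their line breaks collapsed by the mail rendering, so the `<td>`, `<a class="view-info">` and second action link are context lines rather than additions.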
@@ -287,7 +287,7 @@
%endif
%if can_modify:
%if not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.deleted:
- <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name )}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a>
+ <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name ) | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a>
%elif not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.purged and ldda.library_dataset.deleted:
<a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Undelete this dataset</a>
%endif
@@ -298,10 +298,10 @@
</td>
% if not simple:
<td id="libraryItemInfo">${render_library_item_info( ldda )}</td>
- <td>${ldda.extension}</td>
+ <td>${ldda.extension | h}</td>
% endif
- <td>${ldda.create_time.strftime( trans.app.config.pretty_datetime_format )}</td>
- <td>${ldda.get_size( nice_size=True )}</td>
+ <td>${ldda.create_time.strftime( trans.app.config.pretty_datetime_format ) | h}</td>
+ <td>${ldda.get_size( nice_size=True ) | h}</td></tr><%
my_row = row_counter.count
@@ -355,28 +355,28 @@
%>
%if not root_folder and ( not folder.deleted or show_deleted ):
<% encoded_id = trans.security.encode_id( folder.id ) %>
- <tr id="folder-${encoded_id}" class="folderRow libraryOrFolderRow"
+ <tr id="folder-${encoded_id | h}" class="folderRow libraryOrFolderRow"
%if parent is not None:
- parent="${parent}"
+ parent="${parent | h}"
style="display: none;"
%endif
>
- <td style="padding-left: ${folder_pad}px;">
+ <td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/>
- <span class="expandLink folder-${encoded_id}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id}-popup">
- <a class="folder-${encoded_id}-click" href="javascript:void(0);">
+ <span class="expandLink folder-${encoded_id | h}-click">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
- <div class="libraryItem-error">${folder.name}</div>
+ <div class="libraryItem-error">${folder.name | h}</div>
%else:
- ${folder.name}
+ ${folder.name | h}
%endif
</a></div></span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id}-popup">
+ <div popupmenu="folder_img-${folder.id | h}-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
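Review bot: `| h` on `folder_pad` in `style="padding-left: ${folder_pad | h}px;"` applies HTML-attribute escaping to a value in a CSS context, where it is not the relevant encoding; it is a harmless no-op only if folder_pad is always an integer, which this hunk does not show (folder_pad is computed above the hunk). If it is an int, a comment such as `## folder_pad is an int derived from nesting depth; | h is a no-op here` would tell the next reader why this field is treated like the names and descriptions. The same lines are repeated in the browse_library_opt.mako hunk `@@ -362,28 +362,28 @@`.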
@@ -407,7 +407,7 @@
%endif
%if can_modify:
%if not library.deleted and not folder.deleted:
- <a class="action-button" confirm="Click OK to delete the folder '${folder.name}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a>
+ <a class="action-button" confirm="Click OK to delete the folder '${folder.name | h}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a>
%elif not library.deleted and folder.deleted and not folder.purged:
<a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Undelete this folder</a>
%endif
@@ -416,7 +416,7 @@
%endif
<td>
%if folder.description:
- ${folder.description}
+ ${folder.description | h}
%endif
<td colspan="3"></td></tr>
@@ -504,7 +504,7 @@
return str( self.count )
%>
- <h2>Data Library “${library.name}”</h2>
+ <h2>Data Library “${library.name | h}”</h2><ul class="manage-table-actions">
%if not library.deleted and ( is_admin or can_add ):
@@ -517,7 +517,7 @@
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
- <a class="action-button" confirm="Click OK to delete the library named '${library.name}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a>
+ <a class="action-button" confirm="Click OK to delete the library named '${library.name | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a>
%if show_deleted:
<a class="action-button" href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=False )}">Hide deleted items</a>
%else:
@@ -555,7 +555,7 @@
%if library.synopsis not in [ '', 'None', None ]:
<div class="libraryItemBody">
- ${library.synopsis}
+ ${library.synopsis | h}
</div>
%endif
@@ -610,6 +610,6 @@
${render_compression_types_help( comptypes )}
%endif
%if not has_accessible_folders:
- The data library '${library.name}' does not contain any datasets that you can access.
+ The data library '${library.name | h}' does not contain any datasets that you can access.
%endif
</%def>
diff -r a8b8961827ec2475a20748f5151bd96c49566e98 -r bfc3b5e52781683efc8024f18c4aa57c65af1e15 templates/webapps/galaxy/library/common/browse_library_opt.mako
--- a/templates/webapps/galaxy/library/common/browse_library_opt.mako
+++ b/templates/webapps/galaxy/library/common/browse_library_opt.mako
@@ -228,29 +228,29 @@
%if current_version and ( not ldda.library_dataset.deleted or show_deleted ):
<tr class="datasetRow"
%if parent is not None:
- parent="${parent}"
+ parent="${parent | h}"
%endif
- id="libraryItem-${ldda.id}">
+ id="libraryItem-${ldda.id | h}"><td style="padding-left: ${pad+20}px;">
- <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id )}" value="${trans.security.encode_id( ldda.id )}"
+ <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}"
%if selected:
checked="checked"
%endif
/>
%if simple:
- <label for="${trans.security.encode_id( ldda.id )}">${ util.unicodify( ldda.name )}</label>
+ <label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label>
%else:
- <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id}-popup">
+ <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">
%if ldda.library_dataset.deleted:
- <div class="libraryItem-error">${util.unicodify( ldda.name )}</div>
+ <div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div>
%else:
- ${util.unicodify( ldda.name )}
+ ${util.unicodify( ldda.name ) | h}
%endif
</a></div>
%if not library.deleted:
- <div popupmenu="dataset-${ldda.id}-popup">
+ <div popupmenu="dataset-${ldda.id | h}-popup">
%if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a>
@@ -279,7 +279,7 @@
%endif
%if can_modify:
%if not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.deleted:
- <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name )}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a>
+ <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name ) | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a>
%elif not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.purged and ldda.library_dataset.deleted:
<a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Undelete this dataset</a>
%endif
@@ -290,10 +290,10 @@
</td>
% if not simple:
<td id="libraryItemInfo">${render_library_item_info( ldda )}</td>
- <td>${ldda.extension}</td>
+ <td>${ldda.extension | h}</td>
% endif
- <td>${ldda.create_time.strftime( "%Y-%m-%d" )}</td>
- <td>${ldda.get_size( nice_size=True )}</td>
+ <td>${ldda.create_time.strftime( "%Y-%m-%d" ) | h}</td>
+ <td>${ldda.get_size( nice_size=True ) | h}</td></tr><%
my_row = row_counter.count
@@ -362,28 +362,28 @@
%>
%if not root_folder and ( not folder.deleted or show_deleted ):
<% encoded_id = trans.security.encode_id( folder.id ) %>
- <tr id="folder-${encoded_id}" class="folderRow libraryOrFolderRow"
+ <tr id="folder-${encoded_id | h}" class="folderRow libraryOrFolderRow"
%if parent is not None:
- parent="${parent}"
+ parent="${parent | h}"
style="display: none;"
%endif
>
- <td style="padding-left: ${folder_pad}px;">
+ <td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/>
- <span class="expandLink folder-${encoded_id}-click">
- <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id}-popup">
- <a class="folder-${encoded_id}-click" href="javascript:void(0);">
+ <span class="expandLink folder-${encoded_id | h}-click">
+ <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup">
+ <a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span>
%if folder.deleted:
- <div class="libraryItem-error">${folder.name}</div>
+ <div class="libraryItem-error">${folder.name | h}</div>
%else:
- ${folder.name}
+ ${folder.name | h}
%endif
</a></div></span>
%if not library.deleted:
- <div popupmenu="folder_img-${folder.id}-popup">
+ <div popupmenu="folder_img-${folder.id | h}-popup">
%if not branch_deleted( folder ) and can_add:
<a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add sub-folder</a>
@@ -414,7 +414,7 @@
%endif
%if can_modify:
%if not library.deleted and not folder.deleted:
- <a class="action-button" confirm="Click OK to delete the folder '${folder.name}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a>
+ <a class="action-button" confirm="Click OK to delete the folder '${folder.name | h}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a>
%elif not library.deleted and folder.deleted and not folder.purged:
<a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Undelete this folder</a>
%endif
@@ -423,7 +423,7 @@
%endif
<td>
%if folder.description:
- ${folder.description}
+ ${folder.description | h}
%endif
<td colspan="3"></td></tr>
@@ -515,12 +515,12 @@
<li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li>
%endif
%if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ):
- <li><a class="action-button" id="library-${library.id}-popup" class="menubutton">Library Actions</a></li>
- <div popupmenu="library-${library.id}-popup">
+ <li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li>
+ <div popupmenu="library-${library.id | h}-popup">
%if not library.deleted:
%if can_modify:
<a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a>
- <a class="action-button" confirm="Click OK to delete the library named '${library.name}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a>
+ <a class="action-button" confirm="Click OK to delete the library named '${library.name | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a>
%if show_deleted:
<a class="action-button" href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=False )}">Hide deleted items</a>
%else:
@@ -558,7 +558,7 @@
%if library.synopsis not in [ '', 'None', None ]:
<div class="libraryItemBody">
- ${library.synopsis}
+ ${library.synopsis | h}
</div>
%endif
@@ -616,6 +616,6 @@
${render_compression_types_help( comptypes )}
%endif
%if not has_accessible_folders:
- The data library '${library.name}' does not contain any datasets that you can access.
+ The data library '${library.name | h}' does not contain any datasets that you can access.
%endif
</%def>
diff -r a8b8961827ec2475a20748f5151bd96c49566e98 -r bfc3b5e52781683efc8024f18c4aa57c65af1e15 templates/webapps/galaxy/library/common/common.mako
--- a/templates/webapps/galaxy/library/common/common.mako
+++ b/templates/webapps/galaxy/library/common/common.mako
@@ -88,19 +88,19 @@
else:
tool_form_title = 'Upload files'
%>
- <div class="toolFormTitle">${tool_form_title}</div>
+ <div class="toolFormTitle">${tool_form_title | h}</div><div class="toolFormBody"><form name="upload_library_dataset" id="upload_library_dataset" action="${action}" enctype="multipart/form-data" method="post"><input type="hidden" name="tool_id" value="upload1"/><input type="hidden" name="tool_state" value="None"/>
- <input type="hidden" name="cntrller" value="${cntrller}"/>
- <input type="hidden" name="library_id" value="${library_id}"/>
- <input type="hidden" name="folder_id" value="${folder_id}"/>
- <input type="hidden" name="show_deleted" value="${show_deleted}"/>
+ <input type="hidden" name="cntrller" value="${cntrller | h}"/>
+ <input type="hidden" name="library_id" value="${library_id | h}"/>
+ <input type="hidden" name="folder_id" value="${folder_id | h}"/>
+ <input type="hidden" name="show_deleted" value="${show_deleted | h}"/>
%if replace_dataset not in [ None, 'None' ]:
- <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id )}"/>
+ <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id ) | h}"/><div class="form-row">
- You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${util.unicodify( replace_dataset.name )}</a>'.
+ You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${util.unicodify( replace_dataset.name ) | h}</a>'.
<div style="clear: both"></div></div>
%endif
@@ -120,7 +120,7 @@
<select name="file_type"><option value="auto" selected>Auto-detect</option>
%for file_format in file_formats:
- <option value="${file_format}">${file_format}</option>
+ <option value="${file_format | h}">${file_format | h}</option>
%endfor
</select></div>
@@ -176,23 +176,23 @@
%for entry in os.listdir( import_dir ):
## Do not include entries that are not directories
%if os.path.isdir( os.path.join( import_dir, entry ) ):
- <option>${entry}</option>
+ <option>${entry | h}</option>
%endif
%endfor
%else:
%if ( trans.user_is_admin() and cntrller == 'library_admin' ):
- <option>${import_dir}</option>
+ <option>${import_dir | h}</option>
%else:
- <option>${trans.user.email}</option>
+ <option>${trans.user.email | h}</option>
%endif
%endif
</select></div><div class="toolParamHelp" style="clear: both;">
%if contains_directories:
- Upload all files in a sub-directory of <strong>${import_dir}</strong> on the Galaxy server.
+ Upload all files in a sub-directory of <strong>${import_dir | h}</strong> on the Galaxy server.
%else:
- Upload all files in <strong>${import_dir}</strong> on the Galaxy server.
+ Upload all files in <strong>${import_dir | h}</strong> on the Galaxy server.
%endif
</div><div style="clear: both"></div>
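Review bot: the `%if contains_directories` help text at the end of the hunk prints `${import_dir | h}` unconditionally, whereas the `<option>` just above it shows `import_dir` only when `trans.user_is_admin() and cntrller == 'library_admin'` and falls back to `trans.user.email` otherwise. If non-admin users can reach this branch, the help text discloses an absolute server path to them regardless of that check; the escaping is correct, the gating is what looks inconsistent. Consider mirroring the admin condition here, or rendering the same user-facing label the option uses.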
@@ -282,9 +282,9 @@
%>
%for dbkey in dbkeys:
%if dbkey[1] == default_selected:
- <option value="${dbkey[1]}" selected>${dbkey[0]}</option>
+ <option value="${dbkey[1] | h}" selected>${dbkey[0] | h}</option>
%else:
- <option value="${dbkey[1]}">${dbkey[0]}</option>
+ <option value="${dbkey[1] | h}">${dbkey[0] | h}</option>
%endif
%endfor
</select>
@@ -295,7 +295,7 @@
<label>Message:</label><div class="form-row-input">
%if ldda_message:
- <textarea name="ldda_message" rows="3" cols="35">${ldda_message}</textarea>
+ <textarea name="ldda_message" rows="3" cols="35">${ldda_message | h}</textarea>
%else:
<textarea name="ldda_message" rows="3" cols="35"></textarea>
%endif
@@ -320,13 +320,13 @@
%if widgets:
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field[ 'label' ]}</label>
+ <label>${field[ 'label' ] | h}</label><div class="form-row-input">
${field[ 'widget' ].get_html()}
</div><div class="toolParamHelp" style="clear: both;">
%if field[ 'helptext' ]:
- ${field[ 'helptext' ]}<br/>
+ ${field[ 'helptext' ] | h}<br/>
%endif
*Inherited template field
</div>
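Review bot: `${field[ 'widget' ].get_html()}` stays unfiltered while the label and helptext around it now get `| h`; that is presumably deliberate because the widget returns form markup, but it means any pre-filled values those widgets render must be escaped inside the widget classes, which this diff does not show. A one-line comment at that expression, `## widget HTML is trusted markup; values must be escaped in get_html()`, would mark the exception so it is neither "fixed" with `| h` later nor copied into a new template unescaped. The same pattern recurs in this file's next hunk (`@@ -357,32 +357,32 @@`, the block after `template_id`).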
@@ -342,14 +342,14 @@
</div>
%elif upload_option == 'import_from_history':
<div class="toolForm">
- <div class="toolFormTitle">Active datasets in your current history (${ util.unicodify( history.name )})</div>
+ <div class="toolFormTitle">Active datasets in your current history (${ util.unicodify( history.name ) | h})</div><div class="toolFormBody">
%if history and history.active_datasets:
<form name="add_history_datasets_to_library" action="${h.url_for( controller='library_common', action='add_history_datasets_to_library', cntrller=cntrller, library_id=library_id )}" enctype="multipart/form-data" method="post">
- <input type="hidden" name="folder_id" value="${folder_id}"/>
- <input type="hidden" name="show_deleted" value="${show_deleted}"/>
+ <input type="hidden" name="folder_id" value="${folder_id | h}"/>
+ <input type="hidden" name="show_deleted" value="${show_deleted | h}"/><input type="hidden" name="upload_option" value="import_from_history"/>
- <input type="hidden" name="ldda_message" value="${ldda_message}"/>
+ <input type="hidden" name="ldda_message" value="${ldda_message | h}"/><%
role_ids_selected = ''
if roles_select_list:
@@ -357,32 +357,32 @@
if selected:
role_ids_selected = ','.join( selected )
%>
- <input type="hidden" name="roles" value="${role_ids_selected}"/>
+ <input type="hidden" name="roles" value="${role_ids_selected | h}"/>
%if replace_dataset not in [ None, 'None' ]:
- <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id )}"/>
+ <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id ) | h}"/><div class="form-row">
- You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${ util.unicodify( replace_dataset.name )}</a>'.
+ You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${ util.unicodify( replace_dataset.name ) | h}</a>'.
<div style="clear: both"></div></div>
%endif
%for hda in history.visible_datasets:
<% encoded_id = trans.security.encode_id( hda.id ) %><div class="form-row">
- <input name="hda_ids" id="hist_${encoded_id}" value="${encoded_id}" type="checkbox"/>
- <label for="hist_${encoded_id}" style="display: inline;font-weight:normal;">${hda.hid}: ${ util.unicodify( hda.name )}</label>
+ <input name="hda_ids" id="hist_${encoded_id | h}" value="${encoded_id | h}" type="checkbox"/>
+ <label for="hist_${encoded_id | h}" style="display: inline;font-weight:normal;">${hda.hid | h}: ${ util.unicodify( hda.name ) | h}</label></div>
%endfor
%if widgets:
- <input type="hidden" name="template_id" value="${template_id}"/>
+ <input type="hidden" name="template_id" value="${template_id | h}"/>
%for i, field in enumerate( widgets ):
<div class="form-row">
- <label>${field[ 'label' ]}</label>
+ <label>${field[ 'label' ] | h}</label><div class="form-row-input">
${field[ 'widget' ].get_html()}
</div><div class="toolParamHelp" style="clear: both;">
%if field[ 'helptext' ]:
- ${field[ 'helptext' ]}<br/>
+ ${field[ 'helptext' ] | h}<br/>
%endif
*Inherited template field
</div>
diff -r a8b8961827ec2475a20748f5151bd96c49566e98 -r bfc3b5e52781683efc8024f18c4aa57c65af1e15 templates/webapps/galaxy/library/common/import_datasets_to_histories.mako
--- a/templates/webapps/galaxy/library/common/import_datasets_to_histories.mako
+++ b/templates/webapps/galaxy/library/common/import_datasets_to_histories.mako
@@ -34,8 +34,8 @@
checked = " checked='checked'"
%><div class="form-row">
- <input type="checkbox" name="ldda_ids" id="dataset_${encoded_id}" value="${encoded_id}" ${checked}/>
- <label for="dataset_${encoded_id}" style="display: inline;font-weight:normal;">${util.unicodify( source_ldda.name )}</label>
+ <input type="checkbox" name="ldda_ids" id="dataset_${encoded_id | h}" value="${encoded_id | h}" ${checked}/>
+ <label for="dataset_${encoded_id | h}" style="display: inline;font-weight:normal;">${util.unicodify( source_ldda.name ) | h}</label></div>
%endfor
%else:
@@ -61,7 +61,7 @@
else:
current_history_text = ""
%>
- <option value="${encoded_id}"${selected_text}>${i + 1}: ${h.truncate( util.unicodify( target_history.name ), 30 )}${current_history_text}</option>
+ <option value="${encoded_id | h}"${selected_text}>${i + 1}: ${h.truncate( util.unicodify( target_history.name ), 30 ) | h}${current_history_text | h}</option>
%endfor
</select><br/><br/>
@@ -77,8 +77,8 @@
current_history_text = ""
%><div class="form-row">
- <input type="checkbox" name="target_history_ids" id="target_history_${encoded_id}" value="${encoded_id}"/>
- <label for="target_history_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${util.unicodify( target_history.name )}${current_history_text}</label>
+ <input type="checkbox" name="target_history_ids" id="target_history_${encoded_id | h}" value="${encoded_id | h}"/>
+ <label for="target_history_${encoded_id | h}" style="display: inline; font-weight:normal;">${i + 1}: ${util.unicodify( target_history.name ) | h}${current_history_text | h}</label></div>
%endfor
</div>
diff -r a8b8961827ec2475a20748f5151bd96c49566e98 -r bfc3b5e52781683efc8024f18c4aa57c65af1e15 templates/webapps/galaxy/library/common/ldda_edit_info.mako
--- a/templates/webapps/galaxy/library/common/ldda_edit_info.mako
+++ b/templates/webapps/galaxy/library/common/ldda_edit_info.mako
@@ -34,9 +34,9 @@
<select name="datatype">
%for ext in file_formats:
%if ldda.ext == ext:
- <option value="${ext}" selected="yes">${ext}</option>
+ <option value="${ext | h}" selected="yes">${ext | h}</option>
%else:
- <option value="${ext}">${ext}</option>
+ <option value="${ext | h}">${ext | h}</option>
%endif
%endfor
</select>
@@ -44,24 +44,24 @@
%if ( trans.user_is_admin() and cntrller=='library_admin' ) or trans.app.security_agent.can_modify_library_item( current_user_roles, ldda.library_dataset ):
<div class="toolForm">
- <div class="toolFormTitle">Edit attributes of ${util.unicodify( ldda.name )}</div>
+ <div class="toolFormTitle">Edit attributes of ${util.unicodify( ldda.name ) | h}</div><div class="toolFormBody"><form name="edit_attributes" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post">
- <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/>
+ <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><div class="form-row"><label>Name:</label>
- <input type="text" name="name" value="${util.unicodify( ldda.name )}" size="40"/>
+ <input type="text" name="name" value="${util.unicodify( ldda.name ) | h}" size="40"/><div style="clear: both"></div></div><div class="form-row"><label>Info:</label>
- <input type="text" name="info" value="${util.unicodify( ldda.info )}" size="40"/>
+ <input type="text" name="info" value="${util.unicodify( ldda.info ) | h}" size="40"/><div style="clear: both"></div></div><div class="form-row"><label>Message:</label>
%if ldda.message:
- <textarea name="message" rows="3" cols="35">${ldda.message}</textarea>
+ <textarea name="message" rows="3" cols="35">${ldda.message | h}</textarea>
%else:
<textarea name="message" rows="3" cols="35"></textarea>
%endif
@@ -73,7 +73,7 @@
%for name, spec in ldda.metadata.spec.items():
%if spec.visible:
<div class="form-row">
- <label>${spec.desc}:</label>
+ <label>${spec.desc | h}:</label>
${ldda.metadata.get_html_by_name( name, trans=trans )}
<div style="clear: both"></div></div>
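Review bot: `${ldda.metadata.get_html_by_name( name, trans=trans )}` is still inserted unfiltered right under the newly escaped `${spec.desc | h}`, while the read-only branch later in this file now escapes the same data as `${ldda.metadata.get( name ) | h}`. Metadata values can originate from the uploaded dataset itself, so the edit form is only as safe as the escaping inside get_html_by_name, which this diff does not show; confirming that and noting it with `## get_html_by_name() emits form controls; metadata values must be escaped there` would keep the two branches from drifting. The `%for name, spec in ldda.metadata.spec.items():` loop opened in this hunk closes outside it.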
@@ -85,7 +85,7 @@
</form><form name="auto_detect" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post"><div class="form-row">
- <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/>
+ <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><input type="submit" name="detect" value="Auto-detect"/><div class="toolParamHelp" style="clear: both;">
This will inspect the dataset and attempt to correct the above column values if they are not accurate.
@@ -101,7 +101,7 @@
%if ldda.datatype.allow_datatype_change:
<form name="change_datatype" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post"><div class="form-row">
- <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/>
+ <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><label>New Type:</label>
${datatype( ldda, file_formats )}
<div class="toolParamHelp" style="clear: both;">
@@ -129,10 +129,10 @@
<div class="form-row"><label>Extended Metadata:</label></div>
- <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/>
+ <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><div class="form-row">
%if ldda.extended_metadata:
- <textarea name="extended_metadata" rows="15" cols="35">${util.pretty_print_json(ldda.extended_metadata.data)}</textarea>
+ <textarea name="extended_metadata" rows="15" cols="35">${util.pretty_print_json(ldda.extended_metadata.data) | h}</textarea>
%else:
<textarea name="extended_metadata" rows="15" cols="35"></textarea>
%endif
@@ -147,28 +147,28 @@
<p/>
%else:
<div class="toolForm">
- <div class="toolFormTitle">View information about ${util.unicodify( ldda.name )}</div>
+ <div class="toolFormTitle">View information about ${util.unicodify( ldda.name ) | h}</div><div class="toolFormBody"><div class="form-row"><label>Name:</label>
- ${util.unicodify( ldda.name )}
+ ${util.unicodify( ldda.name ) | h}
<div style="clear: both"></div></div><div class="form-row"><label>Info:</label>
- ${util.unicodify( ldda.info )}
+ ${util.unicodify( ldda.info ) | h}
<div style="clear: both"></div></div><div class="form-row"><label>Data Format:</label>
- ${ldda.ext}
+ ${ldda.ext | h}
<div style="clear: both"></div></div>
%for name, spec in ldda.metadata.spec.items():
%if spec.visible:
<div class="form-row">
- <label>${spec.desc}:</label>
- ${ldda.metadata.get( name )}
+ <label>${spec.desc | h}:</label>
+ ${ldda.metadata.get( name ) | h}
<div style="clear: both"></div></div>
%endif
This diff is so big that we needed to truncate the remainder.
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
4 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/1c33c99c5250/
Changeset: 1c33c99c5250
Branch: stable
User: carlfeberhard
Date: 2014-11-25 19:22:08+00:00
Summary: Sanitize tag output in tagging_common and user.tags_used; protect against closing tags in bootstrapped JSON (http://benalpert.com/2012/08/03/preventing-xss-json.html); minor fixes
Affected #: 8 files
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 1c33c99c5250533fd9b2e36748573d5ae6d23cfa lib/galaxy/tags/tag_handler.py
--- a/lib/galaxy/tags/tag_handler.py
+++ b/lib/galaxy/tags/tag_handler.py
@@ -1,5 +1,7 @@
-import re, logging
-from sqlalchemy.sql.expression import func, and_
+import re
+import logging
+from sqlalchemy.sql.expression import func
+from sqlalchemy.sql.expression import and_
from sqlalchemy.sql import select
log = logging.getLogger( __name__ )
@@ -25,12 +27,15 @@
self.key_value_separators = "=:"
# Initialize with known classes - add to this in subclasses.
self.item_tag_assoc_info = {}
+
def get_tag_assoc_class( self, item_class ):
"""Returns tag association class for item class."""
return self.item_tag_assoc_info[item_class.__name__].tag_assoc_class
+
def get_id_col_in_item_tag_assoc_table( self, item_class ):
"""Returns item id column in class' item-tag association table."""
return self.item_tag_assoc_info[item_class.__name__].item_id_col
+
def get_community_tags( self, trans, item=None, limit=None ):
"""Returns community tags for an item."""
# Get item-tag association class.
@@ -58,6 +63,7 @@
tag_id = row[0]
community_tags.append( self.get_tag_by_id( trans, tag_id ) )
return community_tags
+
def get_tool_tags( self, trans ):
result_set = trans.sa_session.execute( select( columns=[ trans.app.model.ToolTagAssociation.table.c.tag_id ],
from_obj=trans.app.model.ToolTagAssociation.table ).distinct() )
@@ -67,6 +73,7 @@
tag_id = row[0]
tags.append( self.get_tag_by_id( trans, tag_id ) )
return tags
+
def remove_item_tag( self, trans, user, item, tag_name ):
"""Remove a tag from an item."""
# Get item tag association.
@@ -78,6 +85,7 @@
item.tags.remove( item_tag_assoc )
return True
return False
+
def delete_item_tags( self, trans, user, item ):
"""Delete tags from an item."""
# Delete item-tag associations.
@@ -85,6 +93,7 @@
trans.sa_session.delete( tag )
# Delete tags from item.
del item.tags[:]
+
def item_has_tag( self, trans, user, item, tag ):
"""Returns true if item is has a given tag."""
# Get tag name.
@@ -97,6 +106,7 @@
if item_tag_assoc:
return True
return False
+
def apply_item_tag( self, trans, user, item, name, value=None ):
# Use lowercase name for searching/creating tag.
lc_name = name.lower()
@@ -124,6 +134,7 @@
item_tag_assoc.user_value = value
item_tag_assoc.value = lc_value
return item_tag_assoc
+
def apply_item_tags( self, trans, user, item, tags_str ):
"""Apply tags to an item."""
# Parse tags.
@@ -131,6 +142,7 @@
# Apply each tag.
for name, value in parsed_tags.items():
self.apply_item_tag( trans, user, item, name, value )
+
def get_tags_str( self, tags ):
"""Build a string from an item's tags."""
# Return empty string if there are no tags.
@@ -144,14 +156,17 @@
tag_str += ":" + tag.user_value
tags_str_list.append( tag_str )
return ", ".join( tags_str_list )
+
def get_tag_by_id( self, trans, tag_id ):
"""Get a Tag object from a tag id."""
return trans.sa_session.query( trans.app.model.Tag ).filter_by( id=tag_id ).first()
+
def get_tag_by_name( self, trans, tag_name ):
"""Get a Tag object from a tag name (string)."""
if tag_name:
return trans.sa_session.query( trans.app.model.Tag ).filter_by( name=tag_name.lower() ).first()
return None
+
def _create_tag( self, trans, tag_str ):
"""Create a Tag object from a tag string."""
tag_hierarchy = tag_str.split( self.hierarchy_separator )
@@ -169,6 +184,7 @@
parent_tag = tag
tag_prefix = tag.name + self.hierarchy_separator
return tag
+
def _get_or_create_tag( self, trans, tag_str ):
"""Get or create a Tag object from a tag string."""
# Scrub tag; if tag is None after being scrubbed, return None.
@@ -181,6 +197,7 @@
if tag is None:
tag = self._create_tag( trans, scrubbed_tag_str )
return tag
+
def _get_item_tag_assoc( self, user, item, tag_name ):
"""
Return ItemTagAssociation object for a user, item, and tag string; returns None if there is
@@ -191,6 +208,7 @@
if ( item_tag_assoc.user == user ) and ( item_tag_assoc.user_tname == scrubbed_tag_name ):
return item_tag_assoc
return None
+
def parse_tags( self, tag_str ):
"""
Returns a list of raw (tag-name, value) pairs derived from a string; method scrubs tag names and values as well.
@@ -210,6 +228,7 @@
scrubbed_value = self._scrub_tag_value( nv_pair[1] )
name_value_pairs[scrubbed_name] = scrubbed_value
return name_value_pairs
+
def _scrub_tag_value( self, value ):
"""Scrub a tag value."""
# Gracefully handle None:
@@ -219,6 +238,7 @@
reg_exp = re.compile( '\s' )
scrubbed_value = re.sub( reg_exp, "", value )
return scrubbed_value
+
def _scrub_tag_name( self, name ):
"""Scrub a tag name."""
# Gracefully handle None:
@@ -234,12 +254,14 @@
if len( scrubbed_name ) < self.min_tag_len or len( scrubbed_name ) > self.max_tag_len:
return None
return scrubbed_name
+
def _scrub_tag_name_list( self, tag_name_list ):
"""Scrub a tag name list."""
scrubbed_tag_list = list()
for tag in tag_name_list:
scrubbed_tag_list.append( self._scrub_tag_name( tag ) )
return scrubbed_tag_list
+
def _get_name_value_pair( self, tag_str ):
"""Get name, value pair from a tag string."""
# Use regular expression to parse name, value.
@@ -250,6 +272,7 @@
name_value_pair.append( None )
return name_value_pair
+
class GalaxyTagHandler( TagHandler ):
def __init__( self ):
from galaxy import model
@@ -271,6 +294,7 @@
model.VisualizationTagAssociation,
model.VisualizationTagAssociation.table.c.visualization_id )
+
class CommunityTagHandler( TagHandler ):
def __init__( self ):
from galaxy.webapps.tool_shed import model
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 1c33c99c5250533fd9b2e36748573d5ae6d23cfa lib/galaxy/util/json.py
--- a/lib/galaxy/util/json.py
+++ b/lib/galaxy/util/json.py
@@ -57,7 +57,7 @@
return val
-def safe_dumps(*args, **kwargs):
+def safe_dumps( *args, **kwargs ):
"""
This is a wrapper around dumps that encodes Infinity and NaN values. It's a
fairly rare case (which will be low in request volume). Basically, we tell
@@ -65,10 +65,12 @@
re-encoding.
"""
try:
- dumped = json.dumps(*args, allow_nan=False, **kwargs)
+ dumped = json.dumps( *args, allow_nan=False, **kwargs )
except ValueError:
- obj = swap_inf_nan(copy.deepcopy(args[0]))
- dumped = json.dumps(obj, allow_nan=False, **kwargs)
+ obj = swap_inf_nan( copy.deepcopy( args[0] ) )
+ dumped = json.dumps( obj, allow_nan=False, **kwargs )
+ if kwargs.get( 'escape_closing_tags', True ):
+ return dumped.replace( '</', '<\\/' )
return dumped
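Review bot: `escape_closing_tags` is only read from `kwargs` with `get` and never removed from it, so a caller that passes `escape_closing_tags=False` forwards that keyword into `json.dumps( *args, allow_nan=False, **kwargs )`, which rejects unknown keyword arguments with a TypeError that the `except ValueError` branch does not catch. Pop it before the first `dumps` call, `escape_closing_tags = kwargs.pop( 'escape_closing_tags', True )`, and test that local at the end instead of `kwargs.get(...)`. The docstring should also state the new default, since `<\/` is a valid JSON escape and harmless for plain responses but is only needed when the output is inlined in a `<script>` block; something like `Escapes '</' as '<\\/' by default so the result can be inlined in a <script> element; pass escape_closing_tags=False for plain JSON output.`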
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 1c33c99c5250533fd9b2e36748573d5ae6d23cfa lib/galaxy/util/validation.py
--- a/lib/galaxy/util/validation.py
+++ b/lib/galaxy/util/validation.py
@@ -8,8 +8,8 @@
def validate_and_sanitize_basestring( key, val ):
if not isinstance( val, basestring ):
- raise exceptions.RequestParameterInvalidException( '%s must be a string or unicode: %s'
- % ( key, str( type( val ) ) ) )
+ raise exceptions.RequestParameterInvalidException( '%s must be a string or unicode: %s'
+ % ( key, str( type( val ) ) ) )
return unicode( sanitize_html( val, 'utf-8', 'text/html' ), 'utf-8' )
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 1c33c99c5250533fd9b2e36748573d5ae6d23cfa lib/galaxy/web/framework/helpers/__init__.py
--- a/lib/galaxy/web/framework/helpers/__init__.py
+++ b/lib/galaxy/web/framework/helpers/__init__.py
@@ -111,4 +111,3 @@
Returns true if input is a boolean and true or is a string and looks like a true value.
"""
return val == True or val in [ 'True', 'true', 'T', 't' ]
-
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 1c33c99c5250533fd9b2e36748573d5ae6d23cfa lib/galaxy/webapps/galaxy/controllers/tag.py
--- a/lib/galaxy/webapps/galaxy/controllers/tag.py
+++ b/lib/galaxy/webapps/galaxy/controllers/tag.py
@@ -64,7 +64,7 @@
trans.log_action( user, unicode( "untag" ), context, params )
# Retag an item. All previous tags are deleted and new tags are applied.
- #(a)web.expose
+ @web.expose
@web.require_login( "Apply a new set of tags to an item; previous tags are deleted." )
def retag_async( self, trans, item_id=None, item_class=None, new_tags=None ):
"""
@@ -73,7 +73,7 @@
# Apply tags.
item = self._get_item( trans, item_class, trans.security.decode_id( item_id ) )
user = trans.user
- self.get_tag_handler( trans ).delete_item_tags( trans, item )
+ self.get_tag_handler( trans ).delete_item_tags( trans, user, item )
self.get_tag_handler( trans ).apply_item_tags( trans, user, item, new_tags.encode( 'utf-8' ) )
trans.sa_session.flush()
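Review bot: `new_tags` defaults to `None` in the signature shown in the previous hunk, but `new_tags.encode( 'utf-8' )` assumes a string, so a request without that parameter raises AttributeError after `delete_item_tags` has already run, and the client sees a 500 rather than a 400. Guard it before the item is touched, e.g. `if new_tags is None: new_tags = ''` (or raise a request-parameter error), and treat a missing `item_id` the same way since `decode_id` cannot take `None`. The hunk does not show what `_get_item` checks; if it does not verify that `trans.user` owns the item, re-exposing `retag_async` in the previous hunk lets any logged-in user replace another user's tags, so that check is worth confirming. The rest of `retag_async` lies outside this hunk.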
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 1c33c99c5250533fd9b2e36748573d5ae6d23cfa templates/galaxy_client_app.mako
--- a/templates/galaxy_client_app.mako
+++ b/templates/galaxy_client_app.mako
@@ -15,7 +15,7 @@
//TODO: global...
%for key in kwargs:
( window.bootstrapped = window.bootstrapped || {} )[ '${key}' ] = (
- ${ h.dumps( kwargs[ key ], indent=( 2 if trans.debug else 0 ) )} );
+ ${ h.dumps( kwargs[ key ], indent=( 2 if trans.debug else 0 ) ).replace( '</', '<\\/' ) } );
%endfor
define( 'bootstrapped-data', function(){
return window.bootstrapped;
@@ -76,11 +76,17 @@
user_dict = trans.user.to_dict( view='element',
value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float } )
user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans )
+ user_dict[ 'is_admin' ] = trans.user_is_admin()
# tags used
users_api_controller = trans.webapp.api_controllers[ 'users' ]
- user_dict[ 'tags_used' ] = users_api_controller.get_user_tags_used( trans, user=trans.user )
- user_dict[ 'is_admin' ] = trans.user_is_admin()
+ tags_used = []
+ for tag in users_api_controller.get_user_tags_used( trans, user=trans.user ):
+ tag = tag | h
+ if tag:
+ tags_used.append( tag )
+ user_dict[ 'tags_used' ] = tags_used
+
return user_dict
usage = 0
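Review bot: `tag = tag | h` sits inside a Python `<% %>` block of `get_user_json`, where `| h` is not the Mako filter syntax but Python's bitwise-or between a string and the `h` helpers object, so this line should raise TypeError for any logged-in user who has used tags (unless `h` is bound to something other than the helpers module here, which the hunk does not show). Escape with a function call instead, e.g. `tag = escape( tag )` using the same `escape()` the tagging templates call, importing it in a `<%! %>` module block if it is not already in scope; `| h` only does that job inside `${ }`. `get_user_json` starts before this hunk.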
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 1c33c99c5250533fd9b2e36748573d5ae6d23cfa templates/tagging_common.mako
--- a/templates/tagging_common.mako
+++ b/templates/tagging_common.mako
@@ -19,7 +19,7 @@
## Render HTML for a list of tags.
<%def name="render_tagging_element_html(elt_id=None, tags=None, editable=True, use_toggle_link=True, input_size='15', in_form=False, tag_type='individual', render_add_tag_button=True)">
## Useful attributes.
- <%
+ <%
num_tags = len( tags )
%><div class="tag-element"
@@ -50,6 +50,7 @@
elif isinstance( tag, ItemTagAssociation ):
tag_name = tag.user_tname
tag_value = tag.user_value
+
## Convert tag name, value to unicode.
if isinstance( tag_name, str ):
tag_name = unicode( escape( tag_name ), 'utf-8' )
@@ -61,7 +62,7 @@
tag_str = tag_name
%><span class="tag-button">
- <span class="tag-name">${tag_str}</span>
+ <span class="tag-name">${tag_str | h}</span>
%if editable:
<img class="delete-tag-img" src="${h.url_for('/static/images/delete_tag_icon_gray.png')}"/>
%endif
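Review bot: `tag_str` reaches this line already HTML-escaped, at least in the `str` branch shown as context in the previous hunk (`tag_name = unicode( escape( tag_name ), 'utf-8' )`), so adding `| h` escapes it a second time and a tag containing `&`, `<` or `"` will render as literal `&amp;`, `&lt;`, `&quot;`. Escape once, preferably at output time: keep `${tag_str | h}` and drop the Python-side `escape()` calls, or keep those and leave the expression as `${tag_str}`, but not both. `render_tagging_element_html` starts and ends outside this hunk, so the unicode branch should be checked the same way.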
@@ -186,10 +187,11 @@
## Build dict of tag name, values.
tag_names_and_values = dict()
for tag in item_tags:
- tag_name = tag.user_tname
+ tag_name = escape( tag.user_tname )
tag_value = ""
if tag.value is not None:
- tag_value = tag.user_value
+ tag_value = escape( tag.user_value )
+
## Tag names and values may be string or unicode object.
if isinstance( tag_name, str ):
tag_names_and_values[unicode(tag_name, 'utf-8')] = unicode(tag_value, 'utf-8')
diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 1c33c99c5250533fd9b2e36748573d5ae6d23cfa templates/webapps/galaxy/galaxy.masthead.mako
--- a/templates/webapps/galaxy/galaxy.masthead.mako
+++ b/templates/webapps/galaxy/galaxy.masthead.mako
@@ -1,32 +1,4 @@
-## get user data
-<%def name="get_user_json()">
-<%
- """Bootstrapping user API JSON"""
- #TODO: move into common location (poss. BaseController)
- if trans.user:
- user_dict = trans.user.to_dict( view='element', value_mapper={ 'id': trans.security.encode_id,
- 'total_disk_usage': float } )
- user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans )
- users_api_controller = trans.webapp.api_controllers[ 'users' ]
- user_dict[ 'tags_used' ] = users_api_controller.get_user_tags_used( trans, user=trans.user )
- user_dict[ 'is_admin' ] = trans.user_is_admin()
- else:
- usage = 0
- percent = None
- try:
- usage = trans.app.quota_agent.get_usage( trans, history=trans.history )
- percent = trans.app.quota_agent.get_percent( trans=trans, usage=usage )
- except AssertionError, assertion:
- # no history for quota_agent.get_usage assertion
- pass
- user_dict = {
- 'total_disk_usage' : int( usage ),
- 'nice_total_disk_usage' : util.nice_size( usage ),
- 'quota_percent' : percent
- }
- return user_dict
-%>
-</%def>
+<%namespace file="/galaxy_client_app.mako" import="get_user_json" />
## masthead head generator
<%def name="load(active_view = None)">
@@ -87,7 +59,7 @@
], function( mod_masthead, mod_menu, mod_modal, mod_frame, GalaxyUpload, user, quotameter ){
if( !Galaxy.currUser ){
// this doesn't need to wait for the page being readied
- Galaxy.currUser = new user.User(${ h.dumps( get_user_json(), indent=2 ) });
+ Galaxy.currUser = new user.User(${ h.dumps( masthead_config[ 'user' ][ 'json' ], indent=2 ) });
}
$(function() {
https://bitbucket.org/galaxy/galaxy-central/commits/07b0b60f17ee/
Changeset: 07b0b60f17ee
Branch: stable
User: carlfeberhard
Date: 2014-11-25 19:29:48+00:00
Summary: Fix to 04a072e98658: remove unnecessary replace
Affected #: 1 file
diff -r 1c33c99c5250533fd9b2e36748573d5ae6d23cfa -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 templates/galaxy_client_app.mako
--- a/templates/galaxy_client_app.mako
+++ b/templates/galaxy_client_app.mako
@@ -15,7 +15,7 @@
//TODO: global...
%for key in kwargs:
( window.bootstrapped = window.bootstrapped || {} )[ '${key}' ] = (
- ${ h.dumps( kwargs[ key ], indent=( 2 if trans.debug else 0 ) ).replace( '</', '<\\/' ) } );
+ ${ h.dumps( kwargs[ key ], indent=( 2 if trans.debug else 0 ) ) } );
%endfor
define( 'bootstrapped-data', function(){
return window.bootstrapped;
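Review bot: Dropping the `.replace( '</', '<\\/' )` is only correct if `h.dumps` is the `safe_dumps` wrapper in lib/galaxy/util/json.py, which the previous commit changed to escape `</` by default; nothing at this call site records that dependency, so a later switch to plain `json.dumps` here would silently reopen the `</script>` break-out that commit closed. Add a Mako comment above the loop, `## h.dumps (galaxy.util.json.safe_dumps) escapes '</' so this JSON is safe to inline in <script>; do not replace it with plain json.dumps`.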
https://bitbucket.org/galaxy/galaxy-central/commits/374e94196a14/
Changeset: 374e94196a14
Branch: stable
User: carlfeberhard
Date: 2014-11-26 17:28:28+00:00
Summary: Security, UI: minor fixes to history, dataset, and page escaping; escape js tag and annotation displays
Affected #: 18 files
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 client/galaxy/scripts/mvc/annotations.js
--- a/client/galaxy/scripts/mvc/annotations.js
+++ b/client/galaxy/scripts/mvc/annotations.js
@@ -56,7 +56,7 @@
'<label class="prompt">', _l( 'Annotation' ), '</label>',
// set up initial tags by adding as CSV to input vals (necc. to init select2)
'<div class="annotation" title="', _l( 'Edit annotation' ), '">',
- annotation,
+ _.escape( annotation ),
'</div>'
].join( '' );
},
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 client/galaxy/scripts/mvc/tags.js
--- a/client/galaxy/scripts/mvc/tags.js
+++ b/client/galaxy/scripts/mvc/tags.js
@@ -56,7 +56,9 @@
if( !_.isArray( tagsArray ) || _.isEmpty( tagsArray ) ){
return '';
}
- return tagsArray.sort().join( ',' );
+ return tagsArray.map( function( tag ){
+ return _.escape( tag );
+ }).sort().join( ',' );
},
/** @returns {jQuery} the input for this view */
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 static/scripts/mvc/annotations.js
--- a/static/scripts/mvc/annotations.js
+++ b/static/scripts/mvc/annotations.js
@@ -56,7 +56,7 @@
'<label class="prompt">', _l( 'Annotation' ), '</label>',
// set up initial tags by adding as CSV to input vals (necc. to init select2)
'<div class="annotation" title="', _l( 'Edit annotation' ), '">',
- annotation,
+ _.escape( annotation ),
'</div>'
].join( '' );
},
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 static/scripts/mvc/tags.js
--- a/static/scripts/mvc/tags.js
+++ b/static/scripts/mvc/tags.js
@@ -56,7 +56,9 @@
if( !_.isArray( tagsArray ) || _.isEmpty( tagsArray ) ){
return '';
}
- return tagsArray.sort().join( ',' );
+ return tagsArray.map( function( tag ){
+ return _.escape( tag );
+ }).sort().join( ',' );
},
/** @returns {jQuery} the input for this view */
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 static/scripts/packed/mvc/annotations.js
--- a/static/scripts/packed/mvc/annotations.js
+++ b/static/scripts/packed/mvc/annotations.js
@@ -1,1 +1,1 @@
-define(["mvc/base-mvc","utils/localization"],function(a,c){var b=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"annotation-display",initialize:function(d){d=d||{};this.tooltipConfig=d.tooltipConfig||{placement:"bottom"};this.listenTo(this.model,"change:annotation",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$el.find("[title]").tooltip(this.tooltipConfig);this.$annotation().make_text_editable({use_textarea:true,on_finish:function(e){d.$annotation().text(e);d.model.save({annotation:e},{silent:true}).fail(function(){d.$annotation().text(d.model.previous("annotation"))})}});return this},_template:function(){var d=this.model.get("annotation");return['<label class="prompt">',c("Annotation"),"</label>",'<div class="annotation" title="',c("Edit annotation"),'">',d,"</div>"].join("")},$annotation:function(){return this.$el.find(".annotation")},remove:function(){this.$annotation.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["AnnotationEditor(",this.model+"",")"].join("")}});return{AnnotationEditor:b}});
\ No newline at end of file
+define(["mvc/base-mvc","utils/localization"],function(a,c){var b=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"annotation-display",initialize:function(d){d=d||{};this.tooltipConfig=d.tooltipConfig||{placement:"bottom"};this.listenTo(this.model,"change:annotation",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$el.find("[title]").tooltip(this.tooltipConfig);this.$annotation().make_text_editable({use_textarea:true,on_finish:function(e){d.$annotation().text(e);d.model.save({annotation:e},{silent:true}).fail(function(){d.$annotation().text(d.model.previous("annotation"))})}});return this},_template:function(){var d=this.model.get("annotation");return['<label class="prompt">',c("Annotation"),"</label>",'<div class="annotation" title="',c("Edit annotation"),'">',_.escape(d),"</div>"].join("")},$annotation:function(){return this.$el.find(".annotation")},remove:function(){this.$annotation.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["AnnotationEditor(",this.model+"",")"].join("")}});return{AnnotationEditor:b}});
\ No newline at end of file
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 static/scripts/packed/mvc/tags.js
--- a/static/scripts/packed/mvc/tags.js
+++ b/static/scripts/packed/mvc/tags.js
@@ -1,1 +1,1 @@
-define(["mvc/base-mvc","utils/localization"],function(a,b){var c=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"tags-display",initialize:function(d){this.listenTo(this.model,"change:tags",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$input().select2({placeholder:"Add tags",width:"100%",tags:function(){return d._getTagsUsed()}});this._setUpBehaviors();return this},_template:function(){return['<label class="prompt">',b("Tags"),"</label>",'<input class="tags-input" value="',this.tagsToCSV(),'" />'].join("")},tagsToCSV:function(){var d=this.model.get("tags");if(!_.isArray(d)||_.isEmpty(d)){return""}return d.sort().join(",")},$input:function(){return this.$el.find("input.tags-input")},_getTagsUsed:function(){return Galaxy.currUser.get("tags_used")},_setUpBehaviors:function(){var d=this;this.$input().on("change",function(e){d.model.save({tags:e.val},{silent:true});if(e.added){d._addNewTagToTagsUsed(e.added.text+"")}})},_addNewTagToTagsUsed:function(d){var e=Galaxy.currUser.get("tags_used");if(!_.contains(e,d)){e.push(d);e.sort();Galaxy.currUser.set("tags_used",e)}},remove:function(){this.$input.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["TagsEditor(",this.model+"",")"].join("")}});return{TagsEditor:c}});
\ No newline at end of file
+define(["mvc/base-mvc","utils/localization"],function(a,b){var c=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"tags-display",initialize:function(d){this.listenTo(this.model,"change:tags",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$input().select2({placeholder:"Add tags",width:"100%",tags:function(){return d._getTagsUsed()}});this._setUpBehaviors();return this},_template:function(){return['<label class="prompt">',b("Tags"),"</label>",'<input class="tags-input" value="',this.tagsToCSV(),'" />'].join("")},tagsToCSV:function(){var d=this.model.get("tags");if(!_.isArray(d)||_.isEmpty(d)){return""}return d.map(function(e){return _.escape(e)}).sort().join(",")},$input:function(){return this.$el.find("input.tags-input")},_getTagsUsed:function(){return Galaxy.currUser.get("tags_used")},_setUpBehaviors:function(){var d=this;this.$input().on("change",function(e){d.model.save({tags:e.val},{silent:true});if(e.added){d._addNewTagToTagsUsed(e.added.text+"")}})},_addNewTagToTagsUsed:function(d){var e=Galaxy.currUser.get("tags_used");if(!_.contains(e,d)){e.push(d);e.sort();Galaxy.currUser.set("tags_used",e)}},remove:function(){this.$input.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["TagsEditor(",this.model+"",")"].join("")}});return{TagsEditor:c}});
\ No newline at end of file
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/dataset/copy_view.mako
--- a/templates/webapps/galaxy/dataset/copy_view.mako
+++ b/templates/webapps/galaxy/dataset/copy_view.mako
@@ -53,7 +53,7 @@
%><option value="${trans.security.encode_id(hist.id)}" ${selected}>
- ${i + 1}: ${h.truncate(util.unicodify( hist.name ), 30)}${current_history_text}
+ ${i + 1}: ${h.truncate(util.unicodify( hist.name ), 30) | h}${current_history_text}
</option>
%endfor
</select>
@@ -70,7 +70,7 @@
%><div class="form-row"><input type="checkbox" name="source_content_ids" id="${input_id}" value="${input_id}"${checked}/>
- <label for="${input_id}" style="display: inline;font-weight:normal;"> ${data.hid}: ${h.to_unicode(data.name)}</label>
+ <label for="${input_id}" style="display: inline;font-weight:normal;"> ${data.hid}: ${h.to_unicode(data.name) | h}</label></div>
%endfor
%else:
@@ -95,7 +95,7 @@
if encoded_id == target_history_id:
selected = " selected='selected'"
%>
- <option value="${encoded_id}"${selected}>${i + 1}: ${h.truncate( util.unicodify( hist.name ), 30)}${source_history_text}</option>
+ <option value="${encoded_id}"${selected}>${i + 1}: ${h.truncate( util.unicodify( hist.name ), 30) | h}${source_history_text}</option>
%endfor
</select><br /><br /><a style="margin-left: 10px;" href="javascript:void(0);" id="select-multiple">Choose multiple histories</a>
@@ -110,7 +110,7 @@
%><div class="form-row"><input type="checkbox" name="target_history_ids" id="hist_${encoded_id}" value="${encoded_id}"/>
- <label for="hist_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${ util.unicodify( hist.name ) }${cur_history_text}</label>
+ <label for="hist_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${ util.unicodify( hist.name ) | h }${cur_history_text}</label></div>
%endfor
</div>
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/dataset/display.mako
--- a/templates/webapps/galaxy/dataset/display.mako
+++ b/templates/webapps/galaxy/dataset/display.mako
@@ -26,13 +26,11 @@
data.createTabularDatasetChunkedView({
// TODO: encode id.
dataset_config:
- _.extend( ${h.dumps( item.to_dict() )},
- {
- chunk_url: "${h.url_for( controller='/dataset', action='display',
- dataset_id=trans.security.encode_id( item.id ))}",
- first_data_chunk: ${first_chunk}
- }
- ),
+ _.extend( ${h.dumps( item.to_dict() )}, {
+ chunk_url: "${h.url_for( controller='/dataset', action='display',
+ dataset_id=trans.security.encode_id( item.id ))}",
+ first_data_chunk: ${first_chunk}
+ }),
parent_elt: $('.page-body')
});
});
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/dataset/embed.mako
--- a/templates/webapps/galaxy/dataset/embed.mako
+++ b/templates/webapps/galaxy/dataset/embed.mako
@@ -4,10 +4,13 @@
%><%def name="render_item_links( dataset )">
- <a href="${h.url_for( controller='/dataset', action='display', dataset_id=trans.security.encode_id( dataset.id ), to_ext=dataset.ext )}" title="Save dataset" class="icon-button disk"></a>
+ <a href="${h.url_for( controller='/dataset', action='display', dataset_id=trans.security.encode_id( dataset.id ), to_ext=dataset.ext )}"
+ title="Save dataset" class="icon-button disk"></a>
## Links for importing and viewing an item.
- <a href="${h.url_for( controller='/dataset', action='imp', dataset_id=trans.security.encode_id( item.id ) )}" title="Import dataset" class="icon-button import"></a>
- <a class="icon-button go-to-full-screen" href="${h.url_for( controller='/dataset', action='display_by_username_and_slug', username=dataset.history.user.username, slug=trans.security.encode_id( dataset.id ) )}" title="Go to dataset"></a>
+ <a href="${h.url_for( controller='/dataset', action='imp', dataset_id=trans.security.encode_id( item.id ) )}"
+ title="Import dataset" class="icon-button import"></a>
+ <a href="${h.url_for( controller='/dataset', action='display_by_username_and_slug', username=dataset.history.user.username, slug=trans.security.encode_id( dataset.id ) )}"
+ title="Go to dataset" class="icon-button go-to-full-screen"></a></%def>
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/dataset/errors.mako
--- a/templates/webapps/galaxy/dataset/errors.mako
+++ b/templates/webapps/galaxy/dataset/errors.mako
@@ -49,7 +49,7 @@
<body><h2>Dataset generation errors</h2>
- <p><b>Dataset ${hda.hid}: ${hda.display_name()}</b></p>
+ <p><b>Dataset ${hda.hid}: ${hda.display_name() | h}</b></p><% job = hda.creating_job %>
%if job:
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/dataset/security_common.mako
--- a/templates/webapps/galaxy/dataset/security_common.mako
+++ b/templates/webapps/galaxy/dataset/security_common.mako
@@ -77,7 +77,7 @@
else:
current_actions = []
permitted_actions = {}.items()
- obj_str = 'unknown object %s' %obj_name
+ obj_str = 'unknown object %s' % obj_name
obj_type = ''
%><script type="text/javascript">
@@ -104,7 +104,7 @@
});
</script><div class="toolForm">
- <div class="toolFormTitle">Manage ${obj_type} permissions on ${obj_str}</div>
+ <div class="toolFormTitle">Manage ${obj_type} permissions on ${obj_str | h}</div><div class="toolFormBody"><form name="edit_role_associations" id="edit_role_associations" action="${form_url}" method="post"><div class="form-row"></div>
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/dataset/tabular_chunked.mako
--- a/templates/webapps/galaxy/dataset/tabular_chunked.mako
+++ b/templates/webapps/galaxy/dataset/tabular_chunked.mako
@@ -15,14 +15,12 @@
}
});
- require(['mvc/data'], function(data) {
+ require([ 'mvc/data' ], function( data ) {
data.createTabularDatasetChunkedView({
- dataset_config: _.extend( ${h.dumps( trans.security.encode_dict_ids( dataset.to_dict() ) )},
- {
- first_data_chunk: ${chunk}
- }
- ),
- parent_elt: $('body')
+ dataset_config : _.extend( ${ h.dumps( trans.security.encode_dict_ids( dataset.to_dict() ) )}, {
+ first_data_chunk: ${ chunk }
+ }),
+ parent_elt : $( 'body' )
});
});
</script>
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/history/embed.mako
--- a/templates/webapps/galaxy/history/embed.mako
+++ b/templates/webapps/galaxy/history/embed.mako
@@ -24,7 +24,7 @@
</a></h4>
%if hasattr( item, "annotation") and item.annotation:
- <div class="annotation">${item.annotation}</div>
+ <div class="annotation">${item.annotation | h}</div>
%endif
</div><div class='summary-content'>
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/history/history_panel.mako
--- a/templates/webapps/galaxy/history/history_panel.mako
+++ /dev/null
@@ -1,14 +0,0 @@
-## shortcuts for script tags that create history panels
-## ----------------------------------------------------------------------------
-<%def name="current_history_panel( selector_to_attach_to=None, options )">
-</%def>
-
-
-## ----------------------------------------------------------------------------
-<%def name="history_panel( history_id, selector_to_attach_to=None, options )">
-</%def>
-
-
-## ----------------------------------------------------------------------------
-<%def name="bootstrapped_history_panel( history, hdas, selector_to_attach_to=None, options )">
-</%def>
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/history/share.mako
--- a/templates/webapps/galaxy/history/share.mako
+++ b/templates/webapps/galaxy/history/share.mako
@@ -20,7 +20,7 @@
<tr><td><input type="hidden" name="id" value="${trans.security.encode_id( history.id )}">
- ${ util.unicodify( history.name )}
+ ${ util.unicodify( history.name ) | h }
</td><td>
%if len( history.datasets ) < 1:
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/history/view.mako
--- a/templates/webapps/galaxy/history/view.mako
+++ b/templates/webapps/galaxy/history/view.mako
@@ -1,4 +1,4 @@
-<%namespace file="/galaxy.masthead.mako" import="get_user_json" />
+<%namespace file="/galaxy_client_app.mako" import="get_user_json" />
## ----------------------------------------------------------------------------
<%!
@@ -166,9 +166,9 @@
// use_panels effects where the the center_panel() is rendered:
// w/o it renders to the body, w/ it renders to #center - we need to adjust a few things for scrolling to work
var hasMasthead = ${ 'true' if use_panels else 'false' },
- userIsOwner = ${'true' if user_is_owner else 'false'},
- historyJSON = ${h.dumps( history )},
- hdaJSON = ${h.dumps( hdas )},
+ userIsOwner = ${ 'true' if user_is_owner else 'false' },
+ historyJSON = ${ h.dumps( history ) },
+ hdaJSON = ${ h.dumps( hdas ) },
panelToUse = ( userIsOwner )?
//TODO: change class names
({ location: 'mvc/history/history-panel-edit', className: 'HistoryPanelEdit' }):
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/page/editor.mako
--- a/templates/webapps/galaxy/page/editor.mako
+++ b/templates/webapps/galaxy/page/editor.mako
@@ -47,7 +47,7 @@
<a id="close-button" class="panel-header-button">Close</a></div><div class="unified-panel-header-inner">
- Page Editor <span style="font-weight: normal">| Title : ${page.title}</span>
+ Page Editor <span style="font-weight: normal">| Title : ${page.title | h}</span></div></div>
diff -r 07b0b60f17ee5ce4383029f1c98267284e6e0160 -r 374e94196a14673993540a60d446addc6b1780a0 templates/webapps/galaxy/page/index.mako
--- a/templates/webapps/galaxy/page/index.mako
+++ b/templates/webapps/galaxy/page/index.mako
@@ -30,7 +30,7 @@
<% page = association.page %><tr><td>
- <a class="menubutton" id="shared-${i}-popup" href="${h.url_for(controller='page', action='display_by_username_and_slug', username=page.user.username, slug=page.slug)}">${page.title}</a>
+ <a class="menubutton" id="shared-${i}-popup" href="${h.url_for(controller='page', action='display_by_username_and_slug', username=page.user.username, slug=page.slug)}">${page.title | h}</a></td><td>${page.user.username}</td><td>
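Review bot: `${page.title | h}` is now escaped, but `${page.user.username}` rendered in the next cell on the same new line is still emitted raw; unless usernames are constrained to a safe character set at registration (not visible here), give it the same filter, `${page.user.username | h}`. `page.slug` and the username also flow through `h.url_for` into the `href`, which presumably URL-encodes path components — worth confirming, since a value containing `"` would otherwise break out of the attribute.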
https://bitbucket.org/galaxy/galaxy-central/commits/0c8ac7330cdd/
Changeset: 0c8ac7330cdd
Branch: stable
User: dannon
Date: 2014-12-08 16:44:52+00:00
Summary: Merged in carlfeberhard/carlfeberhard-galaxy-central-stable/stable (pull request #594)
[STABLE] Next-stable security fixes to stable.
Affected #: 26 files
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 client/galaxy/scripts/mvc/annotations.js
--- a/client/galaxy/scripts/mvc/annotations.js
+++ b/client/galaxy/scripts/mvc/annotations.js
@@ -56,7 +56,7 @@
'<label class="prompt">', _l( 'Annotation' ), '</label>',
// set up initial tags by adding as CSV to input vals (necc. to init select2)
'<div class="annotation" title="', _l( 'Edit annotation' ), '">',
- annotation,
+ _.escape( annotation ),
'</div>'
].join( '' );
},
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 client/galaxy/scripts/mvc/tags.js
--- a/client/galaxy/scripts/mvc/tags.js
+++ b/client/galaxy/scripts/mvc/tags.js
@@ -56,7 +56,9 @@
if( !_.isArray( tagsArray ) || _.isEmpty( tagsArray ) ){
return '';
}
- return tagsArray.sort().join( ',' );
+ return tagsArray.map( function( tag ){
+ return _.escape( tag );
+ }).sort().join( ',' );
},
/** @returns {jQuery} the input for this view */
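Review bot: The new `tagsToCSV` escapes before sorting, so the order is that of the entity-encoded text (`a&b` sorts as `a&amp;b`) rather than of the tags themselves; sort first and escape after, `return tagsArray.slice().sort().map( _.escape ).join( ',' );`. Note the old `tagsArray.sort()` reordered the model's array in place, a side effect the new `map` copy no longer has — no caller visible here depends on it, but it is a behaviour change worth a line in the commit message. The CSV is placed into an `<input value="…">` attribute assembled as an HTML string, so the browser decodes the entities back and the value that is later saved is not double-encoded.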
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 lib/galaxy/tags/tag_handler.py
--- a/lib/galaxy/tags/tag_handler.py
+++ b/lib/galaxy/tags/tag_handler.py
@@ -1,5 +1,7 @@
-import re, logging
-from sqlalchemy.sql.expression import func, and_
+import re
+import logging
+from sqlalchemy.sql.expression import func
+from sqlalchemy.sql.expression import and_
from sqlalchemy.sql import select
log = logging.getLogger( __name__ )
@@ -25,12 +27,15 @@
self.key_value_separators = "=:"
# Initialize with known classes - add to this in subclasses.
self.item_tag_assoc_info = {}
+
def get_tag_assoc_class( self, item_class ):
"""Returns tag association class for item class."""
return self.item_tag_assoc_info[item_class.__name__].tag_assoc_class
+
def get_id_col_in_item_tag_assoc_table( self, item_class ):
"""Returns item id column in class' item-tag association table."""
return self.item_tag_assoc_info[item_class.__name__].item_id_col
+
def get_community_tags( self, trans, item=None, limit=None ):
"""Returns community tags for an item."""
# Get item-tag association class.
@@ -58,6 +63,7 @@
tag_id = row[0]
community_tags.append( self.get_tag_by_id( trans, tag_id ) )
return community_tags
+
def get_tool_tags( self, trans ):
result_set = trans.sa_session.execute( select( columns=[ trans.app.model.ToolTagAssociation.table.c.tag_id ],
from_obj=trans.app.model.ToolTagAssociation.table ).distinct() )
@@ -67,6 +73,7 @@
tag_id = row[0]
tags.append( self.get_tag_by_id( trans, tag_id ) )
return tags
+
def remove_item_tag( self, trans, user, item, tag_name ):
"""Remove a tag from an item."""
# Get item tag association.
@@ -78,6 +85,7 @@
item.tags.remove( item_tag_assoc )
return True
return False
+
def delete_item_tags( self, trans, user, item ):
"""Delete tags from an item."""
# Delete item-tag associations.
@@ -85,6 +93,7 @@
trans.sa_session.delete( tag )
# Delete tags from item.
del item.tags[:]
+
def item_has_tag( self, trans, user, item, tag ):
"""Returns true if item is has a given tag."""
# Get tag name.
@@ -97,6 +106,7 @@
if item_tag_assoc:
return True
return False
+
def apply_item_tag( self, trans, user, item, name, value=None ):
# Use lowercase name for searching/creating tag.
lc_name = name.lower()
@@ -124,6 +134,7 @@
item_tag_assoc.user_value = value
item_tag_assoc.value = lc_value
return item_tag_assoc
+
def apply_item_tags( self, trans, user, item, tags_str ):
"""Apply tags to an item."""
# Parse tags.
@@ -131,6 +142,7 @@
# Apply each tag.
for name, value in parsed_tags.items():
self.apply_item_tag( trans, user, item, name, value )
+
def get_tags_str( self, tags ):
"""Build a string from an item's tags."""
# Return empty string if there are no tags.
@@ -144,14 +156,17 @@
tag_str += ":" + tag.user_value
tags_str_list.append( tag_str )
return ", ".join( tags_str_list )
+
def get_tag_by_id( self, trans, tag_id ):
"""Get a Tag object from a tag id."""
return trans.sa_session.query( trans.app.model.Tag ).filter_by( id=tag_id ).first()
+
def get_tag_by_name( self, trans, tag_name ):
"""Get a Tag object from a tag name (string)."""
if tag_name:
return trans.sa_session.query( trans.app.model.Tag ).filter_by( name=tag_name.lower() ).first()
return None
+
def _create_tag( self, trans, tag_str ):
"""Create a Tag object from a tag string."""
tag_hierarchy = tag_str.split( self.hierarchy_separator )
@@ -169,6 +184,7 @@
parent_tag = tag
tag_prefix = tag.name + self.hierarchy_separator
return tag
+
def _get_or_create_tag( self, trans, tag_str ):
"""Get or create a Tag object from a tag string."""
# Scrub tag; if tag is None after being scrubbed, return None.
@@ -181,6 +197,7 @@
if tag is None:
tag = self._create_tag( trans, scrubbed_tag_str )
return tag
+
def _get_item_tag_assoc( self, user, item, tag_name ):
"""
Return ItemTagAssociation object for a user, item, and tag string; returns None if there is
@@ -191,6 +208,7 @@
if ( item_tag_assoc.user == user ) and ( item_tag_assoc.user_tname == scrubbed_tag_name ):
return item_tag_assoc
return None
+
def parse_tags( self, tag_str ):
"""
Returns a list of raw (tag-name, value) pairs derived from a string; method scrubs tag names and values as well.
@@ -210,6 +228,7 @@
scrubbed_value = self._scrub_tag_value( nv_pair[1] )
name_value_pairs[scrubbed_name] = scrubbed_value
return name_value_pairs
+
def _scrub_tag_value( self, value ):
"""Scrub a tag value."""
# Gracefully handle None:
@@ -219,6 +238,7 @@
reg_exp = re.compile( '\s' )
scrubbed_value = re.sub( reg_exp, "", value )
return scrubbed_value
+
def _scrub_tag_name( self, name ):
"""Scrub a tag name."""
# Gracefully handle None:
@@ -234,12 +254,14 @@
if len( scrubbed_name ) < self.min_tag_len or len( scrubbed_name ) > self.max_tag_len:
return None
return scrubbed_name
+
def _scrub_tag_name_list( self, tag_name_list ):
"""Scrub a tag name list."""
scrubbed_tag_list = list()
for tag in tag_name_list:
scrubbed_tag_list.append( self._scrub_tag_name( tag ) )
return scrubbed_tag_list
+
def _get_name_value_pair( self, tag_str ):
"""Get name, value pair from a tag string."""
# Use regular expression to parse name, value.
@@ -250,6 +272,7 @@
name_value_pair.append( None )
return name_value_pair
+
class GalaxyTagHandler( TagHandler ):
def __init__( self ):
from galaxy import model
@@ -271,6 +294,7 @@
model.VisualizationTagAssociation,
model.VisualizationTagAssociation.table.c.visualization_id )
+
class CommunityTagHandler( TagHandler ):
def __init__( self ):
from galaxy.webapps.tool_shed import model
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 lib/galaxy/util/json.py
--- a/lib/galaxy/util/json.py
+++ b/lib/galaxy/util/json.py
@@ -57,7 +57,7 @@
return val
-def safe_dumps(*args, **kwargs):
+def safe_dumps( *args, **kwargs ):
"""
This is a wrapper around dumps that encodes Infinity and NaN values. It's a
fairly rare case (which will be low in request volume). Basically, we tell
@@ -65,10 +65,12 @@
re-encoding.
"""
try:
- dumped = json.dumps(*args, allow_nan=False, **kwargs)
+ dumped = json.dumps( *args, allow_nan=False, **kwargs )
except ValueError:
- obj = swap_inf_nan(copy.deepcopy(args[0]))
- dumped = json.dumps(obj, allow_nan=False, **kwargs)
+ obj = swap_inf_nan( copy.deepcopy( args[0] ) )
+ dumped = json.dumps( obj, allow_nan=False, **kwargs )
+ if kwargs.get( 'escape_closing_tags', True ):
+ return dumped.replace( '</', '<\\/' )
return dumped
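Review bot: `escape_closing_tags` is read from `kwargs` on the new line but never removed from it, so a caller passing `escape_closing_tags=False` (or `True`) forwards that key to `json.dumps( *args, allow_nan=False, **kwargs )` and gets a TypeError that the `except ValueError` does not catch; the default path only works because the key is absent. Pop it before the `try`: `escape_closing_tags = kwargs.pop( 'escape_closing_tags', True )`, and test that local at the end. Rewriting `</` stops a `</script>` break-out; `<!--` inside an inline script can also change how the HTML parser tokenizes the rest of the block, so consider rewriting `<!` the same way. A docstring sentence saying the output is intended for embedding in inline `<script>` blocks (the extra backslash is harmless but unnecessary in HTTP JSON responses) would help callers pick the right flag.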
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 lib/galaxy/util/validation.py
--- a/lib/galaxy/util/validation.py
+++ b/lib/galaxy/util/validation.py
@@ -8,8 +8,8 @@
def validate_and_sanitize_basestring( key, val ):
if not isinstance( val, basestring ):
- raise exceptions.RequestParameterInvalidException( '%s must be a string or unicode: %s'
- % ( key, str( type( val ) ) ) )
+ raise exceptions.RequestParameterInvalidException( '%s must be a string or unicode: %s'
+ % ( key, str( type( val ) ) ) )
return unicode( sanitize_html( val, 'utf-8', 'text/html' ), 'utf-8' )
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 lib/galaxy/web/framework/helpers/__init__.py
--- a/lib/galaxy/web/framework/helpers/__init__.py
+++ b/lib/galaxy/web/framework/helpers/__init__.py
@@ -111,4 +111,3 @@
Returns true if input is a boolean and true or is a string and looks like a true value.
"""
return val == True or val in [ 'True', 'true', 'T', 't' ]
-
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 lib/galaxy/webapps/galaxy/controllers/tag.py
--- a/lib/galaxy/webapps/galaxy/controllers/tag.py
+++ b/lib/galaxy/webapps/galaxy/controllers/tag.py
@@ -64,7 +64,7 @@
trans.log_action( user, unicode( "untag" ), context, params )
# Retag an item. All previous tags are deleted and new tags are applied.
- #(a)web.expose
+ @web.expose
@web.require_login( "Apply a new set of tags to an item; previous tags are deleted." )
def retag_async( self, trans, item_id=None, item_class=None, new_tags=None ):
"""
@@ -73,7 +73,7 @@
# Apply tags.
item = self._get_item( trans, item_class, trans.security.decode_id( item_id ) )
user = trans.user
- self.get_tag_handler( trans ).delete_item_tags( trans, item )
+ self.get_tag_handler( trans ).delete_item_tags( trans, user, item )
self.get_tag_handler( trans ).apply_item_tags( trans, user, item, new_tags.encode( 'utf-8' ) )
trans.sa_session.flush()
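Review bot: `new_tags.encode( 'utf-8' )` runs unconditionally although `new_tags` defaults to `None`, so a request that omits the parameter raises AttributeError after the corrected `delete_item_tags( trans, user, item )` call has already removed the existing tags — the item ends up untagged and the client sees a 500. Normalise it before the delete, `new_tags = new_tags or ''`, or reject the request early, so a bad request leaves the old tags in place. The re-exposed `retag_async` resolves `item_id` through `_get_item` outside this hunk; confirm that helper checks `trans.user` owns or may edit the item, since `@web.require_login` only establishes that someone is logged in.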
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 static/scripts/mvc/annotations.js
--- a/static/scripts/mvc/annotations.js
+++ b/static/scripts/mvc/annotations.js
@@ -56,7 +56,7 @@
'<label class="prompt">', _l( 'Annotation' ), '</label>',
// set up initial tags by adding as CSV to input vals (necc. to init select2)
'<div class="annotation" title="', _l( 'Edit annotation' ), '">',
- annotation,
+ _.escape( annotation ),
'</div>'
].join( '' );
},
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 static/scripts/mvc/tags.js
--- a/static/scripts/mvc/tags.js
+++ b/static/scripts/mvc/tags.js
@@ -56,7 +56,9 @@
if( !_.isArray( tagsArray ) || _.isEmpty( tagsArray ) ){
return '';
}
- return tagsArray.sort().join( ',' );
+ return tagsArray.map( function( tag ){
+ return _.escape( tag );
+ }).sort().join( ',' );
},
/** @returns {jQuery} the input for this view */
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 static/scripts/packed/mvc/annotations.js
--- a/static/scripts/packed/mvc/annotations.js
+++ b/static/scripts/packed/mvc/annotations.js
@@ -1,1 +1,1 @@
-define(["mvc/base-mvc","utils/localization"],function(a,c){var b=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"annotation-display",initialize:function(d){d=d||{};this.tooltipConfig=d.tooltipConfig||{placement:"bottom"};this.listenTo(this.model,"change:annotation",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$el.find("[title]").tooltip(this.tooltipConfig);this.$annotation().make_text_editable({use_textarea:true,on_finish:function(e){d.$annotation().text(e);d.model.save({annotation:e},{silent:true}).fail(function(){d.$annotation().text(d.model.previous("annotation"))})}});return this},_template:function(){var d=this.model.get("annotation");return['<label class="prompt">',c("Annotation"),"</label>",'<div class="annotation" title="',c("Edit annotation"),'">',d,"</div>"].join("")},$annotation:function(){return this.$el.find(".annotation")},remove:function(){this.$annotation.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["AnnotationEditor(",this.model+"",")"].join("")}});return{AnnotationEditor:b}});
\ No newline at end of file
+define(["mvc/base-mvc","utils/localization"],function(a,c){var b=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"annotation-display",initialize:function(d){d=d||{};this.tooltipConfig=d.tooltipConfig||{placement:"bottom"};this.listenTo(this.model,"change:annotation",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$el.find("[title]").tooltip(this.tooltipConfig);this.$annotation().make_text_editable({use_textarea:true,on_finish:function(e){d.$annotation().text(e);d.model.save({annotation:e},{silent:true}).fail(function(){d.$annotation().text(d.model.previous("annotation"))})}});return this},_template:function(){var d=this.model.get("annotation");return['<label class="prompt">',c("Annotation"),"</label>",'<div class="annotation" title="',c("Edit annotation"),'">',_.escape(d),"</div>"].join("")},$annotation:function(){return this.$el.find(".annotation")},remove:function(){this.$annotation.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["AnnotationEditor(",this.model+"",")"].join("")}});return{AnnotationEditor:b}});
\ No newline at end of file
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 static/scripts/packed/mvc/tags.js
--- a/static/scripts/packed/mvc/tags.js
+++ b/static/scripts/packed/mvc/tags.js
@@ -1,1 +1,1 @@
-define(["mvc/base-mvc","utils/localization"],function(a,b){var c=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"tags-display",initialize:function(d){this.listenTo(this.model,"change:tags",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$input().select2({placeholder:"Add tags",width:"100%",tags:function(){return d._getTagsUsed()}});this._setUpBehaviors();return this},_template:function(){return['<label class="prompt">',b("Tags"),"</label>",'<input class="tags-input" value="',this.tagsToCSV(),'" />'].join("")},tagsToCSV:function(){var d=this.model.get("tags");if(!_.isArray(d)||_.isEmpty(d)){return""}return d.sort().join(",")},$input:function(){return this.$el.find("input.tags-input")},_getTagsUsed:function(){return Galaxy.currUser.get("tags_used")},_setUpBehaviors:function(){var d=this;this.$input().on("change",function(e){d.model.save({tags:e.val},{silent:true});if(e.added){d._addNewTagToTagsUsed(e.added.text+"")}})},_addNewTagToTagsUsed:function(d){var e=Galaxy.currUser.get("tags_used");if(!_.contains(e,d)){e.push(d);e.sort();Galaxy.currUser.set("tags_used",e)}},remove:function(){this.$input.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["TagsEditor(",this.model+"",")"].join("")}});return{TagsEditor:c}});
\ No newline at end of file
+define(["mvc/base-mvc","utils/localization"],function(a,b){var c=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"tags-display",initialize:function(d){this.listenTo(this.model,"change:tags",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$input().select2({placeholder:"Add tags",width:"100%",tags:function(){return d._getTagsUsed()}});this._setUpBehaviors();return this},_template:function(){return['<label class="prompt">',b("Tags"),"</label>",'<input class="tags-input" value="',this.tagsToCSV(),'" />'].join("")},tagsToCSV:function(){var d=this.model.get("tags");if(!_.isArray(d)||_.isEmpty(d)){return""}return d.map(function(e){return _.escape(e)}).sort().join(",")},$input:function(){return this.$el.find("input.tags-input")},_getTagsUsed:function(){return Galaxy.currUser.get("tags_used")},_setUpBehaviors:function(){var d=this;this.$input().on("change",function(e){d.model.save({tags:e.val},{silent:true});if(e.added){d._addNewTagToTagsUsed(e.added.text+"")}})},_addNewTagToTagsUsed:function(d){var e=Galaxy.currUser.get("tags_used");if(!_.contains(e,d)){e.push(d);e.sort();Galaxy.currUser.set("tags_used",e)}},remove:function(){this.$input.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["TagsEditor(",this.model+"",")"].join("")}});return{TagsEditor:c}});
\ No newline at end of file
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/galaxy_client_app.mako
--- a/templates/galaxy_client_app.mako
+++ b/templates/galaxy_client_app.mako
@@ -15,7 +15,7 @@
//TODO: global...
%for key in kwargs:
( window.bootstrapped = window.bootstrapped || {} )[ '${key}' ] = (
- ${ h.dumps( kwargs[ key ], indent=( 2 if trans.debug else 0 ) )} );
+ ${ h.dumps( kwargs[ key ], indent=( 2 if trans.debug else 0 ) ) } );
%endfor
define( 'bootstrapped-data', function(){
return window.bootstrapped;
@@ -76,11 +76,17 @@
user_dict = trans.user.to_dict( view='element',
value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float } )
user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans )
+ user_dict[ 'is_admin' ] = trans.user_is_admin()
# tags used
users_api_controller = trans.webapp.api_controllers[ 'users' ]
- user_dict[ 'tags_used' ] = users_api_controller.get_user_tags_used( trans, user=trans.user )
- user_dict[ 'is_admin' ] = trans.user_is_admin()
+ tags_used = []
+ for tag in users_api_controller.get_user_tags_used( trans, user=trans.user ):
+ tag = tag | h
+ if tag:
+ tags_used.append( tag )
+ user_dict[ 'tags_used' ] = tags_used
+
return user_dict
usage = 0
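Review bot: `tag = tag | h` on the new line sits inside the `<% %>` Python block of `get_user_json`, where `| h` is not Mako's escape filter but a Python bitwise-or between a string and the `h` helpers object used by `h.dumps(...)` above; unless that object defines `__ror__`, this raises TypeError for every logged-in user with tags and breaks every page that bootstraps the user. Call a real function instead, e.g. `from mako.filters import html_escape` and `tag = html_escape( tag )`, or whatever `escape` the tagging templates already import. Separately, escaping here stores entity text in `tags_used`, which the tag editor later compares against the raw text of a newly added tag, so a tag containing `&` may never match; leaving this list raw and escaping at the render site, as the `tagsToCSV` change already does, avoids that. The enclosing `get_user_json` def starts outside the hunk.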
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/tagging_common.mako
--- a/templates/tagging_common.mako
+++ b/templates/tagging_common.mako
@@ -19,7 +19,7 @@
## Render HTML for a list of tags.
<%def name="render_tagging_element_html(elt_id=None, tags=None, editable=True, use_toggle_link=True, input_size='15', in_form=False, tag_type='individual', render_add_tag_button=True)">
## Useful attributes.
- <%
+ <%
num_tags = len( tags )
%><div class="tag-element"
@@ -50,6 +50,7 @@
elif isinstance( tag, ItemTagAssociation ):
tag_name = tag.user_tname
tag_value = tag.user_value
+
## Convert tag name, value to unicode.
if isinstance( tag_name, str ):
tag_name = unicode( escape( tag_name ), 'utf-8' )
@@ -61,7 +62,7 @@
tag_str = tag_name
%><span class="tag-button">
- <span class="tag-name">${tag_str}</span>
+ <span class="tag-name">${tag_str | h}</span>
%if editable:
<img class="delete-tag-img" src="${h.url_for('/static/images/delete_tag_icon_gray.png')}"/>
%endif
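Review bot: `${tag_str | h}` now escapes a value that the block above already passed through `escape()` in the `isinstance( tag_name, str )` branch (`tag_name = unicode( escape( tag_name ), 'utf-8' )`, then `tag_str = tag_name`), so a tag named `a&b` renders as `a&amp;b` in the tag button. Escape once, at output: keep `| h` and change that line to `tag_name = unicode( tag_name, 'utf-8' )`. The unicode branch and the value concatenation between the two hunks are outside the view, so check they do not escape as well; doing it at the substitution is the safer layer because it covers the `tag_value` path too.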
@@ -186,10 +187,11 @@
## Build dict of tag name, values.
tag_names_and_values = dict()
for tag in item_tags:
- tag_name = tag.user_tname
+ tag_name = escape( tag.user_tname )
tag_value = ""
if tag.value is not None:
- tag_value = tag.user_value
+ tag_value = escape( tag.user_value )
+
## Tag names and values may be string or unicode object.
if isinstance( tag_name, str ):
tag_names_and_values[unicode(tag_name, 'utf-8')] = unicode(tag_value, 'utf-8')
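Review bot: HTML-escaping `tag.user_tname` and `tag.user_value` while building `tag_names_and_values` escapes at the data layer rather than at output; if this dict is later serialised for the JavaScript tag editor (not visible here), the client receives entity text and a subsequent save would persist `&amp;` as the tag name. If the dict is only ever interpolated into HTML, the escape belongs on those substitutions (`| h`) and these two lines should revert to the raw attributes. Also `escape( tag.user_value )` is guarded by `tag.value is not None`, not `tag.user_value is not None`; if the two can differ, `escape( None )` will raise — a `tag.user_value or ""` fallback is cheap.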
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/copy_view.mako
--- a/templates/webapps/galaxy/dataset/copy_view.mako
+++ b/templates/webapps/galaxy/dataset/copy_view.mako
@@ -53,7 +53,7 @@
%><option value="${trans.security.encode_id(hist.id)}" ${selected}>
- ${i + 1}: ${h.truncate(util.unicodify( hist.name ), 30)}${current_history_text}
+ ${i + 1}: ${h.truncate(util.unicodify( hist.name ), 30) | h}${current_history_text}
</option>
%endfor
</select>
@@ -70,7 +70,7 @@
%><div class="form-row"><input type="checkbox" name="source_content_ids" id="${input_id}" value="${input_id}"${checked}/>
- <label for="${input_id}" style="display: inline;font-weight:normal;"> ${data.hid}: ${h.to_unicode(data.name)}</label>
+ <label for="${input_id}" style="display: inline;font-weight:normal;"> ${data.hid}: ${h.to_unicode(data.name) | h}</label></div>
%endfor
%else:
@@ -95,7 +95,7 @@
if encoded_id == target_history_id:
selected = " selected='selected'"
%>
- <option value="${encoded_id}"${selected}>${i + 1}: ${h.truncate( util.unicodify( hist.name ), 30)}${source_history_text}</option>
+ <option value="${encoded_id}"${selected}>${i + 1}: ${h.truncate( util.unicodify( hist.name ), 30) | h}${source_history_text}</option>
%endfor
</select><br /><br /><a style="margin-left: 10px;" href="javascript:void(0);" id="select-multiple">Choose multiple histories</a>
@@ -110,7 +110,7 @@
%><div class="form-row"><input type="checkbox" name="target_history_ids" id="hist_${encoded_id}" value="${encoded_id}"/>
- <label for="hist_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${ util.unicodify( hist.name ) }${cur_history_text}</label>
+ <label for="hist_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${ util.unicodify( hist.name ) | h }${cur_history_text}</label></div>
%endfor
</div>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/display.mako
--- a/templates/webapps/galaxy/dataset/display.mako
+++ b/templates/webapps/galaxy/dataset/display.mako
@@ -26,13 +26,11 @@
data.createTabularDatasetChunkedView({
// TODO: encode id.
dataset_config:
- _.extend( ${h.dumps( item.to_dict() )},
- {
- chunk_url: "${h.url_for( controller='/dataset', action='display',
- dataset_id=trans.security.encode_id( item.id ))}",
- first_data_chunk: ${first_chunk}
- }
- ),
+ _.extend( ${h.dumps( item.to_dict() )}, {
+ chunk_url: "${h.url_for( controller='/dataset', action='display',
+ dataset_id=trans.security.encode_id( item.id ))}",
+ first_data_chunk: ${first_chunk}
+ }),
parent_elt: $('.page-body')
});
});
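Review bot: The `// TODO: encode id.` context line still stands: `${h.dumps( item.to_dict() )}` emits the raw database id, whereas tabular_chunked.mako in this same commit wraps the same dict in `trans.security.encode_dict_ids(...)`; use `_.extend( ${ h.dumps( trans.security.encode_dict_ids( item.to_dict() ) ) }, {` here too, checking that the client consumer of `dataset_config.id` expects an encoded id (the `chunk_url` it is paired with already uses one). Both `h.dumps` outputs land inside an inline `<script>`, so they rely on the closing-tag rewrite added to `safe_dumps` in this commit — confirm `h.dumps` resolves to that function.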
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/embed.mako
--- a/templates/webapps/galaxy/dataset/embed.mako
+++ b/templates/webapps/galaxy/dataset/embed.mako
@@ -4,10 +4,13 @@
%><%def name="render_item_links( dataset )">
- <a href="${h.url_for( controller='/dataset', action='display', dataset_id=trans.security.encode_id( dataset.id ), to_ext=dataset.ext )}" title="Save dataset" class="icon-button disk"></a>
+ <a href="${h.url_for( controller='/dataset', action='display', dataset_id=trans.security.encode_id( dataset.id ), to_ext=dataset.ext )}"
+ title="Save dataset" class="icon-button disk"></a>
## Links for importing and viewing an item.
- <a href="${h.url_for( controller='/dataset', action='imp', dataset_id=trans.security.encode_id( item.id ) )}" title="Import dataset" class="icon-button import"></a>
- <a class="icon-button go-to-full-screen" href="${h.url_for( controller='/dataset', action='display_by_username_and_slug', username=dataset.history.user.username, slug=trans.security.encode_id( dataset.id ) )}" title="Go to dataset"></a>
+ <a href="${h.url_for( controller='/dataset', action='imp', dataset_id=trans.security.encode_id( item.id ) )}"
+ title="Import dataset" class="icon-button import"></a>
+ <a href="${h.url_for( controller='/dataset', action='display_by_username_and_slug', username=dataset.history.user.username, slug=trans.security.encode_id( dataset.id ) )}"
+ title="Go to dataset" class="icon-button go-to-full-screen"></a></%def>
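Review bot: The rewritten import link uses `trans.security.encode_id( item.id )` while the def's only parameter is `dataset` and the two neighbouring links use `dataset.id`; `item` is picked up from the enclosing template scope, so this link points at whatever `item` is bound to there rather than at the dataset passed in. Use `dataset_id=trans.security.encode_id( dataset.id )` on all three links. `dataset.history.user.username` is handed to `h.url_for`, which presumably URL-encodes path parameters — verify, since it ends up in an `href`.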
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/errors.mako
--- a/templates/webapps/galaxy/dataset/errors.mako
+++ b/templates/webapps/galaxy/dataset/errors.mako
@@ -49,7 +49,7 @@
<body><h2>Dataset generation errors</h2>
- <p><b>Dataset ${hda.hid}: ${hda.display_name()}</b></p>
+ <p><b>Dataset ${hda.hid}: ${hda.display_name() | h}</b></p><% job = hda.creating_job %>
%if job:
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/security_common.mako
--- a/templates/webapps/galaxy/dataset/security_common.mako
+++ b/templates/webapps/galaxy/dataset/security_common.mako
@@ -77,7 +77,7 @@
else:
current_actions = []
permitted_actions = {}.items()
- obj_str = 'unknown object %s' %obj_name
+ obj_str = 'unknown object %s' % obj_name
obj_type = ''
%><script type="text/javascript">
@@ -104,7 +104,7 @@
});
</script><div class="toolForm">
- <div class="toolFormTitle">Manage ${obj_type} permissions on ${obj_str}</div>
+ <div class="toolFormTitle">Manage ${obj_type} permissions on ${obj_str | h}</div><div class="toolFormBody"><form name="edit_role_associations" id="edit_role_associations" action="${form_url}" method="post"><div class="form-row"></div>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/tabular_chunked.mako
--- a/templates/webapps/galaxy/dataset/tabular_chunked.mako
+++ b/templates/webapps/galaxy/dataset/tabular_chunked.mako
@@ -15,14 +15,12 @@
}
});
- require(['mvc/data'], function(data) {
+ require([ 'mvc/data' ], function( data ) {
data.createTabularDatasetChunkedView({
- dataset_config: _.extend( ${h.dumps( trans.security.encode_dict_ids( dataset.to_dict() ) )},
- {
- first_data_chunk: ${chunk}
- }
- ),
- parent_elt: $('body')
+ dataset_config : _.extend( ${ h.dumps( trans.security.encode_dict_ids( dataset.to_dict() ) )}, {
+ first_data_chunk: ${ chunk }
+ }),
+ parent_elt : $( 'body' )
});
});
</script>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/galaxy.masthead.mako
--- a/templates/webapps/galaxy/galaxy.masthead.mako
+++ b/templates/webapps/galaxy/galaxy.masthead.mako
@@ -1,32 +1,4 @@
-## get user data
-<%def name="get_user_json()">
-<%
- """Bootstrapping user API JSON"""
- #TODO: move into common location (poss. BaseController)
- if trans.user:
- user_dict = trans.user.to_dict( view='element', value_mapper={ 'id': trans.security.encode_id,
- 'total_disk_usage': float } )
- user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans )
- users_api_controller = trans.webapp.api_controllers[ 'users' ]
- user_dict[ 'tags_used' ] = users_api_controller.get_user_tags_used( trans, user=trans.user )
- user_dict[ 'is_admin' ] = trans.user_is_admin()
- else:
- usage = 0
- percent = None
- try:
- usage = trans.app.quota_agent.get_usage( trans, history=trans.history )
- percent = trans.app.quota_agent.get_percent( trans=trans, usage=usage )
- except AssertionError, assertion:
- # no history for quota_agent.get_usage assertion
- pass
- user_dict = {
- 'total_disk_usage' : int( usage ),
- 'nice_total_disk_usage' : util.nice_size( usage ),
- 'quota_percent' : percent
- }
- return user_dict
-%>
-</%def>
+<%namespace file="/galaxy_client_app.mako" import="get_user_json" />
## masthead head generator
<%def name="load(active_view = None)">
@@ -87,7 +59,7 @@
], function( mod_masthead, mod_menu, mod_modal, mod_frame, GalaxyUpload, user, quotameter ){
if( !Galaxy.currUser ){
// this doesn't need to wait for the page being readied
- Galaxy.currUser = new user.User(${ h.dumps( get_user_json(), indent=2 ) });
+ Galaxy.currUser = new user.User(${ h.dumps( masthead_config[ 'user' ][ 'json' ], indent=2 ) });
}
$(function() {
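Review bot: `get_user_json` is still imported from galaxy_client_app.mako in the first hunk of this file, but its only visible call site — the `new user.User(...)` bootstrap — now reads `masthead_config[ 'user' ][ 'json' ]` instead; if nothing else in the file calls it, drop the `<%namespace file="/galaxy_client_app.mako" import="get_user_json" />` line. Where `masthead_config[ 'user' ][ 'json' ]` is built is outside the hunk; it should come from that same helper so `tags_used` gets identical treatment on every page. The enclosing `require([...], function(...){ ... })` starts before this hunk.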
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/history/embed.mako
--- a/templates/webapps/galaxy/history/embed.mako
+++ b/templates/webapps/galaxy/history/embed.mako
@@ -24,7 +24,7 @@
</a></h4>
%if hasattr( item, "annotation") and item.annotation:
- <div class="annotation">${item.annotation}</div>
+ <div class="annotation">${item.annotation | h}</div>
%endif
</div><div class='summary-content'>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/history/history_panel.mako
--- a/templates/webapps/galaxy/history/history_panel.mako
+++ /dev/null
@@ -1,14 +0,0 @@
-## shortcuts for script tags that create history panels
-## ----------------------------------------------------------------------------
-<%def name="current_history_panel( selector_to_attach_to=None, options )">
-</%def>
-
-
-## ----------------------------------------------------------------------------
-<%def name="history_panel( history_id, selector_to_attach_to=None, options )">
-</%def>
-
-
-## ----------------------------------------------------------------------------
-<%def name="bootstrapped_history_panel( history, hdas, selector_to_attach_to=None, options )">
-</%def>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/history/share.mako
--- a/templates/webapps/galaxy/history/share.mako
+++ b/templates/webapps/galaxy/history/share.mako
@@ -20,7 +20,7 @@
<tr><td><input type="hidden" name="id" value="${trans.security.encode_id( history.id )}">
- ${ util.unicodify( history.name )}
+ ${ util.unicodify( history.name ) | h }
</td><td>
%if len( history.datasets ) < 1:
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/history/view.mako
--- a/templates/webapps/galaxy/history/view.mako
+++ b/templates/webapps/galaxy/history/view.mako
@@ -1,4 +1,4 @@
-<%namespace file="/galaxy.masthead.mako" import="get_user_json" />
+<%namespace file="/galaxy_client_app.mako" import="get_user_json" />
## ----------------------------------------------------------------------------
<%!
@@ -166,9 +166,9 @@
// use_panels effects where the the center_panel() is rendered:
// w/o it renders to the body, w/ it renders to #center - we need to adjust a few things for scrolling to work
var hasMasthead = ${ 'true' if use_panels else 'false' },
- userIsOwner = ${'true' if user_is_owner else 'false'},
- historyJSON = ${h.dumps( history )},
- hdaJSON = ${h.dumps( hdas )},
+ userIsOwner = ${ 'true' if user_is_owner else 'false' },
+ historyJSON = ${ h.dumps( history ) },
+ hdaJSON = ${ h.dumps( hdas ) },
panelToUse = ( userIsOwner )?
//TODO: change class names
({ location: 'mvc/history/history-panel-edit', className: 'HistoryPanelEdit' }):
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/page/editor.mako
--- a/templates/webapps/galaxy/page/editor.mako
+++ b/templates/webapps/galaxy/page/editor.mako
@@ -47,7 +47,7 @@
<a id="close-button" class="panel-header-button">Close</a></div><div class="unified-panel-header-inner">
- Page Editor <span style="font-weight: normal">| Title : ${page.title}</span>
+ Page Editor <span style="font-weight: normal">| Title : ${page.title | h}</span></div></div>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/page/index.mako
--- a/templates/webapps/galaxy/page/index.mako
+++ b/templates/webapps/galaxy/page/index.mako
@@ -30,7 +30,7 @@
<% page = association.page %><tr><td>
- <a class="menubutton" id="shared-${i}-popup" href="${h.url_for(controller='page', action='display_by_username_and_slug', username=page.user.username, slug=page.slug)}">${page.title}</a>
+ <a class="menubutton" id="shared-${i}-popup" href="${h.url_for(controller='page', action='display_by_username_and_slug', username=page.user.username, slug=page.slug)}">${page.title | h}</a></td><td>${page.user.username}</td><td>
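Review bot: `${page.user.username}` on the same new line is still rendered without the `| h` filter that the line now applies to `page.title`. If usernames are constrained to a safe character set by the user model this is harmless, but that constraint is not visible here, so the cell should read `<td>${page.user.username | h}</td>` for consistency with the rest of the fix. The same hunk for templates/webapps/galaxy/page/index.mako appears a second time later on this page as part of the full commit mail; the remark applies there too.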
commit/galaxy-central: dannon: Merged in carlfeberhard/carlfeberhard-galaxy-central-stable/stable (pull request #594)
by commits-noreply@bitbucket.org 08 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/0c8ac7330cdd/
Changeset: 0c8ac7330cdd
Branch: stable
User: dannon
Date: 2014-12-08 16:44:52+00:00
Summary: Merged in carlfeberhard/carlfeberhard-galaxy-central-stable/stable (pull request #594)
[STABLE] Next-stable security fixes to stable.
Affected #: 26 files
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 client/galaxy/scripts/mvc/annotations.js
--- a/client/galaxy/scripts/mvc/annotations.js
+++ b/client/galaxy/scripts/mvc/annotations.js
@@ -56,7 +56,7 @@
'<label class="prompt">', _l( 'Annotation' ), '</label>',
// set up initial tags by adding as CSV to input vals (necc. to init select2)
'<div class="annotation" title="', _l( 'Edit annotation' ), '">',
- annotation,
+ _.escape( annotation ),
'</div>'
].join( '' );
},
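Review bot: The comment above the escaped line, `// set up initial tags by adding as CSV to input vals (necc. to init select2)`, describes the tags editor, not this annotation div, and now sits directly over the security-relevant change; replace it with `// annotation is user-supplied text: escape it before it is joined into markup`. `_.escape( annotation )` is applied at the right layer (the template string, not the model), and the packed copy of this file further down the page shows the edit path writes back with `.text()`, so as far as visible no unescaped sink remains in this view. The identical one-line change is also committed by hand in static/scripts/mvc/annotations.js and in the packed build under static/scripts/packed/; the packed copy should be regenerated from source rather than edited, otherwise the three copies will drift. `_template` begins outside the hunk.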
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 client/galaxy/scripts/mvc/tags.js
--- a/client/galaxy/scripts/mvc/tags.js
+++ b/client/galaxy/scripts/mvc/tags.js
@@ -56,7 +56,9 @@
if( !_.isArray( tagsArray ) || _.isEmpty( tagsArray ) ){
return '';
}
- return tagsArray.sort().join( ',' );
+ return tagsArray.map( function( tag ){
+ return _.escape( tag );
+ }).sort().join( ',' );
},
/** @returns {jQuery} the input for this view */
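Review bot: The new `tagsArray.map( ... ).sort()` sorts the escaped strings, so display order now depends on entity encoding (a tag starting with `&` sorts as `&amp;`), and because `map` returns a fresh array the model's `tags` array is no longer sorted in place as the old `tagsArray.sort()` did — a silent behaviour change, probably welcome, but worth stating in the commit. Sorting first keeps the order independent of escaping: `return tagsArray.slice().sort().map( _.escape ).join( ',' );`. The packed copy on this page shows the result is placed into an `<input value="...">` attribute, so escaping of `"` by `_.escape` is what makes this safe; the same change is repeated in static/scripts/mvc/tags.js and the packed copy. `tagsToCSV` begins outside the hunk.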
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 lib/galaxy/tags/tag_handler.py
--- a/lib/galaxy/tags/tag_handler.py
+++ b/lib/galaxy/tags/tag_handler.py
@@ -1,5 +1,7 @@
-import re, logging
-from sqlalchemy.sql.expression import func, and_
+import re
+import logging
+from sqlalchemy.sql.expression import func
+from sqlalchemy.sql.expression import and_
from sqlalchemy.sql import select
log = logging.getLogger( __name__ )
@@ -25,12 +27,15 @@
self.key_value_separators = "=:"
# Initialize with known classes - add to this in subclasses.
self.item_tag_assoc_info = {}
+
def get_tag_assoc_class( self, item_class ):
"""Returns tag association class for item class."""
return self.item_tag_assoc_info[item_class.__name__].tag_assoc_class
+
def get_id_col_in_item_tag_assoc_table( self, item_class ):
"""Returns item id column in class' item-tag association table."""
return self.item_tag_assoc_info[item_class.__name__].item_id_col
+
def get_community_tags( self, trans, item=None, limit=None ):
"""Returns community tags for an item."""
# Get item-tag association class.
@@ -58,6 +63,7 @@
tag_id = row[0]
community_tags.append( self.get_tag_by_id( trans, tag_id ) )
return community_tags
+
def get_tool_tags( self, trans ):
result_set = trans.sa_session.execute( select( columns=[ trans.app.model.ToolTagAssociation.table.c.tag_id ],
from_obj=trans.app.model.ToolTagAssociation.table ).distinct() )
@@ -67,6 +73,7 @@
tag_id = row[0]
tags.append( self.get_tag_by_id( trans, tag_id ) )
return tags
+
def remove_item_tag( self, trans, user, item, tag_name ):
"""Remove a tag from an item."""
# Get item tag association.
@@ -78,6 +85,7 @@
item.tags.remove( item_tag_assoc )
return True
return False
+
def delete_item_tags( self, trans, user, item ):
"""Delete tags from an item."""
# Delete item-tag associations.
@@ -85,6 +93,7 @@
trans.sa_session.delete( tag )
# Delete tags from item.
del item.tags[:]
+
def item_has_tag( self, trans, user, item, tag ):
"""Returns true if item is has a given tag."""
# Get tag name.
@@ -97,6 +106,7 @@
if item_tag_assoc:
return True
return False
+
def apply_item_tag( self, trans, user, item, name, value=None ):
# Use lowercase name for searching/creating tag.
lc_name = name.lower()
@@ -124,6 +134,7 @@
item_tag_assoc.user_value = value
item_tag_assoc.value = lc_value
return item_tag_assoc
+
def apply_item_tags( self, trans, user, item, tags_str ):
"""Apply tags to an item."""
# Parse tags.
@@ -131,6 +142,7 @@
# Apply each tag.
for name, value in parsed_tags.items():
self.apply_item_tag( trans, user, item, name, value )
+
def get_tags_str( self, tags ):
"""Build a string from an item's tags."""
# Return empty string if there are no tags.
@@ -144,14 +156,17 @@
tag_str += ":" + tag.user_value
tags_str_list.append( tag_str )
return ", ".join( tags_str_list )
+
def get_tag_by_id( self, trans, tag_id ):
"""Get a Tag object from a tag id."""
return trans.sa_session.query( trans.app.model.Tag ).filter_by( id=tag_id ).first()
+
def get_tag_by_name( self, trans, tag_name ):
"""Get a Tag object from a tag name (string)."""
if tag_name:
return trans.sa_session.query( trans.app.model.Tag ).filter_by( name=tag_name.lower() ).first()
return None
+
def _create_tag( self, trans, tag_str ):
"""Create a Tag object from a tag string."""
tag_hierarchy = tag_str.split( self.hierarchy_separator )
@@ -169,6 +184,7 @@
parent_tag = tag
tag_prefix = tag.name + self.hierarchy_separator
return tag
+
def _get_or_create_tag( self, trans, tag_str ):
"""Get or create a Tag object from a tag string."""
# Scrub tag; if tag is None after being scrubbed, return None.
@@ -181,6 +197,7 @@
if tag is None:
tag = self._create_tag( trans, scrubbed_tag_str )
return tag
+
def _get_item_tag_assoc( self, user, item, tag_name ):
"""
Return ItemTagAssociation object for a user, item, and tag string; returns None if there is
@@ -191,6 +208,7 @@
if ( item_tag_assoc.user == user ) and ( item_tag_assoc.user_tname == scrubbed_tag_name ):
return item_tag_assoc
return None
+
def parse_tags( self, tag_str ):
"""
Returns a list of raw (tag-name, value) pairs derived from a string; method scrubs tag names and values as well.
@@ -210,6 +228,7 @@
scrubbed_value = self._scrub_tag_value( nv_pair[1] )
name_value_pairs[scrubbed_name] = scrubbed_value
return name_value_pairs
+
def _scrub_tag_value( self, value ):
"""Scrub a tag value."""
# Gracefully handle None:
@@ -219,6 +238,7 @@
reg_exp = re.compile( '\s' )
scrubbed_value = re.sub( reg_exp, "", value )
return scrubbed_value
+
def _scrub_tag_name( self, name ):
"""Scrub a tag name."""
# Gracefully handle None:
@@ -234,12 +254,14 @@
if len( scrubbed_name ) < self.min_tag_len or len( scrubbed_name ) > self.max_tag_len:
return None
return scrubbed_name
+
def _scrub_tag_name_list( self, tag_name_list ):
"""Scrub a tag name list."""
scrubbed_tag_list = list()
for tag in tag_name_list:
scrubbed_tag_list.append( self._scrub_tag_name( tag ) )
return scrubbed_tag_list
+
def _get_name_value_pair( self, tag_str ):
"""Get name, value pair from a tag string."""
# Use regular expression to parse name, value.
@@ -250,6 +272,7 @@
name_value_pair.append( None )
return name_value_pair
+
class GalaxyTagHandler( TagHandler ):
def __init__( self ):
from galaxy import model
@@ -271,6 +294,7 @@
model.VisualizationTagAssociation,
model.VisualizationTagAssociation.table.c.visualization_id )
+
class CommunityTagHandler( TagHandler ):
def __init__( self ):
from galaxy.webapps.tool_shed import model
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 lib/galaxy/util/json.py
--- a/lib/galaxy/util/json.py
+++ b/lib/galaxy/util/json.py
@@ -57,7 +57,7 @@
return val
-def safe_dumps(*args, **kwargs):
+def safe_dumps( *args, **kwargs ):
"""
This is a wrapper around dumps that encodes Infinity and NaN values. It's a
fairly rare case (which will be low in request volume). Basically, we tell
@@ -65,10 +65,12 @@
re-encoding.
"""
try:
- dumped = json.dumps(*args, allow_nan=False, **kwargs)
+ dumped = json.dumps( *args, allow_nan=False, **kwargs )
except ValueError:
- obj = swap_inf_nan(copy.deepcopy(args[0]))
- dumped = json.dumps(obj, allow_nan=False, **kwargs)
+ obj = swap_inf_nan( copy.deepcopy( args[0] ) )
+ dumped = json.dumps( obj, allow_nan=False, **kwargs )
+ if kwargs.get( 'escape_closing_tags', True ):
+ return dumped.replace( '</', '<\\/' )
return dumped
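Review bot: `escape_closing_tags` is read with `kwargs.get(...)` but left in `kwargs`, which is forwarded as `**kwargs` to `json.dumps` on both the try and the except path, so any caller that passes `escape_closing_tags=False` gets a `TypeError` for an unexpected keyword argument instead of unescaped output. Pop it before the first call — `escape_closing_tags = kwargs.pop( 'escape_closing_tags', True )` at the top of the function, then `if escape_closing_tags:` below — and cover that case in a test. The `</` → `<\/` rewrite only defends the `<script>` sink; several templates on this page embed `h.dumps(...)` output inside script blocks with no other escaping, so the docstring should state the contract, e.g. `Also rewrites '</' as '<\\/' so the output can be embedded in a <script> block (pass escape_closing_tags=False to disable); this does not make the output safe in HTML attribute or text contexts.`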
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 lib/galaxy/util/validation.py
--- a/lib/galaxy/util/validation.py
+++ b/lib/galaxy/util/validation.py
@@ -8,8 +8,8 @@
def validate_and_sanitize_basestring( key, val ):
if not isinstance( val, basestring ):
- raise exceptions.RequestParameterInvalidException( '%s must be a string or unicode: %s'
- % ( key, str( type( val ) ) ) )
+ raise exceptions.RequestParameterInvalidException( '%s must be a string or unicode: %s'
+ % ( key, str( type( val ) ) ) )
return unicode( sanitize_html( val, 'utf-8', 'text/html' ), 'utf-8' )
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 lib/galaxy/web/framework/helpers/__init__.py
--- a/lib/galaxy/web/framework/helpers/__init__.py
+++ b/lib/galaxy/web/framework/helpers/__init__.py
@@ -111,4 +111,3 @@
Returns true if input is a boolean and true or is a string and looks like a true value.
"""
return val == True or val in [ 'True', 'true', 'T', 't' ]
-
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 lib/galaxy/webapps/galaxy/controllers/tag.py
--- a/lib/galaxy/webapps/galaxy/controllers/tag.py
+++ b/lib/galaxy/webapps/galaxy/controllers/tag.py
@@ -64,7 +64,7 @@
trans.log_action( user, unicode( "untag" ), context, params )
# Retag an item. All previous tags are deleted and new tags are applied.
- #(a)web.expose
+ @web.expose
@web.require_login( "Apply a new set of tags to an item; previous tags are deleted." )
def retag_async( self, trans, item_id=None, item_class=None, new_tags=None ):
"""
@@ -73,7 +73,7 @@
# Apply tags.
item = self._get_item( trans, item_class, trans.security.decode_id( item_id ) )
user = trans.user
- self.get_tag_handler( trans ).delete_item_tags( trans, item )
+ self.get_tag_handler( trans ).delete_item_tags( trans, user, item )
self.get_tag_handler( trans ).apply_item_tags( trans, user, item, new_tags.encode( 'utf-8' ) )
trans.sa_session.flush()
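Review bot: Re-enabling `@web.expose` on `retag_async` makes its defaults reachable again, and `new_tags=None` flows straight into `new_tags.encode( 'utf-8' )` while `item_id=None` reaches `trans.security.decode_id`, so a request missing either parameter fails with an unhandled `AttributeError`/decode error rather than a clean request error; validate both at the top of the method before touching the tag handler (the `exceptions.RequestParameterInvalidException` used in lib/galaxy/util/validation.py on this page is the obvious choice if that module is imported here). The `delete_item_tags( trans, user, item )` fix corrects the argument count, which previously would have raised `TypeError` on every call. `@web.require_login` only establishes that a user is logged in; whether `_get_item` checks that this user may modify the item identified by `item_id` is outside the hunk and should be confirmed, since this method deletes and rewrites all tags on that item. The method body continues past the hunk.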
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 static/scripts/mvc/annotations.js
--- a/static/scripts/mvc/annotations.js
+++ b/static/scripts/mvc/annotations.js
@@ -56,7 +56,7 @@
'<label class="prompt">', _l( 'Annotation' ), '</label>',
// set up initial tags by adding as CSV to input vals (necc. to init select2)
'<div class="annotation" title="', _l( 'Edit annotation' ), '">',
- annotation,
+ _.escape( annotation ),
'</div>'
].join( '' );
},
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 static/scripts/mvc/tags.js
--- a/static/scripts/mvc/tags.js
+++ b/static/scripts/mvc/tags.js
@@ -56,7 +56,9 @@
if( !_.isArray( tagsArray ) || _.isEmpty( tagsArray ) ){
return '';
}
- return tagsArray.sort().join( ',' );
+ return tagsArray.map( function( tag ){
+ return _.escape( tag );
+ }).sort().join( ',' );
},
/** @returns {jQuery} the input for this view */
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 static/scripts/packed/mvc/annotations.js
--- a/static/scripts/packed/mvc/annotations.js
+++ b/static/scripts/packed/mvc/annotations.js
@@ -1,1 +1,1 @@
-define(["mvc/base-mvc","utils/localization"],function(a,c){var b=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"annotation-display",initialize:function(d){d=d||{};this.tooltipConfig=d.tooltipConfig||{placement:"bottom"};this.listenTo(this.model,"change:annotation",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$el.find("[title]").tooltip(this.tooltipConfig);this.$annotation().make_text_editable({use_textarea:true,on_finish:function(e){d.$annotation().text(e);d.model.save({annotation:e},{silent:true}).fail(function(){d.$annotation().text(d.model.previous("annotation"))})}});return this},_template:function(){var d=this.model.get("annotation");return['<label class="prompt">',c("Annotation"),"</label>",'<div class="annotation" title="',c("Edit annotation"),'">',d,"</div>"].join("")},$annotation:function(){return this.$el.find(".annotation")},remove:function(){this.$annotation.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["AnnotationEditor(",this.model+"",")"].join("")}});return{AnnotationEditor:b}});
\ No newline at end of file
+define(["mvc/base-mvc","utils/localization"],function(a,c){var b=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"annotation-display",initialize:function(d){d=d||{};this.tooltipConfig=d.tooltipConfig||{placement:"bottom"};this.listenTo(this.model,"change:annotation",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$el.find("[title]").tooltip(this.tooltipConfig);this.$annotation().make_text_editable({use_textarea:true,on_finish:function(e){d.$annotation().text(e);d.model.save({annotation:e},{silent:true}).fail(function(){d.$annotation().text(d.model.previous("annotation"))})}});return this},_template:function(){var d=this.model.get("annotation");return['<label class="prompt">',c("Annotation"),"</label>",'<div class="annotation" title="',c("Edit annotation"),'">',_.escape(d),"</div>"].join("")},$annotation:function(){return this.$el.find(".annotation")},remove:function(){this.$annotation.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["AnnotationEditor(",this.model+"",")"].join("")}});return{AnnotationEditor:b}});
\ No newline at end of file
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 static/scripts/packed/mvc/tags.js
--- a/static/scripts/packed/mvc/tags.js
+++ b/static/scripts/packed/mvc/tags.js
@@ -1,1 +1,1 @@
-define(["mvc/base-mvc","utils/localization"],function(a,b){var c=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"tags-display",initialize:function(d){this.listenTo(this.model,"change:tags",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$input().select2({placeholder:"Add tags",width:"100%",tags:function(){return d._getTagsUsed()}});this._setUpBehaviors();return this},_template:function(){return['<label class="prompt">',b("Tags"),"</label>",'<input class="tags-input" value="',this.tagsToCSV(),'" />'].join("")},tagsToCSV:function(){var d=this.model.get("tags");if(!_.isArray(d)||_.isEmpty(d)){return""}return d.sort().join(",")},$input:function(){return this.$el.find("input.tags-input")},_getTagsUsed:function(){return Galaxy.currUser.get("tags_used")},_setUpBehaviors:function(){var d=this;this.$input().on("change",function(e){d.model.save({tags:e.val},{silent:true});if(e.added){d._addNewTagToTagsUsed(e.added.text+"")}})},_addNewTagToTagsUsed:function(d){var e=Galaxy.currUser.get("tags_used");if(!_.contains(e,d)){e.push(d);e.sort();Galaxy.currUser.set("tags_used",e)}},remove:function(){this.$input.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["TagsEditor(",this.model+"",")"].join("")}});return{TagsEditor:c}});
\ No newline at end of file
+define(["mvc/base-mvc","utils/localization"],function(a,b){var c=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"tags-display",initialize:function(d){this.listenTo(this.model,"change:tags",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$input().select2({placeholder:"Add tags",width:"100%",tags:function(){return d._getTagsUsed()}});this._setUpBehaviors();return this},_template:function(){return['<label class="prompt">',b("Tags"),"</label>",'<input class="tags-input" value="',this.tagsToCSV(),'" />'].join("")},tagsToCSV:function(){var d=this.model.get("tags");if(!_.isArray(d)||_.isEmpty(d)){return""}return d.map(function(e){return _.escape(e)}).sort().join(",")},$input:function(){return this.$el.find("input.tags-input")},_getTagsUsed:function(){return Galaxy.currUser.get("tags_used")},_setUpBehaviors:function(){var d=this;this.$input().on("change",function(e){d.model.save({tags:e.val},{silent:true});if(e.added){d._addNewTagToTagsUsed(e.added.text+"")}})},_addNewTagToTagsUsed:function(d){var e=Galaxy.currUser.get("tags_used");if(!_.contains(e,d)){e.push(d);e.sort();Galaxy.currUser.set("tags_used",e)}},remove:function(){this.$input.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["TagsEditor(",this.model+"",")"].join("")}});return{TagsEditor:c}});
\ No newline at end of file
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/galaxy_client_app.mako
--- a/templates/galaxy_client_app.mako
+++ b/templates/galaxy_client_app.mako
@@ -15,7 +15,7 @@
//TODO: global...
%for key in kwargs:
( window.bootstrapped = window.bootstrapped || {} )[ '${key}' ] = (
- ${ h.dumps( kwargs[ key ], indent=( 2 if trans.debug else 0 ) )} );
+ ${ h.dumps( kwargs[ key ], indent=( 2 if trans.debug else 0 ) ) } );
%endfor
define( 'bootstrapped-data', function(){
return window.bootstrapped;
@@ -76,11 +76,17 @@
user_dict = trans.user.to_dict( view='element',
value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float } )
user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans )
+ user_dict[ 'is_admin' ] = trans.user_is_admin()
# tags used
users_api_controller = trans.webapp.api_controllers[ 'users' ]
- user_dict[ 'tags_used' ] = users_api_controller.get_user_tags_used( trans, user=trans.user )
- user_dict[ 'is_admin' ] = trans.user_is_admin()
+ tags_used = []
+ for tag in users_api_controller.get_user_tags_used( trans, user=trans.user ):
+ tag = tag | h
+ if tag:
+ tags_used.append( tag )
+ user_dict[ 'tags_used' ] = tags_used
+
return user_dict
usage = 0
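Review bot: `tag = tag | h` sits inside a `<% %>` Python block, where `|` is Python's bitwise-or rather than Mako's expression filter; if `h` is the helpers module this template calls as `h.dumps(...)` a few lines earlier, the line raises `TypeError` for any user whose `get_user_tags_used` result is non-empty and the bootstrapped user JSON never renders. Mako's `| h` only works inside `${ ... }`; in a code block call an escape function explicitly, such as the `escape()` used in templates/tagging_common.mako or `cgi.escape( tag, True )`. Separately, these values are emitted through `h.dumps` for the client, and client/galaxy/scripts/mvc/tags.js in this same commit now applies `_.escape` on render, so HTML-escaping here as well would double-encode `&`, `<` and `>` in tag names — pick one layer, preferably the rendering one. The enclosing `get_user_json` def starts outside the hunk.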
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/tagging_common.mako
--- a/templates/tagging_common.mako
+++ b/templates/tagging_common.mako
@@ -19,7 +19,7 @@
## Render HTML for a list of tags.
<%def name="render_tagging_element_html(elt_id=None, tags=None, editable=True, use_toggle_link=True, input_size='15', in_form=False, tag_type='individual', render_add_tag_button=True)">
## Useful attributes.
- <%
+ <%
num_tags = len( tags )
%><div class="tag-element"
@@ -50,6 +50,7 @@
elif isinstance( tag, ItemTagAssociation ):
tag_name = tag.user_tname
tag_value = tag.user_value
+
## Convert tag name, value to unicode.
if isinstance( tag_name, str ):
tag_name = unicode( escape( tag_name ), 'utf-8' )
@@ -61,7 +62,7 @@
tag_str = tag_name
%><span class="tag-button">
- <span class="tag-name">${tag_str}</span>
+ <span class="tag-name">${tag_str | h}</span>
%if editable:
<img class="delete-tag-img" src="${h.url_for('/static/images/delete_tag_icon_gray.png')}"/>
%endif
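Review bot: `${tag_str | h}` double-escapes for the `str` case: the context lines show `tag_name = unicode( escape( tag_name ), 'utf-8' )` a few lines above and `tag_str = tag_name` right before the span, so a tag named `a&b` now renders as `a&amp;amp;b`. Either remove the earlier `escape()` calls and keep the data raw until the `| h` at the output point, or leave the code block as is and drop the filter — one escape per sink. The code block that builds `tag_str` starts outside the hunk, so the unicode branch for `tag_name`/`tag_value` needs the same check.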
@@ -186,10 +187,11 @@
## Build dict of tag name, values.
tag_names_and_values = dict()
for tag in item_tags:
- tag_name = tag.user_tname
+ tag_name = escape( tag.user_tname )
tag_value = ""
if tag.value is not None:
- tag_value = tag.user_value
+ tag_value = escape( tag.user_value )
+
## Tag names and values may be string or unicode object.
if isinstance( tag_name, str ):
tag_names_and_values[unicode(tag_name, 'utf-8')] = unicode(tag_value, 'utf-8')
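Review bot: HTML-escaping `tag.user_tname` and `tag.user_value` while building `tag_names_and_values` is only correct if that dict is consumed as HTML text; its consumer is outside the hunk, and if it is serialized with `h.dumps` or URL-encoded the entities leak into the data. `escape()` is also now applied before the `isinstance( tag_name, str )` test, so the str/unicode branching below must hold for whatever type `escape()` returns. A comment naming the sink would make the choice reviewable, e.g. `## HTML-escaped here because <CONSUMER-DEF> renders these as markup` with the placeholder replaced by the def that reads the dict.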
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/copy_view.mako
--- a/templates/webapps/galaxy/dataset/copy_view.mako
+++ b/templates/webapps/galaxy/dataset/copy_view.mako
@@ -53,7 +53,7 @@
%><option value="${trans.security.encode_id(hist.id)}" ${selected}>
- ${i + 1}: ${h.truncate(util.unicodify( hist.name ), 30)}${current_history_text}
+ ${i + 1}: ${h.truncate(util.unicodify( hist.name ), 30) | h}${current_history_text}
</option>
%endfor
</select>
@@ -70,7 +70,7 @@
%><div class="form-row"><input type="checkbox" name="source_content_ids" id="${input_id}" value="${input_id}"${checked}/>
- <label for="${input_id}" style="display: inline;font-weight:normal;"> ${data.hid}: ${h.to_unicode(data.name)}</label>
+ <label for="${input_id}" style="display: inline;font-weight:normal;"> ${data.hid}: ${h.to_unicode(data.name) | h}</label></div>
%endfor
%else:
@@ -95,7 +95,7 @@
if encoded_id == target_history_id:
selected = " selected='selected'"
%>
- <option value="${encoded_id}"${selected}>${i + 1}: ${h.truncate( util.unicodify( hist.name ), 30)}${source_history_text}</option>
+ <option value="${encoded_id}"${selected}>${i + 1}: ${h.truncate( util.unicodify( hist.name ), 30) | h}${source_history_text}</option>
%endfor
</select><br /><br /><a style="margin-left: 10px;" href="javascript:void(0);" id="select-multiple">Choose multiple histories</a>
@@ -110,7 +110,7 @@
%><div class="form-row"><input type="checkbox" name="target_history_ids" id="hist_${encoded_id}" value="${encoded_id}"/>
- <label for="hist_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${ util.unicodify( hist.name ) }${cur_history_text}</label>
+ <label for="hist_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${ util.unicodify( hist.name ) | h }${cur_history_text}</label></div>
%endfor
</div>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/display.mako
--- a/templates/webapps/galaxy/dataset/display.mako
+++ b/templates/webapps/galaxy/dataset/display.mako
@@ -26,13 +26,11 @@
data.createTabularDatasetChunkedView({
// TODO: encode id.
dataset_config:
- _.extend( ${h.dumps( item.to_dict() )},
- {
- chunk_url: "${h.url_for( controller='/dataset', action='display',
- dataset_id=trans.security.encode_id( item.id ))}",
- first_data_chunk: ${first_chunk}
- }
- ),
+ _.extend( ${h.dumps( item.to_dict() )}, {
+ chunk_url: "${h.url_for( controller='/dataset', action='display',
+ dataset_id=trans.security.encode_id( item.id ))}",
+ first_data_chunk: ${first_chunk}
+ }),
parent_elt: $('.page-body')
});
});
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/embed.mako
--- a/templates/webapps/galaxy/dataset/embed.mako
+++ b/templates/webapps/galaxy/dataset/embed.mako
@@ -4,10 +4,13 @@
%><%def name="render_item_links( dataset )">
- <a href="${h.url_for( controller='/dataset', action='display', dataset_id=trans.security.encode_id( dataset.id ), to_ext=dataset.ext )}" title="Save dataset" class="icon-button disk"></a>
+ <a href="${h.url_for( controller='/dataset', action='display', dataset_id=trans.security.encode_id( dataset.id ), to_ext=dataset.ext )}"
+ title="Save dataset" class="icon-button disk"></a>
## Links for importing and viewing an item.
- <a href="${h.url_for( controller='/dataset', action='imp', dataset_id=trans.security.encode_id( item.id ) )}" title="Import dataset" class="icon-button import"></a>
- <a class="icon-button go-to-full-screen" href="${h.url_for( controller='/dataset', action='display_by_username_and_slug', username=dataset.history.user.username, slug=trans.security.encode_id( dataset.id ) )}" title="Go to dataset"></a>
+ <a href="${h.url_for( controller='/dataset', action='imp', dataset_id=trans.security.encode_id( item.id ) )}"
+ title="Import dataset" class="icon-button import"></a>
+ <a href="${h.url_for( controller='/dataset', action='display_by_username_and_slug', username=dataset.history.user.username, slug=trans.security.encode_id( dataset.id ) )}"
+ title="Go to dataset" class="icon-button go-to-full-screen"></a></%def>
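Review bot: The reflowed import link still uses `dataset_id=trans.security.encode_id( item.id )` while the save and go-to links in the same def use `dataset.id`; `item` is not a parameter of `render_item_links( dataset )`, so it resolves to a template-level name and the import link targets a different object whenever the def is called with anything but the current item. Change it to `dataset_id=trans.security.encode_id( dataset.id )`, or, if the mismatch is intentional, add a `##` comment on that line saying why. `dataset.history.user.username` is passed through `h.url_for` rather than `| h`, which is the right choice for a URL sink provided `url_for` quotes its path segments.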
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/errors.mako
--- a/templates/webapps/galaxy/dataset/errors.mako
+++ b/templates/webapps/galaxy/dataset/errors.mako
@@ -49,7 +49,7 @@
<body><h2>Dataset generation errors</h2>
- <p><b>Dataset ${hda.hid}: ${hda.display_name()}</b></p>
+ <p><b>Dataset ${hda.hid}: ${hda.display_name() | h}</b></p><% job = hda.creating_job %>
%if job:
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/security_common.mako
--- a/templates/webapps/galaxy/dataset/security_common.mako
+++ b/templates/webapps/galaxy/dataset/security_common.mako
@@ -77,7 +77,7 @@
else:
current_actions = []
permitted_actions = {}.items()
- obj_str = 'unknown object %s' %obj_name
+ obj_str = 'unknown object %s' % obj_name
obj_type = ''
%><script type="text/javascript">
@@ -104,7 +104,7 @@
});
</script><div class="toolForm">
- <div class="toolFormTitle">Manage ${obj_type} permissions on ${obj_str}</div>
+ <div class="toolFormTitle">Manage ${obj_type} permissions on ${obj_str | h}</div><div class="toolFormBody"><form name="edit_role_associations" id="edit_role_associations" action="${form_url}" method="post"><div class="form-row"></div>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/dataset/tabular_chunked.mako
--- a/templates/webapps/galaxy/dataset/tabular_chunked.mako
+++ b/templates/webapps/galaxy/dataset/tabular_chunked.mako
@@ -15,14 +15,12 @@
}
});
- require(['mvc/data'], function(data) {
+ require([ 'mvc/data' ], function( data ) {
data.createTabularDatasetChunkedView({
- dataset_config: _.extend( ${h.dumps( trans.security.encode_dict_ids( dataset.to_dict() ) )},
- {
- first_data_chunk: ${chunk}
- }
- ),
- parent_elt: $('body')
+ dataset_config : _.extend( ${ h.dumps( trans.security.encode_dict_ids( dataset.to_dict() ) )}, {
+ first_data_chunk: ${ chunk }
+ }),
+ parent_elt : $( 'body' )
});
});
</script>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/galaxy.masthead.mako
--- a/templates/webapps/galaxy/galaxy.masthead.mako
+++ b/templates/webapps/galaxy/galaxy.masthead.mako
@@ -1,32 +1,4 @@
-## get user data
-<%def name="get_user_json()">
-<%
- """Bootstrapping user API JSON"""
- #TODO: move into common location (poss. BaseController)
- if trans.user:
- user_dict = trans.user.to_dict( view='element', value_mapper={ 'id': trans.security.encode_id,
- 'total_disk_usage': float } )
- user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans )
- users_api_controller = trans.webapp.api_controllers[ 'users' ]
- user_dict[ 'tags_used' ] = users_api_controller.get_user_tags_used( trans, user=trans.user )
- user_dict[ 'is_admin' ] = trans.user_is_admin()
- else:
- usage = 0
- percent = None
- try:
- usage = trans.app.quota_agent.get_usage( trans, history=trans.history )
- percent = trans.app.quota_agent.get_percent( trans=trans, usage=usage )
- except AssertionError, assertion:
- # no history for quota_agent.get_usage assertion
- pass
- user_dict = {
- 'total_disk_usage' : int( usage ),
- 'nice_total_disk_usage' : util.nice_size( usage ),
- 'quota_percent' : percent
- }
- return user_dict
-%>
-</%def>
+<%namespace file="/galaxy_client_app.mako" import="get_user_json" />
## masthead head generator
<%def name="load(active_view = None)">
@@ -87,7 +59,7 @@
], function( mod_masthead, mod_menu, mod_modal, mod_frame, GalaxyUpload, user, quotameter ){
if( !Galaxy.currUser ){
// this doesn't need to wait for the page being readied
- Galaxy.currUser = new user.User(${ h.dumps( get_user_json(), indent=2 ) });
+ Galaxy.currUser = new user.User(${ h.dumps( masthead_config[ 'user' ][ 'json' ], indent=2 ) });
}
$(function() {
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/history/embed.mako
--- a/templates/webapps/galaxy/history/embed.mako
+++ b/templates/webapps/galaxy/history/embed.mako
@@ -24,7 +24,7 @@
</a></h4>
%if hasattr( item, "annotation") and item.annotation:
- <div class="annotation">${item.annotation}</div>
+ <div class="annotation">${item.annotation | h}</div>
%endif
</div><div class='summary-content'>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/history/history_panel.mako
--- a/templates/webapps/galaxy/history/history_panel.mako
+++ /dev/null
@@ -1,14 +0,0 @@
-## shortcuts for script tags that create history panels
-## ----------------------------------------------------------------------------
-<%def name="current_history_panel( selector_to_attach_to=None, options )">
-</%def>
-
-
-## ----------------------------------------------------------------------------
-<%def name="history_panel( history_id, selector_to_attach_to=None, options )">
-</%def>
-
-
-## ----------------------------------------------------------------------------
-<%def name="bootstrapped_history_panel( history, hdas, selector_to_attach_to=None, options )">
-</%def>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/history/share.mako
--- a/templates/webapps/galaxy/history/share.mako
+++ b/templates/webapps/galaxy/history/share.mako
@@ -20,7 +20,7 @@
<tr><td><input type="hidden" name="id" value="${trans.security.encode_id( history.id )}">
- ${ util.unicodify( history.name )}
+ ${ util.unicodify( history.name ) | h }
</td><td>
%if len( history.datasets ) < 1:
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/history/view.mako
--- a/templates/webapps/galaxy/history/view.mako
+++ b/templates/webapps/galaxy/history/view.mako
@@ -1,4 +1,4 @@
-<%namespace file="/galaxy.masthead.mako" import="get_user_json" />
+<%namespace file="/galaxy_client_app.mako" import="get_user_json" />
## ----------------------------------------------------------------------------
<%!
@@ -166,9 +166,9 @@
// use_panels effects where the the center_panel() is rendered:
// w/o it renders to the body, w/ it renders to #center - we need to adjust a few things for scrolling to work
var hasMasthead = ${ 'true' if use_panels else 'false' },
- userIsOwner = ${'true' if user_is_owner else 'false'},
- historyJSON = ${h.dumps( history )},
- hdaJSON = ${h.dumps( hdas )},
+ userIsOwner = ${ 'true' if user_is_owner else 'false' },
+ historyJSON = ${ h.dumps( history ) },
+ hdaJSON = ${ h.dumps( hdas ) },
panelToUse = ( userIsOwner )?
//TODO: change class names
({ location: 'mvc/history/history-panel-edit', className: 'HistoryPanelEdit' }):
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/page/editor.mako
--- a/templates/webapps/galaxy/page/editor.mako
+++ b/templates/webapps/galaxy/page/editor.mako
@@ -47,7 +47,7 @@
<a id="close-button" class="panel-header-button">Close</a></div><div class="unified-panel-header-inner">
- Page Editor <span style="font-weight: normal">| Title : ${page.title}</span>
+ Page Editor <span style="font-weight: normal">| Title : ${page.title | h}</span></div></div>
diff -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 templates/webapps/galaxy/page/index.mako
--- a/templates/webapps/galaxy/page/index.mako
+++ b/templates/webapps/galaxy/page/index.mako
@@ -30,7 +30,7 @@
<% page = association.page %><tr><td>
- <a class="menubutton" id="shared-${i}-popup" href="${h.url_for(controller='page', action='display_by_username_and_slug', username=page.user.username, slug=page.slug)}">${page.title}</a>
+ <a class="menubutton" id="shared-${i}-popup" href="${h.url_for(controller='page', action='display_by_username_and_slug', username=page.user.username, slug=page.slug)}">${page.title | h}</a></td><td>${page.user.username}</td><td>
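Review bot: `${page.user.username}` in the second cell of the added line is still rendered without `| h`, while `page.title` on the same line now gets it. Usernames are presumably constrained by validate_publicname (referenced later in this series), but that is an invariant enforced elsewhere and the template is the last line of defence; `<td>${page.user.username | h}</td>` costs nothing and keeps the row consistent with the title cell.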
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
24 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/8b4a7e48d052/
Changeset: 8b4a7e48d052
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: Sanitize workflow and input dataset names in workflow run.mako.
Affected #: 1 file
diff -r 885f940bff64bbb6769fd31b21b0c73f4bfe1642 -r 8b4a7e48d052ef1c2275061c44827ad8b20ec57f templates/webapps/galaxy/workflow/run.mako
--- a/templates/webapps/galaxy/workflow/run.mako
+++ b/templates/webapps/galaxy/workflow/run.mako
@@ -372,7 +372,7 @@
<% cls = "form-row" %>
%endif
<div class="${cls}">
- <label>${param.get_label()}</label>
+ <label>${param.get_label() | h}</label><div>
%if isinstance( param, DataToolParameter ) or isinstance( param, DataCollectionToolParameter ):
%if ( prefix + param.name ) in step.input_connections_by_name:
@@ -474,7 +474,7 @@
<span class="action-button" id="hide_all_tool_body">Collapse</span></div>
-<h2>Running workflow "${h.to_unicode( workflow.name )}"</h2>
+<h2>Running workflow "${h.to_unicode( workflow.name ) | h}"</h2>
%if has_upgrade_messages:
<div class="warningmessage">
@@ -586,7 +586,7 @@
%else:
<div class="toolForm"><div class="toolFormTitle">
- <span class='title_ul_text'>Step ${int(step.order_index)+1}: ${module.name}</span>
+ <span class='title_ul_text'>Step ${int(step.order_index)+1}: ${module.name | h}</span>
% if step.annotations:
<div class="step-annotation">${step.annotations[0].annotation}</div>
% endif
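Review bot: `${step.annotations[0].annotation}` two lines below the escaped `module.name` is still emitted raw, so the step annotation is the one user value left unescaped in this block. The same applies to `${workflow.annotation}` in missing_tools.mako (commit 883191fe0d52), while embed_base.mako (commit 6619aac23f9b) takes the opposite decision and filters `item.annotation` with `| h`; only one of the two can be right for a given storage format. Commit f7c388aa4f64 runs imported annotations through sanitize_html, which suggests the stored value is meant to be trusted HTML — if so, that invariant should be stated at each raw render, e.g. `## annotation is rendered unescaped: the stored value must be sanitize_html output`, and every other write path for annotations needs the same sanitization; if not, `| h` belongs here as well. The enclosing `%else:` block starts outside the hunk.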
https://bitbucket.org/galaxy/galaxy-central/commits/bf1b90f6b3ba/
Changeset: bf1b90f6b3ba
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: Sanitize display of workflow parameters in workflow run.mako.
Affected #: 1 file
diff -r 8b4a7e48d052ef1c2275061c44827ad8b20ec57f -r bf1b90f6b3baa794955a1b7d2bb7b4c4dea52219 templates/webapps/galaxy/workflow/run.mako
--- a/templates/webapps/galaxy/workflow/run.mako
+++ b/templates/webapps/galaxy/workflow/run.mako
@@ -574,6 +574,7 @@
<%
pja_ss_all = []
for pja_ss in [ActionBox.get_short_str(pja) for pja in step.post_job_actions]:
+ pja_ss = h.escape( pja_ss )
for rematch in re.findall('\$\{.+?\}', pja_ss):
pja_ss = pja_ss.replace(rematch, '<span style="background-color:%s" class="wfpspan wf_parm__%s pja_wfp">%s</span>' % (wf_parms[rematch[2:-1]], rematch[2:-1], rematch[2:-1]))
pja_ss_all.append(pja_ss)
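Review bot: Escaping `pja_ss` before the `${...}` substitution means `rematch[2:-1]` is now the HTML-escaped parameter name, so `wf_parms[rematch[2:-1]]` on the next line will raise KeyError for any parameter name containing `&`, `<`, `>` or a quote, assuming wf_parms is keyed by the raw names (its construction is outside the hunk). The safer order is to take `name = rematch[2:-1]` from the unescaped string, look up `wf_parms[name]`, and build the span from `h.escape(name)` for both the class attribute and the visible text, escaping the surrounding text separately. The regex literal `'\$\{.+?\}'` should also be a raw string, `r'\$\{.+?\}'`. The enclosing `<% %>` block continues past the hunk.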
https://bitbucket.org/galaxy/galaxy-central/commits/a6708f36b062/
Changeset: a6708f36b062
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: Sanitize workflow run.mako parameters not sanitized by tooling code.
Affected #: 1 file
diff -r bf1b90f6b3baa794955a1b7d2bb7b4c4dea52219 -r a6708f36b0624e60d266ba2a441aaf5a9143fd1d templates/webapps/galaxy/workflow/run.mako
--- a/templates/webapps/galaxy/workflow/run.mako
+++ b/templates/webapps/galaxy/workflow/run.mako
@@ -444,7 +444,7 @@
%else:
<span class="workflow_parameters"><span class="uneditable_field">
- ${param.value_to_display_text( value, app )}
+ ${param.value_to_display_text( value, app ) | h}
</span><span class="editable_field"><span class="editable">
https://bitbucket.org/galaxy/galaxy-central/commits/76da60bbe585/
Changeset: 76da60bbe585
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: More sanitization in workflow display.mako.
Affected #: 1 file
diff -r a6708f36b0624e60d266ba2a441aaf5a9143fd1d -r 76da60bbe585f19fc968ba2aa4a5e226c02cd92e templates/webapps/galaxy/workflow/display.mako
--- a/templates/webapps/galaxy/workflow/display.mako
+++ b/templates/webapps/galaxy/workflow/display.mako
@@ -40,7 +40,7 @@
<%def name="row_for_param( param, value, other_values, prefix, step )"><% cls = "form-row" %><div class="${cls}">
- <label>${param.get_label()}</label>
+ <label>${param.get_label() | h}</label><div>
%if isinstance( param, DataToolParameter ) or isinstance( param, DataCollectionToolParameter ):
%if ( prefix + param.name ) in step.input_connections_by_name:
@@ -93,19 +93,19 @@
%><div class="toolForm">
%if tool:
- <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${tool.name}</div>
+ <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${tool.name | h}</div><div class="toolFormBody">
${do_inputs( tool.inputs, step.state.inputs, "", step )}
</div>
%else:
- <div class="toolFormTitle">Step ${int(step.order_index)+1}: Unknown Tool with id '${step.tool_id}'</div>
+ <div class="toolFormTitle">Step ${int(step.order_index)+1}: Unknown Tool with id '${step.tool_id | h}'</div>
%endif
</div>
%else:
## TODO: always input dataset?
<% module = step.module %><div class="toolForm">
- <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${module.name}</div>
+ <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${module.name | h}</div><div class="toolFormBody">
${do_inputs( module.get_runtime_inputs(), step.state.inputs, "", step )}
</div>
https://bitbucket.org/galaxy/galaxy-central/commits/8d095b5e0826/
Changeset: 8d095b5e0826
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: Sanitize workflow name in message when extracting workflow from history.
Affected #: 1 file
diff -r 76da60bbe585f19fc968ba2aa4a5e226c02cd92e -r 8d095b5e0826b73abba81488fbd2a7f96e5327e0 lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -1228,7 +1228,7 @@
# Index page with message
workflow_id = trans.security.encode_id( stored_workflow.id )
return trans.show_message( 'Workflow "%s" created from current history. You can <a href="%s" target="_parent">edit</a> or <a href="%s">run</a> the workflow.' %
- ( workflow_name, url_for( controller='workflow', action='editor', id=workflow_id ),
+ ( escape( workflow_name ), url_for( controller='workflow', action='editor', id=workflow_id ),
url_for( controller='workflow', action='run', id=workflow_id ) ) )
@web.expose
https://bitbucket.org/galaxy/galaxy-central/commits/e739a6399e17/
Changeset: e739a6399e17
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: Sanitize workflow name in myexperiment export.
On the off chance that the XML file ever gets interpreted as HTML. Shouldn't hurt anything for well-behaved workflow names.
Affected #: 1 file
diff -r 8d095b5e0826b73abba81488fbd2a7f96e5327e0 -r e739a6399e177e45856bf0d80170628c0c0b4b04 templates/webapps/galaxy/workflow/myexp_export.mako
--- a/templates/webapps/galaxy/workflow/myexp_export.mako
+++ b/templates/webapps/galaxy/workflow/myexp_export.mako
@@ -9,7 +9,7 @@
## Generate request.
<?xml version="1.0"?><workflow>
- <title>${workflow_name}</title>
+ <title>${workflow_name | h}</title><description>${workflow_description}</description><type>Galaxy</type><content encoding="base64" type="binary">
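Review bot: `${workflow_description}` on the same added line is still unescaped, and here the consequence is not only HTML: any `<` or `&` in a description produces malformed XML, since the document is declared `<?xml version="1.0"?>`. The `h` filter escapes exactly the characters XML text content cannot carry, so `<description>${workflow_description | h}</description>` fixes both the well-formedness problem and the HTML case the commit message worries about.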
https://bitbucket.org/galaxy/galaxy-central/commits/9b1a9ef2d8d0/
Changeset: 9b1a9ef2d8d0
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: Sanitize tool id, name, and version during workflow import.
Affected #: 1 file
diff -r e739a6399e177e45856bf0d80170628c0c0b4b04 -r 9b1a9ef2d8d0342e458e460e95f0bdad8fd7d85c lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -1125,7 +1125,7 @@
message += "You can likely install the required tools from one of the Galaxy tool sheds listed below.<br/>"
for missing_tool_tup in missing_tool_tups:
missing_tool_id, missing_tool_name, missing_tool_version = missing_tool_tup
- message += "<b>Tool name</b> %s, <b>id</b> %s, <b>version</b> %s<br/>" % ( missing_tool_name, missing_tool_id, missing_tool_version )
+ message += "<b>Tool name</b> %s, <b>id</b> %s, <b>version</b> %s<br/>" % ( escape( missing_tool_name ), escape( missing_tool_id ), escape( missing_tool_version ) )
message += "<br/>"
for shed_name, shed_url in trans.app.tool_shed_registry.tool_sheds.items():
if shed_url.endswith( '/' ):
https://bitbucket.org/galaxy/galaxy-central/commits/e830ab78a2ce/
Changeset: e830ab78a2ce
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: More sanitization while handling fields from an imported workflow.
Affected #: 1 file
diff -r 9b1a9ef2d8d0342e458e460e95f0bdad8fd7d85c -r e830ab78a2ce408523da03ae9a3d2677ba7c6d5f lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -1135,7 +1135,7 @@
url += '&tool_id='
for missing_tool_tup in missing_tool_tups:
missing_tool_id = missing_tool_tup[0]
- url += '%s,' % missing_tool_id
+ url += '%s,' % escape( missing_tool_id )
message += '<a href="%s">%s</a><br/>' % ( url, shed_name )
status = 'error'
if installed_repository_file or tool_shed_url:
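Review bot: `escape( missing_tool_id )` applies HTML escaping to a value that is being appended to a URL query string, which is the wrong encoder for that context: an `&` in the id becomes `&amp;` and is then parsed by the tool shed as a second parameter, while spaces, `#` or `?` pass through unencoded. The query value should be percent-encoded, `url += '%s,' % urllib.quote( missing_tool_id, safe='' )`, and the finished `url` HTML-escaped once where it is interpolated into `href="%s"` on the following line. `shed_name` in the same anchor comes from the tool-shed registry, which looks admin-controlled, so leaving it raw is presumably acceptable. The enclosing loop starts outside the hunk.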
https://bitbucket.org/galaxy/galaxy-central/commits/368ae981718f/
Changeset: 368ae981718f
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: More sanitizing of workflow name and tool information during import.
Affected #: 1 file
diff -r e830ab78a2ce408523da03ae9a3d2677ba7c6d5f -r 368ae981718f9c0dc98c641598723d3a75616fe3 lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -1111,7 +1111,7 @@
message += "Imported, but this workflow contains cycles. "
status = "error"
else:
- message += "Workflow <b>%s</b> imported successfully. " % workflow.name
+ message += "Workflow <b>%s</b> imported successfully. " % escape( workflow.name )
if missing_tool_tups:
if trans.user_is_admin():
# A required tool is not available in the local Galaxy instance.
@@ -1155,13 +1155,13 @@
pass
if tool_shed_url:
# We've received the textual representation of a workflow from a Galaxy tool shed.
- message = "Workflow <b>%s</b> imported successfully." % workflow.name
+ message = "Workflow <b>%s</b> imported successfully." % escape( workflow.name )
url = '%s/workflow/view_workflow?repository_metadata_id=%s&workflow_name=%s&message=%s' % \
( tool_shed_url, repository_metadata_id, encoding_util.tool_shed_encode( workflow_name ), message )
return trans.response.send_redirect( url )
elif installed_repository_file:
# The workflow was read from a file included with an installed tool shed repository.
- message = "Workflow <b>%s</b> imported successfully." % workflow.name
+ message = "Workflow <b>%s</b> imported successfully." % escape( workflow.name )
if cntrller == 'api':
return status, message
return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
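Review bot: The escaped `message` built on the first changed line is interpolated straight into the redirect URL two lines below as `message=%s` with no percent-encoding, and escaping makes this worse rather than better: a name containing `&` now yields `&amp;` in the query string, which the receiving side parses as an extra `amp=` parameter and truncates the message. `workflow_name` on the same line is run through tool_shed_encode but `message` is not; it needs `urllib.quote( message, safe='' )` (or tool_shed_encode, if the tool shed decodes that field the same way) before it goes into the URL. The enclosing function starts and ends outside the hunk.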
https://bitbucket.org/galaxy/galaxy-central/commits/883191fe0d52/
Changeset: 883191fe0d52
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: Sanitize workflow name and tool ids when running workflow with missing tools.
Affected #: 1 file
diff -r 368ae981718f9c0dc98c641598723d3a75616fe3 -r 883191fe0d5226748cb01237372e73ed0293e932 templates/webapps/galaxy/workflow/missing_tools.mako
--- a/templates/webapps/galaxy/workflow/missing_tools.mako
+++ b/templates/webapps/galaxy/workflow/missing_tools.mako
@@ -1,6 +1,6 @@
<%inherit file="/base.mako"/>
-<h2>Cannot run workflow "${h.to_unicode( workflow.name )}"</h2>
+<h2>Cannot run workflow "${h.to_unicode( workflow.name ) | h}"</h2>
%if workflow.annotation:
<div class="workflow-annotation">${workflow.annotation}</div>
@@ -11,7 +11,7 @@
<strong>This workflow utilizes tools which are unavailable, and cannot be run. Enable the tools listed below, or <a href="${h.url_for(controller='workflow', action='editor', id=trans.security.encode_id(workflow.id) )}" target="_parent">edit the workflow</a> to correct these errors.</strong><br/><ul>
%for i, tool in enumerate( missing_tools ):
- <li>${tool}</li>
+ <li>${tool | h}</li>
%endfor
</ul></div>
\ No newline at end of file
https://bitbucket.org/galaxy/galaxy-central/commits/f7c388aa4f64/
Changeset: f7c388aa4f64
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: Sanitize incoming workflow annotations during imports.
Affected #: 1 file
diff -r 883191fe0d5226748cb01237372e73ed0293e932 -r f7c388aa4f6492b0411028d69a853d8d9e6978c7 lib/galaxy/web/base/controller.py
--- a/lib/galaxy/web/base/controller.py
+++ b/lib/galaxy/web/base/controller.py
@@ -1671,7 +1671,8 @@
stored.user = trans.user
stored.published = publish
if data[ 'annotation' ]:
- self.add_item_annotation( trans.sa_session, stored.user, stored, data[ 'annotation' ] )
+ annotation = sanitize_html( data[ 'annotation' ], 'utf-8', 'text/html' )
+ self.add_item_annotation( trans.sa_session, stored.user, stored, annotation )
# Persist
trans.sa_session.add( stored )
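Review bot: The new sanitize_html call establishes that stored annotations may contain HTML and are rendered unescaped, but nothing in the hunk says so, and this is only one of the paths that writes an annotation; a maintainer adding another path, or deciding to `| h` the template side, has no marker to find. A comment above the call such as `# Annotations are rendered as HTML without escaping; sanitize on every write path.` would record the invariant. The enclosing function starts outside the hunk, so whether `data[ 'annotation' ]` is always a string (sanitize_html is handed an encoding argument) cannot be confirmed from here.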
https://bitbucket.org/galaxy/galaxy-central/commits/0effe518ca21/
Changeset: 0effe518ca21
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:25+00:00
Summary: More workflow template sanitization during rename, copy, delete.
Affected #: 2 files
diff -r f7c388aa4f6492b0411028d69a853d8d9e6978c7 -r 0effe518ca213468e071b0e22c6e6e7276cbc40c lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -437,7 +437,7 @@
stored.latest_workflow.name = san_new_name
trans.sa_session.flush()
# For current workflows grid:
- trans.set_message( "Workflow renamed to '%s'." % new_name )
+ trans.set_message( "Workflow renamed to '%s'." % san_new_name )
return self.list( trans )
# For new workflows grid:
#message = "Workflow renamed to '%s'." % new_name
@@ -557,7 +557,7 @@
session.add( new_stored )
session.flush()
# Display the management page
- trans.set_message( 'Created new workflow with name "%s"' % new_stored.name )
+ trans.set_message( 'Created new workflow with name "%s"' % escape( new_stored.name ) )
return self.list( trans )
@web.expose
@@ -604,7 +604,7 @@
trans.sa_session.add( stored )
trans.sa_session.flush()
# Display the management page
- trans.set_message( "Workflow '%s' deleted" % stored.name )
+ trans.set_message( "Workflow '%s' deleted" % escape( stored.name ) )
return self.list( trans )
@web.expose
diff -r f7c388aa4f6492b0411028d69a853d8d9e6978c7 -r 0effe518ca213468e071b0e22c6e6e7276cbc40c templates/webapps/galaxy/workflow/rename.mako
--- a/templates/webapps/galaxy/workflow/rename.mako
+++ b/templates/webapps/galaxy/workflow/rename.mako
@@ -15,7 +15,7 @@
%endif
<div class="toolForm">
- <div class="toolFormTitle">Rename workflow '${stored.name}'</div>
+ <div class="toolFormTitle">Rename workflow '${stored.name | h}'</div><div class="toolFormBody"><form action="${h.url_for(controller='workflow', action='rename', id=trans.security.encode_id(stored.id) )}" method="POST"><div class="form-row">
@@ -23,7 +23,7 @@
New name
</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="new_name" value="${stored.name}" size="40">
+ <input type="text" name="new_name" value="${stored.name | h}" size="40"></div><div style="clear: both"></div></div>
https://bitbucket.org/galaxy/galaxy-central/commits/66dc08787b6f/
Changeset: 66dc08787b6f
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: Sanitize all values in configure_menu.mako.
Affected #: 1 file
diff -r 0effe518ca213468e071b0e22c6e6e7276cbc40c -r 66dc08787b6feff55473bf1e032ce4517d28bb42 templates/webapps/galaxy/workflow/configure_menu.mako
--- a/templates/webapps/galaxy/workflow/configure_menu.mako
+++ b/templates/webapps/galaxy/workflow/configure_menu.mako
@@ -1,4 +1,5 @@
<%inherit file="/webapps/galaxy/base_panels.mako"/>
+<%page expression_filter="h"/><%def name="init()"><%
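Review bot: `<%page expression_filter="h"/>` is the right default, but it also escapes every `${...}` in the rest of the template, which lies outside the hunk: any expression that deliberately emits markup, or a URL from `h.url_for` that the template relies on being raw, now needs an explicit `| n`, as the companion change to run_complete.mako (commit 6d94a32edcd7) does. A pass over the whole file to confirm nothing visibly broke is worth it, together with a comment on the directive, e.g. `## every ${} expression is HTML-escaped by default; opt out with | n only for trusted markup`.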
https://bitbucket.org/galaxy/galaxy-central/commits/118df7eb098f/
Changeset: 118df7eb098f
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: Sanitize workflow names in tool menu.
Affected #: 1 file
diff -r 66dc08787b6feff55473bf1e032ce4517d28bb42 -r 118df7eb098f83191b70d32a290becf9753160bf templates/webapps/galaxy/root/tool_menu.mako
--- a/templates/webapps/galaxy/root/tool_menu.mako
+++ b/templates/webapps/galaxy/root/tool_menu.mako
@@ -82,7 +82,7 @@
%if t.user.stored_workflow_menu_entries:
%for m in t.user.stored_workflow_menu_entries:
<div class="toolTitle">
- <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(m.stored_workflow_id) )}" target="galaxy_main">${ util.unicodify( m.stored_workflow.name ) }</a>
+ <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(m.stored_workflow_id) )}" target="galaxy_main">${ util.unicodify( m.stored_workflow.name ) | h}</a></div>
%endfor
%endif
https://bitbucket.org/galaxy/galaxy-central/commits/6d94a32edcd7/
Changeset: 6d94a32edcd7
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: Sanitize workflow and dataset names in run_complete.mako.
Affected #: 1 file
diff -r 118df7eb098f83191b70d32a290becf9753160bf -r 6d94a32edcd7c07f2ff9b14b651745092671a0e2 templates/webapps/galaxy/workflow/run_complete.mako
--- a/templates/webapps/galaxy/workflow/run_complete.mako
+++ b/templates/webapps/galaxy/workflow/run_complete.mako
@@ -1,4 +1,5 @@
<%inherit file="/base.mako"/>
+<%page expression_filter="h"/><div class="donemessagelarge">
Successfully ran workflow "${util.unicodify( workflow.name )}". The following datasets have been added to the queue:
@@ -6,7 +7,7 @@
<div class="workflow-invocation-complete">
%if invocation['new_history']:
<p>These datasets will appear in a new history:
- <a target='galaxy_history' href="${h.url_for( controller='history', action='list', operation="Switch", id=trans.security.encode_id(invocation['new_history'].id), use_panels=False, show_deleted=False )}">
+ <a target='galaxy_history' href="${h.url_for( controller='history', action='list', operation="Switch", id=trans.security.encode_id(invocation['new_history'].id), use_panels=False, show_deleted=False ) | n}">
'${h.to_unicode(invocation['new_history'].name)}'.
</a></p>
%endif
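Review bot: The `| n` added to the `href` on the changed line switches the new default `h` filter off for that URL, which is the opposite of what the rest of the commit does and is not needed for correctness: `&amp;` is the correct encoding of `&` inside an HTML attribute, so the default filter would render a working link. With `| n`, any parameter of that `h.url_for` call that is ever derived from user input lands in the attribute raw. Unless `h.url_for` returns already-escaped markup (not visible here), the `| n` should be dropped.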
https://bitbucket.org/galaxy/galaxy-central/commits/a9475110d9bc/
Changeset: a9475110d9bc
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: Sanitize values in switching data parameter form.
Affected #: 1 file
diff -r 6d94a32edcd7c07f2ff9b14b651745092671a0e2 -r a9475110d9bcf52edc445de0ce5f66fecdc29e5b lib/galaxy/web/form_builder.py
--- a/lib/galaxy/web/form_builder.py
+++ b/lib/galaxy/web/form_builder.py
@@ -563,7 +563,7 @@
html += '<input name="__switch_default__" type="hidden" value="%s" />' % self.default_field
options = []
for name, delegate_field in self.delegate_fields.items():
- field = dumps( delegate_field.to_dict() )
+ field = escape( dumps( delegate_field.to_dict() ) )
option = " '%s': %s" % ( name, field )
options.append( option )
html += '<script>$(document).ready( function() {\nvar switchOptions = {\n'
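Review bot: HTML-escaping the JSON on the changed line is the wrong encoder for a `<script>` block, because entities are not decoded inside script content: a field value containing `&` reaches JavaScript as the literal text `&amp;`, and if `escape` also converts quotes (markupsafe-style) the object literal `'%s': %s` on the next line becomes a syntax error; the hunk does not show which `escape` this module imports. The contextual fix is JSON-level escaping that keeps the literal valid and still prevents a `</script>` break-out: `field = dumps( delegate_field.to_dict() ).replace( '<', '\\u003c' ).replace( '>', '\\u003e' ).replace( '&', '\\u0026' )`. `name` on the same line and `self.default_field` in the hidden input above are emitted unescaped too, which is fine only if they are server-defined identifiers; a comment stating that assumption would help. The enclosing method starts and ends outside the hunk.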
https://bitbucket.org/galaxy/galaxy-central/commits/de60fe1e52fe/
Changeset: de60fe1e52fe
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: Sanitization for workflows_for_run.mako.
Affected #: 1 file
diff -r a9475110d9bcf52edc445de0ce5f66fecdc29e5b -r de60fe1e52fe56611629775affe698768f460581 templates/webapps/galaxy/workflow/list_for_run.mako
--- a/templates/webapps/galaxy/workflow/list_for_run.mako
+++ b/templates/webapps/galaxy/workflow/list_for_run.mako
@@ -36,7 +36,7 @@
%for i, workflow in enumerate( workflows ):
<tr><td>
- <a href="${h.url_for(controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name )}</a>
+ <a href="${h.url_for(controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name ) | h}</a><a id="wf-${i}-popup" class="popup-arrow" style="display: none;">▼</a></td><td>${len(workflow.latest_workflow.steps)}</td>
@@ -64,10 +64,10 @@
<% workflow = association.stored_workflow %><tr><td>
- <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${workflow.name}</a>
+ <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${workflow.name | h}</a><a id="shared-${i}-popup" class="popup-arrow" style="display: none;">▼</a></td>
- <td>${workflow.user.email}</td>
+ <td>${workflow.user.email | h}</td><td>${len(workflow.latest_workflow.steps)}</td></tr>
%endfor
https://bitbucket.org/galaxy/galaxy-central/commits/293f3ff27dcb/
Changeset: 293f3ff27dcb
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: Sanitize user e-mail in workflow sharing actions.
Affected #: 1 file
diff -r de60fe1e52fe56611629775affe698768f460581 -r 293f3ff27dcb5f5b22d6dea3ac7274a309f0c36b lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -311,14 +311,14 @@
.first()
if not other:
mtype = "error"
- msg = ( "User '%s' does not exist" % email )
+ msg = ( "User '%s' does not exist" % escape( email ) )
elif other == trans.get_user():
mtype = "error"
msg = ( "You cannot share a workflow with yourself" )
elif trans.sa_session.query( model.StoredWorkflowUserShareAssociation ) \
.filter_by( user=other, stored_workflow=stored ).count() > 0:
mtype = "error"
- msg = ( "Workflow already shared with '%s'" % email )
+ msg = ( "Workflow already shared with '%s'" % escape( email ) )
else:
share = model.StoredWorkflowUserShareAssociation()
share.stored_workflow = stored
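Review bot: The two escaped messages here are duplicated almost verbatim in page.py and visualization.py (commit 6619aac23f9b), with only the noun changing, and the follow-up `set_message` is then built three slightly different ways (inline here, via escaped temporaries in the other two). Since the fix had to be applied three times, a shared helper that takes the item noun and returns the escaped messages — the base controller in lib/galaxy/web/base/controller.py appears to host sharing code already — would make the next such fix a single change. The enclosing method starts outside the hunk.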
@@ -326,7 +326,7 @@
session = trans.sa_session
session.add( share )
session.flush()
- trans.set_message( "Workflow '%s' shared with user '%s'" % ( stored.name, other.email ) )
+ trans.set_message( "Workflow '%s' shared with user '%s'" % ( escape( stored.name ), escape( other.email ) ) )
return trans.response.send_redirect( url_for( controller='workflow', action='sharing', id=id ) )
return trans.fill_template( "/ind_share_base.mako",
message=msg,
https://bitbucket.org/galaxy/galaxy-central/commits/70403d601043/
Changeset: 70403d601043
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: One last fix for workflow/list.mako.
Affected #: 1 file
diff -r 293f3ff27dcb5f5b22d6dea3ac7274a309f0c36b -r 70403d6010438350b3762a562bdfdd6846d91ea2 templates/webapps/galaxy/workflow/list.mako
--- a/templates/webapps/galaxy/workflow/list.mako
+++ b/templates/webapps/galaxy/workflow/list.mako
@@ -94,7 +94,7 @@
<% workflow = association.stored_workflow %><tr><td>
- <a class="menubutton" id="shared-${i}-popup" href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name )}</a>
+ <a class="menubutton" id="shared-${i}-popup" href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name ) | h}</a></td><td>${workflow.user.email}</td><td>${len(workflow.latest_workflow.steps)}</td>
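Review bot: `${workflow.user.email}` in the next cell of the changed line is still unescaped, while the sibling change to list_for_run.mako (commit de60fe1e52fe) escapes the same field with `| h`. Whatever validation e-mail addresses receive at registration, the display side should not depend on it; `<td>${workflow.user.email | h}</td>` makes the two list templates consistent.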
https://bitbucket.org/galaxy/galaxy-central/commits/341c3a853e28/
Changeset: 341c3a853e28
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: Some comments to clarify working santization.
Affected #: 2 files
diff -r 70403d6010438350b3762a562bdfdd6846d91ea2 -r 341c3a853e28fb1177d5e212ef4a3220eba4fbdc lib/galaxy/security/validate_user_input.py
--- a/lib/galaxy/security/validate_user_input.py
+++ b/lib/galaxy/security/validate_user_input.py
@@ -1,3 +1,9 @@
+"""
+Utilities for validating inputs related to user objects.
+
+The validate_* methods in this file return simple messages that do not contain
+user inputs - so these methods do not need to be escaped.
+"""
import logging
import re
diff -r 70403d6010438350b3762a562bdfdd6846d91ea2 -r 341c3a853e28fb1177d5e212ef4a3220eba4fbdc lib/galaxy/web/base/controller.py
--- a/lib/galaxy/web/base/controller.py
+++ b/lib/galaxy/web/base/controller.py
@@ -2581,6 +2581,8 @@
def set_public_username( self, trans, id, username, **kwargs ):
""" Set user's public username and delegate to sharing() """
user = trans.get_user()
+ # message from validate_publicname does not contain input, no need
+ # to escape.
message = validate_publicname( trans, username, user )
if message:
return trans.fill_template( '/sharing_base.mako', item=self.get_item( trans, id ), message=message, status='error' )
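Review bot: The added comment turns a property of validate_publicname's current messages into a security control enforced by convention only; if that function ever starts echoing the rejected username, this call site becomes an injection point and nothing here will flag it. Escaping is harmless for the plain-text messages the comment describes, so `if message: message = escape( message )` before the existing `if message:` check removes the dependency at no cost; at minimum the comment should point at the docstring added to validate_user_input.py in the same commit so the two stay in sync.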
https://bitbucket.org/galaxy/galaxy-central/commits/f88707a93008/
Changeset: f88707a93008
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: Sanitize error message when unsharing history.
Affected #: 1 file
diff -r 341c3a853e28fb1177d5e212ef4a3220eba4fbdc -r f88707a930087d82a2a9bd63b73d5f62887c2d86 lib/galaxy/webapps/galaxy/controllers/history.py
--- a/lib/galaxy/webapps/galaxy/controllers/history.py
+++ b/lib/galaxy/webapps/galaxy/controllers/history.py
@@ -659,7 +659,9 @@
for husa in husas:
trans.sa_session.delete( husa )
if not deleted_sharing_relation:
- message = "History '%s' does not seem to be shared with user '%s'" % ( history.name, user.email )
+ history_name = escape( history.name )
+ user_email = escape( user.email )
+ message = "History '%s' does not seem to be shared with user '%s'" % ( history_name, user_email )
return trans.fill_template( '/sharing_base.mako', item=history,
message=message, status='error' )
https://bitbucket.org/galaxy/galaxy-central/commits/8d8e43126e48/
Changeset: 8d8e43126e48
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: More sanitization of tool ids during tool related activities.
Affected #: 1 file
diff -r f88707a930087d82a2a9bd63b73d5f62887c2d86 -r 8d8e43126e48e21546794ed5ff50beae5e6fe41a lib/galaxy/tools/__init__.py
--- a/lib/galaxy/tools/__init__.py
+++ b/lib/galaxy/tools/__init__.py
@@ -66,6 +66,7 @@
from galaxy.util.template import fill_template
from galaxy.web import url_for
from galaxy.web.form_builder import SelectField
+from galaxy.web.framework.helpers import escape
from galaxy.model.item_attrs import Dictifiable
from galaxy.model import Workflow
from tool_shed.util import common_util
@@ -734,7 +735,7 @@
success = True
# Make sure the tool is actually loaded.
if tool_id not in self.tools_by_id:
- return None, False, "No tool with id %s" % tool_id
+ return None, False, "No tool with id %s" % escape( tool_id )
else:
tool = self.tools_by_id[ tool_id ]
tarball_files = []
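Review bot: The three hunks in this file (here and the two below, in the reload and remove methods) escape `tool_id` inside what reads like the tool-box layer, so the returned message is now HTML-encoded regardless of who consumes it — a JSON API caller or a log line would see `&lt;`. If these messages are only ever rendered into templates this is fine, but that contract should be written next to the return, e.g. `# message is rendered as HTML by the caller; tool_id is user-supplied, so escape here`, and the identical `"No tool with id %s" % escape( tool_id )` is worth a small helper rather than three copies. The enclosing method starts outside the hunk.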
@@ -843,7 +844,7 @@
replace the old tool.
"""
if tool_id not in self.tools_by_id:
- message = "No tool with id %s" % tool_id
+ message = "No tool with id %s" % escape( tool_id )
status = 'error'
else:
old_tool = self.tools_by_id[ tool_id ]
@@ -880,7 +881,7 @@
Attempt to remove the tool identified by 'tool_id'.
"""
if tool_id not in self.tools_by_id:
- message = "No tool with id %s" % tool_id
+ message = "No tool with id %s" % escape( tool_id )
status = 'error'
else:
tool = self.tools_by_id[ tool_id ]
https://bitbucket.org/galaxy/galaxy-central/commits/e461da2d5b6e/
Changeset: e461da2d5b6e
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: Sanitize user generated values in tool_executed.mako.
Affected #: 1 file
diff -r 8d8e43126e48e21546794ed5ff50beae5e6fe41a -r e461da2d5b6e8596297a19b93da107fe18bd449e templates/webapps/galaxy/tool_executed.mako
--- a/templates/webapps/galaxy/tool_executed.mako
+++ b/templates/webapps/galaxy/tool_executed.mako
@@ -61,7 +61,7 @@
${jobs_str} been successfully added to the queue - resulting in the following ${datasets_str}:
</p>
%for _, data in out_data:
- <div style="padding: 10px"><b> ${data.hid}: ${data.name}</b></div>
+ <div style="padding: 10px"><b> ${data.hid}: ${data.name | h}</b></div>
%endfor
<p>
@@ -83,7 +83,7 @@
<ul><!-- Styling on this list is a little flat. Consider identing these error messages. -->
%for job_error in job_errors:
- <li><b>${job_error}</b></li>
+ <li><b>${job_error | h}</b></li>
%endfor
</ul></div>
https://bitbucket.org/galaxy/galaxy-central/commits/6619aac23f9b/
Changeset: 6619aac23f9b
Branch: stable
User: jmchilton
Date: 2014-12-08 16:11:26+00:00
Summary: More sanitization related to sharing objects.
Affected #: 4 files
diff -r e461da2d5b6e8596297a19b93da107fe18bd449e -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 lib/galaxy/webapps/galaxy/controllers/page.py
--- a/lib/galaxy/webapps/galaxy/controllers/page.py
+++ b/lib/galaxy/webapps/galaxy/controllers/page.py
@@ -499,14 +499,14 @@
.first()
if not other:
mtype = "error"
- msg = ( "User '%s' does not exist" % email )
+ msg = ( "User '%s' does not exist" % escape( email ) )
elif other == trans.get_user():
mtype = "error"
msg = ( "You cannot share a page with yourself" )
elif trans.sa_session.query( model.PageUserShareAssociation ) \
.filter_by( user=other, page=page ).count() > 0:
mtype = "error"
- msg = ( "Page already shared with '%s'" % email )
+ msg = ( "Page already shared with '%s'" % escape( email ) )
else:
share = model.PageUserShareAssociation()
share.page = page
@@ -515,7 +515,9 @@
session.add( share )
self.create_item_slug( session, page )
session.flush()
- trans.set_message( "Page '%s' shared with user '%s'" % ( page.title, other.email ) )
+ page_title = escape( page.title )
+ other_email = escape( other.email )
+ trans.set_message( "Page '%s' shared with user '%s'" % ( page_title, other_email ) )
return trans.response.send_redirect( url_for( controller='page', action='sharing', id=id ) )
return trans.fill_template( "/ind_share_base.mako",
message = msg,
diff -r e461da2d5b6e8596297a19b93da107fe18bd449e -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 lib/galaxy/webapps/galaxy/controllers/visualization.py
--- a/lib/galaxy/webapps/galaxy/controllers/visualization.py
+++ b/lib/galaxy/webapps/galaxy/controllers/visualization.py
@@ -535,14 +535,14 @@
.first()
if not other:
mtype = "error"
- msg = ( "User '%s' does not exist" % email )
+ msg = ( "User '%s' does not exist" % escape( email ) )
elif other == trans.get_user():
mtype = "error"
msg = ( "You cannot share a visualization with yourself" )
elif trans.sa_session.query( model.VisualizationUserShareAssociation ) \
.filter_by( user=other, visualization=visualization ).count() > 0:
mtype = "error"
- msg = ( "Visualization already shared with '%s'" % email )
+ msg = ( "Visualization already shared with '%s'" % escape( email ) )
else:
share = model.VisualizationUserShareAssociation()
share.visualization = visualization
@@ -551,7 +551,9 @@
session.add( share )
self.create_item_slug( session, visualization )
session.flush()
- trans.set_message( "Visualization '%s' shared with user '%s'" % ( visualization.title, other.email ) )
+ viz_title = escape( visualization.title )
+ other_email = escape( other.email )
+ trans.set_message( "Visualization '%s' shared with user '%s'" % ( viz_title, other_email ) )
return trans.response.send_redirect( web.url_for(controller='visualization', action='sharing', id=id ) )
return trans.fill_template( "/ind_share_base.mako",
message = msg,
diff -r e461da2d5b6e8596297a19b93da107fe18bd449e -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 templates/embed_base.mako
--- a/templates/embed_base.mako
+++ b/templates/embed_base.mako
@@ -51,7 +51,7 @@
</div><h4><a class="toggle-embed" href="${display_href}" title="Show or hide ${item_display_name} content">Galaxy ${get_class_display_name( item.__class__ )} | ${get_item_name( item ) | h}</a></h4>
%if hasattr( item, "annotation") and item.annotation:
- <div class="annotation">${item.annotation}</div>
+ <div class="annotation">${item.annotation | h}</div>
%endif
## Use a hidden var to store the ajax URL for getting an item's content.
diff -r e461da2d5b6e8596297a19b93da107fe18bd449e -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 templates/ind_share_base.mako
--- a/templates/ind_share_base.mako
+++ b/templates/ind_share_base.mako
@@ -91,7 +91,7 @@
Email address of user to share with
</label><div style="float: left; width: 250px; margin-right: 10px;">
- <input type="text" name="email" value="${email}" size="40">
+ <input type="text" name="email" value="${email | h}" size="40"></div><div style="clear: both"></div></div>
commit/galaxy-central: jmchilton: Remove seemingly unused message cruft in workflow list_for_run.mako.
by commits-noreply@bitbucket.org 08 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/a8b8961827ec/
Changeset: a8b8961827ec
User: jmchilton
Date: 2014-12-08 16:02:03+00:00
Summary: Remove seemingly unused message cruft in workflow list_for_run.mako.
Affected #: 1 file
diff -r 222404d100db80657e22dbcc9b51147563b19973 -r a8b8961827ec2475a20748f5151bd96c49566e98 templates/webapps/galaxy/workflow/list_for_run.mako
--- a/templates/webapps/galaxy/workflow/list_for_run.mako
+++ b/templates/webapps/galaxy/workflow/list_for_run.mako
@@ -2,19 +2,6 @@
<%def name="title()">Workflow home</%def>
-%if message:
-<%
- try:
- messagetype
- except:
- messagetype = "done"
-%>
-<p />
-<div class="${messagetype}message">
- ${message}
-</div>
-%endif
-
<h2>Your workflows</h2><ul class="manage-table-actions">
2 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/caebda8c654a/
Changeset: caebda8c654a
Branch: next-stable
User: carlfeberhard
Date: 2014-12-08 15:11:44+00:00
Summary: Fix to history_contents, dataset.url: use legacy route to prevent intermittent url_for GenerationException
Affected #: 1 file
diff -r 0a0dc401129472073a93a095ced211179ff1c5a4 -r caebda8c654aa079b68be736879df61c75f23faf lib/galaxy/webapps/galaxy/api/history_contents.py
--- a/lib/galaxy/webapps/galaxy/api/history_contents.py
+++ b/lib/galaxy/webapps/galaxy/api/history_contents.py
@@ -154,7 +154,11 @@
'resubmitted': hda._state == trans.app.model.Dataset.states.RESUBMITTED,
'hid' : hda.hid,
'history_content_type' : hda.history_content_type,
- 'url' : url_for( 'history_content_typed', history_id=encoded_history_id, id=encoded_id, type="dataset" ),
+ #'url' : url_for( 'history_content_typed', history_id=encoded_history_id, id=encoded_id, type="dataset" ),
+ #TODO: this intermittently causes a routes.GenerationException - temp use the legacy route to prevent this
+ # see also: https://trello.com/c/5d6j4X5y
+ # see also: https://sentry.galaxyproject.org/galaxy/galaxy-main/group/20769/events/9352…
+ 'url' : url_for( 'history_content', history_id=encoded_history_id, id=encoded_id ),
}
def __collection_dict( self, trans, dataset_collection_instance, view="collection" ):
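Review bot: The commented-out `url_for( 'history_content_typed', ... )` line should not ship as dead code; the TODO comment and the tracker links already record why the legacy route is used, so drop the commented call and keep a one-line `# TODO: restore the 'history_content_typed' route once the GenerationException is fixed`. Note also that the legacy route drops the `type="dataset"` segment from the emitted URL, so any API client that derives the content type from the path (rather than from `history_content_type` in the same dict) would see a behavioral change — worth a sentence in the commit description. The enclosing dict-building method starts before this hunk.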
https://bitbucket.org/galaxy/galaxy-central/commits/222404d100db/
Changeset: 222404d100db
User: carlfeberhard
Date: 2014-12-08 15:12:00+00:00
Summary: merge
Affected #: 1 file
diff -r 896c18ca6b2f1922f73fc74ba9f2bb6229fb54a1 -r 222404d100db80657e22dbcc9b51147563b19973 lib/galaxy/webapps/galaxy/api/history_contents.py
--- a/lib/galaxy/webapps/galaxy/api/history_contents.py
+++ b/lib/galaxy/webapps/galaxy/api/history_contents.py
@@ -154,7 +154,11 @@
'resubmitted': hda._state == trans.app.model.Dataset.states.RESUBMITTED,
'hid' : hda.hid,
'history_content_type' : hda.history_content_type,
- 'url' : url_for( 'history_content_typed', history_id=encoded_history_id, id=encoded_id, type="dataset" ),
+ #'url' : url_for( 'history_content_typed', history_id=encoded_history_id, id=encoded_id, type="dataset" ),
+ #TODO: this intermittently causes a routes.GenerationException - temp use the legacy route to prevent this
+ # see also: https://trello.com/c/5d6j4X5y
+ # see also: https://sentry.galaxyproject.org/galaxy/galaxy-main/group/20769/events/9352…
+ 'url' : url_for( 'history_content', history_id=encoded_history_id, id=encoded_id ),
}
def __collection_dict( self, trans, dataset_collection_instance, view="collection" ):
8 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/e8400d6f1dc3/
Changeset: e8400d6f1dc3
User: jmchilton
Date: 2014-12-08 05:21:47+00:00
Summary: Drop psu_production stuff from scripts/functional_tests.py.
These tests need to runnable against running servers but should be more general and updated.
Affected #: 1 file
diff -r 690ea2dc6cab18cdacfcd59ba0e5c2178df2bff4 -r e8400d6f1dc31cf8f63d00922231b66dbc83f300 scripts/functional_tests.py
--- a/scripts/functional_tests.py
+++ b/scripts/functional_tests.py
@@ -256,78 +256,33 @@
database_auto_migrate = False
galaxy_test_proxy_port = None
- psu_production = False
if start_server:
- if 'GALAXY_TEST_PSU_PRODUCTION' in os.environ:
- if not galaxy_test_port:
- raise Exception( 'Please set GALAXY_TEST_PORT to the port to which the proxy server will proxy' )
- galaxy_test_proxy_port = os.environ.get( 'GALAXY_TEST_PROXY_PORT', None )
- if not galaxy_test_proxy_port:
- raise Exception( 'Please set GALAXY_TEST_PROXY_PORT to the port on which the proxy server is listening' )
- base_file_path = os.environ.get( 'GALAXY_TEST_BASE_FILE_PATH', None )
- if not base_file_path:
- raise Exception( 'Please set GALAXY_TEST_BASE_FILE_PATH to the directory which will contain the dataset files directory' )
- base_new_file_path = os.environ.get( 'GALAXY_TEST_BASE_NEW_FILE_PATH', None )
- if not base_new_file_path:
- raise Exception( 'Please set GALAXY_TEST_BASE_NEW_FILE_PATH to the directory which will contain the temporary directory' )
- database_connection = os.environ.get( 'GALAXY_TEST_DBURI', None )
- if not database_connection:
- raise Exception( 'Please set GALAXY_TEST_DBURI to the URI of the database to be used for tests' )
- nginx_upload_store = os.environ.get( 'GALAXY_TEST_NGINX_UPLOAD_STORE', None )
- if not nginx_upload_store:
- raise Exception( 'Please set GALAXY_TEST_NGINX_UPLOAD_STORE to the path where the nginx upload module places uploaded files' )
- tool_config_file = 'tool_conf.xml.main'
- default_cluster_job_runner = os.environ.get( 'GALAXY_TEST_DEFAULT_CLUSTER_JOB_RUNNER', 'pbs:///' )
- file_path = tempfile.mkdtemp( dir=base_file_path )
- new_file_path = tempfile.mkdtemp( dir=base_new_file_path )
- cluster_files_directory = os.path.join( new_file_path, 'pbs' )
- job_working_directory = os.path.join( new_file_path, 'job_working_directory' )
- os.mkdir( cluster_files_directory )
- os.mkdir( job_working_directory )
- kwargs = dict( database_engine_option_pool_size='10',
- database_engine_option_max_overflow='20',
- database_engine_option_strategy='threadlocal',
- nginx_x_accel_redirect_base='/_x_accel_redirect',
- nginx_upload_store=nginx_upload_store,
- nginx_upload_path='/_upload',
- allow_library_path_paste='True',
- cluster_files_directory=cluster_files_directory,
- job_working_directory=job_working_directory,
- outputs_to_working_directory='True',
- static_enabled='False',
- debug='False',
- track_jobs_in_database='True',
- job_scheduler_policy='FIFO',
- start_job_runners='pbs',
- default_cluster_job_runner=default_cluster_job_runner )
- psu_production = True
+ tempdir = tempfile.mkdtemp( dir=galaxy_test_tmp_dir )
+ # Configure the database path.
+ if 'GALAXY_TEST_DBPATH' in os.environ:
+ galaxy_db_path = os.environ[ 'GALAXY_TEST_DBPATH' ]
else:
- tempdir = tempfile.mkdtemp( dir=galaxy_test_tmp_dir )
- # Configure the database path.
- if 'GALAXY_TEST_DBPATH' in os.environ:
- galaxy_db_path = os.environ[ 'GALAXY_TEST_DBPATH' ]
- else:
- galaxy_db_path = os.path.join( tempdir, 'database' )
- # Configure the paths Galaxy needs to test tools.
- file_path = os.path.join( galaxy_db_path, 'files' )
- new_file_path = tempfile.mkdtemp( prefix='new_files_path_', dir=tempdir )
- job_working_directory = tempfile.mkdtemp( prefix='job_working_directory_', dir=tempdir )
- install_database_connection = os.environ.get( 'GALAXY_TEST_INSTALL_DBURI', None )
- if 'GALAXY_TEST_DBURI' in os.environ:
- database_connection = os.environ['GALAXY_TEST_DBURI']
- else:
- db_path = os.path.join( galaxy_db_path, 'universe.sqlite' )
- if 'GALAXY_TEST_DB_TEMPLATE' in os.environ:
- # Middle ground between recreating a completely new
- # database and pointing at existing database with
- # GALAXY_TEST_DBURI. The former requires a lot of setup
- # time, the latter results in test failures in certain
- # cases (namely tool shed tests expecting clean database).
- log.debug( "Copying database template from %s.", os.environ['GALAXY_TEST_DB_TEMPLATE'] )
- __copy_database_template(os.environ['GALAXY_TEST_DB_TEMPLATE'], db_path)
- database_auto_migrate = True
- database_connection = 'sqlite:///%s' % db_path
- kwargs = {}
+ galaxy_db_path = os.path.join( tempdir, 'database' )
+ # Configure the paths Galaxy needs to test tools.
+ file_path = os.path.join( galaxy_db_path, 'files' )
+ new_file_path = tempfile.mkdtemp( prefix='new_files_path_', dir=tempdir )
+ job_working_directory = tempfile.mkdtemp( prefix='job_working_directory_', dir=tempdir )
+ install_database_connection = os.environ.get( 'GALAXY_TEST_INSTALL_DBURI', None )
+ if 'GALAXY_TEST_DBURI' in os.environ:
+ database_connection = os.environ['GALAXY_TEST_DBURI']
+ else:
+ db_path = os.path.join( galaxy_db_path, 'universe.sqlite' )
+ if 'GALAXY_TEST_DB_TEMPLATE' in os.environ:
+ # Middle ground between recreating a completely new
+ # database and pointing at existing database with
+ # GALAXY_TEST_DBURI. The former requires a lot of setup
+ # time, the latter results in test failures in certain
+ # cases (namely tool shed tests expecting clean database).
+ log.debug( "Copying database template from %s.", os.environ['GALAXY_TEST_DB_TEMPLATE'] )
+ __copy_database_template(os.environ['GALAXY_TEST_DB_TEMPLATE'], db_path)
+ database_auto_migrate = True
+ database_connection = 'sqlite:///%s' % db_path
+ kwargs = {}
for dir in file_path, new_file_path:
try:
if not os.path.exists( dir ):
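Review bot: `galaxy_test_proxy_port = None` survives at the top of the hunk, but the only assignment to it (`os.environ.get( 'GALAXY_TEST_PROXY_PORT', None )`) is removed with the psu_production branch, so the later `if galaxy_test_proxy_port:` path in the test-discovery section is now unreachable. Either delete the variable and that branch, or keep reading `GALAXY_TEST_PROXY_PORT` from the environment if running against an external proxy is still a supported mode. The `httplib` and `shutil` imports at the top of the file may also be unused after this commit — not visible here, worth a quick check. The enclosing main function starts before and ends after this hunk.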
@@ -376,8 +331,6 @@
)
if install_database_connection is not None:
kwargs[ 'install_database_connection' ] = install_database_connection
- if psu_production:
- kwargs[ 'global_conf' ] = None
if not database_connection.startswith( 'sqlite://' ):
kwargs[ 'database_engine_option_max_overflow' ] = '20'
kwargs[ 'database_engine_option_pool_size' ] = '10'
@@ -448,12 +401,6 @@
time.sleep( 0.1 )
else:
raise Exception( "Test HTTP server did not return '200 OK' after 10 tries" )
- # Test if the proxy server is up
- if psu_production:
- conn = httplib.HTTPConnection( galaxy_test_host, galaxy_test_proxy_port ) # directly test the app, not the proxy
- conn.request( "GET", "/" )
- if not conn.getresponse().status == 200:
- raise Exception( "Test HTTP proxy server did not return '200 OK'" )
log.info( "Embedded web server started" )
# ---- Load toolbox for generated tests -----------------------------------
# We don't add the tests to the path until everything is up and running
@@ -571,14 +518,6 @@
log.info( "GALAXY_TEST_NO_CLEANUP is on. Temporary files in %s" % tempdir )
except:
pass
- if psu_production and 'GALAXY_TEST_NO_CLEANUP' not in os.environ:
- for dir in ( file_path, new_file_path ):
- try:
- if os.path.exists( dir ):
- log.info( 'Cleaning up temporary files in %s' % dir )
- shutil.rmtree( dir )
- except:
- pass
if success:
return 0
else:
https://bitbucket.org/galaxy/galaxy-central/commits/ad012fc04856/
Changeset: ad012fc04856
User: jmchilton
Date: 2014-12-08 05:21:47+00:00
Summary: Remove redundant lines in scripts/functional_tests.py.
This stuff is already imported at the top of the file - my guess is the need to import it later is not longer needed.
Affected #: 1 file
diff -r e8400d6f1dc31cf8f63d00922231b66dbc83f300 -r ad012fc04856b1423378f2309a9e02bdfbcdf360 scripts/functional_tests.py
--- a/scripts/functional_tests.py
+++ b/scripts/functional_tests.py
@@ -402,11 +402,6 @@
else:
raise Exception( "Test HTTP server did not return '200 OK' after 10 tries" )
log.info( "Embedded web server started" )
- # ---- Load toolbox for generated tests -----------------------------------
- # We don't add the tests to the path until everything is up and running
- new_path = [ os.path.join( cwd, "test" ) ]
- new_path.extend( sys.path[1:] )
- sys.path = new_path
# ---- Find tests ---------------------------------------------------------
if galaxy_test_proxy_port:
https://bitbucket.org/galaxy/galaxy-central/commits/bcae5db5956a/
Changeset: bcae5db5956a
User: jmchilton
Date: 2014-12-08 05:21:47+00:00
Summary: Reduce some duplication related to nose running.
Affected #: 4 files
diff -r ad012fc04856b1423378f2309a9e02bdfbcdf360 -r bcae5db5956ac836c90ee0e2f14f8b901606c86b scripts/functional_tests.py
--- a/scripts/functional_tests.py
+++ b/scripts/functional_tests.py
@@ -54,6 +54,7 @@
from functional import database_contexts
from base.api_util import get_master_api_key
from base.api_util import get_user_api_key
+from base.nose_util import run
import nose.core
import nose.config
@@ -160,18 +161,7 @@
def run_tests( test_config ):
- loader = nose.loader.TestLoader( config=test_config )
- plug_loader = test_config.plugins.prepareTestLoader( loader )
- if plug_loader is not None:
- loader = plug_loader
- tests = loader.loadTestsFromNames( test_config.testNames )
- test_runner = nose.core.TextTestRunner( stream=test_config.stream,
- verbosity=test_config.verbosity,
- config=test_config )
- plug_runner = test_config.plugins.prepareTestRunner( test_runner )
- if plug_runner is not None:
- test_runner = plug_runner
- return test_runner.run( tests )
+ return run( test_config )
def __copy_database_template( source, db_path ):
diff -r ad012fc04856b1423378f2309a9e02bdfbcdf360 -r bcae5db5956ac836c90ee0e2f14f8b901606c86b test/base/nose_util.py
--- /dev/null
+++ b/test/base/nose_util.py
@@ -0,0 +1,32 @@
+""" Utilities for dealing with nose.
+
+There was some duplication between Galaxy, Tool Shed, and Install/Test,
+trying to reduce that here.
+"""
+
+try:
+ from galaxy import eggs
+ eggs.require( "nose" )
+except ImportError:
+ pass
+import nose
+
+
+def run( test_config, plugins=[] ):
+ loader = nose.loader.TestLoader( config=test_config )
+ for plugin in plugins:
+ test_config.plugins.addPlugin( plugin )
+ plug_loader = test_config.plugins.prepareTestLoader( loader )
+ if plug_loader is not None:
+ loader = plug_loader
+ tests = loader.loadTestsFromNames( test_config.testNames )
+ test_runner = nose.core.TextTestRunner(
+ stream=test_config.stream,
+ verbosity=test_config.verbosity,
+ config=test_config
+ )
+ plug_runner = test_config.plugins.prepareTestRunner( test_runner )
+ if plug_runner is not None:
+ test_runner = plug_runner
+ result = test_runner.run( tests )
+ return result
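Review bot: `def run( test_config, plugins=[] )` uses a mutable default argument; the list is only iterated here so it is harmless today, but it is the classic trap and linters flag it — prefer `def run( test_config, plugins=None ):` with `for plugin in plugins or []:`. The function also mutates the caller's `test_config.plugins` by registering the passed plugins, which is a side effect the docstring should state, e.g. `"""Run nose with test_config; any plugins given are added to test_config.plugins first."""`. A short module docstring already exists; a function docstring is missing.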
diff -r ad012fc04856b1423378f2309a9e02bdfbcdf360 -r bcae5db5956ac836c90ee0e2f14f8b901606c86b test/install_and_test_tool_shed_repositories/base/util.py
--- a/test/install_and_test_tool_shed_repositories/base/util.py
+++ b/test/install_and_test_tool_shed_repositories/base/util.py
@@ -1058,6 +1058,10 @@
return base_url
def run_tests( test_config ):
+ ## TODO: replace whole method with...
+ # from base import nose_util
+ # result = nose_util.run( test_config, plugins=[ new ReportResults() ] )
+ # return result, test_config.plugins._plugins
loader = nose.loader.TestLoader( config=test_config )
test_config.plugins.addPlugin( ReportResults() )
plug_loader = test_config.plugins.prepareTestLoader( loader )
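Review bot: The TODO sketch `plugins=[ new ReportResults() ]` is not Python (`new` is a Java construct); if the intent is that someone later pastes it in, it should read `result = nose_util.run( test_config, plugins=[ ReportResults() ] )`. The `## TODO` double-hash is also inconsistent with the single-hash comments on the following lines. The enclosing `run_tests` body continues past this hunk.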
diff -r ad012fc04856b1423378f2309a9e02bdfbcdf360 -r bcae5db5956ac836c90ee0e2f14f8b901606c86b test/tool_shed/functional_tests.py
--- a/test/tool_shed/functional_tests.py
+++ b/test/tool_shed/functional_tests.py
@@ -1,4 +1,5 @@
#!/usr/bin/env python
+from __future__ import absolute_import
import os
import sys
@@ -66,6 +67,7 @@
from functional import database_contexts
+from base import nose_util
log = logging.getLogger( "tool_shed_functional_tests.py" )
@@ -147,19 +149,10 @@
</data_managers>
'''
+
def run_tests( test_config ):
- loader = nose.loader.TestLoader( config=test_config )
- plug_loader = test_config.plugins.prepareTestLoader( loader )
- if plug_loader is not None:
- loader = plug_loader
- tests = loader.loadTestsFromNames( test_config.testNames )
- test_runner = nose.core.TextTestRunner( stream=test_config.stream,
- verbosity=test_config.verbosity,
- config=test_config )
- plug_runner = test_config.plugins.prepareTestRunner( test_runner )
- if plug_runner is not None:
- test_runner = plug_runner
- return test_runner.run( tests )
+ return nose_util.run( test_config )
+
def main():
# ---- Configuration ------------------------------------------------------
https://bitbucket.org/galaxy/galaxy-central/commits/c33f0de648fc/
Changeset: c33f0de648fc
User: jmchilton
Date: 2014-12-08 05:21:47+00:00
Summary: Remove unused method now that twill interactor is gone.
Affected #: 1 file
diff -r bcae5db5956ac836c90ee0e2f14f8b901606c86b -r c33f0de648fc6cbbeedcc75afe1dc36f74ace89f test/base/twilltestcase.py
--- a/test/base/twilltestcase.py
+++ b/test/base/twilltestcase.py
@@ -1771,20 +1771,6 @@
tc.submit( "reset_user_password_button" )
self.check_page_for_string( "Passwords reset for 1 user." )
- def run_tool( self, tool_id, repeat_name=None, **kwd ):
- """Runs the tool 'tool_id' and passes it the key/values from the *kwd"""
- params = dict( tool_id=tool_id )
- self.visit_url( "/tool_runner/index", params )
- # Must click somewhere in tool_form, to disambiguate what form
- # is being targetted.
- tc.browser.clicked( tc.browser.get_form( 'tool_form' ), None )
- if repeat_name is not None:
- repeat_button = '%s_add' % repeat_name
- # Submit the "repeat" form button to add an input)
- tc.submit( repeat_button )
- tc.find( 'runtool_btn' )
- self.submit_form( **kwd )
-
def run_ucsc_main( self, track_params, output_params ):
"""Gets Data From UCSC"""
tool_id = "ucsc_table_direct1"
https://bitbucket.org/galaxy/galaxy-central/commits/bc3432c21cc7/
Changeset: bc3432c21cc7
User: jmchilton
Date: 2014-12-08 05:21:47+00:00
Summary: Adjust test/functional/test_data_managers.py for run_tool ret val change in 21e3d69.
Affected #: 1 file
diff -r c33f0de648fc6cbbeedcc75afe1dc36f74ace89f -r bc3432c21cc75ff1ac5aa8ac8445ab80b95b7f94 test/functional/test_data_managers.py
--- a/test/functional/test_data_managers.py
+++ b/test/functional/test_data_managers.py
@@ -27,7 +27,7 @@
stage_data_in_history( galaxy_interactor, testdef.test_data(), test_history, shed_tool_id )
- data_list = galaxy_interactor.run_tool( testdef, test_history ) #test_history will have inputs only, outputs are placed in the specialized data manager history
+ galaxy_interactor.run_tool( testdef, test_history ) #test_history will have inputs only, outputs are placed in the specialized data manager history
#FIXME: Move history determination and switching into the interactor
data_manager_history = None
https://bitbucket.org/galaxy/galaxy-central/commits/ccd35e79ac1f/
Changeset: ccd35e79ac1f
User: jmchilton
Date: 2014-12-08 05:21:47+00:00
Summary: Slightly improved error message for tool tests if job submission fails.
Affected #: 1 file
diff -r bc3432c21cc75ff1ac5aa8ac8445ab80b95b7f94 -r ccd35e79ac1fbe89acd55bf3c95978bc30c5c2e9 test/base/interactor.py
--- a/test/base/interactor.py
+++ b/test/base/interactor.py
@@ -212,7 +212,8 @@
try:
return self.__dictify_outputs( submit_response_object ), submit_response_object[ 'jobs' ]
except KeyError:
- raise Exception( submit_response_object[ 'message' ] )
+ message = "Error creating a job for these tool inputs - %s" % submit_response_object[ 'message' ]
+ raise Exception( message )
def _create_collection( self, history_id, collection_def ):
create_payload = dict(
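Review bot: `submit_response_object[ 'message' ]` is evaluated inside the `except KeyError:` handler, so an error response that lacks a `message` key (or a non-dict body) raises a second KeyError that hides both the original failure and the improved message. Build the text defensively: `message = "Error creating a job for these tool inputs - %s" % submit_response_object.get( 'message', submit_response_object )`. The enclosing `run_tool` method starts before this hunk.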
https://bitbucket.org/galaxy/galaxy-central/commits/38b2fa3d3e49/
Changeset: 38b2fa3d3e49
User: jmchilton
Date: 2014-12-08 05:21:47+00:00
Summary: Give admins more data via the jobs API.
More raw information about job metrics and the command-line (visible to them via the UI).
Affected #: 1 file
diff -r ccd35e79ac1fbe89acd55bf3c95978bc30c5c2e9 -r 38b2fa3d3e4973e40998215fae6a9b14d1fecf71 lib/galaxy/webapps/galaxy/api/jobs.py
--- a/lib/galaxy/webapps/galaxy/api/jobs.py
+++ b/lib/galaxy/webapps/galaxy/api/jobs.py
@@ -103,9 +103,20 @@
if full_output:
job_dict.update( dict( stderr=job.stderr, stdout=job.stdout ) )
if trans.user_is_admin():
+ job_dict['command_line'] = job.command_line
def metric_to_dict(metric):
- return dict(zip(['title', 'value'], trans.app.job_metrics.format(metric.plugin, metric.metric_name, metric.metric_value)))
+ metric_name = metric.metric_name
+ metric_value = metric.metric_value
+ metric_plugin = metric.plugin
+ title, value = trans.app.job_metrics.format(metric_plugin, metric_name, metric_value)
+ return dict(
+ title=title,
+ value=value,
+ plugin=metric_plugin,
+ name=metric_name,
+ raw_value=str(metric_value),
+ )
job_dict['job_metrics'] = [metric_to_dict(metric) for metric in job.metrics]
return job_dict
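Review bot: `job.command_line` can embed file paths, environment details and any credentials a tool wrapper interpolates into its invocation, so exposing it through the API widens what a leaked admin API key reveals; the `trans.user_is_admin()` gate on the visible line is the right control, but the endpoint's docstring (outside this hunk) should state that `command_line`, and the `plugin`/`name`/`raw_value` metric fields, are admin-only and not part of the stable user-facing schema. Whether the admin block sits under `if full_output:` cannot be determined from the stripped indentation here — if it does not, consider nesting it so the command line is only returned on explicit full-view requests. The enclosing `show` handler starts before this hunk.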
https://bitbucket.org/galaxy/galaxy-central/commits/896c18ca6b2f/
Changeset: 896c18ca6b2f
User: jmchilton
Date: 2014-12-08 05:21:47+00:00
Summary: Implement structured tool test data.
Rather than relying solely on exceptions back to nose/test framework - add option (--structured_data_report_file) to run_tests.sh that causes a bunch of detailed data to be dumped to the specified file in a very structured way. Includes full to_dict of the job from the API which in turn includes job metrics, command-line, job's standard error and outputs (instead of the test frameworks), as well as the tool inputs, and exceptions broken out for tool execution versus output checking.
Its all indexed in the file by the test id (without the actual test toolbox depending on knowing the test id) - so one could pair this information with the XUnit output to produce much more detailed breakdowns of the tests.
Affected #: 5 files
diff -r 38b2fa3d3e4973e40998215fae6a9b14d1fecf71 -r 896c18ca6b2f1922f73fc74ba9f2bb6229fb54a1 run_tests.sh
--- a/run_tests.sh
+++ b/run_tests.sh
@@ -47,6 +47,7 @@
test_script="./scripts/functional_tests.py"
report_file="run_functional_tests.html"
xunit_report_file=""
+structured_data_report_file=""
with_framework_test_tools_arg=""
driver="python"
@@ -156,6 +157,15 @@
exit 1
fi
;;
+ --structured_data_report_file)
+ if [ $# -gt 1 ]; then
+ structured_data_report_file=$2
+ shift 2
+ else
+ echo "--structured_data_report_file requires an argument" 1>&2
+ exit 1
+ fi
+ ;;
-c|--coverage)
# Must have coverage installed (try `which coverage`) - only valid with --unit
# for now. Would be great to get this to work with functional tests though.
@@ -249,7 +259,12 @@
else
xunit_args=""
fi
- python $test_script $coverage_arg -v --with-nosehtml --html-report-file $report_file $xunit_args $with_framework_test_tools_arg $extra_args
+ if [ -n "$structured_data_report_file" ]; then
+ structured_data_args="--with-structureddata --structured-data-file $structured_data_report_file"
+ else
+ structured_data_args=""
+ fi
+ python $test_script $coverage_arg -v --with-nosehtml --html-report-file $report_file $xunit_args $structured_data_args $with_framework_test_tools_arg $extra_args
else
ensure_grunt
if [ -n "$watch" ]; then
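Review bot: `structured_data_args="... --structured-data-file $structured_data_report_file"` stores the path in a string that is later expanded unquoted, so a report path containing spaces or glob characters is word-split on the `python $test_script ...` line; the same pattern applies to `$xunit_args` and `$report_file` just above. If the script runs under bash (shebang not visible), use an array: `structured_data_args=(--with-structureddata --structured-data-file "$structured_data_report_file")` and expand it as `"${structured_data_args[@]}"`; under plain sh, quote the assignment sites individually. The enclosing driver branch starts before this hunk.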
diff -r 38b2fa3d3e4973e40998215fae6a9b14d1fecf71 -r 896c18ca6b2f1922f73fc74ba9f2bb6229fb54a1 scripts/functional_tests.py
--- a/scripts/functional_tests.py
+++ b/scripts/functional_tests.py
@@ -55,6 +55,7 @@
from base.api_util import get_master_api_key
from base.api_util import get_user_api_key
from base.nose_util import run
+from base.instrument import StructuredTestDataPlugin
import nose.core
import nose.config
@@ -439,6 +440,7 @@
user_api_key=get_user_api_key(),
)
test_config = nose.config.Config( env=os.environ, ignoreFiles=ignore_files, plugins=nose.plugins.manager.DefaultPluginManager() )
+ test_config.plugins.addPlugin( StructuredTestDataPlugin() )
test_config.configure( sys.argv )
result = run_tests( test_config )
success = result.wasSuccessful()
diff -r 38b2fa3d3e4973e40998215fae6a9b14d1fecf71 -r 896c18ca6b2f1922f73fc74ba9f2bb6229fb54a1 test/base/instrument.py
--- /dev/null
+++ b/test/base/instrument.py
@@ -0,0 +1,89 @@
+""" Utilities to help instrument tool tests.
+
+Including structed data nose plugin that allows storing arbitrary structured
+data on a per test case basis - used by tool test to store inputs,
+output problems, job tests, etc... but could easily by used by other test
+types in a different way.
+"""
+
+import json
+import threading
+
+try:
+ from galaxy import eggs
+ eggs.require( "nose" )
+except ImportError:
+ pass
+
+
+from nose.plugins import Plugin
+
+NO_JOB_DATA = object()
+JOB_DATA = threading.local()
+JOB_DATA.new = True
+JOB_DATA.data = NO_JOB_DATA
+
+
+def register_job_data(data):
+ if not JOB_DATA.new:
+ return
+ JOB_DATA.data = data
+ JOB_DATA.new = False
+
+
+def fetch_job_data():
+ try:
+ if JOB_DATA.new:
+ return NO_JOB_DATA
+ else:
+ return JOB_DATA.data
+ finally:
+ JOB_DATA.new = True
+
+
+class StructuredTestDataPlugin( Plugin ):
+ name = 'structureddata'
+
+ def options(self, parser, env):
+ super(StructuredTestDataPlugin, self).options(parser, env=env)
+ parser.add_option(
+ '--structured-data-file', action='store',
+ dest='structured_data_file', metavar="FILE",
+ default=env.get('NOSE_STRUCTURED_DATA', 'structured_test_data.json'),
+ help=("Path to JSON file to store the Galaxy structured data report in."
+ "Default is structured_test_data.json in the working directory "
+ "[NOSE_STRUCTURED_DATA]"))
+
+ def configure(self, options, conf):
+ super(StructuredTestDataPlugin, self).configure(options, conf)
+ self.conf = conf
+ if not self.enabled:
+ return
+ self.tests = []
+ self.structured_data_report_file = open(options.structured_data_file, 'w')
+
+ def finalize(self, result):
+ pass
+
+ def _handle_result(self, test, *args, **kwds):
+ job_data = fetch_job_data()
+ id = test.id()
+ has_data = job_data is not NO_JOB_DATA
+ entry = {
+ 'id': id,
+ 'has_data': has_data,
+ 'data': job_data if has_data else None,
+ }
+ self.tests.append(entry)
+
+ addError = _handle_result
+ addFailure = _handle_result
+ addSuccess = _handle_result
+
+ def report(self, stream):
+ report_obj = {
+ 'version': '0.1',
+ 'tests': self.tests,
+ }
+ json.dump(report_obj, self.structured_data_report_file)
+ self.structured_data_report_file.close()
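Review bot: `JOB_DATA.new = True` and `JOB_DATA.data = NO_JOB_DATA` are set on a `threading.local` at import time, so those attributes exist only in the importing thread; `register_job_data` and `fetch_job_data` called from any other thread (e.g. a nose multiprocess or threaded runner) raise AttributeError on `JOB_DATA.new`. Subclassing `threading.local` and initialising the defaults in `__init__` gives every thread its own defaults. Separately, `id = test.id()` in `_handle_result` shadows the builtin, and the report file is truncated in `configure` before any test runs, so an aborted run leaves an empty file — acceptable, but worth a comment.

```python
class _JobData(threading.local):
    """Per-thread slot for the most recently registered job data."""
    def __init__(self):
        self.new = True
        self.data = NO_JOB_DATA


JOB_DATA = _JobData()
# … unchanged: register_job_data, fetch_job_data, StructuredTestDataPlugin …
```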
diff -r 38b2fa3d3e4973e40998215fae6a9b14d1fecf71 -r 896c18ca6b2f1922f73fc74ba9f2bb6229fb54a1 test/base/interactor.py
--- a/test/base/interactor.py
+++ b/test/base/interactor.py
@@ -6,6 +6,7 @@
eggs.require( "requests" )
from galaxy import util
from galaxy.util.odict import odict
+from galaxy.util.bunch import Bunch
from requests import get
from requests import post
from json import dumps
@@ -210,10 +211,14 @@
submit_response = self.__submit_tool( history_id, tool_id=testdef.tool.id, tool_input=inputs_tree )
submit_response_object = submit_response.json()
try:
- return self.__dictify_outputs( submit_response_object ), submit_response_object[ 'jobs' ]
+ return Bunch(
+ inputs=inputs_tree,
+ outputs=self.__dictify_outputs( submit_response_object ),
+ jobs=submit_response_object[ 'jobs' ],
+ )
except KeyError:
message = "Error creating a job for these tool inputs - %s" % submit_response_object[ 'message' ]
- raise Exception( message )
+ raise RunToolException( message, inputs_tree )
def _create_collection( self, history_id, collection_def ):
create_payload = dict(
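Review bot: `raise RunToolException( message, inputs_tree )` only fires if the `submit_response_object[ 'message' ]` lookup on the line above succeeds; when the error body has no `message` key, that lookup raises a plain KeyError from inside the `except KeyError:` handler, so the caller's `except RunToolException` in test_toolbox never sees `inputs` and the structured report loses them. Use `submit_response_object.get( 'message', submit_response_object )` so the intended exception type is always the one raised. The enclosing `run_tool` method starts before this hunk.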
@@ -404,6 +409,13 @@
return get( url, params=data )
+class RunToolException(Exception):
+
+ def __init__(self, message, inputs=None):
+ super(RunToolException, self).__init__(message)
+ self.inputs = inputs
+
+
GALAXY_INTERACTORS = {
'api': GalaxyInteractorApi,
}
diff -r 38b2fa3d3e4973e40998215fae6a9b14d1fecf71 -r 896c18ca6b2f1922f73fc74ba9f2bb6229fb54a1 test/functional/test_toolbox.py
--- a/test/functional/test_toolbox.py
+++ b/test/functional/test_toolbox.py
@@ -1,7 +1,8 @@
import new
import sys
from base.twilltestcase import TwillTestCase
-from base.interactor import build_interactor, stage_data_in_history
+from base.interactor import build_interactor, stage_data_in_history, RunToolException
+from base.instrument import register_job_data
from galaxy.tools import DataManagerTool
from galaxy.util import bunch
import logging
@@ -34,10 +35,48 @@
stage_data_in_history( galaxy_interactor, testdef.test_data(), test_history, shed_tool_id )
- data_list, jobs = galaxy_interactor.run_tool( testdef, test_history )
- self.assertTrue( data_list )
+ # Once data is ready, run the tool and check the outputs - record API
+ # input, job info, tool run exception, as well as exceptions related to
+ # job output checking and register they with the test plugin so it can
+ # record structured information.
+ tool_inputs = None
+ job_stdio = None
+ job_output_exceptions = None
+ tool_execution_exception = None
+ try:
+ try:
+ tool_response = galaxy_interactor.run_tool( testdef, test_history )
+ data_list, jobs, tool_inputs = tool_response.outputs, tool_response.jobs, tool_response.inputs
+ except RunToolException as e:
+ tool_inputs = e.inputs
+ tool_execution_exception = e
+ raise e
+ except Exception as e:
+ tool_execution_exception = e
+ raise e
- self._verify_outputs( testdef, test_history, jobs, shed_tool_id, data_list, galaxy_interactor )
+ self.assertTrue( data_list )
+
+ try:
+ job_stdio = self._verify_outputs( testdef, test_history, jobs, shed_tool_id, data_list, galaxy_interactor )
+ except JobOutputsError as e:
+ job_stdio = e.job_stdio
+ job_output_exceptions = e.output_exceptions
+ raise e
+ except Exception as e:
+ job_output_exceptions = [e]
+ raise e
+ finally:
+ job_data = {}
+ if tool_inputs is not None:
+ job_data["inputs"] = tool_inputs
+ if job_stdio is not None:
+ job_data["job"] = job_stdio
+ if job_output_exceptions:
+ job_data["output_problems"] = map(str, job_output_exceptions)
+ if tool_execution_exception:
+ job_data["execution_problem"] = str(tool_execution_exception)
+ register_job_data(job_data)
galaxy_interactor.delete_history( test_history )
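Review bot: The four `raise e` statements inside the `except ... as e` blocks re-raise with a fresh traceback on Python 2 (the file is Python 2 — see the `print >>sys.stderr` usage below), which points the reported failure at the re-raise line instead of the original assertion or HTTP failure; a bare `raise` preserves the traceback and is the idiom here. Since `e` is still bound to the locals used in the `finally` block, nothing else changes. The enclosing test method starts before this hunk.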
@@ -63,6 +102,7 @@
raise Exception( message )
found_exceptions = []
+ job_stdio = None
for output_index, output_tuple in enumerate(testdef.outputs):
# Get the correct hid
name, outfile, attributes = output_tuple
@@ -89,9 +129,22 @@
if stream in job_stdio:
print >>sys.stderr, self._format_stream( job_stdio[ stream ], stream=stream, format=True )
found_exceptions.append(e)
+ if job_stdio is None:
+ job_stdio = galaxy_interactor.get_job_stdio( jobs[0][ 'id' ] )
+
if found_exceptions:
- big_message = "\n".join(map(str, found_exceptions))
- raise AssertionError(big_message)
+ raise JobOutputsError(found_exceptions, job_stdio)
+ else:
+ return job_stdio
+
+
+class JobOutputsError(AssertionError):
+
+ def __init__(self, output_exceptions, job_stdio):
+ big_message = "\n".join(map(str, output_exceptions))
+ super(JobOutputsError, self).__init__(big_message)
+ self.job_stdio = job_stdio
+ self.output_exceptions = output_exceptions
@nottest
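Review bot: `JobOutputsError` has no docstring; add `"""Raised when one or more tool outputs fail verification; carries the per-output exceptions and the first job's stdio for the structured report."""`. The "first job" wording matters because `job_stdio` is only fetched for `jobs[0][ 'id' ]`, so tests whose tool run spawns several jobs record stdio for just one of them — a comment on that line such as `# only the first job's stdio is captured; multi-job tool runs lose the rest` would keep later readers from assuming completeness. The enclosing `_verify_outputs` method starts before this hunk.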
commit/galaxy-central: jmchilton: Add --xunit_report_file option to run_tests.sh.
by commits-noreply@bitbucket.org 05 Dec '14
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/690ea2dc6cab/
Changeset: 690ea2dc6cab
User: jmchilton
Date: 2014-12-06 05:14:20+00:00
Summary: Add --xunit_report_file option to run_tests.sh.
If supplied - python based tests will output a xunit style test to the specified file.
Affected #: 1 file
diff -r 34ed52176b054166d687c3a402391f0d40f339db -r 690ea2dc6cab18cdacfcd59ba0e5c2178df2bff4 run_tests.sh
--- a/run_tests.sh
+++ b/run_tests.sh
@@ -46,6 +46,7 @@
test_script="./scripts/functional_tests.py"
report_file="run_functional_tests.html"
+xunit_report_file=""
with_framework_test_tools_arg=""
driver="python"
@@ -146,6 +147,15 @@
exit 1
fi
;;
+ --xunit_report_file)
+ if [ $# -gt 1 ]; then
+ xunit_report_file=$2
+ shift 2
+ else
+ echo "--xunit_report_file requires an argument" 1>&2
+ exit 1
+ fi
+ ;;
-c|--coverage)
# Must have coverage installed (try `which coverage`) - only valid with --unit
# for now. Would be great to get this to work with functional tests though.
@@ -234,7 +244,12 @@
fi
if [ "$driver" = "python" ]; then
- python $test_script $coverage_arg -v --with-nosehtml --html-report-file $report_file $with_framework_test_tools_arg $extra_args
+ if [ -n "$xunit_report_file" ]; then
+ xunit_args="--with-xunit --xunit-file $xunit_report_file"
+ else
+ xunit_args=""
+ fi
+ python $test_script $coverage_arg -v --with-nosehtml --html-report-file $report_file $xunit_args $with_framework_test_tools_arg $extra_args
else
ensure_grunt
if [ -n "$watch" ]; then
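Review bot: `xunit_args="--with-xunit --xunit-file $xunit_report_file"` is expanded unquoted on the `python $test_script ...` line, so a report path containing spaces or shell glob characters is split into several arguments; `$report_file` is already passed the same way. If the script is bash (shebang not visible), `xunit_args=(--with-xunit --xunit-file "$xunit_report_file")` with `"${xunit_args[@]}"` at the call site fixes it; under plain sh, quote the variable at the single expansion point instead of building an argument string. The enclosing driver branch starts before this hunk.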