4 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/c2bed0a496f8/ Changeset: c2bed0a496f8 Branch: stable User: davebgx Date: 2014-12-11 16:10:30+00:00 Summary: Escape messages passed in through kwd. Affected #: 14 files
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/web/base/controllers/admin.py
--- a/lib/galaxy/web/base/controllers/admin.py
+++ b/lib/galaxy/web/base/controllers/admin.py
@@ -7,6 +7,7 @@
 from galaxy.web.form_builder import CheckboxField
 from string import punctuation as PUNCTUATION
 import galaxy.queue_worker
+from markupsafe import escape
 from tool_shed.util import shed_util_common as suc
@@ -28,7 +29,7 @@
     @web.expose
     @web.require_admin
     def index( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         if trans.webapp.name == 'galaxy':
             installed_repositories = trans.install_model.context.query( trans.install_model.ToolShedRepository ).first()
@@ -46,7 +47,7 @@
     @web.expose
     @web.require_admin
     def center( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         if trans.webapp.name == 'galaxy':
             return trans.fill_template( '/webapps/galaxy/admin/center.mako',
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/demo_sequencer/controllers/common.py
--- a/lib/galaxy/webapps/demo_sequencer/controllers/common.py
+++ b/lib/galaxy/webapps/demo_sequencer/controllers/common.py
@@ -4,6 +4,7 @@
 import time, socket, urllib, urllib2, base64, copy
 from galaxy.util.json import *
 from urllib import quote_plus, unquote_plus
+from markupsafe import escape
 import logging
 log = logging.getLogger( __name__ )
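Review bot: The `status` value read from `kwd` on the line right after each escaped `message` (`status = kwd.get( 'status', 'done' )` in `index` and `center` here) is still handed to the templates unescaped, and the same pairing repeats in the galaxy admin, admin_toolshed, user, workflow, reports, tool_shed admin and repository hunks below. The library_common hunks already wrap it as `escape( status )` at render time, which suggests the templates interpolate `status` as readily as `message`, so the reflected-input path this commit closes for `message` stays open for `status` wherever a template does not escape it itself. Suggest `status = escape( kwd.get( 'status', 'done' ) )` beside each changed line, or normalising it to one of the values the templates expect (the page shows `done`, `info` and `error`). The `@@ -7` hunk is import-only and needs nothing; both method bodies continue outside their hunks.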
@@ -16,7 +17,7 @@
     titles = util.listify( titles )
     JobId = util.restore_text( kwd.get( 'JobId', '' ) )
     sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
-    message = util.restore_text( kwd.get( 'message', '' ) )
+    message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
     status = kwd.get( 'status', 'done' )
     redirect_delay = trans.app.sequencer_actions_registry.redirect_delay
     sequencer_redirects = copy.deepcopy( trans.app.sequencer_actions_registry.sequencer_redirects )
@@ -144,7 +145,7 @@
     titles = util.restore_text( kwd.get( 'titles', '' ) )
     JobId = util.restore_text( kwd.get( 'JobId', '' ) )
     sample_id = util.restore_text( kwd.get( 'sample_id', '' ) )
-    message = util.restore_text( kwd.get( 'message', '' ) )
+    message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
     status = kwd.get( 'status', 'done' )
     url, http_method, request_params, response_type = request_tup
     url = unquote_plus( url )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin.py
@@ -17,6 +17,7 @@
 from galaxy.web.params import QuotaParamParser
 from tool_shed.util import common_util
 from tool_shed.util import encoding_util
+from markupsafe import escape
 log = logging.getLogger( __name__ )
@@ -838,7 +839,7 @@
     @web.expose
     @web.require_admin
     def review_tool_migration_stages( self, trans, **kwd ):
-        message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+        message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
         status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
         migration_stages_dict = odict()
         migration_modules = []
@@ -870,13 +871,13 @@
     @web.expose
     @web.require_admin
     def view_datatypes_registry( self, trans, **kwd ):
-        message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+        message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
         status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
         return trans.fill_template( 'admin/view_datatypes_registry.mako', message=message, status=status )
     @web.expose
     @web.require_admin
     def view_tool_data_tables( self, trans, **kwd ):
-        message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+        message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
         status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
         return trans.fill_template( 'admin/view_data_tables_registry.mako', message=message, status=status )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
@@ -8,6 +8,7 @@
 from galaxy.web.form_builder import CheckboxField
 from galaxy.util import json
 from galaxy.model.orm import or_
+from markupsafe import escape
 import tool_shed.repository_types.util as rt_util
@@ -72,7 +73,7 @@
     @web.expose
     @web.require_admin
     def browse_repository( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         repository = repository_util.get_installed_tool_shed_repository( trans.app, kwd[ 'id' ] )
         return trans.fill_template( '/admin/tool_shed_repository/browse_repository.mako',
@@ -169,7 +170,7 @@
     @web.expose
     @web.require_admin
     def browse_tool_dependency( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
         tool_dependency = tool_dependency_util.get_tool_dependency( trans.app, tool_dependency_ids[ 0 ] )
@@ -197,7 +198,7 @@
     @web.expose
     @web.require_admin
     def browse_tool_sheds( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         return trans.fill_template( '/webapps/galaxy/admin/tool_sheds.mako',
                                     message=message,
@@ -230,7 +231,7 @@
         require the same entry. For now we'll never delete entries from config.shed_tool_data_table_config, but we may choose to do so in the future if it becomes necessary. """
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         remove_from_disk = kwd.get( 'remove_from_disk', '' )
         remove_from_disk_checked = CheckboxField.is_checked( remove_from_disk )
@@ -442,7 +443,7 @@
     @web.require_admin
     def import_workflow( self, trans, workflow_name, repository_id, **kwd ):
         """Import a workflow contained in an installed tool shed repository into Galaxy."""
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         if workflow_name:
             workflow_name = encoding_util.tool_shed_decode( workflow_name )
@@ -479,7 +480,7 @@
         tool shed repository.
         """
         # Get the tool_shed_repository from one of the tool_dependencies.
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         err_msg = ''
         tool_shed_repository = tool_dependencies[ 0 ].tool_shed_repository
@@ -512,7 +513,7 @@
     @web.require_admin
     def install_latest_repository_revision( self, trans, **kwd ):
         """Install the latest installable revision of a repository that has been previously installed."""
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         repository_id = kwd.get( 'id', None )
         if repository_id is not None:
@@ -589,7 +590,7 @@
         updating_to_changeset_revision = kwd.get( 'updating_to_changeset_revision', None )
         updating_to_ctx_rev = kwd.get( 'updating_to_ctx_rev', None )
         encoded_updated_metadata = kwd.get( 'encoded_updated_metadata', None )
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         install_tool_dependencies = CheckboxField.is_checked( kwd.get( 'install_tool_dependencies', '' ) )
         if 'install_tool_dependencies_with_update_button' in kwd:
@@ -665,7 +666,7 @@
     @web.expose
     @web.require_admin
     def manage_repositories( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         tsridslist = common_util.get_tool_shed_repository_ids( **kwd )
         if 'operation' in kwd:
@@ -744,7 +745,7 @@
     @web.expose
     @web.require_admin
     def manage_repository( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         repository_id = kwd.get( 'id', None )
         if repository_id is None:
@@ -808,7 +809,7 @@
     @web.expose
     @web.require_admin
     def manage_repository_tool_dependencies( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
         if tool_dependency_ids:
@@ -890,7 +891,7 @@
     def manage_tool_dependencies( self, trans, **kwd ):
         # This method is called when tool dependencies are being installed. See the related manage_repository_tool_dependencies
         # method for managing the tool dependencies for a specified installed tool shed repository.
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
         repository_id = kwd.get( 'repository_id', None )
@@ -978,7 +979,7 @@
             message += 'of Galaxy Tool Shed repository tools into a local Galaxy instance</a> section of the Galaxy Tool '
             message += 'Shed wiki for all of the details.'
             return trans.show_error_message( message )
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         shed_tool_conf = kwd.get( 'shed_tool_conf', None )
         tool_shed_url = kwd.get( 'tool_shed_url', '' )
@@ -1314,7 +1315,7 @@
         and tool dependencies of the repository.
         """
         rdim = repository_dependency_manager.RepositoryDependencyInstallManager( trans.app )
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         repository_id = kwd[ 'id' ]
         tool_shed_repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
@@ -1450,7 +1451,7 @@
         Inspect the repository dependency hierarchy for a specified repository and attempt to make sure they are all properly installed as well as each repository's tool dependencies. """
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         repository_id = kwd.get( 'id', None )
         if not repository_id:
@@ -1715,7 +1716,7 @@
         if 'reset_metadata_on_selected_repositories_button' in kwd:
             message, status = irmm.reset_metadata_on_selected_repositories( trans.user, **kwd )
         else:
-            message = kwd.get( 'message', '' )
+            message = escape( kwd.get( 'message', '' ) )
             status = kwd.get( 'status', 'done' )
         repositories_select_field = irmm.build_repository_ids_select_field()
         return trans.fill_template( '/admin/tool_shed_repository/reset_metadata_on_selected_repositories.mako',
@@ -1852,7 +1853,7 @@
     @web.expose
     @web.require_admin
     def uninstall_tool_dependencies( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
         if not tool_dependency_ids:
@@ -1897,7 +1898,7 @@
     @web.require_admin
     def update_to_changeset_revision( self, trans, **kwd ):
         """Update a cloned repository to the latest revision possible."""
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         tool_shed_url = kwd.get( 'tool_shed_url', '' )
         # Handle protocol changes over time.
@@ -2070,7 +2071,7 @@
     @web.expose
     @web.require_admin
     def update_tool_shed_status_for_installed_repository( self, trans, all_installed_repositories=False, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         if all_installed_repositories:
             success_count = 0
@@ -2112,7 +2113,7 @@
     @web.expose
     @web.require_admin
     def view_tool_metadata( self, trans, repository_id, tool_id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
         repository_metadata = repository.metadata
@@ -2146,7 +2147,7 @@
     @web.require_admin
     def view_workflow( self, trans, workflow_name=None, repository_id=None, **kwd ):
         """Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         if workflow_name:
             workflow_name = encoding_util.tool_shed_decode( workflow_name )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -5,8 +5,9 @@
 from galaxy import web
 from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import escape, grids, time_ago
+from galaxy.web.framework.helpers import grids, time_ago
 from library_common import get_comptypes, lucene_search, whoosh_search
+from markupsafe import escape
 # from galaxy.model.orm import *
 log = logging.getLogger( __name__ )
@@ -148,7 +149,7 @@
     @web.expose
     @web.require_admin
     def create_library( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         if kwd.get( 'create_library_button', False ):
             name = kwd.get( 'name', 'No name' )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/library_common.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_common.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py
@@ -20,7 +20,7 @@
 from galaxy.util.streamball import StreamBall
 from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems
 from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field
-from galaxy.web.framework.helpers import escape
+from markupsafe import escape
 from galaxy.model.orm import and_, eagerload_all
 # Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled.
@@ -93,7 +93,7 @@
     @web.expose
     def browse_library( self, trans, cntrller='library', **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         # If use_panels is True, the library is being accessed via an external link
         # which did not originate from within the Galaxy instance, and the library will
@@ -121,7 +121,7 @@
             hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) )
             if created_ldda_ids and not message:
                 message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \
-                    ( len( created_ldda_ids.split( ',' ) ), library.name )
+                    ( len( created_ldda_ids.split( ',' ) ), escape( library.name ) )
                 message += "Don't navigate away from Galaxy or use the browser's \"stop\" or \"reload\" buttons (on this tab) until the "
                 message += "message \"This job is running\" is cleared from the \"Information\" column below for each selected dataset."
                 status = "info"
@@ -152,7 +152,7 @@
                                         message=escape( message ),
                                         status=escape( status ) )
         except Exception, e:
-            message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) )
+            message = 'Error attempting to display contents of library (%s): %s.' % ( escape( str( library.name ) ), str( e ) )
             status = 'error'
         default_action = kwd.get( 'default_action', None )
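Review bot: In the `@@ -121` hunk `escape( library.name )` is substituted with `%` into a plain `str`, and the next hunk shows that same `message` going to `fill_template` as `message=escape( message )`; since `str % Markup` yields an ordinary `str`, markupsafe will most likely encode the entities a second time (`&` becomes `&amp;amp;`) for any library name containing `&`, `<`, `>` or a quote. The render-time `escape( message )` already covers the name, so the inner call can be dropped: `( len( created_ldda_ids.split( ',' ) ), library.name )`. In the `@@ -152` hunk the same line escapes `str( library.name )` but leaves `str( e )` unescaped; if that error path does not also go through the render-time `escape( message )`, exception text echoing request input would reach the page raw, so either escape the whole formatted string once or confirm the error path is escaped where it is rendered. `browse_library` starts and ends outside these hunks.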
@@ -164,7 +164,7 @@
                                     status=status ) )
     @web.expose
     def library_info( self, trans, cntrller, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -223,7 +223,7 @@
                                     status=escape( status ) )
     @web.expose
     def library_permissions( self, trans, cntrller, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -269,7 +269,7 @@
                                     status=escape( status ) )
     @web.expose
     def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -345,7 +345,7 @@
                                     status=escape( status ) )
     @web.expose
     def folder_info( self, trans, cntrller, id, library_id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -401,7 +401,7 @@
                                     status=escape( status ) )
     @web.expose
     def folder_permissions( self, trans, cntrller, id, library_id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -450,7 +450,7 @@
                                     status=escape( status ) )
     @web.expose
     def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -505,7 +505,7 @@
             old_name = ldda.name
             new_name = kwd.get( 'name', '' )
             new_info = kwd.get( 'info', '' )
-            new_message = kwd.get( 'message', '' )
+            new_message = escape( kwd.get( 'message', '' ) )
             if not new_name:
                 message = 'Enter a valid name'
                 status = 'error'
@@ -602,7 +602,7 @@
                                     status=escape( status ) )
     @web.expose
     def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) )
@@ -650,7 +650,7 @@
                                     status=escape( status ) )
     @web.expose
     def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
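Review bot: `new_message = escape( kwd.get( 'message', '' ) )` in the `@@ -505` hunk sits beside `new_name` and `new_info`, which by their names look like values about to be written to the dataset rather than rendered (the assignment itself is outside the hunk). Escaping at input time would store HTML entities in the database, and every later render that applies `escape()` to the stored `str` would encode them again, so `new_message` should stay raw here and be escaped where it is displayed, as the other hunks do for display-only `message`. The same question applies to `ldda_message` in `upload_library_dataset` and `add_history_datasets_to_library` further down, if that value is persisted with the dataset. `ldda_edit_info` continues outside the hunk.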
@@ -787,9 +787,9 @@
                                     status=escape( status ) )
     @web.expose
     def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
-        ldda_message = kwd.get( 'ldda_message', '' )
+        ldda_message = escape( kwd.get( 'ldda_message', '' ) )
         deleted = util.string_as_bool( kwd.get( 'deleted', False ) )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1046,7 +1046,7 @@
             dataset_upload_inputs.append( input )
         # Library-specific params
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         server_dir = kwd.get( 'server_dir', '' )
         if replace_dataset not in [ None, 'None' ]:
@@ -1256,9 +1256,9 @@
     @web.expose
     def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
-        ldda_message = kwd.get( 'ldda_message', '' )
+        ldda_message = escape( kwd.get( 'ldda_message', '' ) )
         show_deleted = kwd.get( 'show_deleted', False )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
         replace_id = kwd.get( 'replace_id', None )
@@ -1547,7 +1547,7 @@
                                                           status='error' ) )
     @web.expose
     def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1595,7 +1595,7 @@
                                     status=escape( status ) )
     @web.expose
     def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1642,7 +1642,7 @@
                                     status=escape( status ) )
     @web.expose
     def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1703,7 +1703,7 @@
                 rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath )
                 return rval
         # Perform an action on a list of library datasets.
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1979,7 +1979,7 @@
         # - a select list option for acting on multiple selected datasets within a library
         # ( ldda_ids is a comma separated string of ldda ids )
         # - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids )
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2102,7 +2102,7 @@
     def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ):
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' )
         current_user_roles = trans.get_current_user_roles()
@@ -2152,7 +2152,7 @@
         # 'ldda' and item_id is a comma separated string of ldda ids )
         # - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a
         # comma separated string of ldda ids )
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2723,7 +2723,7 @@
     return map( operator.getitem, intermed, ( -1, ) * len( intermed ) )
 def lucene_search( trans, cntrller, search_term, search_url, **kwd ):
     """Return display of results from a full-text lucene search of data libraries."""
-    message = kwd.get( 'message', '' )
+    message = escape( kwd.get( 'message', '' ) )
     status = kwd.get( 'status', 'done' )
     full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) )
     response = urllib2.urlopen( full_url )
@@ -2733,7 +2733,7 @@
     return status, message, get_sorted_accessible_library_items( trans, cntrller, lddas, 'name' )
 def whoosh_search( trans, cntrller, search_term, **kwd ):
     """Return display of results from a full-text whoosh search of data libraries."""
-    message = kwd.get( 'message', '' )
+    message = escape( kwd.get( 'message', '' ) )
     status = kwd.get( 'status', 'done' )
     ok = True
     if whoosh_search_enabled:
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -28,9 +28,10 @@
 from galaxy.web.base.controller import CreatesApiKeysMixin
 from galaxy.web.form_builder import CheckboxField
 from galaxy.web.form_builder import build_select_field
-from galaxy.web.framework.helpers import time_ago, grids, escape
+from galaxy.web.framework.helpers import time_ago, grids
 from datetime import datetime, timedelta
 from galaxy.util import hash_util, biostar
+from markupsafe import escape
 log = logging.getLogger( __name__ )
@@ -254,7 +255,7 @@
         if not trans.app.config.enable_openid:
             return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' )
         use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         email = kwd.get( 'email', '' )
         username = kwd.get( 'username', '' )
@@ -502,7 +503,7 @@
         """
         Function validates numerous cases that might happen during the login time.
         """
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'error' )
         email = kwd.get( 'email', '' )
         password = kwd.get( 'password', '' )
@@ -719,7 +720,7 @@
         email = util.restore_text( kwd.get( 'email', '' ) )
         password = kwd.get( 'password', '' )
         username = util.restore_text( kwd.get( 'username', '' ) )
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         is_admin = cntrller == 'admin' and trans.user_is_admin()
         user = self.create_user( trans=trans, email=email, username=username, password=password )
@@ -1093,7 +1094,7 @@
     def reset_password( self, trans, email=None, **kwd ):
         if trans.app.config.smtp_server is None:
             return trans.show_error_message( "Mail is not configured for this Galaxy instance. Please contact your local Galaxy administrator." )
-        message = util.sanitize_text(util.restore_text( kwd.get( 'message', '' ) ))
+        message = util.sanitize_text( util.restore_text( kwd.get( 'message', '' ) ) )
         status = kwd.get( 'status', 'done' )
         if kwd.get( 'reset_password_button', False ):
             reset_user = trans.sa_session.query( trans.app.model.User ).filter( trans.app.model.User.table.c.email == email ).first()
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -22,7 +22,7 @@
 from galaxy.web import error, url_for
 from galaxy.web.base.controller import BaseUIController, SharableMixin, UsesStoredWorkflowMixin
 from galaxy.web.framework.formbuilder import form
-from galaxy.web.framework.helpers import grids, time_ago, to_unicode, escape
+from galaxy.web.framework.helpers import grids, time_ago, to_unicode
 from galaxy.workflow.modules import WorkflowModuleInjector
 from galaxy.workflow.modules import MissingToolException
 from galaxy.workflow.modules import module_factory, is_tool_module_type
@@ -37,6 +37,7 @@
     order_workflow_steps_with_levels,
 )
 from galaxy.workflow.render import WorkflowCanvas, MARGIN, LINE_SPACING
+from markupsafe import escape
 class StoredWorkflowListGrid( grids.Grid ):
@@ -1021,7 +1022,7 @@
         """
         url = kwd.get( 'url', '' )
         workflow_text = kwd.get( 'workflow_text', '' )
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         import_button = kwd.get( 'import_button', False )
         # The special Galaxy integration landing page's URL on myExperiment
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/reports/controllers/users.py
--- a/lib/galaxy/webapps/reports/controllers/users.py
+++ b/lib/galaxy/webapps/reports/controllers/users.py
@@ -9,17 +9,19 @@
 pkg_resources.require( "SQLAlchemy >= 0.4" )
 import sqlalchemy as sa
 import logging
+from markupsafe import escape
+
 log = logging.getLogger( __name__ )
 class Users( BaseUIController ):
     @web.expose
     def registered_users( self, trans, **kwd ):
-        message = util.restore_text( kwd.get( 'message', '' ) )
+        message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
         num_users = trans.sa_session.query( galaxy.model.User ).count()
         return trans.fill_template( '/webapps/reports/registered_users.mako', num_users=num_users, message=message )
     @web.expose
     def registered_users_per_month( self, trans, **kwd ):
-        message = util.restore_text( kwd.get( 'message', '' ) )
+        message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
         q = sa.select( ( sa.func.date_trunc( 'month', sa.func.date( galaxy.model.User.table.c.create_time ) ).label( 'date' ), sa.func.count( galaxy.model.User.table.c.id ).label( 'num_users' ) ), from_obj = [ galaxy.model.User.table ],
@@ -36,7 +38,7 @@
                                     message=message )
     @web.expose
     def specified_month( self, trans, **kwd ):
-        message = util.restore_text( kwd.get( 'message', '' ) )
+        message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
         # If specified_date is not received, we'll default to the current month
         specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
         specified_month = specified_date[ :7 ]
@@ -66,7 +68,7 @@
                                     message=message )
     @web.expose
     def specified_date( self, trans, **kwd ):
-        message = util.restore_text( kwd.get( 'message', '' ) )
+        message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
         # If specified_date is not received, we'll default to the current month
         specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) )
         year, month, day = map( int, specified_date.split( "-" ) )
@@ -95,7 +97,7 @@
                                     message=message )
     @web.expose
     def last_access_date( self, trans, **kwd ):
-        message = util.restore_text( kwd.get( 'message', '' ) )
+        message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
         not_logged_in_for_days = kwd.get( 'not_logged_in_for_days', 90 )
         if not not_logged_in_for_days:
             not_logged_in_for_days = 0
@@ -120,7 +122,7 @@
     @web.expose
     def user_disk_usage( self, trans, **kwd ):
-        message = util.restore_text( kwd.get( 'message', '' ) )
+        message = escape( util.restore_text( kwd.get( 'message', '' ) ) )
         user_cutoff = int( kwd.get( 'user_cutoff', 60 ) )
         # disk_usage isn't indexed
         users = sorted( trans.sa_session.query( galaxy.model.User ).all(), key=operator.attrgetter( 'disk_usage' ), reverse=True )
diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/tool_shed/controllers/admin.py
--- a/lib/galaxy/webapps/tool_shed/controllers/admin.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/admin.py
@@ -3,6 +3,7 @@
 from galaxy import util
 from galaxy.util import inflector
 from galaxy import web
+from markupsafe import escape
 from galaxy.web.base.controller import BaseUIController
 from galaxy.web.base.controllers.admin import Admin
@@ -121,7 +122,7 @@
     @web.expose
     @web.require_admin
     def create_category( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         name = kwd.get( 'name', '' ).strip()
         description = kwd.get( 'description', '' ).strip()
@@ -154,7 +155,7 @@
     @web.expose
     @web.require_admin
     def delete_repository( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         id = kwd.get( 'id', None )
         if id:
@@ -197,7 +198,7 @@
     @web.expose
     @web.require_admin
     def delete_repository_metadata( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         id = kwd.get( 'id', None )
         if id:
@@ -221,7 +222,7 @@
     @web.expose
     @web.require_admin
     def edit_category( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         id = kwd.get( 'id', None )
         if not id:
@@ -306,7 +307,7 @@
     @web.expose
     @web.require_admin
     def regenerate_statistics( self, trans, **kwd ):
-        message = kwd.get( 'message', '' )
+        message = escape( kwd.get( 'message', '' ) )
         status = kwd.get( 'status', 'done' )
         if 'regenerate_statistics_button' in kwd:
             trans.app.shed_counter.generate_statistics()
@@ -352,7 +353,7 @@ if 'reset_metadata_on_selected_repositories_button' in kwd: message, status = rmm.reset_metadata_on_selected_repositories( **kwd ) else: - message = util.restore_text( kwd.get( 'message', '' ) ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) status = kwd.get( 'status', 'done' ) repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids', multiple=True, @@ -366,7 +367,7 @@ @web.expose @web.require_admin def undelete_repository( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if id: @@ -417,7 +418,7 @@ # TODO: We should probably eliminate the Category.deleted column since it really makes no # sense to mark a category as deleted (category names and descriptions can be changed instead). # If we do this, and the following 2 methods can be eliminated. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if id: @@ -445,7 +446,7 @@ # This method should only be called for a Category that has previously been deleted. # Purging a deleted Category deletes all of the following from the database: # - RepoitoryCategoryAssociations where category_id == Category.id - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if id: @@ -473,7 +474,7 @@ @web.expose @web.require_admin def undelete_category( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if id: diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/tool_shed/controllers/repository.py --- a/lib/galaxy/webapps/tool_shed/controllers/repository.py 
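Review bot: `undelete_repository`, the deleted-category handlers and `undelete_category` read `id = kwd.get( 'id', None )` and mutate state from it; nothing in these hunks distinguishes GET from POST or checks a request token, and the rest of each body is outside the view. If no such check exists elsewhere, a logged-in admin's browser can be driven to these URLs by a third-party page, which escaping `message` does not mitigate. Until that is confirmed, a comment on each handler would make the assumption explicit, e.g. `# NOTE(review): state-changing admin action; confirm method restriction / request-token check — TODO`.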
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py @@ -6,6 +6,7 @@ from time import strftime from datetime import date from datetime import datetime +from markupsafe import escape from galaxy import util from galaxy import web @@ -385,7 +386,7 @@ action='reviewed_repositories_i_own' ) ) elif operation == "repositories_by_category": category_id = kwd.get( 'id', None ) - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) return trans.response.send_redirect( web.url_for( controller='repository', action='browse_repositories_in_category', @@ -721,9 +722,9 @@ @web.expose def browse_repository( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) - commit_message = kwd.get( 'commit_message', 'Deleted selected files' ) + commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False ) # Update repository files for browsing. @@ -891,7 +892,7 @@ @web.expose def check_for_updates( self, trans, **kwd ): """Handle a request from a local Galaxy instance.""" - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) # If the request originated with the UpdateRepositoryManager, it will not include a galaxy_url. galaxy_url = common_util.handle_galaxy_url( trans, **kwd ) @@ -976,7 +977,7 @@ @web.expose def contact_owner( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) metadata = metadata_util.get_repository_metadata_by_repository_id_changeset_revision( trans.app, 
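Review bot: `commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )` in `browse_repository` escapes a value whose name and default say it is destined for a Mercurial commit rather than for HTML; the rest of the body is outside the hunk, but if the variable reaches hg, a message like `Fix "x" & y` is recorded as `Fix &#34;x&#34; &amp; y`. `escape()` also returns a `markupsafe.Markup` object rather than a plain `str`, which non-template consumers may not expect. Keep the raw value for the commit and escape only where it is rendered: `commit_message = kwd.get( 'commit_message', 'Deleted selected files' )` here and `escape( commit_message )` at the template call.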
@@ -995,7 +996,7 @@ @web.expose def create_galaxy_docker_image( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_ids = util.listify( kwd.get( 'id', '' ) ) if 'operation' in kwd: @@ -1051,7 +1052,7 @@ @web.expose def create_repository( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) categories = suc.get_categories( trans ) if not categories: @@ -1108,7 +1109,7 @@ # Marking a repository in the tool shed as deprecated has no effect on any downloadable changeset # revisions that may be associated with the repository. Revisions are not marked as not downlaodable # because those that have installed the repository must be allowed to get updates. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_id = kwd.get( 'id', None ) repository = suc.get_repository_in_tool_shed( trans.app, repository_id ) @@ -1164,7 +1165,7 @@ @web.expose def display_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' ) tv = tool_validator.ToolValidator( trans.app ) @@ -1229,7 +1230,7 @@ @web.expose def export( self, trans, repository_id, changeset_revision, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) export_repository_dependencies = kwd.get( 'export_repository_dependencies', '' ) repository = suc.get_repository_in_tool_shed( trans.app, repository_id ) 
@@ -1309,7 +1310,7 @@ @web.expose def find_tools( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) galaxy_url = common_util.handle_galaxy_url( trans, **kwd ) if 'operation' in kwd: @@ -1400,7 +1401,7 @@ @web.expose def find_workflows( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) galaxy_url = common_util.handle_galaxy_url( trans, **kwd ) if 'operation' in kwd: @@ -2020,13 +2021,13 @@ @web.expose def help( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) return trans.fill_template( '/webapps/tool_shed/repository/help.mako', message=message, status=status, **kwd ) @web.expose def import_capsule( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) capsule_file_name = kwd.get( 'capsule_file_name', None ) encoded_file_path = kwd.get( 'encoded_file_path', None ) @@ -2069,7 +2070,7 @@ @web.expose def index( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) # See if there are any RepositoryMetadata records since menu items require them. repository_metadata = trans.sa_session.query( trans.model.RepositoryMetadata ).first() @@ -2151,7 +2152,7 @@ @web.expose def load_invalid_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'error' ) render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' ) tv = tool_validator.ToolValidator( trans.app ) 
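Review bot: In the `help` hunk the escaped value can never reach the template when a `message` parameter is actually supplied: `trans.fill_template( '/webapps/tool_shed/repository/help.mako', message=message, status=status, **kwd )` passes `message` and `status` explicitly and again via `**kwd`, so Python raises `TypeError: got multiple values for keyword argument 'message'` for exactly the request this change is meant to harden. Spreading the raw request dict into the template also hands every other unescaped parameter to mako. Pop the two keys instead: `message = escape( kwd.pop( 'message', '' ) )` and `status = kwd.pop( 'status', 'done' )`, and reconsider whether `**kwd` is needed at all.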
@@ -2203,7 +2204,7 @@ @web.expose @web.require_login( "manage email alerts" ) def manage_email_alerts( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) new_repo_alert = kwd.get( 'new_repo_alert', '' ) new_repo_alert_checked = CheckboxField.is_checked( new_repo_alert ) @@ -2234,7 +2235,7 @@ @web.expose @web.require_login( "manage repository" ) def manage_repository( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repository_type = kwd.get( 'repository_type', str( repository.type ) ) @@ -2500,7 +2501,7 @@ @web.expose @web.require_login( "manage repository administrators" ) def manage_repository_admins( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) changeset_revision = kwd.get( 'changeset_revision', repository.tip( trans.app ) ) @@ -2558,7 +2559,7 @@ @web.expose @web.require_login( "multi select email alerts" ) def multi_select_email_alerts( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) if 'operation' in kwd: operation = kwd[ 'operation' ].lower() @@ -2607,7 +2608,7 @@ @web.expose def preview_tools_in_changeset( self, trans, repository_id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, repository_id ) repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False ) 
@@ -2714,7 +2715,7 @@ @web.require_login( "rate repositories" ) def rate_repository( self, trans, **kwd ): """ Rate a repository and return updated rating data. """ - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if not id: @@ -2787,7 +2788,7 @@ if 'reset_metadata_on_selected_repositories_button' in kwd: message, status = rmm.reset_metadata_on_selected_repositories( **kwd ) else: - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids', multiple=True, @@ -2800,9 +2801,9 @@ @web.expose def select_files_to_delete( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) - commit_message = kwd.get( 'commit_message', 'Deleted selected files' ) + commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repo_dir = repository.repo_path( trans.app ) repo = hg_util.get_repo_for_repository( trans.app, repository=None, repo_path=repo_dir, create=False ) @@ -3145,7 +3146,7 @@ @web.expose def upload_capsule( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) url = kwd.get( 'url', '' ) if 'upload_capsule_button' in kwd: @@ -3175,7 +3176,7 @@ @web.expose def view_changelog( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False ) 
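Review bot: In the `upload_capsule` hunk `url = kwd.get( 'url', '' )` is taken from the request and, given the `upload_capsule_button` branch that follows, is presumably fetched server-side; that fetch is outside the hunk, and nothing here restricts the scheme or host, so an authenticated user could point the Tool Shed at internal addresses. A guard before the fetch, e.g. `if url and not url.lower().startswith( ( 'http://', 'https://' ) ):` followed by an error message and status, plus a check on the resolved host, is worth adding. Escaping `message` does not cover this input; the same `commit_message` escaping concern raised on `browse_repository` applies to `select_files_to_delete` here.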
@@ -3210,7 +3211,7 @@ @web.expose def view_changeset( self, trans, id, ctx_str, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False ) @@ -3302,7 +3303,7 @@ @web.expose def view_repository( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False ) @@ -3390,7 +3391,7 @@ @web.expose def view_tool_metadata( self, trans, repository_id, changeset_revision, tool_id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' ) repository = suc.get_repository_in_tool_shed( trans.app, repository_id ) @@ -3471,7 +3472,7 @@ @web.expose def view_workflow( self, trans, workflow_name, repository_metadata_id, **kwd ): """Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image.""" - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' ) if workflow_name: diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/tool_shed/controllers/repository_review.py --- a/lib/galaxy/webapps/tool_shed/controllers/repository_review.py +++ b/lib/galaxy/webapps/tool_shed/controllers/repository_review.py 
@@ -2,6 +2,7 @@ import os from sqlalchemy.sql.expression import func +from markupsafe import escape from galaxy import util from galaxy import web @@ -40,7 +41,7 @@ @web.require_login( "approve repository review" ) def approve_repository_review( self, trans, **kwd ): # The value of the received id is the encoded review id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) encoded_review_id = kwd[ 'id' ] review = review_util.get_review( trans.app, encoded_review_id ) @@ -74,7 +75,7 @@ @web.expose @web.require_login( "browse review" ) def browse_review( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) review = review_util.get_review( trans.app, kwd[ 'id' ] ) repository = review.repository @@ -105,7 +106,7 @@ @web.expose @web.require_login( "create component" ) def create_component( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) name = kwd.get( 'name', '' ) description = kwd.get( 'description', '' ) @@ -136,7 +137,7 @@ @web.require_login( "create review" ) def create_review( self, trans, **kwd ): # The value of the received id is the encoded repository id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_id = kwd.get( 'id', None ) changeset_revision = kwd.get( 'changeset_revision', None ) @@ -201,7 +202,7 @@ @web.expose @web.require_login( "edit component" ) def edit_component( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if not id: 
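Review bot: `encoded_review_id = kwd[ 'id' ]` in `approve_repository_review` and `review_util.get_review( trans.app, kwd[ 'id' ] )` in `browse_review` index the request dict directly, so a request without `id` raises KeyError and produces an unhandled error instead of the message/status response the rest of the handler builds; the sibling handlers in this same file use `kwd.get( 'id', None )` and check it. Use the same shape, e.g. `encoded_review_id = kwd.get( 'id', None )` followed by an error message when it is missing. Each body continues past its hunk.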
@@ -232,7 +233,7 @@ @web.require_login( "edit review" ) def edit_review( self, trans, **kwd ): # The value of the received id is the encoded review id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) review_id = kwd.get( 'id', None ) review = review_util.get_review( trans.app, review_id ) @@ -408,7 +409,7 @@ @web.require_login( "manage repositories reviewed by me" ) def manage_repositories_reviewed_by_me( self, trans, **kwd ): # The value of the received id is the encoded repository id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) if 'operation' in kwd: kwd[ 'mine' ] = True @@ -475,7 +476,7 @@ @web.require_login( "manage repository reviews" ) def manage_repository_reviews( self, trans, mine=False, **kwd ): # The value of the received id is the encoded repository id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_id = kwd.get( 'id', None ) if repository_id: @@ -524,7 +525,7 @@ @web.require_login( "manage repository reviews of revision" ) def manage_repository_reviews_of_revision( self, trans, **kwd ): # The value of the received id is the encoded repository id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_id = kwd.get( 'id', None ) changeset_revision = kwd.get( 'changeset_revision', None ) @@ -547,7 +548,7 @@ @web.expose @web.require_login( "repository reviews by user" ) def repository_reviews_by_user( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) if 'operation' in kwd: 
@@ -573,7 +574,7 @@ @web.expose @web.require_login( "reviewed repositories i own" ) def reviewed_repositories_i_own( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) # The value of the received id is the encoded repository id. if 'operation' in kwd: @@ -592,7 +593,7 @@ @web.require_login( "select previous review" ) def select_previous_review( self, trans, **kwd ): # The value of the received id is the encoded repository id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, kwd[ 'id' ] ) changeset_revision = kwd.get( 'changeset_revision', None ) diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/galaxy/webapps/tool_shed/controllers/upload.py --- a/lib/galaxy/webapps/tool_shed/controllers/upload.py +++ b/lib/galaxy/webapps/tool_shed/controllers/upload.py @@ -9,6 +9,7 @@ from galaxy import web from galaxy.datatypes import checkers from galaxy.web.base.controller import BaseUIController +from markupsafe import escape from tool_shed.dependencies import attribute_handlers from tool_shed.galaxy_install import dependency_display @@ -34,9 +35,9 @@ @web.expose @web.require_login( 'upload', use_panels=True ) def upload( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) - commit_message = kwd.get( 'commit_message', 'Uploaded' ) + commit_message = escape( kwd.get( 'commit_message', 'Uploaded' ) ) category_ids = util.listify( kwd.get( 'category_id', '' ) ) categories = suc.get_categories( trans.app ) repository_id = kwd.get( 'repository_id', '' ) diff -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 -r c2bed0a496f8fee8685977df733b06dfeac763e6 lib/tool_shed/util/repository_util.py --- a/lib/tool_shed/util/repository_util.py 
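Review bot: `commit_message = escape( kwd.get( 'commit_message', 'Uploaded' ) )` in `upload` escapes at input a value whose name and default say it becomes the Mercurial commit message; the hg call is outside the hunk, but if this variable reaches it the changelog will store HTML entities for `&`, `<`, `>` and quotes instead of the text the user typed. Escape where the value is rendered, not where it is read: `commit_message = kwd.get( 'commit_message', 'Uploaded' )` here, and `escape( commit_message )` at the template call.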
+++ b/lib/tool_shed/util/repository_util.py @@ -7,6 +7,7 @@ from galaxy import web from galaxy.web.form_builder import build_select_field from galaxy.webapps.tool_shed.model import directory_hash_id +from markupsafe import escape from tool_shed.dependencies.repository import relation_builder @@ -256,7 +257,7 @@ def handle_role_associations( app, role, repository, **kwd ): sa_session = app.model.context.current - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_owner = repository.user if kwd.get( 'manage_role_associations_button', False ): https://bitbucket.org/galaxy/galaxy-central/commits/8d371e7b28dc/ Changeset: 8d371e7b28dc Branch: stable User: davebgx Date: 2014-12-11 16:36:55+00:00 Summary: Also escape repository names, just in case. Affected #: 1 file diff -r c2bed0a496f8fee8685977df733b06dfeac763e6 -r 8d371e7b28dc02d732d59f6477adb48d651a97ac lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py --- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py +++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py @@ -53,7 +53,7 @@ try: trans.app.installed_repository_manager.activate_repository( repository ) except Exception, e: - error_message = "Error activating repository %s: %s" % ( repository.name, str( e ) ) + error_message = "Error activating repository %s: %s" % ( escape( repository.name ), str( e ) ) log.exception( error_message ) message = '%s.<br/>You may be able to resolve this by uninstalling and then reinstalling the repository. Click <a href="%s">here</a> to uninstall the repository.' \ % ( error_message, web.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) ) ) 
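Review bot: In the admin_toolshed `activate_repository` hunk the exception text is still interpolated raw: `error_message = "Error activating repository %s: %s" % ( escape( repository.name ), str( e ) )` escapes the name but not `str( e )`, and the result is then wrapped in HTML with `<br/>` and an `<a href>`; exception messages raised during activation can embed repository-controlled strings. The escaped form is also what `log.exception( error_message )` records, so the log loses the real name. Log the raw text and escape both parts when building the HTML: `log.exception( "Error activating repository %s", repository.name )` and `error_message = "Error activating repository %s: %s" % ( escape( repository.name ), escape( str( e ) ) )`.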
@@ -63,7 +63,7 @@ id=repository_id, message=message, status=status ) ) - message = 'The <b>%s</b> repository has been activated.' % repository.name + message = 'The <b>%s</b> repository has been activated.' % escape( repository.name ) status = 'done' return trans.response.send_redirect( web.url_for( controller='admin_toolshed', action='browse_repositories', @@ -142,7 +142,7 @@ action='reselect_tool_panel_section', **kwd ) ) else: - message = "Unable to get latest revision for repository <b>%s</b> from " % str( repository.name ) + message = "Unable to get latest revision for repository <b>%s</b> from " % escape( str( repository.name ) ) message += "the Tool Shed, so repository re-installation is not possible at this time." status = "error" return trans.response.send_redirect( web.url_for( controller='admin_toolshed', @@ -304,14 +304,14 @@ trans.install_model.context.add( tool_shed_repository ) trans.install_model.context.flush() if remove_from_disk_checked: - message = 'The repository named <b>%s</b> has been uninstalled. ' % tool_shed_repository.name + message = 'The repository named <b>%s</b> has been uninstalled. ' % escape( tool_shed_repository.name ) if errors: message += 'Attempting to uninstall tool dependencies resulted in errors: %s' % errors status = 'error' else: status = 'done' else: - message = 'The repository named <b>%s</b> has been deactivated. ' % tool_shed_repository.name + message = 'The repository named <b>%s</b> has been deactivated. ' % escape( tool_shed_repository.name ) status = 'done' return trans.response.send_redirect( web.url_for( controller='admin_toolshed', action='browse_repositories', 
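Review bot: The messages built here (`'The <b>%s</b> repository has been activated.' % escape( repository.name )` and the uninstall/deactivate variants) are sent through `send_redirect( ... message=message ... )`, and the receiving side in this same series escapes `kwd[ 'message' ]` (see `browse_repository` at `@@ -72` below); if `browse_repositories` does the same, the `<b>` tags will be displayed literally and the name becomes double-escaped (`&amp;lt;`). The `'Attempting to uninstall tool dependencies resulted in errors: %s' % errors` line in the same hunk also interpolates `errors` unescaped. Pick one side to escape: pass plain text through the redirect and let the receiver escape once, or render the message directly instead of via the query string.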
@@ -454,7 +454,7 @@ workflow_name = encoding_util.tool_shed_encode( str( workflow.name ) ) else: message += 'Unable to locate a workflow named <b>%s</b> within the installed tool shed repository named <b>%s</b>' % \ - ( str( workflow_name ), str( repository.name ) ) + ( escape( str( workflow_name ) ), escape( str( repository.name ) ) ) status = 'error' else: message = 'Invalid repository id <b>%s</b> received.' % str( repository_id ) @@ -610,7 +610,7 @@ relative_install_dir, set_status=False ) message = "The installed repository named '%s' has been updated to change set revision '%s'. " % \ - ( str( repository.name ), updating_to_changeset_revision ) + ( escape( str( repository.name ) ), updating_to_changeset_revision ) self.initiate_tool_dependency_installation( trans, tool_dependencies, message=message, status=status ) # Handle tool dependencies check box. if trans.app.config.tool_dependency_dir is None: @@ -903,7 +903,7 @@ # The user must be on the manage_repository_tool_dependencies page and clicked the button to either install or uninstall a # tool dependency, but they didn't check any of the available tool dependencies on which to perform the action. tool_shed_repository = suc.get_tool_shed_repository_by_id( trans.app, repository_id ) - self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % tool_shed_repository.name + self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % escape( tool_shed_repository.name ) if 'operation' in kwd: operation = kwd[ 'operation' ].lower() if not tool_dependency_ids: 
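Review bot: One line below the escaped names, `message = 'Invalid repository id <b>%s</b> received.' % str( repository_id )` still interpolates the request-supplied `repository_id` into HTML without escaping, so the else branch keeps the reflection the changed line removes. Apply the same treatment: `message = 'Invalid repository id <b>%s</b> received.' % escape( str( repository_id ) )`. The function continues outside the hunk.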
@@ -1031,7 +1031,7 @@ # The Tool Shed cannot handle the get_repository_id request, so the code must be older than the # 04/2014 Galaxy release when it was introduced. It will be safest to error out and let the # Tool Shed admin update the Tool Shed to a later release. - message = 'The updates available for the repository <b>%s</b> ' % str( repository.name ) + message = 'The updates available for the repository <b>%s</b> ' % escape( str( repository.name ) ) message += 'include newly defined repository or tool dependency definitions, and attempting ' message += 'to update the repository resulted in the following error. Contact the Tool Shed ' message += 'administrator if necessary.<br/>%s' % str( e ) @@ -1649,12 +1649,12 @@ no_changes_check_box = CheckboxField( 'no_changes', checked=True ) if original_section_name: message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel section <b>%s</b>. " \ - % ( tool_shed_repository.name, original_section_name ) + % ( escape( tool_shed_repository.name ), original_section_name ) message += "Uncheck the <b>No changes</b> check box and select a different tool panel section to load the tools in a " message += "different section in the tool panel. " status = 'warning' else: - message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % tool_shed_repository.name + message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % escape( tool_shed_repository.name ) message += "Uncheck the <b>No changes</b> check box and select a tool panel section to load the tools into that section. " status = 'warning' else: 
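Review bot: In the `@@ -1031` hunk the name is escaped but two lines later `message += 'administrator if necessary.<br/>%s' % str( e )` appends the exception text raw; the surrounding comment says this error wraps a Tool Shed response, so the text can carry remote content straight into the page. Use `message += 'administrator if necessary.<br/>%s' % escape( str( e ) )`. The `@@ -1649` hunk has the same gap on `original_section_name`, which is escaped on neither `<b>%s</b>` line while the repository name beside it is.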
@@ -1750,13 +1750,13 @@ irmm.update_in_shed_tool_config() trans.install_model.context.add( repository ) trans.install_model.context.flush() - message = 'Metadata has been reset on repository <b>%s</b>.' % repository.name + message = 'Metadata has been reset on repository <b>%s</b>.' % escape( repository.name ) status = 'done' else: - message = 'Metadata did not need to be reset on repository <b>%s</b>.' % repository.name + message = 'Metadata did not need to be reset on repository <b>%s</b>.' % escape( repository.name ) status = 'done' else: - message = 'Error locating installation directory for repository <b>%s</b>.' % repository.name + message = 'Error locating installation directory for repository <b>%s</b>.' % escape( repository.name ) status = 'error' return trans.response.send_redirect( web.url_for( controller='admin_toolshed', action='manage_repository', @@ -1778,7 +1778,7 @@ uninstalled=False, remove_from_disk=True ) new_kwd = {} - new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % str( repository.name ) + new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % escape( str( repository.name ) ) new_kwd[ 'status' ] = "done" return trans.response.send_redirect( web.url_for( controller='admin_toolshed', action='browse_repositories', @@ -1809,7 +1809,7 @@ message = "Tool versions have been set for all included tools." status = 'done' else: - message = "Version information for the tools included in the <b>%s</b> repository is missing. " % repository.name + message = "Version information for the tools included in the <b>%s</b> repository is missing. " % escape( repository.name ) message += "Reset all of this reppository's metadata in the tool shed, then set the installed tool versions " message ++ "from the installed repository's <b>Repository Actions</b> menu. " status = 'error' 
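Review bot: In the `@@ -1809` hunk the error branch cannot run to completion: the context line `message ++ "from the installed repository's <b>Repository Actions</b> menu. "` parses as `message + ( +"..." )`, and unary plus on a str raises TypeError, so the newly escaped message is never returned and an unhandled error is shown instead. Change it to `message += "from the installed repository's <b>Repository Actions</b> menu. "` (and `reppository's` on the line above is a typo). The function body continues outside the hunk.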
@@ -2084,7 +2084,7 @@ if ok: success_count += 1 else: - repository_names_not_updated.append( '<b>%s</b>' % str( repository.name ) ) + repository_names_not_updated.append( '<b>%s</b>' % escape( str( repository.name ) ) ) if updated: updated_count += 1 message = "Checked the status in the tool shed for %d repositories. " % success_count @@ -2099,11 +2099,11 @@ repository_util.check_or_update_tool_shed_status_for_installed_repository( trans.app, repository ) if ok: if updated: - message = "The tool shed status for repository <b>%s</b> has been updated." % str( repository.name ) + message = "The tool shed status for repository <b>%s</b> has been updated." % escape( str( repository.name ) ) else: - message = "The status has not changed in the tool shed for repository <b>%s</b>." % str( repository.name ) + message = "The status has not changed in the tool shed for repository <b>%s</b>." % escape( str( repository.name ) ) else: - message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % str( repository.name ) + message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % escape( str( repository.name ) ) status = 'error' return trans.response.send_redirect( web.url_for( controller='admin_toolshed', action='browse_repositories', https://bitbucket.org/galaxy/galaxy-central/commits/77528372d36c/ Changeset: 77528372d36c Branch: stable User: davebgx Date: 2014-12-11 16:39:50+00:00 Summary: One message was left unescaped. Affected #: 1 file diff -r 8d371e7b28dc02d732d59f6477adb48d651a97ac -r 77528372d36c367e5af62f2185d0b332cb901d97 lib/galaxy/webapps/galaxy/controllers/library_admin.py --- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py +++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py 
@@ -162,12 +162,12 @@ library.root_folder = root_folder trans.sa_session.add_all( ( library, root_folder ) ) trans.sa_session.flush() - message = "The new library named '%s' has been created" % library.name + message = "The new library named '%s' has been created" return trans.response.send_redirect( web.url_for( controller='library_common', action='browse_library', cntrller='library_admin', id=trans.security.encode_id( library.id ), - message=message, + message=escape( message ), status='done' ) ) return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) ) @web.expose https://bitbucket.org/galaxy/galaxy-central/commits/e416697be38e/ Changeset: e416697be38e Branch: stable User: martenson Date: 2014-12-11 18:08:35+00:00 Summary: Merged in davebgx/galaxy-central/stable (pull request #606) [STABLE] Escape instances of message passed in through kwd before pushing them back out to mako. Affected #: 14 files diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/web/base/controllers/admin.py --- a/lib/galaxy/web/base/controllers/admin.py +++ b/lib/galaxy/web/base/controllers/admin.py @@ -7,6 +7,7 @@ from galaxy.web.form_builder import CheckboxField from string import punctuation as PUNCTUATION import galaxy.queue_worker +from markupsafe import escape from tool_shed.util import shed_util_common as suc @@ -28,7 +29,7 @@ @web.expose @web.require_admin def index( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) if trans.webapp.name == 'galaxy': installed_repositories = trans.install_model.context.query( trans.install_model.ToolShedRepository ).first() 
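Review bot: The new line `message = "The new library named '%s' has been created"` drops the `% library.name` the old line had, so the redirect message now literally contains `'%s'` and the library name is no longer shown; moving `escape()` onto the redirect did not require removing the interpolation. Restore it and let the single escape cover the name: `message = "The new library named '%s' has been created" % library.name`, keeping `message=escape( message )` on the redirect. The template branch below already escapes `status` as well, which is the model the other controllers in this series should follow.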
@@ -46,7 +47,7 @@ @web.expose @web.require_admin def center( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) if trans.webapp.name == 'galaxy': return trans.fill_template( '/webapps/galaxy/admin/center.mako', diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/demo_sequencer/controllers/common.py --- a/lib/galaxy/webapps/demo_sequencer/controllers/common.py +++ b/lib/galaxy/webapps/demo_sequencer/controllers/common.py @@ -4,6 +4,7 @@ import time, socket, urllib, urllib2, base64, copy from galaxy.util.json import * from urllib import quote_plus, unquote_plus +from markupsafe import escape import logging log = logging.getLogger( __name__ ) @@ -16,7 +17,7 @@ titles = util.listify( titles ) JobId = util.restore_text( kwd.get( 'JobId', '' ) ) sample_id = util.restore_text( kwd.get( 'sample_id', '' ) ) - message = util.restore_text( kwd.get( 'message', '' ) ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) status = kwd.get( 'status', 'done' ) redirect_delay = trans.app.sequencer_actions_registry.redirect_delay sequencer_redirects = copy.deepcopy( trans.app.sequencer_actions_registry.sequencer_redirects ) @@ -144,7 +145,7 @@ titles = util.restore_text( kwd.get( 'titles', '' ) ) JobId = util.restore_text( kwd.get( 'JobId', '' ) ) sample_id = util.restore_text( kwd.get( 'sample_id', '' ) ) - message = util.restore_text( kwd.get( 'message', '' ) ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) status = kwd.get( 'status', 'done' ) url, http_method, request_params, response_type = request_tup url = unquote_plus( url ) diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/admin.py --- a/lib/galaxy/webapps/galaxy/controllers/admin.py +++ b/lib/galaxy/webapps/galaxy/controllers/admin.py 
@@ -17,6 +17,7 @@
 from galaxy.web.params import QuotaParamParser
 from tool_shed.util import common_util
 from tool_shed.util import encoding_util
+from markupsafe import escape
 log = logging.getLogger( __name__ )
@@ -838,7 +839,7 @@
 @web.expose
 @web.require_admin
 def review_tool_migration_stages( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
 status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
 migration_stages_dict = odict()
 migration_modules = []
@@ -870,13 +871,13 @@
 @web.expose
 @web.require_admin
 def view_datatypes_registry( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
 status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
 return trans.fill_template( 'admin/view_datatypes_registry.mako', message=message, status=status )
 @web.expose
 @web.require_admin
 def view_tool_data_tables( self, trans, **kwd ):
- message = galaxy.util.restore_text( kwd.get( 'message', '' ) )
+ message = escape( galaxy.util.restore_text( kwd.get( 'message', '' ) ) )
 status = galaxy.util.restore_text( kwd.get( 'status', 'done' ) )
 return trans.fill_template( 'admin/view_data_tables_registry.mako', message=message, status=status )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
@@ -8,6 +8,7 @@
 from galaxy.web.form_builder import CheckboxField
 from galaxy.util import json
 from galaxy.model.orm import or_
+from markupsafe import escape
 import tool_shed.repository_types.util as rt_util
@@ -52,7 +53,7 @@
 try:
 trans.app.installed_repository_manager.activate_repository( repository )
 except Exception, e:
- error_message = "Error activating repository %s: %s" % ( repository.name, str( e ) )
+ error_message = "Error activating repository %s: %s" % ( escape( repository.name ), str( e ) )
 log.exception( error_message )
 message = '%s.<br/>You may be able to resolve this by uninstalling and then reinstalling the repository. Click <a href="%s">here</a> to uninstall the repository.' \
 % ( error_message, web.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) ) )
@@ -62,7 +63,7 @@
 id=repository_id,
 message=message,
 status=status ) )
- message = 'The <b>%s</b> repository has been activated.' % repository.name
+ message = 'The <b>%s</b> repository has been activated.' % escape( repository.name )
 status = 'done'
 return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
 action='browse_repositories',
@@ -72,7 +73,7 @@
 @web.expose
 @web.require_admin
 def browse_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 repository = repository_util.get_installed_tool_shed_repository( trans.app, kwd[ 'id' ] )
 return trans.fill_template( '/admin/tool_shed_repository/browse_repository.mako',
@@ -141,7 +142,7 @@
 action='reselect_tool_panel_section',
 **kwd ) )
 else:
- message = "Unable to get latest revision for repository <b>%s</b> from " % str( repository.name )
+ message = "Unable to get latest revision for repository <b>%s</b> from " % escape( str( repository.name ) )
 message += "the Tool Shed, so repository re-installation is not possible at this time."
 status = "error"
 return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
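Review bot: In the activate_repository except branch, `error_message` now escapes `repository.name` but still interpolates `str( e )` unescaped, and that string is then spliced into an HTML `message` carrying `<br/>` and an anchor. Exception text routinely echoes the inputs that triggered it (paths, names, remote responses), so it needs the same treatment: `error_message = "Error activating repository %s: %s" % ( escape( repository.name ), escape( str( e ) ) )`. The same pattern recurs in this file at the @@ -1030 hunk (`'administrator if necessary.<br/>%s' % str( e )`) and in library_common.py at @@ -152. The enclosing method begins outside this hunk.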
@@ -169,7 +170,7 @@
 @web.expose
 @web.require_admin
 def browse_tool_dependency( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
 tool_dependency = tool_dependency_util.get_tool_dependency( trans.app, tool_dependency_ids[ 0 ] )
@@ -197,7 +198,7 @@
 @web.expose
 @web.require_admin
 def browse_tool_sheds( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 return trans.fill_template( '/webapps/galaxy/admin/tool_sheds.mako',
 message=message,
@@ -230,7 +231,7 @@
 require the same entry. For now we'll never delete entries from config.shed_tool_data_table_config, but we may choose to do so in the future if it becomes necessary.
 """
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 remove_from_disk = kwd.get( 'remove_from_disk', '' )
 remove_from_disk_checked = CheckboxField.is_checked( remove_from_disk )
@@ -303,14 +304,14 @@
 trans.install_model.context.add( tool_shed_repository )
 trans.install_model.context.flush()
 if remove_from_disk_checked:
- message = 'The repository named <b>%s</b> has been uninstalled. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been uninstalled. ' % escape( tool_shed_repository.name )
 if errors:
 message += 'Attempting to uninstall tool dependencies resulted in errors: %s' % errors
 status = 'error'
 else:
 status = 'done'
 else:
- message = 'The repository named <b>%s</b> has been deactivated. ' % tool_shed_repository.name
+ message = 'The repository named <b>%s</b> has been deactivated. ' % escape( tool_shed_repository.name )
 status = 'done'
 return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
 action='browse_repositories',
@@ -442,7 +443,7 @@
 @web.require_admin
 def import_workflow( self, trans, workflow_name, repository_id, **kwd ):
 """Import a workflow contained in an installed tool shed repository into Galaxy."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 if workflow_name:
 workflow_name = encoding_util.tool_shed_decode( workflow_name )
@@ -453,7 +454,7 @@
 workflow_name = encoding_util.tool_shed_encode( str( workflow.name ) )
 else:
 message += 'Unable to locate a workflow named <b>%s</b> within the installed tool shed repository named <b>%s</b>' % \
- ( str( workflow_name ), str( repository.name ) )
+ ( escape( str( workflow_name ) ), escape( str( repository.name ) ) )
 status = 'error'
 else:
 message = 'Invalid repository id <b>%s</b> received.' % str( repository_id )
@@ -479,7 +480,7 @@
 tool shed repository.
 """
 # Get the tool_shed_repository from one of the tool_dependencies.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 err_msg = ''
 tool_shed_repository = tool_dependencies[ 0 ].tool_shed_repository
@@ -512,7 +513,7 @@
 @web.require_admin
 def install_latest_repository_revision( self, trans, **kwd ):
 """Install the latest installable revision of a repository that has been previously installed."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 repository_id = kwd.get( 'id', None )
 if repository_id is not None:
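Review bot: In import_workflow the `message += 'Unable to locate a workflow named <b>%s</b> ...'` line now appends a plain string to a markupsafe `Markup` object (`message` is the result of `escape( kwd.get( 'message', '' ) )` in the @@ -442 hunk), and `Markup.__add__` escapes its right-hand operand, so the `<b>` tags will render literally and the names escaped on the new continuation line will be escaped a second time. Let Markup do the escaping of the values only: `from markupsafe import Markup, escape` at the import hunk, and `message += Markup( 'Unable to locate a workflow named <b>%s</b> within the installed tool shed repository named <b>%s</b>' ) % ( str( workflow_name ), str( repository.name ) )`. The same `+=`-onto-Markup hazard applies wherever a method initialises `message` via `escape()` and later appends markup, e.g. the @@ -1648 hunk of this file, whose initialisation is outside its hunk. The unchanged else branch `'Invalid repository id <b>%s</b> received.' % str( repository_id )` also leaves a request-supplied value unescaped.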
@@ -589,7 +590,7 @@
 updating_to_changeset_revision = kwd.get( 'updating_to_changeset_revision', None )
 updating_to_ctx_rev = kwd.get( 'updating_to_ctx_rev', None )
 encoded_updated_metadata = kwd.get( 'encoded_updated_metadata', None )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 install_tool_dependencies = CheckboxField.is_checked( kwd.get( 'install_tool_dependencies', '' ) )
 if 'install_tool_dependencies_with_update_button' in kwd:
@@ -609,7 +610,7 @@
 relative_install_dir,
 set_status=False )
 message = "The installed repository named '%s' has been updated to change set revision '%s'. " % \
- ( str( repository.name ), updating_to_changeset_revision )
+ ( escape( str( repository.name ) ), updating_to_changeset_revision )
 self.initiate_tool_dependency_installation( trans, tool_dependencies, message=message, status=status )
 # Handle tool dependencies check box.
 if trans.app.config.tool_dependency_dir is None:
@@ -665,7 +666,7 @@
 @web.expose
 @web.require_admin
 def manage_repositories( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 tsridslist = common_util.get_tool_shed_repository_ids( **kwd )
 if 'operation' in kwd:
@@ -744,7 +745,7 @@
 @web.expose
 @web.require_admin
 def manage_repository( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 repository_id = kwd.get( 'id', None )
 if repository_id is None:
@@ -808,7 +809,7 @@
 @web.expose
 @web.require_admin
 def manage_repository_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
 if tool_dependency_ids:
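Review bot: In the @@ -609 hunk the updated-repository message escapes `repository.name` but interpolates `updating_to_changeset_revision` as-is, and the @@ -589 hunk above shows that value is read straight from `kwd`; the message is then handed to initiate_tool_dependency_installation for display. A request-supplied value deserves at least the escaping given to the model field: `( escape( str( repository.name ) ), escape( updating_to_changeset_revision ) )`. The enclosing method begins outside the hunk.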
@@ -890,7 +891,7 @@
 def manage_tool_dependencies( self, trans, **kwd ):
 # This method is called when tool dependencies are being installed. See the related manage_repository_tool_dependencies
 # method for managing the tool dependencies for a specified installed tool shed repository.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
 repository_id = kwd.get( 'repository_id', None )
@@ -902,7 +903,7 @@
 # The user must be on the manage_repository_tool_dependencies page and clicked the button to either install or uninstall a
 # tool dependency, but they didn't check any of the available tool dependencies on which to perform the action.
 tool_shed_repository = suc.get_tool_shed_repository_by_id( trans.app, repository_id )
- self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % tool_shed_repository.name
+ self.tool_dependency_grid.title = "Tool shed repository '%s' tool dependencies" % escape( tool_shed_repository.name )
 if 'operation' in kwd:
 operation = kwd[ 'operation' ].lower()
 if not tool_dependency_ids:
@@ -978,7 +979,7 @@
 message += 'of Galaxy Tool Shed repository tools into a local Galaxy instance</a> section of the Galaxy Tool '
 message += 'Shed wiki for all of the details.'
 return trans.show_error_message( message )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 shed_tool_conf = kwd.get( 'shed_tool_conf', None )
 tool_shed_url = kwd.get( 'tool_shed_url', '' )
@@ -1030,7 +1031,7 @@
 # The Tool Shed cannot handle the get_repository_id request, so the code must be older than the
 # 04/2014 Galaxy release when it was introduced. It will be safest to error out and let the
 # Tool Shed admin update the Tool Shed to a later release.
- message = 'The updates available for the repository <b>%s</b> ' % str( repository.name )
+ message = 'The updates available for the repository <b>%s</b> ' % escape( str( repository.name ) )
 message += 'include newly defined repository or tool dependency definitions, and attempting '
 message += 'to update the repository resulted in the following error. Contact the Tool Shed '
 message += 'administrator if necessary.<br/>%s' % str( e )
@@ -1314,7 +1315,7 @@
 and tool dependencies of the repository.
 """
 rdim = repository_dependency_manager.RepositoryDependencyInstallManager( trans.app )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 repository_id = kwd[ 'id' ]
 tool_shed_repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
@@ -1450,7 +1451,7 @@
 Inspect the repository dependency hierarchy for a specified repository and attempt to make sure they are all properly installed as well as each repository's tool dependencies.
 """
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 repository_id = kwd.get( 'id', None )
 if not repository_id:
@@ -1648,12 +1649,12 @@
 no_changes_check_box = CheckboxField( 'no_changes', checked=True )
 if original_section_name:
 message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel section <b>%s</b>. " \
- % ( tool_shed_repository.name, original_section_name )
+ % ( escape( tool_shed_repository.name ), original_section_name )
 message += "Uncheck the <b>No changes</b> check box and select a different tool panel section to load the tools in a "
 message += "different section in the tool panel. "
 status = 'warning'
 else:
- message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % tool_shed_repository.name
+ message += "The tools contained in your <b>%s</b> repository were last loaded into the tool panel outside of any sections. " % escape( tool_shed_repository.name )
 message += "Uncheck the <b>No changes</b> check box and select a tool panel section to load the tools into that section. "
 status = 'warning'
 else:
@@ -1715,7 +1716,7 @@
 if 'reset_metadata_on_selected_repositories_button' in kwd:
 message, status = irmm.reset_metadata_on_selected_repositories( trans.user, **kwd )
 else:
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 repositories_select_field = irmm.build_repository_ids_select_field()
 return trans.fill_template( '/admin/tool_shed_repository/reset_metadata_on_selected_repositories.mako',
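Review bot: In the @@ -1648 hunk `original_section_name` is interpolated into a `<b>…</b>` message next to the now-escaped `tool_shed_repository.name` but is left unescaped; its origin is outside the hunk, and if it comes from stored tool-panel configuration or from the request it should get the same treatment, `% ( escape( tool_shed_repository.name ), escape( original_section_name ) )`. If it is known to be a trusted constant, a comment saying so on that line would spare the next reader the same question. The enclosing method begins outside the hunk.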
@@ -1749,13 +1750,13 @@
 irmm.update_in_shed_tool_config()
 trans.install_model.context.add( repository )
 trans.install_model.context.flush()
- message = 'Metadata has been reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata has been reset on repository <b>%s</b>.' % escape( repository.name )
 status = 'done'
 else:
- message = 'Metadata did not need to be reset on repository <b>%s</b>.' % repository.name
+ message = 'Metadata did not need to be reset on repository <b>%s</b>.' % escape( repository.name )
 status = 'done'
 else:
- message = 'Error locating installation directory for repository <b>%s</b>.' % repository.name
+ message = 'Error locating installation directory for repository <b>%s</b>.' % escape( repository.name )
 status = 'error'
 return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
 action='manage_repository',
@@ -1777,7 +1778,7 @@
 uninstalled=False,
 remove_from_disk=True )
 new_kwd = {}
- new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % str( repository.name )
+ new_kwd[ 'message' ] = "You can now attempt to install the repository named <b>%s</b> again." % escape( str( repository.name ) )
 new_kwd[ 'status' ] = "done"
 return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
 action='browse_repositories',
@@ -1808,7 +1809,7 @@
 message = "Tool versions have been set for all included tools."
 status = 'done'
 else:
- message = "Version information for the tools included in the <b>%s</b> repository is missing. " % repository.name
+ message = "Version information for the tools included in the <b>%s</b> repository is missing. " % escape( repository.name )
 message += "Reset all of this reppository's metadata in the tool shed, then set the installed tool versions "
 message ++ "from the installed repository's <b>Repository Actions</b> menu. "
 status = 'error'
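Review bot: The three reset-metadata messages in the @@ -1749 hunk embed `<b>` markup plus an escaped repository name and are then redirected to manage_repository, which after this commit escapes `kwd.get( 'message', '' )` on receipt (@@ -744 hunk above); assuming the redirect passes `message=message` as elsewhere in this file, the tags will render literally and the name's entities will be escaped a second time. Escaping belongs at one end only — either keep these builder lines plain and rely on the receiving controller, or have the receiver accept already-escaped markup — and the same question applies to the @@ -1777 redirect and to the @@ -2083 and @@ -2098 messages below if browse_repositories escapes incoming messages. Separately, the unchanged @@ -1808 context line `message ++ "from the installed repository's ..."` is a pre-existing bug: `++` parses as a unary plus applied to the string and raises TypeError at runtime, so it should read `message += "from the installed repository's <b>Repository Actions</b> menu. "`; the preceding line also misspells "reppository". The enclosing methods begin outside these hunks.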
@@ -1852,7 +1853,7 @@
 @web.expose
 @web.require_admin
 def uninstall_tool_dependencies( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 tool_dependency_ids = tool_dependency_util.get_tool_dependency_ids( as_string=False, **kwd )
 if not tool_dependency_ids:
@@ -1897,7 +1898,7 @@
 @web.require_admin
 def update_to_changeset_revision( self, trans, **kwd ):
 """Update a cloned repository to the latest revision possible."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 tool_shed_url = kwd.get( 'tool_shed_url', '' )
 # Handle protocol changes over time.
@@ -2070,7 +2071,7 @@
 @web.expose
 @web.require_admin
 def update_tool_shed_status_for_installed_repository( self, trans, all_installed_repositories=False, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 if all_installed_repositories:
 success_count = 0
@@ -2083,7 +2084,7 @@
 if ok:
 success_count += 1
 else:
- repository_names_not_updated.append( '<b>%s</b>' % str( repository.name ) )
+ repository_names_not_updated.append( '<b>%s</b>' % escape( str( repository.name ) ) )
 if updated:
 updated_count += 1
 message = "Checked the status in the tool shed for %d repositories. " % success_count
@@ -2098,11 +2099,11 @@
 repository_util.check_or_update_tool_shed_status_for_installed_repository( trans.app, repository )
 if ok:
 if updated:
- message = "The tool shed status for repository <b>%s</b> has been updated." % str( repository.name )
+ message = "The tool shed status for repository <b>%s</b> has been updated." % escape( str( repository.name ) )
 else:
- message = "The status has not changed in the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "The status has not changed in the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
 else:
- message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % str( repository.name )
+ message = "Unable to retrieve status from the tool shed for repository <b>%s</b>." % escape( str( repository.name ) )
 status = 'error'
 return trans.response.send_redirect( web.url_for( controller='admin_toolshed',
 action='browse_repositories',
@@ -2112,7 +2113,7 @@
 @web.expose
 @web.require_admin
 def view_tool_metadata( self, trans, repository_id, tool_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 repository = repository_util.get_installed_tool_shed_repository( trans.app, repository_id )
 repository_metadata = repository.metadata
@@ -2146,7 +2147,7 @@
 @web.require_admin
 def view_workflow( self, trans, workflow_name=None, repository_id=None, **kwd ):
 """Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 if workflow_name:
 workflow_name = encoding_util.tool_shed_decode( workflow_name )
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -5,8 +5,9 @@
 from galaxy import web
 from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import escape, grids, time_ago
+from galaxy.web.framework.helpers import grids, time_ago
 from library_common import get_comptypes, lucene_search, whoosh_search
+from markupsafe import escape
 # from galaxy.model.orm import *
 log = logging.getLogger( __name__ )
@@ -148,7 +149,7 @@
 @web.expose
 @web.require_admin
 def create_library( self, trans, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 if kwd.get( 'create_library_button', False ):
 name = kwd.get( 'name', 'No name' )
@@ -161,12 +162,12 @@
 library.root_folder = root_folder
 trans.sa_session.add_all( ( library, root_folder ) )
 trans.sa_session.flush()
- message = "The new library named '%s' has been created" % library.name
+ message = "The new library named '%s' has been created"
 return trans.response.send_redirect( web.url_for( controller='library_common',
 action='browse_library',
 cntrller='library_admin',
 id=trans.security.encode_id( library.id ),
- message=message,
+ message=escape( message ),
 status='done' ) )
 return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) )
 @web.expose
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/library_common.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_common.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py
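Review bot: Replacing `galaxy.web.framework.helpers.escape` with `markupsafe.escape` in the @@ -5 hunk changes the return type to `Markup`, a str subclass whose `+`, `%` and `join` auto-escape plain-string operands and which `escape()` passes through untouched; whether the replaced helper behaved that way is not visible here, and the difference matters for every `message +=` and `'%s' % message` downstream. A one-line comment at the import would stop the next maintainer from treating it as a plain-string filter, e.g. `# markupsafe.escape returns Markup: re-escaping it is a no-op, but concatenating a plain str onto it escapes that str`. The same swap happens in library_common.py (@@ -20), user.py (@@ -28) and workflow.py (@@ -22 / @@ -37) further down.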
@@ -20,7 +20,7 @@
 from galaxy.util.streamball import StreamBall
 from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems
 from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field
-from galaxy.web.framework.helpers import escape
+from markupsafe import escape
 from galaxy.model.orm import and_, eagerload_all
 # Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled.
@@ -93,7 +93,7 @@
 @web.expose
 def browse_library( self, trans, cntrller='library', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 # If use_panels is True, the library is being accessed via an external link
 # which did not originate from within the Galaxy instance, and the library will
@@ -121,7 +121,7 @@
 hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) )
 if created_ldda_ids and not message:
 message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \
- ( len( created_ldda_ids.split( ',' ) ), library.name )
+ ( len( created_ldda_ids.split( ',' ) ), escape( library.name ) )
 message += "Don't navigate away from Galaxy or use the browser's \"stop\" or \"reload\" buttons (on this tab) until the "
 message += "message \"This job is running\" is cleared from the \"Information\" column below for each selected dataset."
 status = "info"
@@ -152,7 +152,7 @@
 message=escape( message ),
 status=escape( status ) )
 except Exception, e:
- message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) )
+ message = 'Error attempting to display contents of library (%s): %s.' % ( escape( str( library.name ) ), str( e ) )
 status = 'error'
 default_action = kwd.get( 'default_action', None )
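Review bot: In the @@ -121 hunk `escape( library.name )` is formatted into a plain str via `%`, and the `fill_template` call visible at the top of the @@ -152 hunk — which appears to be the render path for this same `message` — applies `escape( message )` to it again, so a library name containing `&`, `<`, `>` or quotes will show up as `&amp;amp;`-style entities. Because the render side already escapes, the inner call should be dropped (restore `library.name` on the continuation line); the except branch at @@ -152 has the same shape, escaping `str( library.name )` while `str( e )` beside it stays raw and the result presumably leaves through a redirect that is escaped on receipt. browse_library's body extends beyond these hunks.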
@@ -164,7 +164,7 @@
 status=status ) )
 @web.expose
 def library_info( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -223,7 +223,7 @@
 status=escape( status ) )
 @web.expose
 def library_permissions( self, trans, cntrller, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
@@ -269,7 +269,7 @@
 status=escape( status ) )
 @web.expose
 def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -345,7 +345,7 @@
 status=escape( status ) )
 @web.expose
 def folder_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -401,7 +401,7 @@
 status=escape( status ) )
 @web.expose
 def folder_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -450,7 +450,7 @@
 status=escape( status ) )
 @web.expose
 def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -505,7 +505,7 @@
 old_name = ldda.name
 new_name = kwd.get( 'name', '' )
 new_info = kwd.get( 'info', '' )
- new_message = kwd.get( 'message', '' )
+ new_message = escape( kwd.get( 'message', '' ) )
 if not new_name:
 message = 'Enter a valid name'
 status = 'error'
@@ -602,7 +602,7 @@
 status=escape( status ) )
 @web.expose
 def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) )
@@ -650,7 +650,7 @@
 status=escape( status ) )
 @web.expose
 def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
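Review bot: In ldda_edit_info (@@ -505) `new_message` sits beside `new_name` and `new_info`, which read like form values about to be written to the ldda record; if that is the case, escaping it here stores HTML entities in the database rather than escaping at render time, and every template that escapes on output will then double-escape it. The same question applies to `ldda_message` in the @@ -787 and @@ -1256 hunks of this file. If these values are only echoed back into the page, the escape belongs at the `fill_template` call like the other fields; if they are persisted, keep the raw text and let the template escape — and state which it is with a comment on the line, e.g. `# escaped for display only; not persisted`. The enclosing method continues outside the hunk, so the actual use of new_message is not visible here.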
@@ -787,9 +787,9 @@
 status=escape( status ) )
 @web.expose
 def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
 deleted = util.string_as_bool( kwd.get( 'deleted', False ) )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1046,7 +1046,7 @@
 dataset_upload_inputs.append( input )
 # Library-specific params
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 server_dir = kwd.get( 'server_dir', '' )
 if replace_dataset not in [ None, 'None' ]:
@@ -1256,9 +1256,9 @@
 @web.expose
 def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
- ldda_message = kwd.get( 'ldda_message', '' )
+ ldda_message = escape( kwd.get( 'ldda_message', '' ) )
 show_deleted = kwd.get( 'show_deleted', False )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
 replace_id = kwd.get( 'replace_id', None )
@@ -1547,7 +1547,7 @@
 status='error' ) )
 @web.expose
 def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1595,7 +1595,7 @@
 status=escape( status ) )
 @web.expose
 def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1642,7 +1642,7 @@
 status=escape( status ) )
 @web.expose
 def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ):
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1703,7 +1703,7 @@
 rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath )
 return rval
 # Perform an action on a list of library datasets.
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -1979,7 +1979,7 @@
 # - a select list option for acting on multiple selected datasets within a library
 # ( ldda_ids is a comma separated string of ldda ids )
 # - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2102,7 +2102,7 @@
 def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ):
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' )
 current_user_roles = trans.get_current_user_roles()
@@ -2152,7 +2152,7 @@
 # 'ldda' and item_id is a comma separated string of ldda ids )
 # - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a
 # comma separated string of ldda ids )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
@@ -2723,7 +2723,7 @@
 return map( operator.getitem, intermed, ( -1, ) * len( intermed ) )
 def lucene_search( trans, cntrller, search_term, search_url, **kwd ):
 """Return display of results from a full-text lucene search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) )
 response = urllib2.urlopen( full_url )
@@ -2733,7 +2733,7 @@
 return status, message, get_sorted_accessible_library_items( trans, cntrller, lddas, 'name' )
 def whoosh_search( trans, cntrller, search_term, **kwd ):
 """Return display of results from a full-text whoosh search of data libraries."""
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 ok = True
 if whoosh_search_enabled:
diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -28,9 +28,10 @@
 from galaxy.web.base.controller import CreatesApiKeysMixin
 from galaxy.web.form_builder import CheckboxField
 from galaxy.web.form_builder import build_select_field
-from galaxy.web.framework.helpers import time_ago, grids, escape
+from galaxy.web.framework.helpers import time_ago, grids
 from datetime import datetime, timedelta
 from galaxy.util import hash_util, biostar
+from markupsafe import escape
 log = logging.getLogger( __name__ )
@@ -254,7 +255,7 @@
 if not trans.app.config.enable_openid:
 return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' )
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'done' )
 email = kwd.get( 'email', '' )
 username = kwd.get( 'username', '' )
@@ -502,7 +503,7 @@
 """
 Function validates numerous cases that might happen during the login time.
 """
- message = kwd.get( 'message', '' )
+ message = escape( kwd.get( 'message', '' ) )
 status = kwd.get( 'status', 'error' )
 email = kwd.get( 'email', '' )
 password = kwd.get( 'password', '' )
@@ -719,7 +720,7 @@ email = util.restore_text( kwd.get( 'email', '' ) ) password = kwd.get( 'password', '' ) username = util.restore_text( kwd.get( 'username', '' ) ) - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) is_admin = cntrller == 'admin' and trans.user_is_admin() user = self.create_user( trans=trans, email=email, username=username, password=password ) @@ -1093,7 +1094,7 @@ def reset_password( self, trans, email=None, **kwd ): if trans.app.config.smtp_server is None: return trans.show_error_message( "Mail is not configured for this Galaxy instance. Please contact your local Galaxy administrator." ) - message = util.sanitize_text(util.restore_text( kwd.get( 'message', '' ) )) + message = util.sanitize_text( util.restore_text( kwd.get( 'message', '' ) ) ) status = kwd.get( 'status', 'done' ) if kwd.get( 'reset_password_button', False ): reset_user = trans.sa_session.query( trans.app.model.User ).filter( trans.app.model.User.table.c.email == email ).first() diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py +++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py @@ -22,7 +22,7 @@ from galaxy.web import error, url_for from galaxy.web.base.controller import BaseUIController, SharableMixin, UsesStoredWorkflowMixin from galaxy.web.framework.formbuilder import form -from galaxy.web.framework.helpers import grids, time_ago, to_unicode, escape +from galaxy.web.framework.helpers import grids, time_ago, to_unicode from galaxy.workflow.modules import WorkflowModuleInjector from galaxy.workflow.modules import MissingToolException from galaxy.workflow.modules import module_factory, is_tool_module_type 
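Review bot: reset_password is the one handler in this commit whose `message` stays on `util.sanitize_text( util.restore_text( ... ) )` — the hunk only re-spaces the call — while every sibling now uses `escape(...)`. If sanitize_text is a character filter rather than an HTML escaper, this handler renders the message differently from the rest of user.py; if it is equivalent, a one-line comment such as `# sanitize_text already neutralises markup; no escape() needed` would stop the next reader from "fixing" it. The function continues outside the hunk.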
@@ -37,6 +37,7 @@ order_workflow_steps_with_levels, ) from galaxy.workflow.render import WorkflowCanvas, MARGIN, LINE_SPACING +from markupsafe import escape class StoredWorkflowListGrid( grids.Grid ): @@ -1021,7 +1022,7 @@ """ url = kwd.get( 'url', '' ) workflow_text = kwd.get( 'workflow_text', '' ) - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) import_button = kwd.get( 'import_button', False ) # The special Galaxy integration landing page's URL on myExperiment diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/reports/controllers/users.py --- a/lib/galaxy/webapps/reports/controllers/users.py +++ b/lib/galaxy/webapps/reports/controllers/users.py @@ -9,17 +9,19 @@ pkg_resources.require( "SQLAlchemy >= 0.4" ) import sqlalchemy as sa import logging +from markupsafe import escape + log = logging.getLogger( __name__ ) class Users( BaseUIController ): @web.expose def registered_users( self, trans, **kwd ): - message = util.restore_text( kwd.get( 'message', '' ) ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) num_users = trans.sa_session.query( galaxy.model.User ).count() return trans.fill_template( '/webapps/reports/registered_users.mako', num_users=num_users, message=message ) @web.expose def registered_users_per_month( self, trans, **kwd ): - message = util.restore_text( kwd.get( 'message', '' ) ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) q = sa.select( ( sa.func.date_trunc( 'month', sa.func.date( galaxy.model.User.table.c.create_time ) ).label( 'date' ), sa.func.count( galaxy.model.User.table.c.id ).label( 'num_users' ) ), from_obj = [ galaxy.model.User.table ], 
@@ -36,7 +38,7 @@ message=message ) @web.expose def specified_month( self, trans, **kwd ): - message = util.restore_text( kwd.get( 'message', '' ) ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) # If specified_date is not received, we'll default to the current month specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) ) specified_month = specified_date[ :7 ] @@ -66,7 +68,7 @@ message=message ) @web.expose def specified_date( self, trans, **kwd ): - message = util.restore_text( kwd.get( 'message', '' ) ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) # If specified_date is not received, we'll default to the current month specified_date = kwd.get( 'specified_date', datetime.utcnow().strftime( "%Y-%m-%d" ) ) year, month, day = map( int, specified_date.split( "-" ) ) @@ -95,7 +97,7 @@ message=message ) @web.expose def last_access_date( self, trans, **kwd ): - message = util.restore_text( kwd.get( 'message', '' ) ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) not_logged_in_for_days = kwd.get( 'not_logged_in_for_days', 90 ) if not not_logged_in_for_days: not_logged_in_for_days = 0 @@ -120,7 +122,7 @@ @web.expose def user_disk_usage( self, trans, **kwd ): - message = util.restore_text( kwd.get( 'message', '' ) ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) user_cutoff = int( kwd.get( 'user_cutoff', 60 ) ) # disk_usage isn't indexed users = sorted( trans.sa_session.query( galaxy.model.User ).all(), key=operator.attrgetter( 'disk_usage' ), reverse=True ) diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/admin.py --- a/lib/galaxy/webapps/tool_shed/controllers/admin.py +++ b/lib/galaxy/webapps/tool_shed/controllers/admin.py 
@@ -3,6 +3,7 @@ from galaxy import util from galaxy.util import inflector from galaxy import web +from markupsafe import escape from galaxy.web.base.controller import BaseUIController from galaxy.web.base.controllers.admin import Admin @@ -121,7 +122,7 @@ @web.expose @web.require_admin def create_category( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) name = kwd.get( 'name', '' ).strip() description = kwd.get( 'description', '' ).strip() @@ -154,7 +155,7 @@ @web.expose @web.require_admin def delete_repository( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if id: @@ -197,7 +198,7 @@ @web.expose @web.require_admin def delete_repository_metadata( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if id: @@ -221,7 +222,7 @@ @web.expose @web.require_admin def edit_category( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if not id: @@ -306,7 +307,7 @@ @web.expose @web.require_admin def regenerate_statistics( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) if 'regenerate_statistics_button' in kwd: trans.app.shed_counter.generate_statistics() 
@@ -352,7 +353,7 @@ if 'reset_metadata_on_selected_repositories_button' in kwd: message, status = rmm.reset_metadata_on_selected_repositories( **kwd ) else: - message = util.restore_text( kwd.get( 'message', '' ) ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) status = kwd.get( 'status', 'done' ) repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids', multiple=True, @@ -366,7 +367,7 @@ @web.expose @web.require_admin def undelete_repository( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if id: @@ -417,7 +418,7 @@ # TODO: We should probably eliminate the Category.deleted column since it really makes no # sense to mark a category as deleted (category names and descriptions can be changed instead). # If we do this, and the following 2 methods can be eliminated. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if id: @@ -445,7 +446,7 @@ # This method should only be called for a Category that has previously been deleted. # Purging a deleted Category deletes all of the following from the database: # - RepoitoryCategoryAssociations where category_id == Category.id - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if id: @@ -473,7 +474,7 @@ @web.expose @web.require_admin def undelete_category( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if id: diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/repository.py --- a/lib/galaxy/webapps/tool_shed/controllers/repository.py 
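Review bot: In the reset_metadata hunk the escaping is applied only in the `else` branch; the `if` branch takes `message, status` from `rmm.reset_metadata_on_selected_repositories( **kwd )`, which receives the same request kwd. If that helper echoes any request value (repository ids or names) into its message, that path reaches the template unescaped; if the message is built purely from server-side data this is fine and a comment such as `# message built server-side; escaped at render` would record it. The same shape appears in the repository controller's reset_metadata hunk later in this diff. The enclosing method starts outside the hunk.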
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py @@ -6,6 +6,7 @@ from time import strftime from datetime import date from datetime import datetime +from markupsafe import escape from galaxy import util from galaxy import web @@ -385,7 +386,7 @@ action='reviewed_repositories_i_own' ) ) elif operation == "repositories_by_category": category_id = kwd.get( 'id', None ) - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) return trans.response.send_redirect( web.url_for( controller='repository', action='browse_repositories_in_category', @@ -721,9 +722,9 @@ @web.expose def browse_repository( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) - commit_message = kwd.get( 'commit_message', 'Deleted selected files' ) + commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False ) # Update repository files for browsing. @@ -891,7 +892,7 @@ @web.expose def check_for_updates( self, trans, **kwd ): """Handle a request from a local Galaxy instance.""" - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) # If the request originated with the UpdateRepositoryManager, it will not include a galaxy_url. galaxy_url = common_util.handle_galaxy_url( trans, **kwd ) @@ -976,7 +977,7 @@ @web.expose def contact_owner( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) metadata = metadata_util.get_repository_metadata_by_repository_id_changeset_revision( trans.app, 
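Review bot: In the `repositories_by_category` branch the escaped message is not rendered here but forwarded through `trans.response.send_redirect( web.url_for( ... ) )`; if message is among the url_for arguments (the call is cut off by the hunk), the receiving action browse_repositories_in_category escapes it again after this commit, so an `&` in the original text is shown as `&amp;`. For a value that is only passed along in a redirect, leave it unescaped here — `message = kwd.get( 'message', '' )` — and let the rendering handler perform the single escape. The enclosing method starts outside the hunk.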
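Review bot: `commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) )` in browse_repository escapes a value whose name says it becomes the Mercurial commit message; if the body below (outside the hunk) passes it to the commit, HTML entities (`&amp;`, `&lt;`) are written into repository history and the value is a `Markup` object rather than a str. Keep the raw string for the commit and escape only the copy handed to the template, e.g. `commit_message = kwd.get( 'commit_message', 'Deleted selected files' )` here and `commit_message=escape( commit_message )` in the fill_template call. The same change is made to select_files_to_delete and to upload.py's upload handler later in this diff.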
@@ -995,7 +996,7 @@ @web.expose def create_galaxy_docker_image( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_ids = util.listify( kwd.get( 'id', '' ) ) if 'operation' in kwd: @@ -1051,7 +1052,7 @@ @web.expose def create_repository( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) categories = suc.get_categories( trans ) if not categories: @@ -1108,7 +1109,7 @@ # Marking a repository in the tool shed as deprecated has no effect on any downloadable changeset # revisions that may be associated with the repository. Revisions are not marked as not downlaodable # because those that have installed the repository must be allowed to get updates. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_id = kwd.get( 'id', None ) repository = suc.get_repository_in_tool_shed( trans.app, repository_id ) @@ -1164,7 +1165,7 @@ @web.expose def display_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' ) tv = tool_validator.ToolValidator( trans.app ) @@ -1229,7 +1230,7 @@ @web.expose def export( self, trans, repository_id, changeset_revision, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) export_repository_dependencies = kwd.get( 'export_repository_dependencies', '' ) repository = suc.get_repository_in_tool_shed( trans.app, repository_id ) 
@@ -1309,7 +1310,7 @@ @web.expose def find_tools( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) galaxy_url = common_util.handle_galaxy_url( trans, **kwd ) if 'operation' in kwd: @@ -1400,7 +1401,7 @@ @web.expose def find_workflows( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) galaxy_url = common_util.handle_galaxy_url( trans, **kwd ) if 'operation' in kwd: @@ -2020,13 +2021,13 @@ @web.expose def help( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) return trans.fill_template( '/webapps/tool_shed/repository/help.mako', message=message, status=status, **kwd ) @web.expose def import_capsule( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) capsule_file_name = kwd.get( 'capsule_file_name', None ) encoded_file_path = kwd.get( 'encoded_file_path', None ) @@ -2069,7 +2070,7 @@ @web.expose def index( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) # See if there are any RepositoryMetadata records since menu items require them. repository_metadata = trans.sa_session.query( trans.model.RepositoryMetadata ).first() @@ -2151,7 +2152,7 @@ @web.expose def load_invalid_tool( self, trans, repository_id, tool_config, changeset_revision, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'error' ) render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' ) tv = tool_validator.ToolValidator( trans.app ) 
@@ -2203,7 +2204,7 @@ @web.expose @web.require_login( "manage email alerts" ) def manage_email_alerts( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) new_repo_alert = kwd.get( 'new_repo_alert', '' ) new_repo_alert_checked = CheckboxField.is_checked( new_repo_alert ) @@ -2234,7 +2235,7 @@ @web.expose @web.require_login( "manage repository" ) def manage_repository( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repository_type = kwd.get( 'repository_type', str( repository.type ) ) @@ -2500,7 +2501,7 @@ @web.expose @web.require_login( "manage repository administrators" ) def manage_repository_admins( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) changeset_revision = kwd.get( 'changeset_revision', repository.tip( trans.app ) ) @@ -2558,7 +2559,7 @@ @web.expose @web.require_login( "multi select email alerts" ) def multi_select_email_alerts( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) if 'operation' in kwd: operation = kwd[ 'operation' ].lower() @@ -2607,7 +2608,7 @@ @web.expose def preview_tools_in_changeset( self, trans, repository_id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, repository_id ) repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False ) 
@@ -2714,7 +2715,7 @@ @web.require_login( "rate repositories" ) def rate_repository( self, trans, **kwd ): """ Rate a repository and return updated rating data. """ - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if not id: @@ -2787,7 +2788,7 @@ if 'reset_metadata_on_selected_repositories_button' in kwd: message, status = rmm.reset_metadata_on_selected_repositories( **kwd ) else: - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repositories_select_field = rmm.build_repository_ids_select_field( name='repository_ids', multiple=True, @@ -2800,9 +2801,9 @@ @web.expose def select_files_to_delete( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) - commit_message = kwd.get( 'commit_message', 'Deleted selected files' ) + commit_message = escape( kwd.get( 'commit_message', 'Deleted selected files' ) ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repo_dir = repository.repo_path( trans.app ) repo = hg_util.get_repo_for_repository( trans.app, repository=None, repo_path=repo_dir, create=False ) @@ -3145,7 +3146,7 @@ @web.expose def upload_capsule( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) url = kwd.get( 'url', '' ) if 'upload_capsule_button' in kwd: @@ -3175,7 +3176,7 @@ @web.expose def view_changelog( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False ) 
@@ -3210,7 +3211,7 @@ @web.expose def view_changeset( self, trans, id, ctx_str, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False ) @@ -3302,7 +3303,7 @@ @web.expose def view_repository( self, trans, id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, id ) repo = hg_util.get_repo_for_repository( trans.app, repository=repository, repo_path=None, create=False ) @@ -3390,7 +3391,7 @@ @web.expose def view_tool_metadata( self, trans, repository_id, changeset_revision, tool_id, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' ) repository = suc.get_repository_in_tool_shed( trans.app, repository_id ) @@ -3471,7 +3472,7 @@ @web.expose def view_workflow( self, trans, workflow_name, repository_metadata_id, **kwd ): """Retrieve necessary information about a workflow from the database so that it can be displayed in an svg image.""" - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) render_repository_actions_for = kwd.get( 'render_repository_actions_for', 'tool_shed' ) if workflow_name: diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/repository_review.py --- a/lib/galaxy/webapps/tool_shed/controllers/repository_review.py +++ b/lib/galaxy/webapps/tool_shed/controllers/repository_review.py 
@@ -2,6 +2,7 @@ import os from sqlalchemy.sql.expression import func +from markupsafe import escape from galaxy import util from galaxy import web @@ -40,7 +41,7 @@ @web.require_login( "approve repository review" ) def approve_repository_review( self, trans, **kwd ): # The value of the received id is the encoded review id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) encoded_review_id = kwd[ 'id' ] review = review_util.get_review( trans.app, encoded_review_id ) @@ -74,7 +75,7 @@ @web.expose @web.require_login( "browse review" ) def browse_review( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) review = review_util.get_review( trans.app, kwd[ 'id' ] ) repository = review.repository @@ -105,7 +106,7 @@ @web.expose @web.require_login( "create component" ) def create_component( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) name = kwd.get( 'name', '' ) description = kwd.get( 'description', '' ) @@ -136,7 +137,7 @@ @web.require_login( "create review" ) def create_review( self, trans, **kwd ): # The value of the received id is the encoded repository id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_id = kwd.get( 'id', None ) changeset_revision = kwd.get( 'changeset_revision', None ) @@ -201,7 +202,7 @@ @web.expose @web.require_login( "edit component" ) def edit_component( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) id = kwd.get( 'id', None ) if not id: 
@@ -232,7 +233,7 @@ @web.require_login( "edit review" ) def edit_review( self, trans, **kwd ): # The value of the received id is the encoded review id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) review_id = kwd.get( 'id', None ) review = review_util.get_review( trans.app, review_id ) @@ -408,7 +409,7 @@ @web.require_login( "manage repositories reviewed by me" ) def manage_repositories_reviewed_by_me( self, trans, **kwd ): # The value of the received id is the encoded repository id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) if 'operation' in kwd: kwd[ 'mine' ] = True @@ -475,7 +476,7 @@ @web.require_login( "manage repository reviews" ) def manage_repository_reviews( self, trans, mine=False, **kwd ): # The value of the received id is the encoded repository id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_id = kwd.get( 'id', None ) if repository_id: @@ -524,7 +525,7 @@ @web.require_login( "manage repository reviews of revision" ) def manage_repository_reviews_of_revision( self, trans, **kwd ): # The value of the received id is the encoded repository id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_id = kwd.get( 'id', None ) changeset_revision = kwd.get( 'changeset_revision', None ) @@ -547,7 +548,7 @@ @web.expose @web.require_login( "repository reviews by user" ) def repository_reviews_by_user( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) if 'operation' in kwd: 
@@ -573,7 +574,7 @@ @web.expose @web.require_login( "reviewed repositories i own" ) def reviewed_repositories_i_own( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) # The value of the received id is the encoded repository id. if 'operation' in kwd: @@ -592,7 +593,7 @@ @web.require_login( "select previous review" ) def select_previous_review( self, trans, **kwd ): # The value of the received id is the encoded repository id. - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository = suc.get_repository_in_tool_shed( trans.app, kwd[ 'id' ] ) changeset_revision = kwd.get( 'changeset_revision', None ) diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/galaxy/webapps/tool_shed/controllers/upload.py --- a/lib/galaxy/webapps/tool_shed/controllers/upload.py +++ b/lib/galaxy/webapps/tool_shed/controllers/upload.py @@ -9,6 +9,7 @@ from galaxy import web from galaxy.datatypes import checkers from galaxy.web.base.controller import BaseUIController +from markupsafe import escape from tool_shed.dependencies import attribute_handlers from tool_shed.galaxy_install import dependency_display @@ -34,9 +35,9 @@ @web.expose @web.require_login( 'upload', use_panels=True ) def upload( self, trans, **kwd ): - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) - commit_message = kwd.get( 'commit_message', 'Uploaded' ) + commit_message = escape( kwd.get( 'commit_message', 'Uploaded' ) ) category_ids = util.listify( kwd.get( 'category_id', '' ) ) categories = suc.get_categories( trans.app ) repository_id = kwd.get( 'repository_id', '' ) diff -r 0ac7297b58491d542948ae3976732dd2c3450b89 -r e416697be38e66f18be89a4cfca70457c9784294 lib/tool_shed/util/repository_util.py --- a/lib/tool_shed/util/repository_util.py 
+++ b/lib/tool_shed/util/repository_util.py @@ -7,6 +7,7 @@ from galaxy import web from galaxy.web.form_builder import build_select_field from galaxy.webapps.tool_shed.model import directory_hash_id +from markupsafe import escape from tool_shed.dependencies.repository import relation_builder @@ -256,7 +257,7 @@ def handle_role_associations( app, role, repository, **kwd ): sa_session = app.model.context.current - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) repository_owner = repository.user if kwd.get( 'manage_role_associations_button', False ): Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
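Review bot: After `message = escape( kwd.get( 'message', '' ) )` the variable is a `markupsafe.Markup`, and Markup escapes the other operand of `+`, `+=` and `%`; if the body of handle_role_associations (outside the hunk) builds on message with HTML it intends to render — a `<br/>` or a link, as Galaxy status messages often carry — that markup will now display as literal text. The same applies to every handler in this commit that appends to message after escaping it. Where intentional markup is added, either keep message a plain str here and escape at the template boundary, or wrap the fragments in `Markup( ... )` so concatenation preserves them.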