3 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/a4b74b3d6f0d/ Changeset: a4b74b3d6f0d Branch: stable User: davebgx Date: 2014-12-10 16:31:21+00:00 Summary: Escape anything that could be user input in mako templates, add markupsafe.escape to username and email in users API controller. Affected #: 46 files
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 lib/galaxy/webapps/galaxy/api/users.py
--- a/lib/galaxy/webapps/galaxy/api/users.py
+++ b/lib/galaxy/webapps/galaxy/api/users.py
@@ -11,6 +11,7 @@
 from galaxy.web.base.controller import BaseAPIController, UsesTagsMixin
 from galaxy.web.base.controller import CreatesApiKeysMixin
 from galaxy.web.base.controller import CreatesUsersMixin
+from markupsafe import escape
 log = logging.getLogger( __name__ )
@@ -38,10 +39,10 @@
 query = query.filter( trans.app.model.User.table.c.deleted == False ) # noqa
 # special case: user can see only their own user
 if not trans.user_is_admin():
- item = trans.user.to_dict( value_mapper={ 'id': trans.security.encode_id } )
+ item = trans.user.to_dict( value_mapper={ 'id': trans.security.encode_id, 'email': escape } )
 return [item]
 for user in query:
- item = user.to_dict( value_mapper={ 'id': trans.security.encode_id } )
+ item = user.to_dict( value_mapper={ 'id': trans.security.encode_id, 'email': escape } )
 # TODO: move into api_values
 rval.append( item )
 return rval
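Review bot: Applying `escape` to `email` in the `index` value_mapper (and to `email`/`username` in the `show` hunk that follows) HTML-encodes data inside a JSON API response, which is the wrong layer for output encoding: API clients receive `&#39;`/`&amp;` entities instead of the stored value, and an HTML consumer that escapes on render then double-encodes it. The mako `|h` filter added throughout this changeset is where HTML escaping belongs; the API should hand back the raw string. If the escaping is kept deliberately, say so next to the mapper: `# NOTE: email/username are HTML-escaped here; API consumers get entities, not the raw value`. Separately, `index` escapes only `email` while `show` escapes `username` too; if the collection view of `to_dict` includes `username`, the two hunks are inconsistent.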
@@ -78,7 +79,9 @@
 else:
 raise HTTPBadRequest( detail='Invalid user id ( %s ) specified' % id )
 item = user.to_dict( view='element', value_mapper={ 'id': trans.security.encode_id,
- 'total_disk_usage': float } )
+ 'total_disk_usage': float,
+ 'email': escape,
+ 'username': escape } )
 # add a list of tags used by the user (as strings)
 item[ 'tags_used' ] = self.get_user_tags_used( trans, user=user )
 # TODO: move into api_values (needs trans, tho - can we do that with api_keys/@property??)
diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/group/group.mako
--- a/templates/admin/dataset_security/group/group.mako
+++ b/templates/admin/dataset_security/group/group.mako
@@ -11,9 +11,9 @@
 </%def><%def name="render_select( name, options )">
- <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple>
+ <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple>
 %for option in options:
- <option value="${option[0]}">${option[1]}</option>
+ <option value="${option[0]|h}">${option[1]|h}</option>
 %endfor
 </select></%def>
@@ -48,29 +48,29 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Group '${group.name}'</div> + <div class="toolFormTitle">Group '${group.name|h}'</div><div class="toolFormBody"><form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='manage_users_and_roles_for_group', id=trans.security.encode_id( group.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Roles associated with '${group.name}'</label> + <label>Roles associated with '${group.name|h}'</label> ${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div> - <label>Roles not associated with '${group.name}'</label> + <label>Roles not associated with '${group.name|h}'</label> ${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Users associated with '${group.name}'</label> + <label>Users associated with '${group.name|h}'</label> ${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div> - <label>Users not associated with '${group.name}'</label> + <label>Users not associated with '${group.name|h}'</label> ${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/group/group_create.mako --- a/templates/admin/dataset_security/group/group_create.mako +++ b/templates/admin/dataset_security/group/group_create.mako 
@@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> @@ -60,7 +60,7 @@ <form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='create_group' )}" method="post" ><div class="form-row"><label>Name:</label> - <input name="name" type="textfield" value="${name}" size=40"/> + <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;"> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/group/group_rename.mako --- a/templates/admin/dataset_security/group/group_rename.mako +++ b/templates/admin/dataset_security/group/group_rename.mako @@ -12,7 +12,7 @@ <div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;"> - <input type="text" name="name" value="${group.name}" size="40"/> + <input type="text" name="name" value="${group.name|h}" size="40"/></div><div style="clear: both"></div></div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/role/role.mako --- a/templates/admin/dataset_security/role/role.mako +++ b/templates/admin/dataset_security/role/role.mako 
@@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> @@ -48,29 +48,29 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Role '${role.name}'</div> + <div class="toolFormTitle">Role '${role.name|h}'</div><div class="toolFormBody"><form name="associate_role_user_group" id="associate_role_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_role', id=trans.security.encode_id( role.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Users associated with '${role.name}'</label> + <label>Users associated with '${role.name|h}'</label> ${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div> - <label>Users not associated with '${role.name}'</label> + <label>Users not associated with '${role.name|h}'</label> ${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Groups associated with '${role.name}'</label> + <label>Groups associated with '${role.name|h}'</label> ${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div> - <label>Groups not associated with '${role.name}'</label> + <label>Groups not associated with '${role.name|h}'</label> ${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div> 
@@ -84,7 +84,7 @@ <br clear="left"/><br/> %if len( library_dataset_actions ) > 0: - <h3>Data library datasets associated with role '${role.name}'</h3> + <h3>Data library datasets associated with role '${role.name|h}'</h3><table class="manage-table colored" border="0" cellspacing="0" cellpadding="0" width="100%"><tr><td> @@ -92,16 +92,16 @@ %for ctr, library, in enumerate( library_dataset_actions.keys() ): <li><img src="${h.url_for( '/static/images/silk/book_open.png' )}" class="rowIcon"/> - ${library.name} + ${library.name|h} <ul> %for folder_path, permissions in library_dataset_actions[ library ].items(): <li><img src="/static/images/silk/folder_page.png" class="rowIcon"/> - ${folder_path} + ${folder_path|h} <ul> % for permission in permissions: <ul> - <li>${permission}</li> + <li>${permission|h}</li></ul> %endfor </ul> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/role/role_create.mako --- a/templates/admin/dataset_security/role/role_create.mako +++ b/templates/admin/dataset_security/role/role_create.mako @@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> 
@@ -60,11 +60,11 @@ <form name="associate_role_group_user" id="associate_role_group_user" action="${h.url_for(controller='admin', action='create_role' )}" method="post" ><div class="form-row"><label>Name:</label> - <input name="name" type="textfield" value="${name}" size=40"/> + <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label> - <input name="description" type="textfield" value="${description}" size=40"/> + <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;"> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/dataset_security/role/role_rename.mako --- a/templates/admin/dataset_security/role/role_rename.mako +++ b/templates/admin/dataset_security/role/role_rename.mako @@ -12,14 +12,14 @@ <div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;"> - <input type="text" name="name" value="${role.name}" size="40"/> + <input type="text" name="name" value="${role.name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;"> - <input name="description" type="textfield" value="${role.description}" size=40"/> + <input name="description" type="textfield" value="${role.description|h}" size=40"/></div><div style="clear: both"></div></div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/external_service/create_external_service.mako --- a/templates/admin/external_service/create_external_service.mako +++ b/templates/admin/external_service/create_external_service.mako 
@@ -12,10 +12,10 @@ %if widgets: %for i, field in enumerate( widgets ): <div class="form-row"> - <label>${field['label']}:</label> + <label>${field['label']|h}:</label> ${field['widget'].get_html()} <div class="toolParamHelp" style="clear: both;"> - ${field['helptext']} + ${field['helptext']|h} </div><div style="clear: both"></div></div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/external_service/edit_external_service.mako --- a/templates/admin/external_service/edit_external_service.mako +++ b/templates/admin/external_service/edit_external_service.mako @@ -25,10 +25,10 @@ <div class="toolFormTitle">Edit external service</div> %for i, field in enumerate( widgets ): <div class="form-row"> - <label>${field['label']}:</label> + <label>${field['label']|h}:</label> ${field['widget'].get_html()} <div class="toolParamHelp" style="clear: both;"> - ${field['helptext']} + ${field['helptext']|h} </div><div style="clear: both"></div></div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/jobs.mako --- a/templates/admin/jobs.mako +++ b/templates/admin/jobs.mako @@ -63,12 +63,12 @@ </td><td>${job.id}</td> %if job.history and job.history.user: - <td>${job.history.user.email}</td> + <td>${job.history.user.email|h}</td> %else: <td>anonymous</td> %endif <td>${last_updated[job.id]} ago</td> - <td>${job.tool_id}</td> + <td>${job.tool_id|h}</td><td>${job.state}</td><% try: @@ -77,8 +77,8 @@ inputs = 'Unable to determine inputs' %><td>${inputs}</td> - <td>${job.command_line}</td> - <td>${job.job_runner_name}</td> + <td>${job.command_line|h}</td> + <td>${job.job_runner_name|h}</td><td>${job.job_runner_external_id}</td></tr> %endfor 
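Review bot: `<td>${inputs}</td>` in the `@@ -77` hunk of jobs.mako (and again in the `@@ -145` hunk on the next line) is still rendered unescaped while the neighbouring `command_line` and `job_runner_name` cells gain `|h`. `inputs` is assembled in the `<% try: %>` block that starts above the hunk, so its source is not visible here; if it is built from dataset or parameter names it carries the same user-controlled text and needs `${inputs|h}`. `${job.state}` is presumably a fixed state value and can stay as it is.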
@@ -131,12 +131,12 @@ %for job in recent_jobs: <td><a href="${h.url_for( controller="admin", action="job_info" )}?jobid=${job.id}">${job.id}</a></td> %if job.history and job.history.user: - <td>${job.history.user.email}</td> + <td>${job.history.user.email|h}</td> %else: <td>anonymous</td> %endif <td>${finished[job.id]} ago</td> - <td>${job.tool_id}</td> + <td>${job.tool_id|h}</td><td>${job.state}</td><% try: @@ -145,9 +145,9 @@ inputs = 'Unable to determine inputs' %><td>${inputs}</td> - <td>${job.command_line}</td> - <td>${job.job_runner_name}</td> - <td>${job.job_runner_external_id}</td> + <td>${job.command_line|h}</td> + <td>${job.job_runner_name|h}</td> + <td>${job.job_runner_external_id|h}</td></tr> %endfor </table> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/memdump.mako --- a/templates/admin/memdump.mako +++ b/templates/admin/memdump.mako @@ -55,7 +55,7 @@ <br/> You are here: ${breadcrumb}<br/> %if breadcrumb.endswith( 'theone' ): - ${heap} + ${heap|h} %else: <nobr> Sort: diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/package_tool.mako --- a/templates/admin/package_tool.mako +++ b/templates/admin/package_tool.mako @@ -28,9 +28,9 @@ <select name="tool_id"> %for key, val in toolbox.tool_panel.items(): %if isinstance( val, Tool ): - <option value="${val.id}">${val.name}</option> + <option value="${val.id|h}">${val.name|h}</option> %elif isinstance( val, ToolSection ): - <optgroup label="${val.name}"> + <optgroup label="${val.name|h}"><% section = val %> %for section_key, section_val in section.elems.items(): %if isinstance( section_val, Tool ): 
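Review bot: In memdump.mako, `You are here: ${breadcrumb}` two lines above the changed `${heap|h}` stays unescaped inside the same hunk. The heap text is escaped now, but `breadcrumb` is compared against the literal `'theone'` on the next line, which suggests it is reconstructed from a caller-supplied path; if it derives from request parameters it should be `${breadcrumb|h}` as well.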
@@ -38,7 +38,7 @@ %if section_val.id == tool_id: <% selected_str = " selected=\"selected\"" %> %endif - <option value="${section_val.id}"${selected_str}>${section_val.name}</option> + <option value="${section_val.id|h}"${selected_str}>${section_val.name|h}</option> %endif %endfor %endif diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/quota/quota.mako --- a/templates/admin/quota/quota.mako +++ b/templates/admin/quota/quota.mako @@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> 
@@ -48,29 +48,29 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Quota '${name}'</div> + <div class="toolFormTitle">Quota '${name|h}'</div><div class="toolFormBody"><form name="associate_quota_user_group" id="associate_quota_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_quota', id=id )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Users associated with '${name}'</label> + <label>Users associated with '${name|h}'</label> ${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div> - <label>Users not associated with '${name}'</label> + <label>Users not associated with '${name|h}'</label> ${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Groups associated with '${name}'</label> + <label>Groups associated with '${name|h}'</label> ${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div> - <label>Groups not associated with '${name}'</label> + <label>Groups not associated with '${name|h}'</label> ${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/quota/quota_create.mako --- a/templates/admin/quota/quota_create.mako +++ b/templates/admin/quota/quota_create.mako 
@@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> @@ -69,15 +69,15 @@ <form name="associate_quota_group_user" id="associate_quota_group_user" action="${h.url_for(controller='admin', action='create_quota' )}" method="post" ><div class="form-row"><label>Name:</label> - <input name="name" type="textfield" value="${name}" size=40"/> + <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label> - <input name="description" type="textfield" value="${description}" size=40"/> + <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><label>Amount</label> - <input name="amount" type="textfield" value="${amount}" size=40"/> + <input name="amount" type="textfield" value="${amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;"> Examples: "10000MB", "99 gb", "0.2T", "unlimited" </div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/quota/quota_edit.mako --- a/templates/admin/quota/quota_edit.mako +++ b/templates/admin/quota/quota_edit.mako @@ -29,7 +29,7 @@ <input name="id" type="hidden" value="${id}"/><div class="form-row"><label>Amount</label> - <input name="amount" type="textfield" value="${display_amount}" size=40"/> + <input name="amount" type="textfield" value="${display_amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;"> Examples: "10000MB", "99 gb", "0.2T", "unlimited" </div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/quota/quota_rename.mako 
--- a/templates/admin/quota/quota_rename.mako +++ b/templates/admin/quota/quota_rename.mako @@ -21,14 +21,14 @@ <div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;"> - <input type="text" name="name" value="${name}" size="40"/> + <input type="text" name="name" value="${name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;"> - <input name="description" type="textfield" value="${description}" size=40"/> + <input name="description" type="textfield" value="${description|h}" size=40"/></div><div style="clear: both"></div></div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/reload_tool.mako --- a/templates/admin/reload_tool.mako +++ b/templates/admin/reload_tool.mako @@ -28,9 +28,9 @@ <select name="tool_id"> %for key, val in toolbox.tool_panel.items(): %if isinstance( val, Tool ): - <option value="${val.id}">${val.name}</option> + <option value="${val.id}">${val.name|h}</option> %elif isinstance( val, ToolSection ): - <optgroup label="${val.name}"> + <optgroup label="${val.name|h}"><% section = val %> %for section_key, section_val in section.elems.items(): %if isinstance( section_val, Tool ): @@ -38,7 +38,7 @@ %if section_val.id == tool_id: <% selected_str = " selected=\"selected\"" %> %endif - <option value="${section_val.id}"${selected_str}>${section_val.name}</option> + <option value="${section_val.id}"${selected_str}>${section_val.name|h}</option> %endif %endfor %endif diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/review_tool_migration_stages.mako --- a/templates/admin/review_tool_migration_stages.mako +++ b/templates/admin/review_tool_migration_stages.mako 
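Review bot: In both hunks of reload_tool.mako the `value` attribute keeps `${val.id}` and `${section_val.id}` unescaped, while the otherwise identical hunks in package_tool.mako earlier in this changeset escape them as `${val.id|h}` / `${section_val.id|h}`. Tool ids are read from tool XML, including tools installed from a tool shed, so the same filter belongs here: `<option value="${val.id|h}">${val.name|h}</option>` and `<option value="${section_val.id|h}"${selected_str}>${section_val.name|h}</option>`.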
@@ -4,7 +4,9 @@ %if message: ${render_msg( message, status )} %endif - +<% +from markupsafe import escape +%><div class="toolForm"><div class="toolFormTitle">Tool migrations that can be performed on this Galaxy instance</div><div class="toolFormBody"> @@ -51,7 +53,7 @@ repository_names.sort() repository_names = ', '.join( repository_names ) %> - <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names}</b></td></tr> + <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names|h}</b></td></tr><tr><td bgcolor="#FFFFCC"><div class="form-row"> @@ -59,11 +61,11 @@ <p> %if tool_dependencies: This migration stage includes tools that have tool dependencies that can be automatically installed. To install them, run:<br/> - <b>${install_dependencies}</b><br/><br/> + <b>${install_dependencies|h}</b><br/><br/> To skip tool dependency installation run:<br/> - <b>${migration_command}</b> + <b>${migration_command|h}</b> %else: - <b>${migration_command}</b> + <b>${migration_command|h}</b> %endif </p></div> @@ -74,7 +76,7 @@ <tr><td bgcolor="#DADFEF"><div class="form-row"> - <b>Repository:</b> ${repository_name} + <b>Repository:</b> ${repository_name|h} </div></td></tr> @@ -88,10 +90,10 @@ </tr> %for tool_dependencies_tup in tool_dependencies: <% - tool_dependency_name = tool_dependencies_tup[0] - tool_dependency_version = tool_dependencies_tup[1] - tool_dependency_type = tool_dependencies_tup[2] - installation_requirements = tool_dependencies_tup[3].replace( '\n', '<br/>' ) + tool_dependency_name = escape( tool_dependencies_tup[0] ) + tool_dependency_version = escape( tool_dependencies_tup[1] ) + tool_dependency_type = escape( tool_dependencies_tup[2] ) + installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' ) %><tr><td> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/browse_repository.mako 
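Review bot: `escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )` in the last hunk of review_tool_migration_stages.mako will not produce line breaks: `escape()` returns a `markupsafe.Markup`, whose `replace` escapes its plain-string arguments, so the replacement is emitted as the literal text `&lt;br/&gt;`. Pass the replacement as markup instead: change the new import block to `from markupsafe import escape, Markup` and the assignment to `installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', Markup( '<br/>' ) )`. The `${installation_requirements}` expression that consumes this value lies outside the hunk.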
--- a/templates/admin/tool_shed_repository/browse_repository.mako +++ b/templates/admin/tool_shed_repository/browse_repository.mako @@ -21,7 +21,7 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Browse ${repository.name} revision ${repository.changeset_revision} files</div> + <div class="toolFormTitle">Browse ${repository.name|h} revision ${repository.changeset_revision} files</div><div class="toolFormBody"><div class="form-row" ><label>Contents:</label> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/browse_tool_dependency.mako --- a/templates/admin/tool_shed_repository/browse_tool_dependency.mako +++ b/templates/admin/tool_shed_repository/browse_tool_dependency.mako 
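Review bot: `${repository.changeset_revision}` on the same changed line of browse_repository.mako is left unescaped while `${repository.name|h}` gains the filter; the other templates in this changeset (browse_tool_dependency.mako, manage_repository.mako) escape `changeset_revision` too. For consistency: `<div class="toolFormTitle">Browse ${repository.name|h} revision ${repository.changeset_revision|h} files</div>`.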
@@ -23,33 +23,33 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name} installation directory</div> + <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name|h} installation directory</div><div class="toolFormBody"><div class="form-row" ><label>Tool shed repository:</label> - ${repository.name} + ${repository.name|h} <div style="clear: both"></div></div><div class="form-row" ><label>Tool shed repository changeset revision:</label> - ${repository.changeset_revision} + ${repository.changeset_revision|h} <div style="clear: both"></div></div><div class="form-row" ><label>Tool dependency status:</label> - ${tool_dependency.status} + ${tool_dependency.status|h} <div style="clear: both"></div></div> %if tool_dependency.in_error_state: <div class="form-row" ><label>Tool dependency installation error:</label> - ${tool_dependency.error_message} + ${tool_dependency.error_message|h} <div style="clear: both"></div></div> %endif <div class="form-row" ><label>Tool dependency installation directory:</label> - ${tool_dependency.installation_directory( trans.app )} + ${tool_dependency.installation_directory( trans.app )|h} <div style="clear: both"></div></div><div class="form-row" > diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/common.mako --- a/templates/admin/tool_shed_repository/common.mako +++ b/templates/admin/tool_shed_repository/common.mako @@ -8,7 +8,7 @@ }); // --- Initialize sample trees $("#tree").dynatree({ - title: "${title_text}", + title: "${title_text|h}", rootVisible: true, minExpandLevel: 0, // 1: root node is not collapsible persist: false, 
@@ -24,7 +24,7 @@ // initAjax is hard to fake, so we pass the children as object array: initAjax: {url: "${h.url_for( controller='admin_toolshed', action='open_folder' )}", dataType: "json", - data: { folder_path: "${directory_path}" }, + data: { folder_path: "${directory_path|h}" }, }, onLazyRead: function(dtnode){ dtnode.appendAjax({ @@ -45,7 +45,7 @@ var cell = $("#file_contents"); var selected_value; if (dtnode.data.key == 'root') { - selected_value = "${directory_path}/"; + selected_value = "${directory_path|h}/"; } else { selected_value = dtnode.data.key; }; @@ -81,6 +81,7 @@ line-break:strict; } </style><% + from markupsafe import escape class RowCounter( object ): def __init__( self ): self.count = 0 @@ -96,7 +97,7 @@ env_settings_heaader_row_displayed = False package_header_row_displayed = False if revision_label: - revision_label_str = ' revision <b>%s</b> of ' % str( revision_label ) + revision_label_str = ' revision <b>%s</b> of ' % escape( str( revision_label ) ) else: revision_label_str = ' ' %> @@ -104,7 +105,7 @@ <div class="toolParamHelp" style="clear: both;"><p> %if export: - The following additional repositories are required by${revision_label_str}the <b>${repository.name}</b> repository + The following additional repositories are required by${revision_label_str}the <b>${repository.name|h}</b> repository and they can be exported as well. %else: These dependencies can be automatically handled with${revision_label_str}the installed repository, providing significant diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako --- a/templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako +++ b/templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako 
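Review bot: In common.mako, `title: "${title_text|h}"`, `data: { folder_path: "${directory_path|h}" }` and `selected_value = "${directory_path|h}/";` sit inside a `<script>` block, where HTML escaping is the wrong encoder: script content is not entity-decoded, so a `"` in the value shows up as a literal `&quot;`, and a newline or backslash in the value still breaks the JavaScript string literal. The context-correct form is a JSON string literal emitted without `|h`, e.g. `json.dumps( directory_path ).replace( '<', '\\u003c' )` so that a `</script>` in the data cannot close the tag. The `escape( str( revision_label ) )` change in the `<% %>` block is fine, since that string is rendered as HTML.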
@@ -10,30 +10,30 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">${repository.name}</div> + <div class="toolFormTitle">${repository.name|h}</div><div class="toolFormBody"><form name="deactivate_or_uninstall_repository" id="deactivate_or_uninstall_repository" action="${h.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><div class="form-row"><label>Description:</label> - ${repository.description} + ${repository.description|h} <div style="clear: both"></div></div><div class="form-row"><label>Revision:</label> - ${repository.changeset_revision}</a> + ${repository.changeset_revision|h}</a></div><div class="form-row"><label>Tool shed:</label> - ${repository.tool_shed} + ${repository.tool_shed|h} <div style="clear: both"></div></div><div class="form-row"><label>Owner:</label> - ${repository.owner} + ${repository.owner|h} </div><div class="form-row"><label>Deleted:</label> - ${repository.deleted} + ${repository.deleted|h} </div><div class="form-row"><% @@ -186,7 +186,7 @@ ##hack to mimic check box <input type="hidden" name="remove_from_disk" value="true"/><input type="hidden" name="remove_from_disk" value="true"/> %endif - <input type="submit" name="deactivate_or_uninstall_repository_button" value="${deactivate_uninstall_button_text}"/> + <input type="submit" name="deactivate_or_uninstall_repository_button" value="${deactivate_uninstall_button_text|h}"/></div></form></div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/initiate_repository_installation.mako --- a/templates/admin/tool_shed_repository/initiate_repository_installation.mako +++ b/templates/admin/tool_shed_repository/initiate_repository_installation.mako 
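Review bot: The changed line `${repository.changeset_revision|h}</a>` in deactivate_or_uninstall_repository.mako closes an `<a>` element that has no matching opening tag in the surrounding lines of the hunk; the stray `</a>` predates the change but is touched here and can be dropped: `${repository.changeset_revision|h}`. The remaining `|h` additions in both hunks are consistent with the rest of the changeset.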
@@ -53,18 +53,18 @@ <td> %if link_to_manage_tool_dependencies: <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='manage_tool_dependencies', tool_dependency_ids=ids_of_tool_dependencies_missing_or_being_installed )}"> - ${tool_shed_repository.name} + ${tool_shed_repository.name|h} </a> %else: <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='manage_repository', id=encoded_repository_id )}"> - ${tool_shed_repository.name} + ${tool_shed_repository.name|h} </a> %endif </td><td>${tool_shed_repository.description}</td><td>${tool_shed_repository.owner}</td><td>${tool_shed_repository.changeset_revision}</td> - <td><div id="RepositoryStatus-${encoded_repository_id}">${tool_shed_repository.status}</div></td> + <td><div id="RepositoryStatus-${encoded_repository_id}">${tool_shed_repository.status|h}</div></td></tr> %endfor </table> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako --- a/templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako +++ b/templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako 
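Review bot: `<td>${tool_shed_repository.description}</td><td>${tool_shed_repository.owner}</td><td>${tool_shed_repository.changeset_revision}</td>` directly under the changed lines of initiate_repository_installation.mako stay unescaped, although `name` and `status` in the same hunk are escaped and manage_repository.mako later in this changeset escapes `description`, `owner` and `changeset_revision`. These values come from the remote tool shed record, so they should get the same `|h` filter as the name cell.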
@@ -20,12 +20,12 @@ <div class="toolForm"><div class="toolFormBody"><form name="install_tool_dependencies_with_update" id="install_tool_dependencies_with_update" action="${h.url_for( controller='admin_toolshed', action='install_tool_dependencies_with_update' )}" method="post" > - <input type="hidden" name="updating_repository_id" value="${updating_repository_id}"/> - <input type="hidden" name="updating_to_ctx_rev" value="${updating_to_ctx_rev}"/> - <input type="hidden" name="updating_to_changeset_revision" value="${updating_to_changeset_revision}"/> - <input type="hidden" name="encoded_updated_metadata" value="${encoded_updated_metadata}"/> - <input type="hidden" name="encoded_relative_install_dir" value="${encoded_relative_install_dir}"/> - <input type="hidden" name="encoded_tool_dependencies_dict" value="${encoded_tool_dependencies_dict}"/> + <input type="hidden" name="updating_repository_id" value="${updating_repository_id|h}"/> + <input type="hidden" name="updating_to_ctx_rev" value="${updating_to_ctx_rev|h}"/> + <input type="hidden" name="updating_to_changeset_revision" value="${updating_to_changeset_revision|h}"/> + <input type="hidden" name="encoded_updated_metadata" value="${encoded_updated_metadata|h}"/> + <input type="hidden" name="encoded_relative_install_dir" value="${encoded_relative_install_dir|h}"/> + <input type="hidden" name="encoded_tool_dependencies_dict" value="${encoded_tool_dependencies_dict|h}"/> %if tool_dependencies_dict: %if install_tool_dependencies_check_box is not None: <div class="form-row"> 
@@ -71,12 +71,12 @@ %> %if not os.path.exists( install_dir ): <tr> - <td>${key_name}</td> - <td>${key_version}</td> - <td>${install_dir}</td> + <td>${key_name|h}</td> + <td>${key_version|h}</td> + <td>${install_dir|h}</td></tr> %if readme_text: - <tr><td colspan="4" bgcolor="#FFFFCC">${key_name} ${key_version} requirements and installation information</td></tr> + <tr><td colspan="4" bgcolor="#FFFFCC">${key_name|h} ${key_version|h} requirements and installation information</td></tr><tr><td colspan="4"><pre>${readme_text}</pre></td></tr> %endif %endif diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/manage_repository.mako --- a/templates/admin/tool_shed_repository/manage_repository.mako +++ b/templates/admin/tool_shed_repository/manage_repository.mako 
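Review bot: `<pre>${readme_text}</pre>` in the second hunk of install_tool_dependencies_with_update.mako is the one remaining unescaped value, and `<pre>` does not stop the browser from parsing tags inside it, so the README of an installed repository is rendered as markup. Since `key_name`/`key_version` on the surrounding lines gain `|h`, the README should too: `<tr><td colspan="4"><pre>${readme_text|h}</pre></td></tr>`.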
@@ -22,50 +22,50 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Installed tool shed repository '${repository.name}'</div> + <div class="toolFormTitle">Installed tool shed repository '${repository.name|h}'</div><div class="toolFormBody"><form name="edit_repository" id="edit_repository" action="${h.url_for( controller='admin_toolshed', action='manage_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><div class="form-row"><label>Tool shed:</label> - ${repository.tool_shed} + ${repository.tool_shed|h} <div style="clear: both"></div></div><div class="form-row"><label>Name:</label> - ${repository.name} + ${repository.name|h} <div style="clear: both"></div></div><div class="form-row"><label>Description:</label> %if in_error_state: - ${description} + ${description|h} %else: - <input name="description" type="textfield" value="${description}" size="80"/> + <input name="description" type="textfield" value="${description|h}" size="80"/> %endif <div style="clear: both"></div></div><div class="form-row"><label>Revision:</label> - ${repository.changeset_revision} + ${repository.changeset_revision|h} </div><div class="form-row"><label>Owner:</label> - ${repository.owner} + ${repository.owner|h} </div> %if in_error_state: <div class="form-row"><label>Repository installation error:</label> - ${repository.error_message} + ${repository.error_message|h} </div> %else: <div class="form-row"><label>Location:</label> - ${repo_files_dir} + ${repo_files_dir|h} </div> %endif <div class="form-row"><label>Deleted:</label> - ${repository.deleted} + ${repository.deleted|h} </div> %if not in_error_state: <div class="form-row"> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako --- a/templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako 
+++ b/templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako @@ -20,7 +20,7 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Tool shed repository '${repository.name}' tool dependencies</div> + <div class="toolFormTitle">Tool shed repository '${repository.name|h}' tool dependencies</div><% can_install = False can_uninstall = False @@ -48,16 +48,16 @@ <td> %if tool_dependency.status not in [ trans.install_model.ToolDependency.installation_status.UNINSTALLED ]: <a target="galaxy_main" href="${h.url_for( controller='admin_toolshed', action='manage_repository_tool_dependencies', operation='browse', tool_dependency_ids=trans.security.encode_id( tool_dependency.id ), repository_id=trans.security.encode_id( repository.id ) )}"> - ${tool_dependency.name} + ${tool_dependency.name|h} </a> %else: - ${tool_dependency.name} + ${tool_dependency.name|h} %endif </td> - <td>${tool_dependency.version}</td> - <td>${tool_dependency.type}</td> - <td>${tool_dependency.status}</td> - <td>${error_message}</td> + <td>${tool_dependency.version|h}</td> + <td>${tool_dependency.type|h}</td> + <td>${tool_dependency.status|h}</td> + <td>${error_message|h}</td></tr> %endfor </table> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/purge_repository_confirmation.mako --- a/templates/admin/tool_shed_repository/purge_repository_confirmation.mako +++ b/templates/admin/tool_shed_repository/purge_repository_confirmation.mako 
@@ -19,14 +19,14 @@ <div class="warningmessage"><p> - Purging the repository named <b>${repository.name}</b> will result in deletion of all records for the + Purging the repository named <b>${repository.name|h}</b> will result in deletion of all records for the following associated items from the database. Click the <b>Purge</b> button to purge this repository and its associated items. </p></div><div class="toolForm"> - <div class="toolFormTitle">Purge tool shed repository <b>${repository.name}</b></div> + <div class="toolFormTitle">Purge tool shed repository <b>${repository.name|h}</b></div><form name="purge_repository" id="purge_repository" action="${h.url_for( controller='admin_toolshed', action='purge_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><% tool_versions = 0 
@@ -59,11 +59,11 @@ orphan_repository_dependency_records += 1 %><table class="grid"> - <tr><td>Tool version records</td><td>${tool_versions}</td><tr> - <tr><td>Tool dependency records</td><td>${tool_dependencies}</td><tr> - <tr><td>Repository dependency records</td><td>${required_repositories}</td><tr> - <tr><td>Orphan repository_repository_dependency_association records</td><td>${orphan_repository_repository_dependency_association_records}</td><tr> - <tr><td>Orphan repository_dependency records</td><td>${orphan_repository_dependency_records}</td><tr> + <tr><td>Tool version records</td><td>${tool_versions|h}</td><tr> + <tr><td>Tool dependency records</td><td>${tool_dependencies|h}</td><tr> + <tr><td>Repository dependency records</td><td>${required_repositories|h}</td><tr> + <tr><td>Orphan repository_repository_dependency_association records</td><td>${orphan_repository_repository_dependency_association_records|h}</td><tr> + <tr><td>Orphan repository_dependency records</td><td>${orphan_repository_dependency_records|h}</td><tr></table><div style="clear: both"></div><div class="form-row"> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/repair_repository.mako --- a/templates/admin/tool_shed_repository/repair_repository.mako +++ b/templates/admin/tool_shed_repository/repair_repository.mako 
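Review bot: Each of the five rewritten rows is closed with `<tr>` instead of `</tr>` (`...<td>${tool_versions|h}</td><tr>`), a nesting error the escaping pass preserved rather than fixed; browsers recover, but it is worth correcting while these lines are touched, e.g. `<tr><td>Tool version records</td><td>${tool_versions|h}</td></tr>`. The `|h` on these cells is harmless but cosmetic: every value is an integer counter incremented in the `<% %>` block above (`orphan_repository_dependency_records += 1` is visible), not user input.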
@@ -37,9 +37,9 @@ </div><div class="toolForm"> - <div class="toolFormTitle">Repair tool shed repository <b>${repository.name}</b></div> + <div class="toolFormTitle">Repair tool shed repository <b>${repository.name|h}</b></div><form name="repair_repository" id="repair_repository" action="${h.url_for( controller='admin_toolshed', action='repair_repository', id=trans.security.encode_id( repository.id ) )}" method="post" > - <input type="hidden" name="repair_dict" value="${encoded_repair_dict}"/> + <input type="hidden" name="repair_dict" value="${encoded_repair_dict|h}"/><% from tool_shed.util.shed_util_common import get_tool_shed_repository_status_label ordered_repo_info_dicts = repair_dict.get( 'ordered_repo_info_dicts', [] ) diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/repository_installation_status.mako --- a/templates/admin/tool_shed_repository/repository_installation_status.mako +++ b/templates/admin/tool_shed_repository/repository_installation_status.mako @@ -1,5 +1,6 @@ <%def name="render_repository_status( repository )"><% + from markupsafe import escape if repository.status in [ trans.install_model.ToolShedRepository.installation_status.CLONING, trans.install_model.ToolShedRepository.installation_status.SETTING_TOOL_VERSIONS, trans.install_model.ToolShedRepository.installation_status.INSTALLING_TOOL_DEPENDENCIES, @@ -20,7 +21,7 @@ else: bgcolor = trans.install_model.ToolShedRepository.states.ERROR rval = '<div class="count-box state-color-%s" id="RepositoryStatus-%s">' % ( bgcolor, trans.security.encode_id( repository.id ) ) - rval += '%s</div>' % repository.status + rval += '%s</div>' % escape( repository.status ) return rval %> ${rval} diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/reselect_tool_panel_section.mako --- a/templates/admin/tool_shed_repository/reselect_tool_panel_section.mako 
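Review bot: `${rval}` is intentionally rendered without `|h` because `rval` is markup assembled in the `<% %>` block, and that exception deserves a comment so the next escaping sweep does not "fix" it; suggest above it: `## rval is pre-built HTML: status is escaped with markupsafe above, bgcolor comes from the states constants and the id from encode_id, so no |h here.` Separately, the `return rval` inside the Python block appears to leave the trailing `${rval}` line unreachable, with the def's output coming from the caller's `${render_repository_status( ... )}` instead; worth confirming, since it affects whether a default filter on that call site is applied. The `if`/`elif` chain selecting `bgcolor` starts outside the hunk.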
+++ b/templates/admin/tool_shed_repository/reselect_tool_panel_section.mako @@ -62,12 +62,12 @@ <label>Shed tool configuration file:</label> ${shed_tool_conf_select_field.get_html()} <div class="toolParamHelp" style="clear: both;"> - ${select_help} + ${select_help|h} </div></div><div style="clear: both"></div> %else: - <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/> + <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/> %endif %if includes_tools_for_display_in_tool_panel: <div style="clear: both"></div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako --- a/templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako +++ b/templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako @@ -71,7 +71,7 @@ <input type="hidden" name="includes_tools" value="${includes_tools}" /><input type="hidden" name="includes_tool_dependencies" value="${includes_tool_dependencies}" /><input type="hidden" name="includes_tools_for_display_in_tool_panel" value="${includes_tools_for_display_in_tool_panel}" /> - <input type="hidden" name="tool_shed_url" value="${tool_shed_url}" /> + <input type="hidden" name="tool_shed_url" value="${tool_shed_url|h}" /></div><div style="clear: both"></div><% readme_files_dict = containers_dict.get( 'readme_files', None ) %> 
@@ -111,12 +111,12 @@ <label>Shed tool configuration file:</label> ${shed_tool_conf_select_field.get_html()} <div class="toolParamHelp" style="clear: both;"> - ${select_help} + ${select_help|h} </div></div><div style="clear: both"></div> %else: - <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/> + <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/> %endif <div class="form-row"><input type="submit" name="select_shed_tool_panel_config_button" value="Install"/> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/select_tool_panel_section.mako --- a/templates/admin/tool_shed_repository/select_tool_panel_section.mako +++ b/templates/admin/tool_shed_repository/select_tool_panel_section.mako @@ -111,16 +111,16 @@ <label>Shed tool configuration file:</label> ${shed_tool_conf_select_field.get_html()} <div class="toolParamHelp" style="clear: both;"> - ${select_help} + ${select_help|h} </div></div><div style="clear: both"></div> %else: - <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/> + <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/> %endif <div class="form-row"><label>Add new tool panel section:</label> - <input name="new_tool_panel_section_label" type="textfield" value="${new_tool_panel_section_label}" size="40"/> + <input name="new_tool_panel_section_label" type="textfield" value="${new_tool_panel_section_label|h}" size="40"/><div class="toolParamHelp" style="clear: both;"> Add a new tool panel section to contain the installed tools (optional). </div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako --- a/templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako +++ b/templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako 
@@ -43,10 +43,10 @@ install_dir = "This dependency's installation directory does not exist, click <b>Uninstall</b> to reset for installation." %><tr> - <td>${tool_dependency.name}</td> - <td>${tool_dependency.version}</td> - <td>${tool_dependency.type}</td> - <td>${install_dir}</td> + <td>${tool_dependency.name|h}</td> + <td>${tool_dependency.version|h}</td> + <td>${tool_dependency.type|h}</td> + <td>${install_dir|h}</td></tr> %endfor </table> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/view_tool_metadata.mako --- a/templates/admin/tool_shed_repository/view_tool_metadata.mako +++ b/templates/admin/tool_shed_repository/view_tool_metadata.mako @@ -11,7 +11,7 @@ %if tool_metadata: <p/><div class="toolForm"> - <div class="toolFormTitle">${tool_metadata[ 'name' ]} tool metadata</div> + <div class="toolFormTitle">${tool_metadata[ 'name' ]|h} tool metadata</div><div class="toolFormBody"><div class="form-row"><table width="100%"> 
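Review bot: Escaping `install_dir` breaks the fallback assigned just above it: when the directory is missing, `install_dir` holds the literal string `This dependency's installation directory does not exist, click <b>Uninstall</b> to reset for installation.`, and `${install_dir|h}` now shows the `<b>` tags as visible text. The path must be escaped but the message must not, so keep them apart: have the `<% %>` block leave `install_dir` as `None` in the missing case and choose the output in the template. The `<% %>` block that computes `install_dir` starts outside the hunk.
```mako
## … unchanged: <% %> block locating the installation directory (starts outside the hunk) …
        install_dir = None
    %>
    <tr>
        ## … unchanged: name / version / type cells …
        <td>
            %if install_dir:
                ${install_dir|h}
            %else:
                This dependency's installation directory does not exist, click <b>Uninstall</b> to reset for installation.
            %endif
        </td>
    </tr>
```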
@@ -20,41 +20,41 @@ </div><div class="form-row"><label>Name:</label> - ${tool_metadata[ 'name' ]} + ${tool_metadata[ 'name' ]|h} <div style="clear: both"></div></div> %if 'description' in tool_metadata: <div class="form-row"><label>Description:</label> - ${tool_metadata[ 'description' ]} + ${tool_metadata[ 'description' ]|h} <div style="clear: both"></div></div> %endif %if 'id' in tool_metadata: <div class="form-row"><label>Id:</label> - ${tool_metadata[ 'id' ]} + ${tool_metadata[ 'id' ]|h} <div style="clear: both"></div></div> %endif %if 'guid' in tool_metadata: <div class="form-row"><label>Guid:</label> - ${tool_metadata[ 'guid' ]} + ${tool_metadata[ 'guid' ]|h} <div style="clear: both"></div></div> %endif %if 'version' in tool_metadata: <div class="form-row"><label>Version:</label> - ${tool_metadata[ 'version' ]} + ${tool_metadata[ 'version' ]|h} <div style="clear: both"></div></div> %endif %if 'version_string_cmd' in tool_metadata: <div class="form-row"><label>Version command string:</label> - ${tool_metadata[ 'version_string_cmd' ]} + ${tool_metadata[ 'version_string_cmd' ]|h} <div style="clear: both"></div></div> %endif @@ -70,9 +70,9 @@ <tr><td> %if guid == tool_metadata[ 'guid' ]: - ${guid} <b>(this tool)</b> + ${guid|h} <b>(this tool)</b> %else: - ${guid} + ${guid|h} %endif </td></tr> @@ -109,9 +109,9 @@ requirement_type = requirement_dict[ 'type' ] or 'not provided' %><tr> - <td>${requirement_name}</td> - <td>${requirement_version}</td> - <td>${requirement_type}</td> + <td>${requirement_name|h}</td> + <td>${requirement_version|h}</td> + <td>${requirement_type|h}</td></tr> %endfor </table> 
@@ -130,27 +130,27 @@ </div><div class="form-row"><label>Command:</label> - <pre>${tool.command}</pre> + <pre>${tool.command|h}</pre><div style="clear: both"></div></div><div class="form-row"><label>Interpreter:</label> - ${tool.interpreter} + ${tool.interpreter|h} <div style="clear: both"></div></div><div class="form-row"><label>Is multi-byte:</label> - ${tool.is_multi_byte} + ${tool.is_multi_byte|h} <div style="clear: both"></div></div><div class="form-row"><label>Forces a history refresh:</label> - ${tool.force_history_refresh} + ${tool.force_history_refresh|h} <div style="clear: both"></div></div><div class="form-row"><label>Parallelism:</label> - ${tool.parallelism} + ${tool.parallelism|h} <div style="clear: both"></div></div> %endif @@ -181,20 +181,20 @@ required_files = test_dict[ 'required_files' ] %><tr> - <td>${test_dict[ 'name' ]}</td> + <td>${test_dict[ 'name' ]|h}</td><td> %for input in inputs: - <b>${input[0]}:</b> ${input[1]}<br/> + <b>${input[0]|h}:</b> ${input[1]|h}<br/> %endfor </td><td> %for output in outputs: - <b>${output[0]}:</b> ${output[1]}<br/> + <b>${output[0]|h}:</b> ${output[1]|h}<br/> %endfor </td><td> %for required_file in required_files: - ${required_file}<br/> + ${required_file|h}<br/> %endfor </td></tr> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/tool_shed_repository/view_workflow.mako --- a/templates/admin/tool_shed_repository/view_workflow.mako +++ b/templates/admin/tool_shed_repository/view_workflow.mako 
@@ -17,7 +17,7 @@ <%def name="render_workflow( workflow_name, repository_id )"><% center_url = h.url_for( controller='admin_toolshed', action='generate_workflow_image', workflow_name=tool_shed_encode( workflow_name ), repository_id=repository_id ) %> - <iframe name="workflow_image" id="workflow_image" frameborder="0" style="position: absolute; width: 100%; height: 100%;" src="${center_url}"></iframe> + <iframe name="workflow_image" id="workflow_image" frameborder="0" style="position: absolute; width: 100%; height: 100%;" src="${center_url|h}"></iframe></%def> ${render_galaxy_repository_actions( repository )} diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/user/reset_password.mako --- a/templates/admin/user/reset_password.mako +++ b/templates/admin/user/reset_password.mako @@ -13,7 +13,7 @@ %for user in users: <div class="form-row"><label>Email:</label> - ${user.email} + ${user.email|h} <div style="clear: both"></div></div> %endfor diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/user/user.mako --- a/templates/admin/user/user.mako +++ b/templates/admin/user/user.mako @@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> 
@@ -48,29 +48,29 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">User '${user.email}'</div> + <div class="toolFormTitle">User '${user.email|h}'</div><div class="toolFormBody"><form name="associate_user_role_group" id="associate_user_role_group" action="${h.url_for(controller='admin', action='manage_roles_and_groups_for_user', id=trans.security.encode_id( user.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Roles associated with '${user.email}'</label> + <label>Roles associated with '${user.email|h}'</label> ${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div> - <label>Roles not associated with '${user.email}'</label> + <label>Roles not associated with '${user.email|h}'</label> ${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Groups associated with '${user.email}'</label> + <label>Groups associated with '${user.email|h}'</label> ${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div> - <label>Groups not associated with '${user.email}'</label> + <label>Groups not associated with '${user.email|h}'</label> ${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/admin/view_datatypes_registry.mako --- a/templates/admin/view_datatypes_registry.mako +++ b/templates/admin/view_datatypes_registry.mako 
@@ -37,16 +37,16 @@ %else: <tr class="tr"> %endif - <td>${datatype.extension}</td> - <td>${datatype.dtype}</td> + <td>${datatype.extension|h}</td> + <td>${datatype.dtype|h}</td><td> %if datatype.mimetype: - ${datatype.mimetype} + ${datatype.mimetype|h} %endif </td><td> %if datatype.display_in_upload: - ${datatype.display_in_upload} + ${datatype.display_in_upload|h} %endif </td></tr> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/base.mako --- a/templates/base.mako +++ b/templates/base.mako @@ -39,7 +39,7 @@ <script> Raven.config('${app.config.sentry_dsn_public}').install(); %if trans.user: - Raven.setUser( { email: "${trans.user.email}" } ); + Raven.setUser( { email: "${trans.user.email|h}" } ); %endif </script> %endif diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/galaxy_client_app.mako --- a/templates/galaxy_client_app.mako +++ b/templates/galaxy_client_app.mako @@ -70,11 +70,12 @@ ## Return a dictionary of user or anonymous user data including: ## email, id, disk space used, quota percent, and tags used <% + from markupsafe import escape user_dict = {} try: if trans.user: user_dict = trans.user.to_dict( view='element', - value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float } ) + value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float, 'email': escape, 'username': escape } ) user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans ) user_dict[ 'is_admin' ] = trans.user_is_admin() diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/user/index.mako --- a/templates/user/index.mako +++ b/templates/user/index.mako 
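Review bot: `|h` is an HTML-context escape applied inside a JavaScript string literal (`Raven.setUser( { email: "${trans.user.email|h}" } );`); entities are not decoded inside `<script>`, so an address containing `&` reaches Sentry as `&amp;...`, and a backslash or newline in the value would still terminate or corrupt the literal even though `"`, `<` and `>` are now neutralised. The safe form is a JS/JSON encoding of the value, e.g. `<% import json %>` and `Raven.setUser( { email: ${json.dumps( trans.user.email ).replace( '<', '\\u003c' )} } );`, which emits a quoted literal and keeps `</script>` out of the output. The identical line in galaxy.panels.mako has the same problem.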
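Review bot: HTML-escaping `email` and `username` through the new `value_mapper` entries bakes output encoding into `user_dict`, which this def describes as a dictionary of user data for the client; if that dictionary is JSON-serialized for the JavaScript application (its return is outside the hunk), the client receives `&amp;` and `&#39;` as the literal values and any code that inserts them as text or compares them with API responses sees mangled data. Escaping belongs at the DOM insertion point, which is exactly why the follow-up commit reverts the same mapping in the users API controller, so the two code paths now disagree on whether `email` is raw. Suggest dropping the two mappers here, or at minimum stating the contract: `## NOTE: email/username are HTML-escaped here, unlike /api/users; the client must not escape them again.`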
@@ -2,7 +2,7 @@ %if trans.user: <h2>${_('User preferences')}</h2> - <p>You are currently logged in as ${trans.user.email}.</p> + <p>You are currently logged in as ${trans.user.email|h}.</p><ul> %if t.webapp.name == 'galaxy': %if not trans.app.config.use_remote_user: diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/webapps/galaxy/admin/tool_sheds.mako --- a/templates/webapps/galaxy/admin/tool_sheds.mako +++ b/templates/webapps/galaxy/admin/tool_sheds.mako @@ -22,7 +22,7 @@ <tr class="libraryTitle"><td><div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${shed_id}-popup"> - <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">${name}</a> + <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">${name|h}</a></div><div popupmenu="dataset-${shed_id}-popup"><a class="action-button" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">Browse valid repositories</a> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/webapps/galaxy/dataset/errors.mako --- a/templates/webapps/galaxy/dataset/errors.mako +++ b/templates/webapps/galaxy/dataset/errors.mako @@ -95,7 +95,7 @@ <input type="hidden" name="id" value="${trans.security.encode_id( hda.id)}" /><div class="form-row"><label>Your email</label> - <input type="text" name="email" size="40" value="${user_email}" /> + <input type="text" name="email" size="40" value="${user_email|h}" /></div><div class="form-row"><label>Message</label> diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/webapps/galaxy/galaxy.masthead.mako --- a/templates/webapps/galaxy/galaxy.masthead.mako +++ b/templates/webapps/galaxy/galaxy.masthead.mako 
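Review bot: `shed_id` is still interpolated raw twice in this hunk (`id="dataset-${shed_id}-popup"` and `popupmenu="dataset-${shed_id}-popup"`) while `name` on the same line gains `|h`. Its origin is outside the hunk; if it is a loop counter the omission is harmless, but if it is derived from the configured tool shed entry it should get the same treatment, `id="dataset-${shed_id|h}-popup"`, and likewise for the `popupmenu` attribute. `url` passed through `h.url_for( ..., tool_shed_url=url )` is query-encoded by the helper and needs no change.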
@@ -3,6 +3,7 @@ ## masthead head generator <%def name="load(active_view = None)"><% + from markupsafe import escape ## get configuration masthead_config = { ## inject configuration @@ -32,7 +33,7 @@ ## user details 'user' : { 'requests' : bool(trans.user and (trans.user.requests or trans.app.security_agent.get_accessible_request_types(trans, trans.user))), - 'email' : trans.user.email if (trans.user) else "", + 'email' : escape( trans.user.email ) if (trans.user) else "", 'valid' : bool(trans.user != None), 'json' : get_user_dict() } diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/webapps/galaxy/galaxy.panels.mako --- a/templates/webapps/galaxy/galaxy.panels.mako +++ b/templates/webapps/galaxy/galaxy.panels.mako @@ -49,7 +49,7 @@ <script> Raven.config('${app.config.sentry_dsn_public}').install(); %if trans.user: - Raven.setUser( { email: "${trans.user.email}" } ); + Raven.setUser( { email: "${trans.user.email|h}" } ); %endif </script> %endif diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 templates/webapps/tool_shed/base_panels.mako --- a/templates/webapps/tool_shed/base_panels.mako +++ b/templates/webapps/tool_shed/base_panels.mako @@ -91,7 +91,8 @@ %> ## User tabs. - <% + <% + from markupsafe import escape # Menu for user who is not logged in. menu_options = [ [ _("Login"), h.url_for( controller='/user', action='login' ), "galaxy_main" ] ] if app.config.allow_user_creation: 
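Review bot: `'email' : escape( trans.user.email )` stores an HTML-escaped string in `masthead_config`, a data dictionary; if that dictionary is serialized to JSON for the client-side masthead (its consumer is outside the hunk), the JavaScript receives `&amp;`/`&#39;` as the address and will double-escape or misdisplay it wherever it inserts the value as text. Escaping should happen where the value is written into the DOM, so either restore `'email' : trans.user.email if (trans.user) else "",` and escape in the client, or document the contract next to it: `## email is pre-escaped for innerHTML use; do not escape again client-side.`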
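Review bot: Same context mismatch as in base.mako: `|h` HTML-escapes the value inside a JS string literal in `Raven.setUser( { email: "${trans.user.email|h}" } );`, so `&` in an address is sent to Sentry as `&amp;` while a backslash or newline in the value still breaks the literal. Encode it as a JS literal instead, e.g. `Raven.setUser( { email: ${json.dumps( trans.user.email ).replace( '<', '\\u003c' )} } );` with `<% import json %>` in scope.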
@@ -101,7 +102,7 @@ tab( "user", _("User"), None, visible=visible, menu_options=menu_options ) # Menu for user who is logged in. if trans.user: - email = trans.user.email + email = escape( trans.user.email ) else: email = "" menu_options = [ [ '<a>Logged in as <span id="user-email">%s</span></a>' % email ] ] https://bitbucket.org/galaxy/galaxy-central/commits/ad38faf1b0b6/ Changeset: ad38faf1b0b6 Branch: stable User: davebgx Date: 2014-12-10 17:49:42+00:00 Summary: Revert html escaping in API controller, per input on pull request. Affected #: 1 file diff -r a4b74b3d6f0d14a38a3f17c2a437b8968563a114 -r ad38faf1b0b6768c31ed972ad5434079a2cd1225 lib/galaxy/webapps/galaxy/api/users.py --- a/lib/galaxy/webapps/galaxy/api/users.py +++ b/lib/galaxy/webapps/galaxy/api/users.py @@ -11,7 +11,6 @@ from galaxy.web.base.controller import BaseAPIController, UsesTagsMixin from galaxy.web.base.controller import CreatesApiKeysMixin from galaxy.web.base.controller import CreatesUsersMixin -from markupsafe import escape log = logging.getLogger( __name__ ) @@ -39,10 +38,10 @@ query = query.filter( trans.app.model.User.table.c.deleted == False ) # noqa # special case: user can see only their own user if not trans.user_is_admin(): - item = trans.user.to_dict( value_mapper={ 'id': trans.security.encode_id, 'email': escape } ) + item = trans.user.to_dict( value_mapper={ 'id': trans.security.encode_id } ) return [item] for user in query: - item = user.to_dict( value_mapper={ 'id': trans.security.encode_id, 'email': escape } ) + item = user.to_dict( value_mapper={ 'id': trans.security.encode_id } ) # TODO: move into api_values rval.append( item ) return rval 
@@ -79,9 +78,7 @@ else: raise HTTPBadRequest( detail='Invalid user id ( %s ) specified' % id ) item = user.to_dict( view='element', value_mapper={ 'id': trans.security.encode_id, - 'total_disk_usage': float, - 'email': escape, - 'username': escape } ) + 'total_disk_usage': float } ) # add a list of tags used by the user (as strings) item[ 'tags_used' ] = self.get_user_tags_used( trans, user=user ) # TODO: move into api_values (needs trans, tho - can we do that with api_keys/@property??) https://bitbucket.org/galaxy/galaxy-central/commits/f0f1f78b54c5/ Changeset: f0f1f78b54c5 Branch: stable User: dannon Date: 2014-12-11 14:50:35+00:00 Summary: Merged in davebgx/galaxy-central/stable (pull request #603) [STABLE] Escape anything that could be user input in my assigned mako templates, add markupsafe.escape to username and email in users API controller. Affected #: 46 files diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/group/group.mako --- a/templates/admin/dataset_security/group/group.mako +++ b/templates/admin/dataset_security/group/group.mako @@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> 
@@ -48,29 +48,29 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Group '${group.name}'</div> + <div class="toolFormTitle">Group '${group.name|h}'</div><div class="toolFormBody"><form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='manage_users_and_roles_for_group', id=trans.security.encode_id( group.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Roles associated with '${group.name}'</label> + <label>Roles associated with '${group.name|h}'</label> ${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div> - <label>Roles not associated with '${group.name}'</label> + <label>Roles not associated with '${group.name|h}'</label> ${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Users associated with '${group.name}'</label> + <label>Users associated with '${group.name|h}'</label> ${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div> - <label>Users not associated with '${group.name}'</label> + <label>Users not associated with '${group.name|h}'</label> ${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/group/group_create.mako --- a/templates/admin/dataset_security/group/group_create.mako +++ b/templates/admin/dataset_security/group/group_create.mako 
@@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> @@ -60,7 +60,7 @@ <form name="associate_group_role_user" id="associate_group_role_user" action="${h.url_for(controller='admin', action='create_group' )}" method="post" ><div class="form-row"><label>Name:</label> - <input name="name" type="textfield" value="${name}" size=40"/> + <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;"> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/group/group_rename.mako --- a/templates/admin/dataset_security/group/group_rename.mako +++ b/templates/admin/dataset_security/group/group_rename.mako @@ -12,7 +12,7 @@ <div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;"> - <input type="text" name="name" value="${group.name}" size="40"/> + <input type="text" name="name" value="${group.name|h}" size="40"/></div><div style="clear: both"></div></div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/role/role.mako --- a/templates/admin/dataset_security/role/role.mako +++ b/templates/admin/dataset_security/role/role.mako 
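Review bot: The rewritten input has a stray quote in `size=40"/>` (`<input name="name" type="textfield" value="${name|h}" size=40"/>`): the attribute value is unquoted on the left and the trailing `"` becomes junk the parser has to recover from. Since the line is being edited anyway, make it `<input name="name" type="textfield" value="${name|h}" size="40"/>`. The same `size=40"` appears in role_create.mako and role_rename.mako in this commit.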
@@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> @@ -48,29 +48,29 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Role '${role.name}'</div> + <div class="toolFormTitle">Role '${role.name|h}'</div><div class="toolFormBody"><form name="associate_role_user_group" id="associate_role_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_role', id=trans.security.encode_id( role.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Users associated with '${role.name}'</label> + <label>Users associated with '${role.name|h}'</label> ${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div> - <label>Users not associated with '${role.name}'</label> + <label>Users not associated with '${role.name|h}'</label> ${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Groups associated with '${role.name}'</label> + <label>Groups associated with '${role.name|h}'</label> ${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div> - <label>Groups not associated with '${role.name}'</label> + <label>Groups not associated with '${role.name|h}'</label> ${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div> 
@@ -84,7 +84,7 @@ <br clear="left"/><br/> %if len( library_dataset_actions ) > 0: - <h3>Data library datasets associated with role '${role.name}'</h3> + <h3>Data library datasets associated with role '${role.name|h}'</h3><table class="manage-table colored" border="0" cellspacing="0" cellpadding="0" width="100%"><tr><td> @@ -92,16 +92,16 @@ %for ctr, library, in enumerate( library_dataset_actions.keys() ): <li><img src="${h.url_for( '/static/images/silk/book_open.png' )}" class="rowIcon"/> - ${library.name} + ${library.name|h} <ul> %for folder_path, permissions in library_dataset_actions[ library ].items(): <li><img src="/static/images/silk/folder_page.png" class="rowIcon"/> - ${folder_path} + ${folder_path|h} <ul> % for permission in permissions: <ul> - <li>${permission}</li> + <li>${permission|h}</li></ul> %endfor </ul> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/role/role_create.mako --- a/templates/admin/dataset_security/role/role_create.mako +++ b/templates/admin/dataset_security/role/role_create.mako @@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> 
@@ -60,11 +60,11 @@ <form name="associate_role_group_user" id="associate_role_group_user" action="${h.url_for(controller='admin', action='create_role' )}" method="post" ><div class="form-row"><label>Name:</label> - <input name="name" type="textfield" value="${name}" size=40"/> + <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label> - <input name="description" type="textfield" value="${description}" size=40"/> + <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><div style="float: left; margin-right: 10px;"> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/dataset_security/role/role_rename.mako --- a/templates/admin/dataset_security/role/role_rename.mako +++ b/templates/admin/dataset_security/role/role_rename.mako @@ -12,14 +12,14 @@ <div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;"> - <input type="text" name="name" value="${role.name}" size="40"/> + <input type="text" name="name" value="${role.name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;"> - <input name="description" type="textfield" value="${role.description}" size=40"/> + <input name="description" type="textfield" value="${role.description|h}" size=40"/></div><div style="clear: both"></div></div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/external_service/create_external_service.mako --- a/templates/admin/external_service/create_external_service.mako +++ b/templates/admin/external_service/create_external_service.mako 
@@ -12,10 +12,10 @@ %if widgets: %for i, field in enumerate( widgets ): <div class="form-row"> - <label>${field['label']}:</label> + <label>${field['label']|h}:</label> ${field['widget'].get_html()} <div class="toolParamHelp" style="clear: both;"> - ${field['helptext']} + ${field['helptext']|h} </div><div style="clear: both"></div></div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/external_service/edit_external_service.mako --- a/templates/admin/external_service/edit_external_service.mako +++ b/templates/admin/external_service/edit_external_service.mako @@ -25,10 +25,10 @@ <div class="toolFormTitle">Edit external service</div> %for i, field in enumerate( widgets ): <div class="form-row"> - <label>${field['label']}:</label> + <label>${field['label']|h}:</label> ${field['widget'].get_html()} <div class="toolParamHelp" style="clear: both;"> - ${field['helptext']} + ${field['helptext']|h} </div><div style="clear: both"></div></div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/jobs.mako --- a/templates/admin/jobs.mako +++ b/templates/admin/jobs.mako @@ -63,12 +63,12 @@ </td><td>${job.id}</td> %if job.history and job.history.user: - <td>${job.history.user.email}</td> + <td>${job.history.user.email|h}</td> %else: <td>anonymous</td> %endif <td>${last_updated[job.id]} ago</td> - <td>${job.tool_id}</td> + <td>${job.tool_id|h}</td><td>${job.state}</td><% try: @@ -77,8 +77,8 @@ inputs = 'Unable to determine inputs' %><td>${inputs}</td> - <td>${job.command_line}</td> - <td>${job.job_runner_name}</td> + <td>${job.command_line|h}</td> + <td>${job.job_runner_name|h}</td><td>${job.job_runner_external_id}</td></tr> %endfor 
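Review bot: In the @@ -77 hunk of jobs.mako `<td>${job.job_runner_external_id}</td>` is left unescaped, while the parallel row of the second table (@@ -145, next line of this diff) escapes it in the same commit; make it `<td>${job.job_runner_external_id|h}</td>`. Both tables also emit `${job.state}` and `${inputs}` without `|h`; `inputs` is built in a `<% try:` block that the hunk cuts off, so if it incorporates dataset or parameter names it needs escaping too. The external-service hunks earlier on this line emit `${field['widget'].get_html()}` raw, which is presumably intentional since it is generated markup rather than user text.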
@@ -131,12 +131,12 @@ %for job in recent_jobs: <td><a href="${h.url_for( controller="admin", action="job_info" )}?jobid=${job.id}">${job.id}</a></td> %if job.history and job.history.user: - <td>${job.history.user.email}</td> + <td>${job.history.user.email|h}</td> %else: <td>anonymous</td> %endif <td>${finished[job.id]} ago</td> - <td>${job.tool_id}</td> + <td>${job.tool_id|h}</td><td>${job.state}</td><% try: @@ -145,9 +145,9 @@ inputs = 'Unable to determine inputs' %><td>${inputs}</td> - <td>${job.command_line}</td> - <td>${job.job_runner_name}</td> - <td>${job.job_runner_external_id}</td> + <td>${job.command_line|h}</td> + <td>${job.job_runner_name|h}</td> + <td>${job.job_runner_external_id|h}</td></tr> %endfor </table> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/memdump.mako --- a/templates/admin/memdump.mako +++ b/templates/admin/memdump.mako @@ -55,7 +55,7 @@ <br/> You are here: ${breadcrumb}<br/> %if breadcrumb.endswith( 'theone' ): - ${heap} + ${heap|h} %else: <nobr> Sort: diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/package_tool.mako --- a/templates/admin/package_tool.mako +++ b/templates/admin/package_tool.mako @@ -28,9 +28,9 @@ <select name="tool_id"> %for key, val in toolbox.tool_panel.items(): %if isinstance( val, Tool ): - <option value="${val.id}">${val.name}</option> + <option value="${val.id|h}">${val.name|h}</option> %elif isinstance( val, ToolSection ): - <optgroup label="${val.name}"> + <optgroup label="${val.name|h}"><% section = val %> %for section_key, section_val in section.elems.items(): %if isinstance( section_val, Tool ): 
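Review bot: In the memdump.mako hunk `${heap|h}` is now escaped but the context line just above, `You are here: ${breadcrumb}`, is not; the `breadcrumb.endswith( 'theone' )` test suggests it is assembled from a request parameter, in which case it needs `|h` as well: `You are here: ${breadcrumb|h}<br/>`. Where `breadcrumb` is assigned is not visible here, so this is worth confirming against the controller.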
@@ -38,7 +38,7 @@ %if section_val.id == tool_id: <% selected_str = " selected=\"selected\"" %> %endif - <option value="${section_val.id}"${selected_str}>${section_val.name}</option> + <option value="${section_val.id|h}"${selected_str}>${section_val.name|h}</option> %endif %endfor %endif diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota.mako --- a/templates/admin/quota/quota.mako +++ b/templates/admin/quota/quota.mako @@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> 
@@ -48,29 +48,29 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Quota '${name}'</div> + <div class="toolFormTitle">Quota '${name|h}'</div><div class="toolFormBody"><form name="associate_quota_user_group" id="associate_quota_user_group" action="${h.url_for(controller='admin', action='manage_users_and_groups_for_quota', id=id )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Users associated with '${name}'</label> + <label>Users associated with '${name|h}'</label> ${render_select( "in_users", in_users )}<br/><input type="submit" id="users_remove_button" value=">>"/></div><div> - <label>Users not associated with '${name}'</label> + <label>Users not associated with '${name|h}'</label> ${render_select( "out_users", out_users )}<br/><input type="submit" id="users_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Groups associated with '${name}'</label> + <label>Groups associated with '${name|h}'</label> ${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div> - <label>Groups not associated with '${name}'</label> + <label>Groups not associated with '${name|h}'</label> ${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota_create.mako --- a/templates/admin/quota/quota_create.mako +++ b/templates/admin/quota/quota_create.mako 
@@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> @@ -69,15 +69,15 @@ <form name="associate_quota_group_user" id="associate_quota_group_user" action="${h.url_for(controller='admin', action='create_quota' )}" method="post" ><div class="form-row"><label>Name:</label> - <input name="name" type="textfield" value="${name}" size=40"/> + <input name="name" type="textfield" value="${name|h}" size=40"/></div><div class="form-row"><label>Description:</label> - <input name="description" type="textfield" value="${description}" size=40"/> + <input name="description" type="textfield" value="${description|h}" size=40"/></div><div class="form-row"><label>Amount</label> - <input name="amount" type="textfield" value="${amount}" size=40"/> + <input name="amount" type="textfield" value="${amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;"> Examples: "10000MB", "99 gb", "0.2T", "unlimited" </div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota_edit.mako --- a/templates/admin/quota/quota_edit.mako +++ b/templates/admin/quota/quota_edit.mako @@ -29,7 +29,7 @@ <input name="id" type="hidden" value="${id}"/><div class="form-row"><label>Amount</label> - <input name="amount" type="textfield" value="${display_amount}" size=40"/> + <input name="amount" type="textfield" value="${display_amount|h}" size=40"/><div class="toolParamHelp" style="clear: both;"> Examples: "10000MB", "99 gb", "0.2T", "unlimited" </div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/quota/quota_rename.mako 
--- a/templates/admin/quota/quota_rename.mako +++ b/templates/admin/quota/quota_rename.mako @@ -21,14 +21,14 @@ <div class="form-row"><label>Name:</label><div style="float: left; width: 250px; margin-right: 10px;"> - <input type="text" name="name" value="${name}" size="40"/> + <input type="text" name="name" value="${name|h}" size="40"/></div><div style="clear: both"></div></div><div class="form-row"><label>Description:</label><div style="float: left; width: 250px; margin-right: 10px;"> - <input name="description" type="textfield" value="${description}" size=40"/> + <input name="description" type="textfield" value="${description|h}" size=40"/></div><div style="clear: both"></div></div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/reload_tool.mako --- a/templates/admin/reload_tool.mako +++ b/templates/admin/reload_tool.mako @@ -28,9 +28,9 @@ <select name="tool_id"> %for key, val in toolbox.tool_panel.items(): %if isinstance( val, Tool ): - <option value="${val.id}">${val.name}</option> + <option value="${val.id}">${val.name|h}</option> %elif isinstance( val, ToolSection ): - <optgroup label="${val.name}"> + <optgroup label="${val.name|h}"><% section = val %> %for section_key, section_val in section.elems.items(): %if isinstance( section_val, Tool ): @@ -38,7 +38,7 @@ %if section_val.id == tool_id: <% selected_str = " selected=\"selected\"" %> %endif - <option value="${section_val.id}"${selected_str}>${section_val.name}</option> + <option value="${section_val.id}"${selected_str}>${section_val.name|h}</option> %endif %endfor %endif diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/review_tool_migration_stages.mako --- a/templates/admin/review_tool_migration_stages.mako +++ b/templates/admin/review_tool_migration_stages.mako 
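Review bot: reload_tool.mako's new lines escape `val.name` but leave `${val.id}` and `${section_val.id}` inside `value="…"` unescaped, whereas the structurally identical package_tool.mako hunks earlier in this diff escape both; `<option value="${val.id|h}">${val.name|h}</option>` and `<option value="${section_val.id|h}"${selected_str}>${section_val.name|h}</option>`. Tool ids come from tool configs rather than request input, so this is a consistency gap rather than a known injection point, but an attribute value is still an HTML context and the two templates should agree.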
@@ -4,7 +4,9 @@ %if message: ${render_msg( message, status )} %endif - +<% +from markupsafe import escape +%><div class="toolForm"><div class="toolFormTitle">Tool migrations that can be performed on this Galaxy instance</div><div class="toolFormBody"> @@ -51,7 +53,7 @@ repository_names.sort() repository_names = ', '.join( repository_names ) %> - <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names}</b></td></tr> + <tr><td bgcolor="#D8D8D8"><b>Tool migration stage ${stage} - repositories: ${repository_names|h}</b></td></tr><tr><td bgcolor="#FFFFCC"><div class="form-row"> @@ -59,11 +61,11 @@ <p> %if tool_dependencies: This migration stage includes tools that have tool dependencies that can be automatically installed. To install them, run:<br/> - <b>${install_dependencies}</b><br/><br/> + <b>${install_dependencies|h}</b><br/><br/> To skip tool dependency installation run:<br/> - <b>${migration_command}</b> + <b>${migration_command|h}</b> %else: - <b>${migration_command}</b> + <b>${migration_command|h}</b> %endif </p></div> @@ -74,7 +76,7 @@ <tr><td bgcolor="#DADFEF"><div class="form-row"> - <b>Repository:</b> ${repository_name} + <b>Repository:</b> ${repository_name|h} </div></td></tr> @@ -88,10 +90,10 @@ </tr> %for tool_dependencies_tup in tool_dependencies: <% - tool_dependency_name = tool_dependencies_tup[0] - tool_dependency_version = tool_dependencies_tup[1] - tool_dependency_type = tool_dependencies_tup[2] - installation_requirements = tool_dependencies_tup[3].replace( '\n', '<br/>' ) + tool_dependency_name = escape( tool_dependencies_tup[0] ) + tool_dependency_version = escape( tool_dependencies_tup[1] ) + tool_dependency_type = escape( tool_dependencies_tup[2] ) + installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' ) %><tr><td> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/browse_repository.mako 
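Review bot: `installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', '<br/>' )` no longer inserts line breaks: `escape()` returns a `markupsafe.Markup`, and `Markup.replace` escapes its arguments, so the replacement becomes the literal text `&lt;br/&gt;`. Keep the escaping but mark the replacement as safe markup: `from markupsafe import escape, Markup` and `installation_requirements = escape( tool_dependencies_tup[3] ).replace( '\n', Markup( '<br/>' ) )`. The place where `installation_requirements` is rendered is outside the hunk; it is worth checking that the value is not put through a second escaping pass there, or the `<br/>` is lost again.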
--- a/templates/admin/tool_shed_repository/browse_repository.mako +++ b/templates/admin/tool_shed_repository/browse_repository.mako @@ -21,7 +21,7 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Browse ${repository.name} revision ${repository.changeset_revision} files</div> + <div class="toolFormTitle">Browse ${repository.name|h} revision ${repository.changeset_revision} files</div><div class="toolFormBody"><div class="form-row" ><label>Contents:</label> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/browse_tool_dependency.mako --- a/templates/admin/tool_shed_repository/browse_tool_dependency.mako +++ b/templates/admin/tool_shed_repository/browse_tool_dependency.mako 
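Review bot: The rewritten title line in browse_repository.mako escapes `repository.name` but leaves `${repository.changeset_revision}` raw, while browse_tool_dependency.mako in the next hunk escapes the same attribute; for consistency use `<div class="toolFormTitle">Browse ${repository.name|h} revision ${repository.changeset_revision|h} files</div>`.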
@@ -23,33 +23,33 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name} installation directory</div> + <div class="toolFormTitle">Browse tool dependency ${tool_dependency.name|h} installation directory</div><div class="toolFormBody"><div class="form-row" ><label>Tool shed repository:</label> - ${repository.name} + ${repository.name|h} <div style="clear: both"></div></div><div class="form-row" ><label>Tool shed repository changeset revision:</label> - ${repository.changeset_revision} + ${repository.changeset_revision|h} <div style="clear: both"></div></div><div class="form-row" ><label>Tool dependency status:</label> - ${tool_dependency.status} + ${tool_dependency.status|h} <div style="clear: both"></div></div> %if tool_dependency.in_error_state: <div class="form-row" ><label>Tool dependency installation error:</label> - ${tool_dependency.error_message} + ${tool_dependency.error_message|h} <div style="clear: both"></div></div> %endif <div class="form-row" ><label>Tool dependency installation directory:</label> - ${tool_dependency.installation_directory( trans.app )} + ${tool_dependency.installation_directory( trans.app )|h} <div style="clear: both"></div></div><div class="form-row" > diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/common.mako --- a/templates/admin/tool_shed_repository/common.mako +++ b/templates/admin/tool_shed_repository/common.mako @@ -8,7 +8,7 @@ }); // --- Initialize sample trees $("#tree").dynatree({ - title: "${title_text}", + title: "${title_text|h}", rootVisible: true, minExpandLevel: 0, // 1: root node is not collapsible persist: false, 
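Review bot: `title: "${title_text|h}",` in common.mako applies HTML escaping inside what appears to be a JavaScript string literal (the hunk sits in the `$("#tree").dynatree({` call), which is the wrong escaping context: entities are not decoded inside a script block, so a title containing `&`, `<` or `"` is displayed with the entity text, and `h` does nothing about a backslash or line terminator that would end the literal. The same applies to `folder_path: "${directory_path|h}"` and `selected_value = "${directory_path|h}/"` in the next hunks, where the entity-encoded path is also what gets sent as the AJAX parameter. Emit these as JSON string literals instead, e.g. `title: ${json.dumps( title_text ).replace( '<', '\\u003c' )},` with `json` imported in a module-level `<%!` block, so the value is quoted for JavaScript and cannot close the script element.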
@@ -24,7 +24,7 @@ // initAjax is hard to fake, so we pass the children as object array: initAjax: {url: "${h.url_for( controller='admin_toolshed', action='open_folder' )}", dataType: "json", - data: { folder_path: "${directory_path}" }, + data: { folder_path: "${directory_path|h}" }, }, onLazyRead: function(dtnode){ dtnode.appendAjax({ @@ -45,7 +45,7 @@ var cell = $("#file_contents"); var selected_value; if (dtnode.data.key == 'root') { - selected_value = "${directory_path}/"; + selected_value = "${directory_path|h}/"; } else { selected_value = dtnode.data.key; }; @@ -81,6 +81,7 @@ line-break:strict; } </style><% + from markupsafe import escape class RowCounter( object ): def __init__( self ): self.count = 0 @@ -96,7 +97,7 @@ env_settings_heaader_row_displayed = False package_header_row_displayed = False if revision_label: - revision_label_str = ' revision <b>%s</b> of ' % str( revision_label ) + revision_label_str = ' revision <b>%s</b> of ' % escape( str( revision_label ) ) else: revision_label_str = ' ' %> @@ -104,7 +105,7 @@ <div class="toolParamHelp" style="clear: both;"><p> %if export: - The following additional repositories are required by${revision_label_str}the <b>${repository.name}</b> repository + The following additional repositories are required by${revision_label_str}the <b>${repository.name|h}</b> repository and they can be exported as well. %else: These dependencies can be automatically handled with${revision_label_str}the installed repository, providing significant diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako --- a/templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako +++ b/templates/admin/tool_shed_repository/deactivate_or_uninstall_repository.mako 
@@ -10,30 +10,30 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">${repository.name}</div> + <div class="toolFormTitle">${repository.name|h}</div><div class="toolFormBody"><form name="deactivate_or_uninstall_repository" id="deactivate_or_uninstall_repository" action="${h.url_for( controller='admin_toolshed', action='deactivate_or_uninstall_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><div class="form-row"><label>Description:</label> - ${repository.description} + ${repository.description|h} <div style="clear: both"></div></div><div class="form-row"><label>Revision:</label> - ${repository.changeset_revision}</a> + ${repository.changeset_revision|h}</a></div><div class="form-row"><label>Tool shed:</label> - ${repository.tool_shed} + ${repository.tool_shed|h} <div style="clear: both"></div></div><div class="form-row"><label>Owner:</label> - ${repository.owner} + ${repository.owner|h} </div><div class="form-row"><label>Deleted:</label> - ${repository.deleted} + ${repository.deleted|h} </div><div class="form-row"><% @@ -186,7 +186,7 @@ ##hack to mimic check box <input type="hidden" name="remove_from_disk" value="true"/><input type="hidden" name="remove_from_disk" value="true"/> %endif - <input type="submit" name="deactivate_or_uninstall_repository_button" value="${deactivate_uninstall_button_text}"/> + <input type="submit" name="deactivate_or_uninstall_repository_button" value="${deactivate_uninstall_button_text|h}"/></div></form></div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/initiate_repository_installation.mako --- a/templates/admin/tool_shed_repository/initiate_repository_installation.mako +++ b/templates/admin/tool_shed_repository/initiate_repository_installation.mako 
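Review bot: The rewritten revision line in deactivate_or_uninstall_repository.mako, `${repository.changeset_revision|h}</a>`, keeps a closing `</a>` with no opening anchor in the hunk; either drop it (`${repository.changeset_revision|h}`) or restore the link it once closed. The escaping change itself is correct for every value in this hunk.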
@@ -53,18 +53,18 @@ <td> %if link_to_manage_tool_dependencies: <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='manage_tool_dependencies', tool_dependency_ids=ids_of_tool_dependencies_missing_or_being_installed )}"> - ${tool_shed_repository.name} + ${tool_shed_repository.name|h} </a> %else: <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='manage_repository', id=encoded_repository_id )}"> - ${tool_shed_repository.name} + ${tool_shed_repository.name|h} </a> %endif </td><td>${tool_shed_repository.description}</td><td>${tool_shed_repository.owner}</td><td>${tool_shed_repository.changeset_revision}</td> - <td><div id="RepositoryStatus-${encoded_repository_id}">${tool_shed_repository.status}</div></td> + <td><div id="RepositoryStatus-${encoded_repository_id}">${tool_shed_repository.status|h}</div></td></tr> %endfor </table> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako --- a/templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako +++ b/templates/admin/tool_shed_repository/install_tool_dependencies_with_update.mako 
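Review bot: The context lines directly below the escaped name, `<td>${tool_shed_repository.description}</td>`, `<td>${tool_shed_repository.owner}</td>` and `<td>${tool_shed_repository.changeset_revision}</td>`, are still rendered raw in initiate_repository_installation.mako; a repository description is free text supplied by the tool shed, so these need `|h` just as `name` and `status` now do.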
@@ -20,12 +20,12 @@ <div class="toolForm"><div class="toolFormBody"><form name="install_tool_dependencies_with_update" id="install_tool_dependencies_with_update" action="${h.url_for( controller='admin_toolshed', action='install_tool_dependencies_with_update' )}" method="post" > - <input type="hidden" name="updating_repository_id" value="${updating_repository_id}"/> - <input type="hidden" name="updating_to_ctx_rev" value="${updating_to_ctx_rev}"/> - <input type="hidden" name="updating_to_changeset_revision" value="${updating_to_changeset_revision}"/> - <input type="hidden" name="encoded_updated_metadata" value="${encoded_updated_metadata}"/> - <input type="hidden" name="encoded_relative_install_dir" value="${encoded_relative_install_dir}"/> - <input type="hidden" name="encoded_tool_dependencies_dict" value="${encoded_tool_dependencies_dict}"/> + <input type="hidden" name="updating_repository_id" value="${updating_repository_id|h}"/> + <input type="hidden" name="updating_to_ctx_rev" value="${updating_to_ctx_rev|h}"/> + <input type="hidden" name="updating_to_changeset_revision" value="${updating_to_changeset_revision|h}"/> + <input type="hidden" name="encoded_updated_metadata" value="${encoded_updated_metadata|h}"/> + <input type="hidden" name="encoded_relative_install_dir" value="${encoded_relative_install_dir|h}"/> + <input type="hidden" name="encoded_tool_dependencies_dict" value="${encoded_tool_dependencies_dict|h}"/> %if tool_dependencies_dict: %if install_tool_dependencies_check_box is not None: <div class="form-row"> 
@@ -71,12 +71,12 @@ %> %if not os.path.exists( install_dir ): <tr> - <td>${key_name}</td> - <td>${key_version}</td> - <td>${install_dir}</td> + <td>${key_name|h}</td> + <td>${key_version|h}</td> + <td>${install_dir|h}</td></tr> %if readme_text: - <tr><td colspan="4" bgcolor="#FFFFCC">${key_name} ${key_version} requirements and installation information</td></tr> + <tr><td colspan="4" bgcolor="#FFFFCC">${key_name|h} ${key_version|h} requirements and installation information</td></tr><tr><td colspan="4"><pre>${readme_text}</pre></td></tr> %endif %endif diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/manage_repository.mako --- a/templates/admin/tool_shed_repository/manage_repository.mako +++ b/templates/admin/tool_shed_repository/manage_repository.mako 
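Review bot: `<tr><td colspan="4"><pre>${readme_text}</pre></td></tr>` remains unescaped right after the newly escaped `key_name`/`key_version` line; `<pre>` only preserves whitespace, it does not stop markup in the README from being interpreted, so the content should be `<pre>${readme_text|h}</pre>`. The README comes from the repository being installed, which is the same origin as the names this hunk escapes.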
@@ -22,50 +22,50 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Installed tool shed repository '${repository.name}'</div> + <div class="toolFormTitle">Installed tool shed repository '${repository.name|h}'</div><div class="toolFormBody"><form name="edit_repository" id="edit_repository" action="${h.url_for( controller='admin_toolshed', action='manage_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><div class="form-row"><label>Tool shed:</label> - ${repository.tool_shed} + ${repository.tool_shed|h} <div style="clear: both"></div></div><div class="form-row"><label>Name:</label> - ${repository.name} + ${repository.name|h} <div style="clear: both"></div></div><div class="form-row"><label>Description:</label> %if in_error_state: - ${description} + ${description|h} %else: - <input name="description" type="textfield" value="${description}" size="80"/> + <input name="description" type="textfield" value="${description|h}" size="80"/> %endif <div style="clear: both"></div></div><div class="form-row"><label>Revision:</label> - ${repository.changeset_revision} + ${repository.changeset_revision|h} </div><div class="form-row"><label>Owner:</label> - ${repository.owner} + ${repository.owner|h} </div> %if in_error_state: <div class="form-row"><label>Repository installation error:</label> - ${repository.error_message} + ${repository.error_message|h} </div> %else: <div class="form-row"><label>Location:</label> - ${repo_files_dir} + ${repo_files_dir|h} </div> %endif <div class="form-row"><label>Deleted:</label> - ${repository.deleted} + ${repository.deleted|h} </div> %if not in_error_state: <div class="form-row"> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako --- a/templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako 
+++ b/templates/admin/tool_shed_repository/manage_repository_tool_dependencies.mako @@ -20,7 +20,7 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Tool shed repository '${repository.name}' tool dependencies</div> + <div class="toolFormTitle">Tool shed repository '${repository.name|h}' tool dependencies</div><% can_install = False can_uninstall = False @@ -48,16 +48,16 @@ <td> %if tool_dependency.status not in [ trans.install_model.ToolDependency.installation_status.UNINSTALLED ]: <a target="galaxy_main" href="${h.url_for( controller='admin_toolshed', action='manage_repository_tool_dependencies', operation='browse', tool_dependency_ids=trans.security.encode_id( tool_dependency.id ), repository_id=trans.security.encode_id( repository.id ) )}"> - ${tool_dependency.name} + ${tool_dependency.name|h} </a> %else: - ${tool_dependency.name} + ${tool_dependency.name|h} %endif </td> - <td>${tool_dependency.version}</td> - <td>${tool_dependency.type}</td> - <td>${tool_dependency.status}</td> - <td>${error_message}</td> + <td>${tool_dependency.version|h}</td> + <td>${tool_dependency.type|h}</td> + <td>${tool_dependency.status|h}</td> + <td>${error_message|h}</td></tr> %endfor </table> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/purge_repository_confirmation.mako --- a/templates/admin/tool_shed_repository/purge_repository_confirmation.mako +++ b/templates/admin/tool_shed_repository/purge_repository_confirmation.mako 
@@ -19,14 +19,14 @@ <div class="warningmessage"><p> - Purging the repository named <b>${repository.name}</b> will result in deletion of all records for the + Purging the repository named <b>${repository.name|h}</b> will result in deletion of all records for the following associated items from the database. Click the <b>Purge</b> button to purge this repository and its associated items. </p></div><div class="toolForm"> - <div class="toolFormTitle">Purge tool shed repository <b>${repository.name}</b></div> + <div class="toolFormTitle">Purge tool shed repository <b>${repository.name|h}</b></div><form name="purge_repository" id="purge_repository" action="${h.url_for( controller='admin_toolshed', action='purge_repository', id=trans.security.encode_id( repository.id ) )}" method="post" ><% tool_versions = 0 
@@ -59,11 +59,11 @@ orphan_repository_dependency_records += 1 %><table class="grid"> - <tr><td>Tool version records</td><td>${tool_versions}</td><tr> - <tr><td>Tool dependency records</td><td>${tool_dependencies}</td><tr> - <tr><td>Repository dependency records</td><td>${required_repositories}</td><tr> - <tr><td>Orphan repository_repository_dependency_association records</td><td>${orphan_repository_repository_dependency_association_records}</td><tr> - <tr><td>Orphan repository_dependency records</td><td>${orphan_repository_dependency_records}</td><tr> + <tr><td>Tool version records</td><td>${tool_versions|h}</td><tr> + <tr><td>Tool dependency records</td><td>${tool_dependencies|h}</td><tr> + <tr><td>Repository dependency records</td><td>${required_repositories|h}</td><tr> + <tr><td>Orphan repository_repository_dependency_association records</td><td>${orphan_repository_repository_dependency_association_records|h}</td><tr> + <tr><td>Orphan repository_dependency records</td><td>${orphan_repository_dependency_records|h}</td><tr></table><div style="clear: both"></div><div class="form-row"> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/repair_repository.mako --- a/templates/admin/tool_shed_repository/repair_repository.mako +++ b/templates/admin/tool_shed_repository/repair_repository.mako 
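Review bot: Each rewritten row in the purge table ends with `<tr>` instead of `</tr>`, e.g. `<tr><td>Tool version records</td><td>${tool_versions|h}</td><tr>`; the unclosed tag was carried over from the old lines. Since the commit rewrites all five rows anyway, close them properly: `<tr><td>Tool version records</td><td>${tool_versions|h}</td></tr>`. These values are integer counters built in the `<%` block above, so `|h` is harmless but not where the escaping risk lies.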
@@ -37,9 +37,9 @@ </div><div class="toolForm"> - <div class="toolFormTitle">Repair tool shed repository <b>${repository.name}</b></div> + <div class="toolFormTitle">Repair tool shed repository <b>${repository.name|h}</b></div><form name="repair_repository" id="repair_repository" action="${h.url_for( controller='admin_toolshed', action='repair_repository', id=trans.security.encode_id( repository.id ) )}" method="post" > - <input type="hidden" name="repair_dict" value="${encoded_repair_dict}"/> + <input type="hidden" name="repair_dict" value="${encoded_repair_dict|h}"/><% from tool_shed.util.shed_util_common import get_tool_shed_repository_status_label ordered_repo_info_dicts = repair_dict.get( 'ordered_repo_info_dicts', [] ) diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/repository_installation_status.mako --- a/templates/admin/tool_shed_repository/repository_installation_status.mako +++ b/templates/admin/tool_shed_repository/repository_installation_status.mako @@ -1,5 +1,6 @@ <%def name="render_repository_status( repository )"><% + from markupsafe import escape if repository.status in [ trans.install_model.ToolShedRepository.installation_status.CLONING, trans.install_model.ToolShedRepository.installation_status.SETTING_TOOL_VERSIONS, trans.install_model.ToolShedRepository.installation_status.INSTALLING_TOOL_DEPENDENCIES, @@ -20,7 +21,7 @@ else: bgcolor = trans.install_model.ToolShedRepository.states.ERROR rval = '<div class="count-box state-color-%s" id="RepositoryStatus-%s">' % ( bgcolor, trans.security.encode_id( repository.id ) ) - rval += '%s</div>' % repository.status + rval += '%s</div>' % escape( repository.status ) return rval %> ${rval} diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/reselect_tool_panel_section.mako --- a/templates/admin/tool_shed_repository/reselect_tool_panel_section.mako 
+++ b/templates/admin/tool_shed_repository/reselect_tool_panel_section.mako @@ -62,12 +62,12 @@ <label>Shed tool configuration file:</label> ${shed_tool_conf_select_field.get_html()} <div class="toolParamHelp" style="clear: both;"> - ${select_help} + ${select_help|h} </div></div><div style="clear: both"></div> %else: - <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/> + <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/> %endif %if includes_tools_for_display_in_tool_panel: <div style="clear: both"></div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako --- a/templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako +++ b/templates/admin/tool_shed_repository/select_shed_tool_panel_config.mako @@ -71,7 +71,7 @@ <input type="hidden" name="includes_tools" value="${includes_tools}" /><input type="hidden" name="includes_tool_dependencies" value="${includes_tool_dependencies}" /><input type="hidden" name="includes_tools_for_display_in_tool_panel" value="${includes_tools_for_display_in_tool_panel}" /> - <input type="hidden" name="tool_shed_url" value="${tool_shed_url}" /> + <input type="hidden" name="tool_shed_url" value="${tool_shed_url|h}" /></div><div style="clear: both"></div><% readme_files_dict = containers_dict.get( 'readme_files', None ) %> 
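Review bot: The three hidden inputs directly above the escaped `tool_shed_url` in the `select_shed_tool_panel_config.mako` hunk — `includes_tools`, `includes_tool_dependencies` and `includes_tools_for_display_in_tool_panel` — are still interpolated into `value="..."` without `|h`. Their origin is outside this hunk; they look like booleans, but if they are round-tripped from request parameters the way `tool_shed_url` evidently is, an attacker-chosen value can close the attribute in exactly the way this commit is fixing. Applying the filter to all three is cheap and consistent with the rest of the change, e.g. `<input type="hidden" name="includes_tools" value="${includes_tools|h}" />`.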
@@ -111,12 +111,12 @@ <label>Shed tool configuration file:</label> ${shed_tool_conf_select_field.get_html()} <div class="toolParamHelp" style="clear: both;"> - ${select_help} + ${select_help|h} </div></div><div style="clear: both"></div> %else: - <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/> + <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/> %endif <div class="form-row"><input type="submit" name="select_shed_tool_panel_config_button" value="Install"/> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/select_tool_panel_section.mako --- a/templates/admin/tool_shed_repository/select_tool_panel_section.mako +++ b/templates/admin/tool_shed_repository/select_tool_panel_section.mako @@ -111,16 +111,16 @@ <label>Shed tool configuration file:</label> ${shed_tool_conf_select_field.get_html()} <div class="toolParamHelp" style="clear: both;"> - ${select_help} + ${select_help|h} </div></div><div style="clear: both"></div> %else: - <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf}"/> + <input type="hidden" name="shed_tool_conf" value="${shed_tool_conf|h}"/> %endif <div class="form-row"><label>Add new tool panel section:</label> - <input name="new_tool_panel_section_label" type="textfield" value="${new_tool_panel_section_label}" size="40"/> + <input name="new_tool_panel_section_label" type="textfield" value="${new_tool_panel_section_label|h}" size="40"/><div class="toolParamHelp" style="clear: both;"> Add a new tool panel section to contain the installed tools (optional). </div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako --- a/templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako +++ b/templates/admin/tool_shed_repository/uninstall_tool_dependencies.mako 
@@ -43,10 +43,10 @@ install_dir = "This dependency's installation directory does not exist, click <b>Uninstall</b> to reset for installation." %><tr> - <td>${tool_dependency.name}</td> - <td>${tool_dependency.version}</td> - <td>${tool_dependency.type}</td> - <td>${install_dir}</td> + <td>${tool_dependency.name|h}</td> + <td>${tool_dependency.version|h}</td> + <td>${tool_dependency.type|h}</td> + <td>${install_dir|h}</td></tr> %endfor </table> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/view_tool_metadata.mako --- a/templates/admin/tool_shed_repository/view_tool_metadata.mako +++ b/templates/admin/tool_shed_repository/view_tool_metadata.mako @@ -11,7 +11,7 @@ %if tool_metadata: <p/><div class="toolForm"> - <div class="toolFormTitle">${tool_metadata[ 'name' ]} tool metadata</div> + <div class="toolFormTitle">${tool_metadata[ 'name' ]|h} tool metadata</div><div class="toolFormBody"><div class="form-row"><table width="100%"> 
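Review bot: Adding `|h` to `${install_dir|h}` regresses the fallback branch visible at the top of this hunk, where `install_dir` is assigned the literal `"... click <b>Uninstall</b> to reset for installation."` — that `<b>` markup will now be displayed as literal text. Only the other branch (the real installation directory, assigned outside this hunk, presumably a filesystem path) needs escaping, so escape it where it is assigned in the `<% %>` block (`install_dir = escape( ... )` with `from markupsafe import escape`) and keep `${install_dir}` unfiltered. Alternatively wrap the literal in `Markup( ... )`, which the `h` filter would leave intact if it is markupsafe-backed — confirm that before relying on it.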
@@ -20,41 +20,41 @@ </div><div class="form-row"><label>Name:</label> - ${tool_metadata[ 'name' ]} + ${tool_metadata[ 'name' ]|h} <div style="clear: both"></div></div> %if 'description' in tool_metadata: <div class="form-row"><label>Description:</label> - ${tool_metadata[ 'description' ]} + ${tool_metadata[ 'description' ]|h} <div style="clear: both"></div></div> %endif %if 'id' in tool_metadata: <div class="form-row"><label>Id:</label> - ${tool_metadata[ 'id' ]} + ${tool_metadata[ 'id' ]|h} <div style="clear: both"></div></div> %endif %if 'guid' in tool_metadata: <div class="form-row"><label>Guid:</label> - ${tool_metadata[ 'guid' ]} + ${tool_metadata[ 'guid' ]|h} <div style="clear: both"></div></div> %endif %if 'version' in tool_metadata: <div class="form-row"><label>Version:</label> - ${tool_metadata[ 'version' ]} + ${tool_metadata[ 'version' ]|h} <div style="clear: both"></div></div> %endif %if 'version_string_cmd' in tool_metadata: <div class="form-row"><label>Version command string:</label> - ${tool_metadata[ 'version_string_cmd' ]} + ${tool_metadata[ 'version_string_cmd' ]|h} <div style="clear: both"></div></div> %endif @@ -70,9 +70,9 @@ <tr><td> %if guid == tool_metadata[ 'guid' ]: - ${guid} <b>(this tool)</b> + ${guid|h} <b>(this tool)</b> %else: - ${guid} + ${guid|h} %endif </td></tr> @@ -109,9 +109,9 @@ requirement_type = requirement_dict[ 'type' ] or 'not provided' %><tr> - <td>${requirement_name}</td> - <td>${requirement_version}</td> - <td>${requirement_type}</td> + <td>${requirement_name|h}</td> + <td>${requirement_version|h}</td> + <td>${requirement_type|h}</td></tr> %endfor </table> 
@@ -130,27 +130,27 @@ </div><div class="form-row"><label>Command:</label> - <pre>${tool.command}</pre> + <pre>${tool.command|h}</pre><div style="clear: both"></div></div><div class="form-row"><label>Interpreter:</label> - ${tool.interpreter} + ${tool.interpreter|h} <div style="clear: both"></div></div><div class="form-row"><label>Is multi-byte:</label> - ${tool.is_multi_byte} + ${tool.is_multi_byte|h} <div style="clear: both"></div></div><div class="form-row"><label>Forces a history refresh:</label> - ${tool.force_history_refresh} + ${tool.force_history_refresh|h} <div style="clear: both"></div></div><div class="form-row"><label>Parallelism:</label> - ${tool.parallelism} + ${tool.parallelism|h} <div style="clear: both"></div></div> %endif @@ -181,20 +181,20 @@ required_files = test_dict[ 'required_files' ] %><tr> - <td>${test_dict[ 'name' ]}</td> + <td>${test_dict[ 'name' ]|h}</td><td> %for input in inputs: - <b>${input[0]}:</b> ${input[1]}<br/> + <b>${input[0]|h}:</b> ${input[1]|h}<br/> %endfor </td><td> %for output in outputs: - <b>${output[0]}:</b> ${output[1]}<br/> + <b>${output[0]|h}:</b> ${output[1]|h}<br/> %endfor </td><td> %for required_file in required_files: - ${required_file}<br/> + ${required_file|h}<br/> %endfor </td></tr> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/tool_shed_repository/view_workflow.mako --- a/templates/admin/tool_shed_repository/view_workflow.mako +++ b/templates/admin/tool_shed_repository/view_workflow.mako 
@@ -17,7 +17,7 @@ <%def name="render_workflow( workflow_name, repository_id )"><% center_url = h.url_for( controller='admin_toolshed', action='generate_workflow_image', workflow_name=tool_shed_encode( workflow_name ), repository_id=repository_id ) %> - <iframe name="workflow_image" id="workflow_image" frameborder="0" style="position: absolute; width: 100%; height: 100%;" src="${center_url}"></iframe> + <iframe name="workflow_image" id="workflow_image" frameborder="0" style="position: absolute; width: 100%; height: 100%;" src="${center_url|h}"></iframe></%def> ${render_galaxy_repository_actions( repository )} diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/user/reset_password.mako --- a/templates/admin/user/reset_password.mako +++ b/templates/admin/user/reset_password.mako @@ -13,7 +13,7 @@ %for user in users: <div class="form-row"><label>Email:</label> - ${user.email} + ${user.email|h} <div style="clear: both"></div></div> %endfor diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/user/user.mako --- a/templates/admin/user/user.mako +++ b/templates/admin/user/user.mako @@ -11,9 +11,9 @@ </%def><%def name="render_select( name, options )"> - <select name="${name}" id="${name}" style="min-width: 250px; height: 150px;" multiple> + <select name="${name|h}" id="${name|h}" style="min-width: 250px; height: 150px;" multiple> %for option in options: - <option value="${option[0]}">${option[1]}</option> + <option value="${option[0]|h}">${option[1]|h}</option> %endfor </select></%def> 
@@ -48,29 +48,29 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">User '${user.email}'</div> + <div class="toolFormTitle">User '${user.email|h}'</div><div class="toolFormBody"><form name="associate_user_role_group" id="associate_user_role_group" action="${h.url_for(controller='admin', action='manage_roles_and_groups_for_user', id=trans.security.encode_id( user.id ) )}" method="post" ><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Roles associated with '${user.email}'</label> + <label>Roles associated with '${user.email|h}'</label> ${render_select( "in_roles", in_roles )}<br/><input type="submit" id="roles_remove_button" value=">>"/></div><div> - <label>Roles not associated with '${user.email}'</label> + <label>Roles not associated with '${user.email|h}'</label> ${render_select( "out_roles", out_roles )}<br/><input type="submit" id="roles_add_button" value="<<"/></div></div><div class="form-row"><div style="float: left; margin-right: 10px;"> - <label>Groups associated with '${user.email}'</label> + <label>Groups associated with '${user.email|h}'</label> ${render_select( "in_groups", in_groups )}<br/><input type="submit" id="groups_remove_button" value=">>"/></div><div> - <label>Groups not associated with '${user.email}'</label> + <label>Groups not associated with '${user.email|h}'</label> ${render_select( "out_groups", out_groups )}<br/><input type="submit" id="groups_add_button" value="<<"/></div> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/admin/view_datatypes_registry.mako --- a/templates/admin/view_datatypes_registry.mako +++ b/templates/admin/view_datatypes_registry.mako 
@@ -37,16 +37,16 @@ %else: <tr class="tr"> %endif - <td>${datatype.extension}</td> - <td>${datatype.dtype}</td> + <td>${datatype.extension|h}</td> + <td>${datatype.dtype|h}</td><td> %if datatype.mimetype: - ${datatype.mimetype} + ${datatype.mimetype|h} %endif </td><td> %if datatype.display_in_upload: - ${datatype.display_in_upload} + ${datatype.display_in_upload|h} %endif </td></tr> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/base.mako --- a/templates/base.mako +++ b/templates/base.mako @@ -39,7 +39,7 @@ <script> Raven.config('${app.config.sentry_dsn_public}').install(); %if trans.user: - Raven.setUser( { email: "${trans.user.email}" } ); + Raven.setUser( { email: "${trans.user.email|h}" } ); %endif </script> %endif diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/galaxy_client_app.mako --- a/templates/galaxy_client_app.mako +++ b/templates/galaxy_client_app.mako @@ -70,11 +70,12 @@ ## Return a dictionary of user or anonymous user data including: ## email, id, disk space used, quota percent, and tags used <% + from markupsafe import escape user_dict = {} try: if trans.user: user_dict = trans.user.to_dict( view='element', - value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float } ) + value_mapper={ 'id': trans.security.encode_id, 'total_disk_usage': float, 'email': escape, 'username': escape } ) user_dict[ 'quota_percent' ] = trans.app.quota_agent.get_percent( trans=trans ) user_dict[ 'is_admin' ] = trans.user_is_admin() diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/user/index.mako --- a/templates/user/index.mako +++ b/templates/user/index.mako 
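Review bot: `|h` is the wrong escaper for `Raven.setUser( { email: "${trans.user.email|h}" } )` in base.mako, because the value sits inside a JavaScript string literal within a `<script>` block, where the browser does not decode HTML entities. It does close the immediate hole — `"`, `<` and `>` become entities, so neither the string nor the script element can be terminated — but Sentry then receives `&#39;`/`&#34;` sequences instead of the real address, and a backslash or U+2028/U+2029 still passes through untouched. The context-correct form is to JSON-encode the value, e.g. `Raven.setUser( ${h.dumps( { 'email': trans.user.email } )} );` if the template helper exposes `json.dumps` (otherwise import it in a `<% %>` block), and additionally replace `</` with `<\/` in the output so a `</script>` sequence cannot end the element.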
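Review bot: Mapping `'username': escape` in `to_dict` in galaxy_client_app.mako applies HTML escaping at the data layer, and `markupsafe.escape( None )` returns the string `'None'`, so a user whose `username` is unset (if that column is nullable — confirm against the model) now gets `"username": "None"` in the user dict instead of a null. The same mapper means any consumer that renders these fields as text (via `.text()`/`textContent`, or a template that escapes on its own) will display `&#39;` for an apostrophe in an address, and this dict appears to be handed to client-side code rather than rendered inline. Escape at the HTML sink instead, or at minimum guard the mapper: `'username': lambda v: escape( v ) if v is not None else v`.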
@@ -2,7 +2,7 @@ %if trans.user: <h2>${_('User preferences')}</h2> - <p>You are currently logged in as ${trans.user.email}.</p> + <p>You are currently logged in as ${trans.user.email|h}.</p><ul> %if t.webapp.name == 'galaxy': %if not trans.app.config.use_remote_user: diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/admin/tool_sheds.mako --- a/templates/webapps/galaxy/admin/tool_sheds.mako +++ b/templates/webapps/galaxy/admin/tool_sheds.mako @@ -22,7 +22,7 @@ <tr class="libraryTitle"><td><div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${shed_id}-popup"> - <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">${name}</a> + <a class="view-info" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">${name|h}</a></div><div popupmenu="dataset-${shed_id}-popup"><a class="action-button" href="${h.url_for( controller='admin_toolshed', action='browse_tool_shed', tool_shed_url=url )}">Browse valid repositories</a> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/dataset/errors.mako --- a/templates/webapps/galaxy/dataset/errors.mako +++ b/templates/webapps/galaxy/dataset/errors.mako @@ -95,7 +95,7 @@ <input type="hidden" name="id" value="${trans.security.encode_id( hda.id)}" /><div class="form-row"><label>Your email</label> - <input type="text" name="email" size="40" value="${user_email}" /> + <input type="text" name="email" size="40" value="${user_email|h}" /></div><div class="form-row"><label>Message</label> diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/galaxy.masthead.mako --- a/templates/webapps/galaxy/galaxy.masthead.mako +++ b/templates/webapps/galaxy/galaxy.masthead.mako 
@@ -3,6 +3,7 @@ ## masthead head generator <%def name="load(active_view = None)"><% + from markupsafe import escape ## get configuration masthead_config = { ## inject configuration @@ -32,7 +33,7 @@ ## user details 'user' : { 'requests' : bool(trans.user and (trans.user.requests or trans.app.security_agent.get_accessible_request_types(trans, trans.user))), - 'email' : trans.user.email if (trans.user) else "", + 'email' : escape( trans.user.email ) if (trans.user) else "", 'valid' : bool(trans.user != None), 'json' : get_user_dict() } diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/galaxy/galaxy.panels.mako --- a/templates/webapps/galaxy/galaxy.panels.mako +++ b/templates/webapps/galaxy/galaxy.panels.mako @@ -49,7 +49,7 @@ <script> Raven.config('${app.config.sentry_dsn_public}').install(); %if trans.user: - Raven.setUser( { email: "${trans.user.email}" } ); + Raven.setUser( { email: "${trans.user.email|h}" } ); %endif </script> %endif diff -r 5fc83b69fe241d469ad27235a39e93d847764bbc -r f0f1f78b54c55c8569bd1e3ed7fc15726b0b64a4 templates/webapps/tool_shed/base_panels.mako --- a/templates/webapps/tool_shed/base_panels.mako +++ b/templates/webapps/tool_shed/base_panels.mako @@ -91,7 +91,8 @@ %> ## User tabs. - <% + <% + from markupsafe import escape # Menu for user who is not logged in. menu_options = [ [ _("Login"), h.url_for( controller='/user', action='login' ), "galaxy_main" ] ] if app.config.allow_user_creation: 
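Review bot: `'email' : escape( trans.user.email )` in galaxy.masthead.mako escapes at the data layer: as far as this hunk shows, `masthead_config` is a Python dict passed to client-side code rather than rendered inline, so whether escaping is correct depends on how the consumer inserts the value. If it uses `.text()`/`textContent`, the user now sees `&#39;` and `&amp;` literally; if it uses `.html()`, the fix belongs in that consumer, and doing both yields double-encoding. Prefer leaving the data raw here and escaping in the masthead JavaScript at the point of insertion, or make the contract explicit with a comment next to the key: `## email is pre-escaped HTML: insert with .html(), never .text()`.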
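Review bot: In galaxy.panels.mako, `|h` inside `Raven.setUser( { email: "${trans.user.email|h}" } )` HTML-escapes a value that lives in a JavaScript string literal; entities are not decoded in that context, so Sentry gets a mangled address while `\` and U+2028/U+2029 pass through unescaped. It blocks string and element termination (no raw `"`, `<` or `>` survive), but the right tool is JSON encoding — `json.dumps` on the value, then `</` replaced by `<\/` — so the escaping matches the context it is emitted into.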
@@ -101,7 +102,7 @@ tab( "user", _("User"), None, visible=visible, menu_options=menu_options ) # Menu for user who is logged in. if trans.user: - email = trans.user.email + email = escape( trans.user.email ) else: email = "" menu_options = [ [ '<a>Logged in as <span id="user-email">%s</span></a>' % email ] ] Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.