6 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/37e0a3b5e39b/ Changeset: 37e0a3b5e39b Branch: stable User: guerler Date: 2014-12-08 17:50:09+00:00 Summary: Security fixes for assigned templates Affected #: 4 files diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 37e0a3b5e39b4b9f300790c79336b08ad959c2ea templates/webapps/galaxy/tracks/history_datasets_select_grid.mako --- a/templates/webapps/galaxy/tracks/history_datasets_select_grid.mako +++ b/templates/webapps/galaxy/tracks/history_datasets_select_grid.mako @@ -1,5 +1,6 @@ <%inherit file="/tracks/history_select_grid.mako"/><%def name="title()"> - <h2>History '${grid.get_current_item( trans, **kwargs ).name}'</h2> + <%from galaxy.web.framework.helpers import escape%> + <h2>History '${escape(grid.get_current_item( trans, **kwargs ).name)}'</h2></%def> diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 37e0a3b5e39b4b9f300790c79336b08ad959c2ea templates/webapps/galaxy/tracks/index.mako --- a/templates/webapps/galaxy/tracks/index.mako +++ /dev/null 
@@ -1,38 +0,0 @@ -<form id="form" method="POST"> - <div class="form-row"> - <label for="dbkey">Browser name:</label> - <div class="form-row-input"> - <input type="text" name="title" id="title" value="Unnamed Browser"></input> - </div> - <div style="clear: both;"></div> - </div> - <div class="form-row"> - <label for="dbkey">Reference genome build (dbkey): </label> - <div class="form-row-input"> - <select name="dbkey" id="dbkey" refresh_on_change="true"> - %for tmp_dbkey in dbkey_set: - <option value="${tmp_dbkey}" - %if tmp_dbkey == dbkey: - selected="selected" - %endif - >${tmp_dbkey}</option> - %endfor - </select> - </div> - <div style="clear: both;"></div> - </div> - <div class="form-row"> - <label for="dataset_ids">Datasets to visualize: (${", ".join(available_tracks)} files are supported)</label> - %for dataset_id, (dataset_ext, dataset_name) in datasets.iteritems(): - <div> - <input type="checkbox" id="${dataset_id}" name="dataset_ids" value="${dataset_id}" /> - <label style="display:inline; font-weight: normal" for="${dataset_id}">[${dataset_ext}] ${dataset_name}</label> - </div> - %endfor - - <div style="clear: both;"></div> - </div> - <div class="form-row"> - <input type="submit" name="browse" value="Browse"/> - </div> -</form> diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 37e0a3b5e39b4b9f300790c79336b08ad959c2ea templates/webapps/galaxy/tracks/library_datasets_select_grid.mako --- a/templates/webapps/galaxy/tracks/library_datasets_select_grid.mako +++ b/templates/webapps/galaxy/tracks/library_datasets_select_grid.mako 
@@ -2,7 +2,8 @@ <%namespace file='/library/common/browse_library.mako' import="render_content, grid_javascripts" /><%def name="title()"> - <h2>History '${grid.get_current_item( trans, **kwargs ).name}'</h2> + <%from galaxy.web.framework.helpers import escape%> + <h2>History '${escape(grid.get_current_item( trans, **kwargs ).name)}'</h2></%def> ${select_header()} diff -r 546ff6ef27b4b83e26ae228c292fd981173ac550 -r 37e0a3b5e39b4b9f300790c79336b08ad959c2ea templates/webapps/galaxy/visualization/phyloviz.mako --- a/templates/webapps/galaxy/visualization/phyloviz.mako +++ b/templates/webapps/galaxy/visualization/phyloviz.mako @@ -180,7 +180,7 @@ <%def name="center_panel()"> - + <%from galaxy.web.framework.helpers import escape%><div class="unified-panel-header" unselectable="on"><div class="unified-panel-header-inner"><div style="float:left;" id="title"></div> @@ -196,7 +196,7 @@ <p>Select a tree to view: <select id="phylovizNexSelector"> % for tree, index in data["trees"]: - <option value="${index}">${tree}</option> + <option value="${index}">${escape(tree)}</option> % endfor </select></p> https://bitbucket.org/galaxy/galaxy-central/commits/dad0f6d2a871/ Changeset: dad0f6d2a871 Branch: stable User: guerler Date: 2014-11-21 21:41:44+00:00 Summary: JS-santization of filter options before displaying them FIX 2.2 Affected #: 6 files diff -r 37e0a3b5e39b4b9f300790c79336b08ad959c2ea -r dad0f6d2a871f089d74b35b880e4354fbf050ccb client/galaxy/scripts/mvc/grid/grid-template.js --- a/client/galaxy/scripts/mvc/grid/grid-template.js +++ b/client/galaxy/scripts/mvc/grid/grid-template.js @@ -1,5 +1,5 @@ // dependencies -define([], function() { +define(['utils/utils'], function(Utils) { // grid view templates return { 
@@ -605,6 +605,7 @@ // template for filter items filter_element: function(filter_key, filter_value) { + filter_value = Utils.sanitize(filter_value); return '<span class="text-filter-val">' + filter_value + '<a href="javascript:void(0);" filter_key="' + filter_key + '" filter_val="' + filter_value + '">' + '<i class="fa fa-times" style="padding-left: 5px; padding-bottom: 6px;"/>' + diff -r 37e0a3b5e39b4b9f300790c79336b08ad959c2ea -r dad0f6d2a871f089d74b35b880e4354fbf050ccb client/galaxy/scripts/utils/utils.js --- a/client/galaxy/scripts/utils/utils.js +++ b/client/galaxy/scripts/utils/utils.js @@ -6,6 +6,14 @@ // dependencies define(["libs/underscore"], function(_) { +/** + * Sanitize/escape a string + * @param{String} content - Content to be sanitized + */ +function sanitize(content) { + return $('<div/>').text(content).html(); +}; + // generic function to recieve json from url function get (url, success, error) { request('GET', url, {}, success, error); @@ -151,7 +159,8 @@ uuid: uuid, time: time, wrap: wrap, - request: request + request: request, + sanitize: sanitize }; }); diff -r 37e0a3b5e39b4b9f300790c79336b08ad959c2ea -r dad0f6d2a871f089d74b35b880e4354fbf050ccb static/scripts/mvc/grid/grid-template.js --- a/static/scripts/mvc/grid/grid-template.js +++ b/static/scripts/mvc/grid/grid-template.js @@ -1,5 +1,5 @@ // dependencies -define([], function() { +define(['utils/utils'], function(Utils) { // grid view templates return { @@ -605,6 +605,7 @@ // template for filter items filter_element: function(filter_key, filter_value) { + filter_value = Utils.sanitize(filter_value); return '<span class="text-filter-val">' + filter_value + '<a href="javascript:void(0);" filter_key="' + filter_key + '" filter_val="' + filter_value + '">' + '<i class="fa fa-times" style="padding-left: 5px; padding-bottom: 6px;"/>' + diff -r 37e0a3b5e39b4b9f300790c79336b08ad959c2ea -r dad0f6d2a871f089d74b35b880e4354fbf050ccb static/scripts/packed/mvc/grid/grid-template.js 
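Review bot: `filter_key` is still interpolated into the `filter_key="..."` attribute of `filter_element` unsanitized, and the sanitized `filter_value` is not attribute-safe either: `Utils.sanitize` derives its output from innerHTML serialization of a text node, which encodes `&`, `<` and `>` but leaves `"` as-is, so a filter value containing a double quote still terminates the `filter_val="..."` attribute that follows. Route the key through the same helper, `filter_key = Utils.sanitize(filter_key);`, and make the helper quote-aware (for example underscore's `_.escape`, which encodes `"` and `'` too) so both interpolation sites are covered. Whether `filter_key` can be influenced by the request depends on the grid configuration, which is not visible in this hunk. The same hunk appears for static/scripts/mvc/grid/grid-template.js and again in the merge commit 704efd2f5e06 further down.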
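Review bot: The new `sanitize` helper escapes for element-text context only: `$('<div/>').text(content).html()` serializes a text node, which encodes `&`, `<` and `>` but neither `"` nor `'`, while its first caller (`filter_element` in grid-template.js) inserts the result into a double-quoted attribute. The module already declares underscore as a dependency and `_.escape` encodes quotes as well, so the body can become `return _.escape(content);`, which also removes the undeclared reliance on the global `$` and the DOM round-trip. The JSDoc should then spell out the contract, e.g. `Escape &, <, >, " and ' so the result is safe as element text or inside a double-quoted attribute value; this is not a URL or script escaper.` Handling of null/undefined differs between the two implementations depending on the bundled underscore version, so the caller's possible inputs are worth a quick check. The same hunk is repeated for static/scripts/utils/utils.js and in the merge commit 704efd2f5e06.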
--- a/static/scripts/packed/mvc/grid/grid-template.js
+++ b/static/scripts/packed/mvc/grid/grid-template.js
@@ -1,1 +1,1 @@ -define([],function(){return{grid:function(b){var a="";if(b.embedded){a=this.grid_header(b)+this.grid_table(b)}else{a='<div class="loading-elt-overlay"></div><table><tr><td width="75%">'+this.grid_header(b)+'</td><td></td><td></td></tr><tr><td width="100%" id="grid-message" valign="top"></td><td></td><td></td></tr></table>'+this.grid_table(b)}if(b.info_text){a+='<br><div class="toolParamHelp" style="clear: both;">'+b.info_text+"</div>"}return a},grid_table:function(a){return'<form method="post" onsubmit="return false;"><table id="grid-table" class="grid"><thead id="grid-table-header"></thead><tbody id="grid-table-body"></tbody><tfoot id="grid-table-footer"></tfoot></table></form>'},grid_header:function(c){var b='<div class="grid-header">';if(!c.embedded){b+="<h2>"+c.title+"</h2>"}if(c.global_actions){b+='<ul class="manage-table-actions">';var d=(c.global_actions.length>=3);if(d){b+='<li><a class="action-button" id="popup-global-actions" class="menubutton">Actions</a></li><div popupmenu="popup-global-actions">'}for(i in c.global_actions){var e=c.global_actions[i];var a="";if(e.inbound){a="use-inbound"}else{a="use-outbound"}b+='<li><a class="action-button '+a+'" href="'+e.url_args+'" onclick="return false;">'+e.label+"</a></li>"}if(d){b+="</div>"}b+="</ul>"}if(c.insert){b+=c.insert}b+=this.grid_filters(c);b+="</div>";return b},header:function(b){var a="<tr>";if(b.show_item_checkboxes){a+="<th>";if(b.items.length>0){a+='<input type="checkbox" id="check_all" name=select_all_checkbox value="true"><input type="hidden" name=select_all_checkbox value="true">'}a+="</th>"}for(var c in b.columns){var d=b.columns[c];if(d.visible){a+='<th id="'+d.key+'-header">';if(d.href){a+='<a href="'+d.href+'" class="sort-link" sort_key="'+d.key+'">'+d.label+"</a>"}else{a+=d.label}a+='<span class="sort-arrow">'+d.extra+"</span></th>"}}a+="</tr>";return a},body:function(r){var k="";var s=0;var e=r.items.length;if(e==0){k+='<tr><td colspan="100"><em>No 
Items</em></td></tr>';s=1}for(var f in r.items){var p=r.items[f];var a=p.encode_id;var g="grid-"+f+"-popup";k+="<tr ";if(r.current_item_id==p.id){k+='class="current"'}k+=">";if(r.show_item_checkboxes){k+='<td style="width: 1.5em;"><input type="checkbox" name="id" value="'+a+'" id="'+a+'" class="grid-row-select-checkbox" /></td>'}for(j in r.columns){var d=r.columns[j];if(d.visible){var c="";if(d.nowrap){c='style="white-space:nowrap;"'}var q=p.column_config[d.label];var h=q.link;var l=q.value;var o=q.inbound;if(jQuery.type(l)==="string"){l=l.replace(/\/\//g,"/")}var b="";var n="";if(d.attach_popup){b="grid-"+f+"-popup";n="menubutton";if(h!=""){n+=" split"}n+=" popup"}k+="<td "+c+">";if(h){if(r.operations.length!=0){k+='<div id="'+b+'" class="'+n+'" style="float: left;">'}var m="";if(o){m="use-inbound"}else{m="use-outbound"}k+='<a class="label '+m+'" href="'+h+'" onclick="return false;">'+l+"</a>";if(r.operations.length!=0){k+="</div>"}}else{k+='<div id="'+b+'" class="'+n+'"><label id="'+d.label_id_prefix+a+'" for="'+a+'">'+(l||"")+"</label></div>"}k+="</td>"}}k+="</tr>";s++}return k},footer:function(o){var k="";if(o.use_paging&&o.num_pages>1){var m=o.num_page_links;var a=o.cur_page_num;var n=o.num_pages;var h=m/2;var g=a-h;var e=0;if(g<=0){g=1;e=h-(a-g)}var d=h+e;var c=a+d;if(c<=n){max_offset=0}else{c=n;max_offset=d-(c+1-a)}if(max_offset!=0){g-=max_offset;if(g<1){g=1}}k+='<tr id="page-links-row">';if(o.show_item_checkboxes){k+="<td></td>"}k+='<td colspan="100"><span id="page-link-container">Page:';if(g>1){k+='<span class="page-link" id="page-link-1"><a href="javascript:void(0);" page_num="1" onclick="return false;">1</a></span> ...'}for(var l=g;l<c+1;l++){if(l==o.cur_page_num){k+='<span class="page-link inactive-link" id="page-link-'+l+'">'+l+"</span>"}else{k+='<span class="page-link" id="page-link-'+l+'"><a href="javascript:void(0);" onclick="return false;" page_num="'+l+'">'+l+"</a></span>"}}if(c<n){k+='...<span class="page-link" id="page-link-'+n+'"><a 
href="javascript:void(0);" onclick="return false;" page_num="'+n+'">'+n+"</a></span>"}k+="</span>";k+='<span class="page-link" id="show-all-link-span"> | <a href="javascript:void(0);" onclick="return false;" page_num="all">Show All</a></span></td></tr>'}if(o.show_item_checkboxes){k+='<tr><input type="hidden" id="operation" name="operation" value=""><td></td><td colspan="100">For <span class="grid-selected-count"></span> selected '+o.get_class_plural+": ";for(i in o.operations){var b=o.operations[i];if(b.allow_multiple){k+='<input type="button" value="'+b.label+'" class="operation-button action-button"> '}}k+="</td></tr>"}var f=false;for(i in o.operations){if(o.operations[i].global_operation){f=true;break}}if(f){k+='<tr><td colspan="100">';for(i in o.operations){var b=o.operations[i];if(b.global_operation){k+='<a class="action-button" href="'+b.global_operation+'">'+b.label+"</a>"}}k+="</td></tr>"}if(o.legend){k+='<tr><td colspan="100">'+o.legend+"</td></tr>"}return k},message:function(a){return'<p><div class="'+a.status+'message transient-message">'+a.message+'</div><div style="clear: both"></div></p>'},grid_filters:function(n){var a=n.default_filter_dict;var b=n.filters;var e="none";if(n.advanced_search){e="block"}var m=false;for(var g in n.columns){var d=n.columns[g];if(d.filterable=="advanced"){var l=d.key;var c=b[l];var f=a[l];if(c&&f&&c!=f){e="block"}m=true}}var k="block";if(e=="block"){k="none"}var h='<div id="standard-search" style="display: '+k+';"><table><tr><td style="padding: 0;"><table>';for(var g in n.columns){var d=n.columns[g];if(d.filterable=="standard"){h+=this.grid_column_filter(n,d)}}h+="</table></td></tr><tr><td>";if(m){h+='<a href="" class="advanced-search-toggle">Advanced Search</a>'}h+="</td></tr></table></div>";h+='<div id="advanced-search" style="display: '+e+'; margin-top: 5px; border: 1px solid #ccc;"><table><tr><td style="text-align: left" colspan="100"><a href="" class="advanced-search-toggle">Close Advanced 
Search</a></td></tr>';for(var g in n.columns){var d=n.columns[g];if(d.filterable=="advanced"){h+=this.grid_column_filter(n,d)}}h+="</table></div>";return h},grid_column_filter:function(e,c){var t=e.default_filter_dict;var l=e.filters;var a=c.label;var b=c.key;if(c.filterable=="advanced"){a=a.toLowerCase()}var k="<tr>";if(c.filterable=="advanced"){k+='<td align="left" style="padding-left: 10px">'+a+":</td>"}k+='<td style="padding-bottom: 1px;">';if(c.is_text){k+='<form class="text-filter-form" column_key="'+b+'" action="'+e.url+'" method="get" >';for(u in e.columns){var g=e.columns[u];var p=l[g.key];if(p){if(p!="All"){if(g.is_text){p=JSON.stringify(p)}k+='<input type="hidden" id="'+g.key+'" name="f-'+g.key+'" value="'+p+'"/>'}}}k+='<span id="'+b+'-filtering-criteria">';var h=l[b];if(h){var f=jQuery.type(h);if(f=="string"){if(h!="All"){k+=this.filter_element(b,h)}}if(f=="array"){for(var u in h){var n=h[u];var v=h;v=v.slice(u);k+=this.filter_element(b,n)}}}k+="</span>";var r="";if(c.filterable=="standard"){r=c.label.toLowerCase();var q=r.length;if(q<20){q=20}q=q+4}k+='<span class="search-box"><input class="search-box-input" id="input-'+b+'-filter" name="f-'+b+'" type="text" placeholder="'+r+'" size="'+q+'"/><button type="submit" style="background: transparent; border: none; padding: 4px; margin: 0px;"><i class="fa fa-search"></i></button></span></form>'}else{k+='<span id="'+b+'-filtering-criteria">';var s=false;for(cf_label in e.categorical_filters[b]){var o=e.categorical_filters[b][cf_label];var d="";var m="";for(key in o){d=key;m=o[key]}if(s){k+=" | "}s=true;var n=l[b];if(n&&o[b]&&n==m){k+='<span class="categorical-filter '+b+'-filter current-filter">'+cf_label+"</span>"}else{k+='<span class="categorical-filter '+b+'-filter"><a href="javascript:void(0);" filter_key="'+d+'" filter_val="'+m+'">'+cf_label+"</a></span>"}}k+="</span>"}k+="</td></tr>";return k},filter_element:function(b,a){return'<span class="text-filter-val">'+a+'<a href="javascript:void(0);" 
filter_key="'+b+'" filter_val="'+a+'"><i class="fa fa-times" style="padding-left: 5px; padding-bottom: 6px;"/></a></span>'}}}); \ No newline at end of file +define(["utils/utils"],function(a){return{grid:function(c){var b="";if(c.embedded){b=this.grid_header(c)+this.grid_table(c)}else{b='<div class="loading-elt-overlay"></div><table><tr><td width="75%">'+this.grid_header(c)+'</td><td></td><td></td></tr><tr><td width="100%" id="grid-message" valign="top"></td><td></td><td></td></tr></table>'+this.grid_table(c)}if(c.info_text){b+='<br><div class="toolParamHelp" style="clear: both;">'+c.info_text+"</div>"}return b},grid_table:function(b){return'<form method="post" onsubmit="return false;"><table id="grid-table" class="grid"><thead id="grid-table-header"></thead><tbody id="grid-table-body"></tbody><tfoot id="grid-table-footer"></tfoot></table></form>'},grid_header:function(d){var c='<div class="grid-header">';if(!d.embedded){c+="<h2>"+d.title+"</h2>"}if(d.global_actions){c+='<ul class="manage-table-actions">';var e=(d.global_actions.length>=3);if(e){c+='<li><a class="action-button" id="popup-global-actions" class="menubutton">Actions</a></li><div popupmenu="popup-global-actions">'}for(i in d.global_actions){var f=d.global_actions[i];var b="";if(f.inbound){b="use-inbound"}else{b="use-outbound"}c+='<li><a class="action-button '+b+'" href="'+f.url_args+'" onclick="return false;">'+f.label+"</a></li>"}if(e){c+="</div>"}c+="</ul>"}if(d.insert){c+=d.insert}c+=this.grid_filters(d);c+="</div>";return c},header:function(c){var b="<tr>";if(c.show_item_checkboxes){b+="<th>";if(c.items.length>0){b+='<input type="checkbox" id="check_all" name=select_all_checkbox value="true"><input type="hidden" name=select_all_checkbox value="true">'}b+="</th>"}for(var d in c.columns){var e=c.columns[d];if(e.visible){b+='<th id="'+e.key+'-header">';if(e.href){b+='<a href="'+e.href+'" class="sort-link" sort_key="'+e.key+'">'+e.label+"</a>"}else{b+=e.label}b+='<span 
class="sort-arrow">'+e.extra+"</span></th>"}}b+="</tr>";return b},body:function(s){var l="";var t=0;var f=s.items.length;if(f==0){l+='<tr><td colspan="100"><em>No Items</em></td></tr>';t=1}for(var g in s.items){var q=s.items[g];var b=q.encode_id;var h="grid-"+g+"-popup";l+="<tr ";if(s.current_item_id==q.id){l+='class="current"'}l+=">";if(s.show_item_checkboxes){l+='<td style="width: 1.5em;"><input type="checkbox" name="id" value="'+b+'" id="'+b+'" class="grid-row-select-checkbox" /></td>'}for(j in s.columns){var e=s.columns[j];if(e.visible){var d="";if(e.nowrap){d='style="white-space:nowrap;"'}var r=q.column_config[e.label];var k=r.link;var m=r.value;var p=r.inbound;if(jQuery.type(m)==="string"){m=m.replace(/\/\//g,"/")}var c="";var o="";if(e.attach_popup){c="grid-"+g+"-popup";o="menubutton";if(k!=""){o+=" split"}o+=" popup"}l+="<td "+d+">";if(k){if(s.operations.length!=0){l+='<div id="'+c+'" class="'+o+'" style="float: left;">'}var n="";if(p){n="use-inbound"}else{n="use-outbound"}l+='<a class="label '+n+'" href="'+k+'" onclick="return false;">'+m+"</a>";if(s.operations.length!=0){l+="</div>"}}else{l+='<div id="'+c+'" class="'+o+'"><label id="'+e.label_id_prefix+b+'" for="'+b+'">'+(m||"")+"</label></div>"}l+="</td>"}}l+="</tr>";t++}return l},footer:function(p){var l="";if(p.use_paging&&p.num_pages>1){var n=p.num_page_links;var b=p.cur_page_num;var o=p.num_pages;var k=n/2;var h=b-k;var f=0;if(h<=0){h=1;f=k-(b-h)}var e=k+f;var d=b+e;if(d<=o){max_offset=0}else{d=o;max_offset=e-(d+1-b)}if(max_offset!=0){h-=max_offset;if(h<1){h=1}}l+='<tr id="page-links-row">';if(p.show_item_checkboxes){l+="<td></td>"}l+='<td colspan="100"><span id="page-link-container">Page:';if(h>1){l+='<span class="page-link" id="page-link-1"><a href="javascript:void(0);" page_num="1" onclick="return false;">1</a></span> ...'}for(var m=h;m<d+1;m++){if(m==p.cur_page_num){l+='<span class="page-link inactive-link" id="page-link-'+m+'">'+m+"</span>"}else{l+='<span class="page-link" 
id="page-link-'+m+'"><a href="javascript:void(0);" onclick="return false;" page_num="'+m+'">'+m+"</a></span>"}}if(d<o){l+='...<span class="page-link" id="page-link-'+o+'"><a href="javascript:void(0);" onclick="return false;" page_num="'+o+'">'+o+"</a></span>"}l+="</span>";l+='<span class="page-link" id="show-all-link-span"> | <a href="javascript:void(0);" onclick="return false;" page_num="all">Show All</a></span></td></tr>'}if(p.show_item_checkboxes){l+='<tr><input type="hidden" id="operation" name="operation" value=""><td></td><td colspan="100">For <span class="grid-selected-count"></span> selected '+p.get_class_plural+": ";for(i in p.operations){var c=p.operations[i];if(c.allow_multiple){l+='<input type="button" value="'+c.label+'" class="operation-button action-button"> '}}l+="</td></tr>"}var g=false;for(i in p.operations){if(p.operations[i].global_operation){g=true;break}}if(g){l+='<tr><td colspan="100">';for(i in p.operations){var c=p.operations[i];if(c.global_operation){l+='<a class="action-button" href="'+c.global_operation+'">'+c.label+"</a>"}}l+="</td></tr>"}if(p.legend){l+='<tr><td colspan="100">'+p.legend+"</td></tr>"}return l},message:function(b){return'<p><div class="'+b.status+'message transient-message">'+b.message+'</div><div style="clear: both"></div></p>'},grid_filters:function(o){var b=o.default_filter_dict;var c=o.filters;var f="none";if(o.advanced_search){f="block"}var n=false;for(var h in o.columns){var e=o.columns[h];if(e.filterable=="advanced"){var m=e.key;var d=c[m];var g=b[m];if(d&&g&&d!=g){f="block"}n=true}}var l="block";if(f=="block"){l="none"}var k='<div id="standard-search" style="display: '+l+';"><table><tr><td style="padding: 0;"><table>';for(var h in o.columns){var e=o.columns[h];if(e.filterable=="standard"){k+=this.grid_column_filter(o,e)}}k+="</table></td></tr><tr><td>";if(n){k+='<a href="" class="advanced-search-toggle">Advanced Search</a>'}k+="</td></tr></table></div>";k+='<div id="advanced-search" style="display: '+f+'; 
margin-top: 5px; border: 1px solid #ccc;"><table><tr><td style="text-align: left" colspan="100"><a href="" class="advanced-search-toggle">Close Advanced Search</a></td></tr>';for(var h in o.columns){var e=o.columns[h];if(e.filterable=="advanced"){k+=this.grid_column_filter(o,e)}}k+="</table></div>";return k},grid_column_filter:function(f,d){var u=f.default_filter_dict;var m=f.filters;var b=d.label;var c=d.key;if(d.filterable=="advanced"){b=b.toLowerCase()}var l="<tr>";if(d.filterable=="advanced"){l+='<td align="left" style="padding-left: 10px">'+b+":</td>"}l+='<td style="padding-bottom: 1px;">';if(d.is_text){l+='<form class="text-filter-form" column_key="'+c+'" action="'+f.url+'" method="get" >';for(v in f.columns){var h=f.columns[v];var q=m[h.key];if(q){if(q!="All"){if(h.is_text){q=JSON.stringify(q)}l+='<input type="hidden" id="'+h.key+'" name="f-'+h.key+'" value="'+q+'"/>'}}}l+='<span id="'+c+'-filtering-criteria">';var k=m[c];if(k){var g=jQuery.type(k);if(g=="string"){if(k!="All"){l+=this.filter_element(c,k)}}if(g=="array"){for(var v in k){var o=k[v];var w=k;w=w.slice(v);l+=this.filter_element(c,o)}}}l+="</span>";var s="";if(d.filterable=="standard"){s=d.label.toLowerCase();var r=s.length;if(r<20){r=20}r=r+4}l+='<span class="search-box"><input class="search-box-input" id="input-'+c+'-filter" name="f-'+c+'" type="text" placeholder="'+s+'" size="'+r+'"/><button type="submit" style="background: transparent; border: none; padding: 4px; margin: 0px;"><i class="fa fa-search"></i></button></span></form>'}else{l+='<span id="'+c+'-filtering-criteria">';var t=false;for(cf_label in f.categorical_filters[c]){var p=f.categorical_filters[c][cf_label];var e="";var n="";for(key in p){e=key;n=p[key]}if(t){l+=" | "}t=true;var o=m[c];if(o&&p[c]&&o==n){l+='<span class="categorical-filter '+c+'-filter current-filter">'+cf_label+"</span>"}else{l+='<span class="categorical-filter '+c+'-filter"><a href="javascript:void(0);" filter_key="'+e+'" 
filter_val="'+n+'">'+cf_label+"</a></span>"}}l+="</span>"}l+="</td></tr>";return l},filter_element:function(c,b){b=a.sanitize(b);return'<span class="text-filter-val">'+b+'<a href="javascript:void(0);" filter_key="'+c+'" filter_val="'+b+'"><i class="fa fa-times" style="padding-left: 5px; padding-bottom: 6px;"/></a></span>'}}}); \ No newline at end of file diff -r 37e0a3b5e39b4b9f300790c79336b08ad959c2ea -r dad0f6d2a871f089d74b35b880e4354fbf050ccb static/scripts/packed/utils/utils.js --- a/static/scripts/packed/utils/utils.js +++ b/static/scripts/packed/utils/utils.js 
@@ -1,1 +1,1 @@ -define(["libs/underscore"],function(j){function d(l,m,k){g("GET",l,{},m,k)}function g(p,l,m,o,k){if(p=="GET"||p=="DELETE"){if(l.indexOf("?")==-1){l+="?"}else{l+="&"}l+=$.param(m)}var n=new XMLHttpRequest();n.open(p,l,true);n.setRequestHeader("Accept","application/json");n.setRequestHeader("Cache-Control","no-cache");n.setRequestHeader("X-Requested-With","XMLHttpRequest");n.setRequestHeader("Content-Type","application/json");n.onloadend=function(){var q=n.status;try{response=jQuery.parseJSON(n.responseText)}catch(r){response=n.responseText}if(q==200){o&&o(response)}else{k&&k(response)}};if(p=="GET"||p=="DELETE"){n.send()}else{n.send(JSON.stringify(m))}}function h(n,k){var l=$('<div class="'+n+'"></div>');l.appendTo(":eq(0)");var m=l.css(k);l.remove();return m}function f(k){if(!$('link[href^="'+k+'"]').length){$('<link href="'+galaxy_config.root+k+'" rel="stylesheet">').appendTo("head")}}function i(k,l){if(k){return j.defaults(k,l)}else{return l}}function b(l,n){var m="";if(l>=100000000000){l=l/100000000000;m="TB"}else{if(l>=100000000){l=l/100000000;m="GB"}else{if(l>=100000){l=l/100000;m="MB"}else{if(l>=100){l=l/100;m="KB"}else{if(l>0){l=l*10;m="b"}else{return"<strong>-</strong>"}}}}}var k=(Math.round(l)/10);if(n){return k+" "+m}else{return"<strong>"+k+"</strong> "+m}}function a(){return"x"+Math.random().toString(36).substring(2,9)}function c(k){var l=$("<p></p>");l.append(k);return l}function e(){var m=new Date();var k=(m.getHours()<10?"0":"")+m.getHours();var l=(m.getMinutes()<10?"0":"")+m.getMinutes();var n=m.getDate()+"/"+(m.getMonth()+1)+"/"+m.getFullYear()+", "+k+":"+l;return n}return{cssLoadFile:f,cssGetAttribute:h,get:d,merge:i,bytesToString:b,uuid:a,time:e,wrap:c,request:g}}); \ No newline at end of file +define(["libs/underscore"],function(k){function d(l){return $("<div/>").text(l).html()}function e(m,n,l){h("GET",m,{},n,l)}function h(q,m,n,p,l){if(q=="GET"||q=="DELETE"){if(m.indexOf("?")==-1){m+="?"}else{m+="&"}m+=$.param(n)}var o=new 
XMLHttpRequest();o.open(q,m,true);o.setRequestHeader("Accept","application/json");o.setRequestHeader("Cache-Control","no-cache");o.setRequestHeader("X-Requested-With","XMLHttpRequest");o.setRequestHeader("Content-Type","application/json");o.onloadend=function(){var r=o.status;try{response=jQuery.parseJSON(o.responseText)}catch(s){response=o.responseText}if(r==200){p&&p(response)}else{l&&l(response)}};if(q=="GET"||q=="DELETE"){o.send()}else{o.send(JSON.stringify(n))}}function i(o,l){var m=$('<div class="'+o+'"></div>');m.appendTo(":eq(0)");var n=m.css(l);m.remove();return n}function g(l){if(!$('link[href^="'+l+'"]').length){$('<link href="'+galaxy_config.root+l+'" rel="stylesheet">').appendTo("head")}}function j(l,m){if(l){return k.defaults(l,m)}else{return m}}function b(m,o){var n="";if(m>=100000000000){m=m/100000000000;n="TB"}else{if(m>=100000000){m=m/100000000;n="GB"}else{if(m>=100000){m=m/100000;n="MB"}else{if(m>=100){m=m/100;n="KB"}else{if(m>0){m=m*10;n="b"}else{return"<strong>-</strong>"}}}}}var l=(Math.round(m)/10);if(o){return l+" "+n}else{return"<strong>"+l+"</strong> "+n}}function a(){return"x"+Math.random().toString(36).substring(2,9)}function c(l){var m=$("<p></p>");m.append(l);return m}function f(){var n=new Date();var l=(n.getHours()<10?"0":"")+n.getHours();var m=(n.getMinutes()<10?"0":"")+n.getMinutes();var o=n.getDate()+"/"+(n.getMonth()+1)+"/"+n.getFullYear()+", "+l+":"+m;return o}return{cssLoadFile:g,cssGetAttribute:i,get:e,merge:j,bytesToString:b,uuid:a,time:f,wrap:c,request:h,sanitize:d}}); \ No newline at end of file diff -r 37e0a3b5e39b4b9f300790c79336b08ad959c2ea -r dad0f6d2a871f089d74b35b880e4354fbf050ccb static/scripts/utils/utils.js --- a/static/scripts/utils/utils.js +++ b/static/scripts/utils/utils.js 
@@ -6,6 +6,14 @@ // dependencies define(["libs/underscore"], function(_) { +/** + * Sanitize/escape a string + * @param{String} content - Content to be sanitized + */ +function sanitize(content) { + return $('<div/>').text(content).html(); +}; + // generic function to recieve json from url function get (url, success, error) { request('GET', url, {}, success, error); @@ -151,7 +159,8 @@ uuid: uuid, time: time, wrap: wrap, - request: request + request: request, + sanitize: sanitize }; }); https://bitbucket.org/galaxy/galaxy-central/commits/c8b92d4eddcc/ Changeset: c8b92d4eddcc Branch: stable User: guerler Date: 2014-11-25 19:04:43+00:00 Summary: Fixes security issue 2.2 for regular grid values Affected #: 1 file diff -r dad0f6d2a871f089d74b35b880e4354fbf050ccb -r c8b92d4eddcc6f2cf4ae8c4ca43b7f80b10af67f lib/galaxy/web/framework/helpers/grids.py --- a/lib/galaxy/web/framework/helpers/grids.py +++ b/lib/galaxy/web/framework/helpers/grids.py @@ -8,6 +8,7 @@ from galaxy.web.framework import decorators from galaxy.web.framework import url_for from galaxy.web.framework.helpers import iff +from markupsafe import escape from sqlalchemy.sql.expression import and_, func, or_ @@ -362,7 +363,7 @@ value = None if self.format: value = self.format( value ) - return value + return escape(value) def get_link( self, trans, grid, item ): if self.link and self.link( item ): return self.link( item ) https://bitbucket.org/galaxy/galaxy-central/commits/04967539e326/ Changeset: 04967539e326 Branch: stable User: guerler Date: 2014-12-01 17:52:01+00:00 Summary: Pages: Sanitize name column in items grid Affected #: 1 file diff -r c8b92d4eddcc6f2cf4ae8c4ca43b7f80b10af67f -r 04967539e32612f432b8ee96975de3b7d1f4ecc1 lib/galaxy/webapps/galaxy/controllers/page.py --- a/lib/galaxy/webapps/galaxy/controllers/page.py +++ b/lib/galaxy/webapps/galaxy/controllers/page.py 
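Review bot: `return escape(value)` at the end of the grids.py hunk turns an absent value into the literal text `None`: markupsafe's `escape` stringifies its argument, so `escape(None)` yields `Markup('None')`, whereas the old code returned `None`, which the JS grid template renders as blank (`(l||"")` in grid-template.js). Suggest `return escape(value) if value is not None else value` so missing values keep rendering empty. Any `self.format` callback that deliberately returns HTML as a plain `str` will now be escaped; callbacks that need to emit markup should return a `Markup` object, which `escape` passes through unchanged, and this is worth confirming against the existing format functions. The enclosing method starts outside the hunk, and the same hunk is repeated in the merge commit 704efd2f5e06 further down.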
@@ -8,6 +8,7 @@ from galaxy import util from galaxy.util.sanitize_html import sanitize_html, _BaseHTMLProcessor from galaxy.util.json import loads +from markupsafe import escape def format_bool( b ): if b: @@ -89,9 +90,9 @@ class NameColumn( grids.TextColumn ): def get_value(self, trans, grid, item): if hasattr( item, "get_display_name" ): - return item.get_display_name() + return escape(item.get_display_name()) else: - return item.name + return escape(item.name) # Grid definition. show_item_checkboxes = True https://bitbucket.org/galaxy/galaxy-central/commits/c92310019777/ Changeset: c92310019777 Branch: stable User: guerler Date: 2014-12-08 19:00:57+00:00 Summary: Use h instead of escape for sanitization Affected #: 3 files diff -r 04967539e32612f432b8ee96975de3b7d1f4ecc1 -r c923100197773cae2795fcc5741a7917ffd1e907 templates/webapps/galaxy/tracks/history_datasets_select_grid.mako --- a/templates/webapps/galaxy/tracks/history_datasets_select_grid.mako +++ b/templates/webapps/galaxy/tracks/history_datasets_select_grid.mako @@ -1,6 +1,5 @@ <%inherit file="/tracks/history_select_grid.mako"/><%def name="title()"> - <%from galaxy.web.framework.helpers import escape%> - <h2>History '${escape(grid.get_current_item( trans, **kwargs ).name)}'</h2> + <h2>History '${grid.get_current_item( trans, **kwargs ).name | h}'</h2></%def> diff -r 04967539e32612f432b8ee96975de3b7d1f4ecc1 -r c923100197773cae2795fcc5741a7917ffd1e907 templates/webapps/galaxy/tracks/library_datasets_select_grid.mako --- a/templates/webapps/galaxy/tracks/library_datasets_select_grid.mako +++ b/templates/webapps/galaxy/tracks/library_datasets_select_grid.mako 
@@ -2,8 +2,7 @@ <%namespace file='/library/common/browse_library.mako' import="render_content, grid_javascripts" /><%def name="title()"> - <%from galaxy.web.framework.helpers import escape%> - <h2>History '${escape(grid.get_current_item( trans, **kwargs ).name)}'</h2> + <h2>History '${grid.get_current_item( trans, **kwargs ).name | h}'</h2></%def> ${select_header()} diff -r 04967539e32612f432b8ee96975de3b7d1f4ecc1 -r c923100197773cae2795fcc5741a7917ffd1e907 templates/webapps/galaxy/visualization/phyloviz.mako --- a/templates/webapps/galaxy/visualization/phyloviz.mako +++ b/templates/webapps/galaxy/visualization/phyloviz.mako @@ -180,7 +180,6 @@ <%def name="center_panel()"> - <%from galaxy.web.framework.helpers import escape%><div class="unified-panel-header" unselectable="on"><div class="unified-panel-header-inner"><div style="float:left;" id="title"></div> @@ -196,7 +195,7 @@ <p>Select a tree to view: <select id="phylovizNexSelector"> % for tree, index in data["trees"]: - <option value="${index}">${escape(tree)}</option> + <option value="${index | h}">${tree | h}</option> % endfor </select></p> https://bitbucket.org/galaxy/galaxy-central/commits/704efd2f5e06/ Changeset: 704efd2f5e06 Branch: stable User: dannon Date: 2014-12-08 19:11:14+00:00 Summary: Merged in guerler/guerler-galaxy-central/stable (pull request #598) Security fixes for assigned templates Affected #: 12 files diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a client/galaxy/scripts/mvc/grid/grid-template.js --- a/client/galaxy/scripts/mvc/grid/grid-template.js +++ b/client/galaxy/scripts/mvc/grid/grid-template.js @@ -1,5 +1,5 @@ // dependencies -define([], function() { +define(['utils/utils'], function(Utils) { // grid view templates return { 
@@ -605,6 +605,7 @@
 // template for filter items
 filter_element: function(filter_key, filter_value) {
+ filter_value = Utils.sanitize(filter_value);
 return '<span class="text-filter-val">' + filter_value + '<a href="javascript:void(0);" filter_key="' + filter_key + '" filter_val="' + filter_value + '">' + '<i class="fa fa-times" style="padding-left: 5px; padding-bottom: 6px;"/>' +
diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a client/galaxy/scripts/utils/utils.js
--- a/client/galaxy/scripts/utils/utils.js
+++ b/client/galaxy/scripts/utils/utils.js
@@ -6,6 +6,14 @@
 // dependencies
 define(["libs/underscore"], function(_) {
+/**
+ * Sanitize/escape a string
+ * @param{String} content - Content to be sanitized
+ */
+function sanitize(content) {
+ return $('<div/>').text(content).html();
+};
+
 // generic function to recieve json from url
 function get (url, success, error) {
 request('GET', url, {}, success, error);
@@ -151,7 +159,8 @@
 uuid: uuid,
 time: time,
 wrap: wrap,
- request: request
+ request: request,
+ sanitize: sanitize
 };
 });
diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a lib/galaxy/web/framework/helpers/grids.py
--- a/lib/galaxy/web/framework/helpers/grids.py
+++ b/lib/galaxy/web/framework/helpers/grids.py
@@ -8,6 +8,7 @@
 from galaxy.web.framework import decorators
 from galaxy.web.framework import url_for
 from galaxy.web.framework.helpers import iff
+from markupsafe import escape
 from sqlalchemy.sql.expression import and_, func, or_
@@ -362,7 +363,7 @@
 value = None
 if self.format:
 value = self.format( value )
- return value
+ return escape(value)
 def get_link( self, trans, grid, item ):
 if self.link and self.link( item ):
 return self.link( item )
diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a lib/galaxy/webapps/galaxy/controllers/page.py
--- a/lib/galaxy/webapps/galaxy/controllers/page.py
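Review bot: The escaped `filter_value` is written into the `filter_val="..."` attribute as well as into element text, but `Utils.sanitize` returns the innerHTML serialization of a text node, which encodes `&`, `<` and `>` and leaves `"` untouched, so a value containing a double quote still ends the attribute early; `filter_key` goes into the same attribute with no escaping at all (presumably a server-defined column key, but the template should not have to rely on that). Either make the helper quote-safe or build the anchor with jQuery and set `filter_key` and `filter_val` through `.attr()`, which escapes correctly for attribute context. The identical hunk in static/scripts/mvc/grid/grid-template.js and the packed build carry the same issue. The body of filter_element continues past the end of the hunk.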
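Review bot: The doc comment on `sanitize` should state the contract the implementation actually gives: `$('<div/>').text(content).html()` escapes `&`, `<` and `>` via innerHTML serialization but not `"` or `'`, so the result is safe as HTML text content and not inside a quoted attribute, a URL or script; a one-line addition such as `.replace(/"/g, '&quot;').replace(/'/g, '&#39;')` on the return expression would cover the attribute case that grid-template.js relies on. The function also uses `$` as a global although the define() list names only libs/underscore, and jQuery's `.text(undefined)` appears to act as a getter, so an undefined `content` would make the chained `.html()` throw where the old string concatenation produced "undefined" — a guard like `if (content === undefined || content === null) { content = ''; }` avoids that. The `;` after the function declaration is harmless but stray. The same hunk is repeated for static/scripts/utils/utils.js below.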
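Review bot: `return escape(value)` now escapes the output of `self.format( value )` as well, so any column whose format callable deliberately returns HTML (a link, a badge) will be rendered as literal text after this change; if such formatters exist (not visible from the hunk), they should return `markupsafe.Markup`, which `escape` passes through via `__html__`, or the escape should be applied before the format call rather than after it. A short comment on the return, e.g. `# escape here so every TextColumn subclass is safe by default; formatters must return Markup to emit HTML`, would make the intent explicit for the next column author. The beginning of get_value, including the branch that computes `value`, lies outside the hunk.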
+++ b/lib/galaxy/webapps/galaxy/controllers/page.py
@@ -8,6 +8,7 @@
 from galaxy import util
 from galaxy.util.sanitize_html import sanitize_html, _BaseHTMLProcessor
 from galaxy.util.json import loads
+from markupsafe import escape
 def format_bool( b ):
 if b:
@@ -89,9 +90,9 @@
 class NameColumn( grids.TextColumn ):
 def get_value(self, trans, grid, item):
 if hasattr( item, "get_display_name" ):
- return item.get_display_name()
+ return escape(item.get_display_name())
 else:
- return item.name
+ return escape(item.name)
 # Grid definition.
 show_item_checkboxes = True
diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a static/scripts/mvc/grid/grid-template.js
--- a/static/scripts/mvc/grid/grid-template.js
+++ b/static/scripts/mvc/grid/grid-template.js
@@ -1,5 +1,5 @@
 // dependencies
-define([], function() {
+define(['utils/utils'], function(Utils) {
 // grid view templates
 return {
@@ -605,6 +605,7 @@
 // template for filter items
 filter_element: function(filter_key, filter_value) {
+ filter_value = Utils.sanitize(filter_value);
 return '<span class="text-filter-val">' + filter_value + '<a href="javascript:void(0);" filter_key="' + filter_key + '" filter_val="' + filter_value + '">' + '<i class="fa fa-times" style="padding-left: 5px; padding-bottom: 6px;"/>' +
diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a static/scripts/packed/mvc/grid/grid-template.js
--- a/static/scripts/packed/mvc/grid/grid-template.js
+++ b/static/scripts/packed/mvc/grid/grid-template.js
@@ -1,1 +1,1 @@ -define([],function(){return{grid:function(b){var a="";if(b.embedded){a=this.grid_header(b)+this.grid_table(b)}else{a='<div class="loading-elt-overlay"></div><table><tr><td width="75%">'+this.grid_header(b)+'</td><td></td><td></td></tr><tr><td width="100%" id="grid-message" valign="top"></td><td></td><td></td></tr></table>'+this.grid_table(b)}if(b.info_text){a+='<br><div class="toolParamHelp" style="clear: both;">'+b.info_text+"</div>"}return a},grid_table:function(a){return'<form method="post" onsubmit="return false;"><table id="grid-table" class="grid"><thead id="grid-table-header"></thead><tbody id="grid-table-body"></tbody><tfoot id="grid-table-footer"></tfoot></table></form>'},grid_header:function(c){var b='<div class="grid-header">';if(!c.embedded){b+="<h2>"+c.title+"</h2>"}if(c.global_actions){b+='<ul class="manage-table-actions">';var d=(c.global_actions.length>=3);if(d){b+='<li><a class="action-button" id="popup-global-actions" class="menubutton">Actions</a></li><div popupmenu="popup-global-actions">'}for(i in c.global_actions){var e=c.global_actions[i];var a="";if(e.inbound){a="use-inbound"}else{a="use-outbound"}b+='<li><a class="action-button '+a+'" href="'+e.url_args+'" onclick="return false;">'+e.label+"</a></li>"}if(d){b+="</div>"}b+="</ul>"}if(c.insert){b+=c.insert}b+=this.grid_filters(c);b+="</div>";return b},header:function(b){var a="<tr>";if(b.show_item_checkboxes){a+="<th>";if(b.items.length>0){a+='<input type="checkbox" id="check_all" name=select_all_checkbox value="true"><input type="hidden" name=select_all_checkbox value="true">'}a+="</th>"}for(var c in b.columns){var d=b.columns[c];if(d.visible){a+='<th id="'+d.key+'-header">';if(d.href){a+='<a href="'+d.href+'" class="sort-link" sort_key="'+d.key+'">'+d.label+"</a>"}else{a+=d.label}a+='<span class="sort-arrow">'+d.extra+"</span></th>"}}a+="</tr>";return a},body:function(r){var k="";var s=0;var e=r.items.length;if(e==0){k+='<tr><td colspan="100"><em>No 
Items</em></td></tr>';s=1}for(var f in r.items){var p=r.items[f];var a=p.encode_id;var g="grid-"+f+"-popup";k+="<tr ";if(r.current_item_id==p.id){k+='class="current"'}k+=">";if(r.show_item_checkboxes){k+='<td style="width: 1.5em;"><input type="checkbox" name="id" value="'+a+'" id="'+a+'" class="grid-row-select-checkbox" /></td>'}for(j in r.columns){var d=r.columns[j];if(d.visible){var c="";if(d.nowrap){c='style="white-space:nowrap;"'}var q=p.column_config[d.label];var h=q.link;var l=q.value;var o=q.inbound;if(jQuery.type(l)==="string"){l=l.replace(/\/\//g,"/")}var b="";var n="";if(d.attach_popup){b="grid-"+f+"-popup";n="menubutton";if(h!=""){n+=" split"}n+=" popup"}k+="<td "+c+">";if(h){if(r.operations.length!=0){k+='<div id="'+b+'" class="'+n+'" style="float: left;">'}var m="";if(o){m="use-inbound"}else{m="use-outbound"}k+='<a class="label '+m+'" href="'+h+'" onclick="return false;">'+l+"</a>";if(r.operations.length!=0){k+="</div>"}}else{k+='<div id="'+b+'" class="'+n+'"><label id="'+d.label_id_prefix+a+'" for="'+a+'">'+(l||"")+"</label></div>"}k+="</td>"}}k+="</tr>";s++}return k},footer:function(o){var k="";if(o.use_paging&&o.num_pages>1){var m=o.num_page_links;var a=o.cur_page_num;var n=o.num_pages;var h=m/2;var g=a-h;var e=0;if(g<=0){g=1;e=h-(a-g)}var d=h+e;var c=a+d;if(c<=n){max_offset=0}else{c=n;max_offset=d-(c+1-a)}if(max_offset!=0){g-=max_offset;if(g<1){g=1}}k+='<tr id="page-links-row">';if(o.show_item_checkboxes){k+="<td></td>"}k+='<td colspan="100"><span id="page-link-container">Page:';if(g>1){k+='<span class="page-link" id="page-link-1"><a href="javascript:void(0);" page_num="1" onclick="return false;">1</a></span> ...'}for(var l=g;l<c+1;l++){if(l==o.cur_page_num){k+='<span class="page-link inactive-link" id="page-link-'+l+'">'+l+"</span>"}else{k+='<span class="page-link" id="page-link-'+l+'"><a href="javascript:void(0);" onclick="return false;" page_num="'+l+'">'+l+"</a></span>"}}if(c<n){k+='...<span class="page-link" id="page-link-'+n+'"><a 
href="javascript:void(0);" onclick="return false;" page_num="'+n+'">'+n+"</a></span>"}k+="</span>";k+='<span class="page-link" id="show-all-link-span"> | <a href="javascript:void(0);" onclick="return false;" page_num="all">Show All</a></span></td></tr>'}if(o.show_item_checkboxes){k+='<tr><input type="hidden" id="operation" name="operation" value=""><td></td><td colspan="100">For <span class="grid-selected-count"></span> selected '+o.get_class_plural+": ";for(i in o.operations){var b=o.operations[i];if(b.allow_multiple){k+='<input type="button" value="'+b.label+'" class="operation-button action-button"> '}}k+="</td></tr>"}var f=false;for(i in o.operations){if(o.operations[i].global_operation){f=true;break}}if(f){k+='<tr><td colspan="100">';for(i in o.operations){var b=o.operations[i];if(b.global_operation){k+='<a class="action-button" href="'+b.global_operation+'">'+b.label+"</a>"}}k+="</td></tr>"}if(o.legend){k+='<tr><td colspan="100">'+o.legend+"</td></tr>"}return k},message:function(a){return'<p><div class="'+a.status+'message transient-message">'+a.message+'</div><div style="clear: both"></div></p>'},grid_filters:function(n){var a=n.default_filter_dict;var b=n.filters;var e="none";if(n.advanced_search){e="block"}var m=false;for(var g in n.columns){var d=n.columns[g];if(d.filterable=="advanced"){var l=d.key;var c=b[l];var f=a[l];if(c&&f&&c!=f){e="block"}m=true}}var k="block";if(e=="block"){k="none"}var h='<div id="standard-search" style="display: '+k+';"><table><tr><td style="padding: 0;"><table>';for(var g in n.columns){var d=n.columns[g];if(d.filterable=="standard"){h+=this.grid_column_filter(n,d)}}h+="</table></td></tr><tr><td>";if(m){h+='<a href="" class="advanced-search-toggle">Advanced Search</a>'}h+="</td></tr></table></div>";h+='<div id="advanced-search" style="display: '+e+'; margin-top: 5px; border: 1px solid #ccc;"><table><tr><td style="text-align: left" colspan="100"><a href="" class="advanced-search-toggle">Close Advanced 
Search</a></td></tr>';for(var g in n.columns){var d=n.columns[g];if(d.filterable=="advanced"){h+=this.grid_column_filter(n,d)}}h+="</table></div>";return h},grid_column_filter:function(e,c){var t=e.default_filter_dict;var l=e.filters;var a=c.label;var b=c.key;if(c.filterable=="advanced"){a=a.toLowerCase()}var k="<tr>";if(c.filterable=="advanced"){k+='<td align="left" style="padding-left: 10px">'+a+":</td>"}k+='<td style="padding-bottom: 1px;">';if(c.is_text){k+='<form class="text-filter-form" column_key="'+b+'" action="'+e.url+'" method="get" >';for(u in e.columns){var g=e.columns[u];var p=l[g.key];if(p){if(p!="All"){if(g.is_text){p=JSON.stringify(p)}k+='<input type="hidden" id="'+g.key+'" name="f-'+g.key+'" value="'+p+'"/>'}}}k+='<span id="'+b+'-filtering-criteria">';var h=l[b];if(h){var f=jQuery.type(h);if(f=="string"){if(h!="All"){k+=this.filter_element(b,h)}}if(f=="array"){for(var u in h){var n=h[u];var v=h;v=v.slice(u);k+=this.filter_element(b,n)}}}k+="</span>";var r="";if(c.filterable=="standard"){r=c.label.toLowerCase();var q=r.length;if(q<20){q=20}q=q+4}k+='<span class="search-box"><input class="search-box-input" id="input-'+b+'-filter" name="f-'+b+'" type="text" placeholder="'+r+'" size="'+q+'"/><button type="submit" style="background: transparent; border: none; padding: 4px; margin: 0px;"><i class="fa fa-search"></i></button></span></form>'}else{k+='<span id="'+b+'-filtering-criteria">';var s=false;for(cf_label in e.categorical_filters[b]){var o=e.categorical_filters[b][cf_label];var d="";var m="";for(key in o){d=key;m=o[key]}if(s){k+=" | "}s=true;var n=l[b];if(n&&o[b]&&n==m){k+='<span class="categorical-filter '+b+'-filter current-filter">'+cf_label+"</span>"}else{k+='<span class="categorical-filter '+b+'-filter"><a href="javascript:void(0);" filter_key="'+d+'" filter_val="'+m+'">'+cf_label+"</a></span>"}}k+="</span>"}k+="</td></tr>";return k},filter_element:function(b,a){return'<span class="text-filter-val">'+a+'<a href="javascript:void(0);" 
filter_key="'+b+'" filter_val="'+a+'"><i class="fa fa-times" style="padding-left: 5px; padding-bottom: 6px;"/></a></span>'}}}); \ No newline at end of file +define(["utils/utils"],function(a){return{grid:function(c){var b="";if(c.embedded){b=this.grid_header(c)+this.grid_table(c)}else{b='<div class="loading-elt-overlay"></div><table><tr><td width="75%">'+this.grid_header(c)+'</td><td></td><td></td></tr><tr><td width="100%" id="grid-message" valign="top"></td><td></td><td></td></tr></table>'+this.grid_table(c)}if(c.info_text){b+='<br><div class="toolParamHelp" style="clear: both;">'+c.info_text+"</div>"}return b},grid_table:function(b){return'<form method="post" onsubmit="return false;"><table id="grid-table" class="grid"><thead id="grid-table-header"></thead><tbody id="grid-table-body"></tbody><tfoot id="grid-table-footer"></tfoot></table></form>'},grid_header:function(d){var c='<div class="grid-header">';if(!d.embedded){c+="<h2>"+d.title+"</h2>"}if(d.global_actions){c+='<ul class="manage-table-actions">';var e=(d.global_actions.length>=3);if(e){c+='<li><a class="action-button" id="popup-global-actions" class="menubutton">Actions</a></li><div popupmenu="popup-global-actions">'}for(i in d.global_actions){var f=d.global_actions[i];var b="";if(f.inbound){b="use-inbound"}else{b="use-outbound"}c+='<li><a class="action-button '+b+'" href="'+f.url_args+'" onclick="return false;">'+f.label+"</a></li>"}if(e){c+="</div>"}c+="</ul>"}if(d.insert){c+=d.insert}c+=this.grid_filters(d);c+="</div>";return c},header:function(c){var b="<tr>";if(c.show_item_checkboxes){b+="<th>";if(c.items.length>0){b+='<input type="checkbox" id="check_all" name=select_all_checkbox value="true"><input type="hidden" name=select_all_checkbox value="true">'}b+="</th>"}for(var d in c.columns){var e=c.columns[d];if(e.visible){b+='<th id="'+e.key+'-header">';if(e.href){b+='<a href="'+e.href+'" class="sort-link" sort_key="'+e.key+'">'+e.label+"</a>"}else{b+=e.label}b+='<span 
class="sort-arrow">'+e.extra+"</span></th>"}}b+="</tr>";return b},body:function(s){var l="";var t=0;var f=s.items.length;if(f==0){l+='<tr><td colspan="100"><em>No Items</em></td></tr>';t=1}for(var g in s.items){var q=s.items[g];var b=q.encode_id;var h="grid-"+g+"-popup";l+="<tr ";if(s.current_item_id==q.id){l+='class="current"'}l+=">";if(s.show_item_checkboxes){l+='<td style="width: 1.5em;"><input type="checkbox" name="id" value="'+b+'" id="'+b+'" class="grid-row-select-checkbox" /></td>'}for(j in s.columns){var e=s.columns[j];if(e.visible){var d="";if(e.nowrap){d='style="white-space:nowrap;"'}var r=q.column_config[e.label];var k=r.link;var m=r.value;var p=r.inbound;if(jQuery.type(m)==="string"){m=m.replace(/\/\//g,"/")}var c="";var o="";if(e.attach_popup){c="grid-"+g+"-popup";o="menubutton";if(k!=""){o+=" split"}o+=" popup"}l+="<td "+d+">";if(k){if(s.operations.length!=0){l+='<div id="'+c+'" class="'+o+'" style="float: left;">'}var n="";if(p){n="use-inbound"}else{n="use-outbound"}l+='<a class="label '+n+'" href="'+k+'" onclick="return false;">'+m+"</a>";if(s.operations.length!=0){l+="</div>"}}else{l+='<div id="'+c+'" class="'+o+'"><label id="'+e.label_id_prefix+b+'" for="'+b+'">'+(m||"")+"</label></div>"}l+="</td>"}}l+="</tr>";t++}return l},footer:function(p){var l="";if(p.use_paging&&p.num_pages>1){var n=p.num_page_links;var b=p.cur_page_num;var o=p.num_pages;var k=n/2;var h=b-k;var f=0;if(h<=0){h=1;f=k-(b-h)}var e=k+f;var d=b+e;if(d<=o){max_offset=0}else{d=o;max_offset=e-(d+1-b)}if(max_offset!=0){h-=max_offset;if(h<1){h=1}}l+='<tr id="page-links-row">';if(p.show_item_checkboxes){l+="<td></td>"}l+='<td colspan="100"><span id="page-link-container">Page:';if(h>1){l+='<span class="page-link" id="page-link-1"><a href="javascript:void(0);" page_num="1" onclick="return false;">1</a></span> ...'}for(var m=h;m<d+1;m++){if(m==p.cur_page_num){l+='<span class="page-link inactive-link" id="page-link-'+m+'">'+m+"</span>"}else{l+='<span class="page-link" 
id="page-link-'+m+'"><a href="javascript:void(0);" onclick="return false;" page_num="'+m+'">'+m+"</a></span>"}}if(d<o){l+='...<span class="page-link" id="page-link-'+o+'"><a href="javascript:void(0);" onclick="return false;" page_num="'+o+'">'+o+"</a></span>"}l+="</span>";l+='<span class="page-link" id="show-all-link-span"> | <a href="javascript:void(0);" onclick="return false;" page_num="all">Show All</a></span></td></tr>'}if(p.show_item_checkboxes){l+='<tr><input type="hidden" id="operation" name="operation" value=""><td></td><td colspan="100">For <span class="grid-selected-count"></span> selected '+p.get_class_plural+": ";for(i in p.operations){var c=p.operations[i];if(c.allow_multiple){l+='<input type="button" value="'+c.label+'" class="operation-button action-button"> '}}l+="</td></tr>"}var g=false;for(i in p.operations){if(p.operations[i].global_operation){g=true;break}}if(g){l+='<tr><td colspan="100">';for(i in p.operations){var c=p.operations[i];if(c.global_operation){l+='<a class="action-button" href="'+c.global_operation+'">'+c.label+"</a>"}}l+="</td></tr>"}if(p.legend){l+='<tr><td colspan="100">'+p.legend+"</td></tr>"}return l},message:function(b){return'<p><div class="'+b.status+'message transient-message">'+b.message+'</div><div style="clear: both"></div></p>'},grid_filters:function(o){var b=o.default_filter_dict;var c=o.filters;var f="none";if(o.advanced_search){f="block"}var n=false;for(var h in o.columns){var e=o.columns[h];if(e.filterable=="advanced"){var m=e.key;var d=c[m];var g=b[m];if(d&&g&&d!=g){f="block"}n=true}}var l="block";if(f=="block"){l="none"}var k='<div id="standard-search" style="display: '+l+';"><table><tr><td style="padding: 0;"><table>';for(var h in o.columns){var e=o.columns[h];if(e.filterable=="standard"){k+=this.grid_column_filter(o,e)}}k+="</table></td></tr><tr><td>";if(n){k+='<a href="" class="advanced-search-toggle">Advanced Search</a>'}k+="</td></tr></table></div>";k+='<div id="advanced-search" style="display: '+f+'; 
margin-top: 5px; border: 1px solid #ccc;"><table><tr><td style="text-align: left" colspan="100"><a href="" class="advanced-search-toggle">Close Advanced Search</a></td></tr>';for(var h in o.columns){var e=o.columns[h];if(e.filterable=="advanced"){k+=this.grid_column_filter(o,e)}}k+="</table></div>";return k},grid_column_filter:function(f,d){var u=f.default_filter_dict;var m=f.filters;var b=d.label;var c=d.key;if(d.filterable=="advanced"){b=b.toLowerCase()}var l="<tr>";if(d.filterable=="advanced"){l+='<td align="left" style="padding-left: 10px">'+b+":</td>"}l+='<td style="padding-bottom: 1px;">';if(d.is_text){l+='<form class="text-filter-form" column_key="'+c+'" action="'+f.url+'" method="get" >';for(v in f.columns){var h=f.columns[v];var q=m[h.key];if(q){if(q!="All"){if(h.is_text){q=JSON.stringify(q)}l+='<input type="hidden" id="'+h.key+'" name="f-'+h.key+'" value="'+q+'"/>'}}}l+='<span id="'+c+'-filtering-criteria">';var k=m[c];if(k){var g=jQuery.type(k);if(g=="string"){if(k!="All"){l+=this.filter_element(c,k)}}if(g=="array"){for(var v in k){var o=k[v];var w=k;w=w.slice(v);l+=this.filter_element(c,o)}}}l+="</span>";var s="";if(d.filterable=="standard"){s=d.label.toLowerCase();var r=s.length;if(r<20){r=20}r=r+4}l+='<span class="search-box"><input class="search-box-input" id="input-'+c+'-filter" name="f-'+c+'" type="text" placeholder="'+s+'" size="'+r+'"/><button type="submit" style="background: transparent; border: none; padding: 4px; margin: 0px;"><i class="fa fa-search"></i></button></span></form>'}else{l+='<span id="'+c+'-filtering-criteria">';var t=false;for(cf_label in f.categorical_filters[c]){var p=f.categorical_filters[c][cf_label];var e="";var n="";for(key in p){e=key;n=p[key]}if(t){l+=" | "}t=true;var o=m[c];if(o&&p[c]&&o==n){l+='<span class="categorical-filter '+c+'-filter current-filter">'+cf_label+"</span>"}else{l+='<span class="categorical-filter '+c+'-filter"><a href="javascript:void(0);" filter_key="'+e+'" 
filter_val="'+n+'">'+cf_label+"</a></span>"}}l+="</span>"}l+="</td></tr>";return l},filter_element:function(c,b){b=a.sanitize(b);return'<span class="text-filter-val">'+b+'<a href="javascript:void(0);" filter_key="'+c+'" filter_val="'+b+'"><i class="fa fa-times" style="padding-left: 5px; padding-bottom: 6px;"/></a></span>'}}}); \ No newline at end of file diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a static/scripts/packed/utils/utils.js --- a/static/scripts/packed/utils/utils.js +++ b/static/scripts/packed/utils/utils.js 
@@ -1,1 +1,1 @@ -define(["libs/underscore"],function(j){function d(l,m,k){g("GET",l,{},m,k)}function g(p,l,m,o,k){if(p=="GET"||p=="DELETE"){if(l.indexOf("?")==-1){l+="?"}else{l+="&"}l+=$.param(m)}var n=new XMLHttpRequest();n.open(p,l,true);n.setRequestHeader("Accept","application/json");n.setRequestHeader("Cache-Control","no-cache");n.setRequestHeader("X-Requested-With","XMLHttpRequest");n.setRequestHeader("Content-Type","application/json");n.onloadend=function(){var q=n.status;try{response=jQuery.parseJSON(n.responseText)}catch(r){response=n.responseText}if(q==200){o&&o(response)}else{k&&k(response)}};if(p=="GET"||p=="DELETE"){n.send()}else{n.send(JSON.stringify(m))}}function h(n,k){var l=$('<div class="'+n+'"></div>');l.appendTo(":eq(0)");var m=l.css(k);l.remove();return m}function f(k){if(!$('link[href^="'+k+'"]').length){$('<link href="'+galaxy_config.root+k+'" rel="stylesheet">').appendTo("head")}}function i(k,l){if(k){return j.defaults(k,l)}else{return l}}function b(l,n){var m="";if(l>=100000000000){l=l/100000000000;m="TB"}else{if(l>=100000000){l=l/100000000;m="GB"}else{if(l>=100000){l=l/100000;m="MB"}else{if(l>=100){l=l/100;m="KB"}else{if(l>0){l=l*10;m="b"}else{return"<strong>-</strong>"}}}}}var k=(Math.round(l)/10);if(n){return k+" "+m}else{return"<strong>"+k+"</strong> "+m}}function a(){return"x"+Math.random().toString(36).substring(2,9)}function c(k){var l=$("<p></p>");l.append(k);return l}function e(){var m=new Date();var k=(m.getHours()<10?"0":"")+m.getHours();var l=(m.getMinutes()<10?"0":"")+m.getMinutes();var n=m.getDate()+"/"+(m.getMonth()+1)+"/"+m.getFullYear()+", "+k+":"+l;return n}return{cssLoadFile:f,cssGetAttribute:h,get:d,merge:i,bytesToString:b,uuid:a,time:e,wrap:c,request:g}}); \ No newline at end of file +define(["libs/underscore"],function(k){function d(l){return $("<div/>").text(l).html()}function e(m,n,l){h("GET",m,{},n,l)}function h(q,m,n,p,l){if(q=="GET"||q=="DELETE"){if(m.indexOf("?")==-1){m+="?"}else{m+="&"}m+=$.param(n)}var o=new 
XMLHttpRequest();o.open(q,m,true);o.setRequestHeader("Accept","application/json");o.setRequestHeader("Cache-Control","no-cache");o.setRequestHeader("X-Requested-With","XMLHttpRequest");o.setRequestHeader("Content-Type","application/json");o.onloadend=function(){var r=o.status;try{response=jQuery.parseJSON(o.responseText)}catch(s){response=o.responseText}if(r==200){p&&p(response)}else{l&&l(response)}};if(q=="GET"||q=="DELETE"){o.send()}else{o.send(JSON.stringify(n))}}function i(o,l){var m=$('<div class="'+o+'"></div>');m.appendTo(":eq(0)");var n=m.css(l);m.remove();return n}function g(l){if(!$('link[href^="'+l+'"]').length){$('<link href="'+galaxy_config.root+l+'" rel="stylesheet">').appendTo("head")}}function j(l,m){if(l){return k.defaults(l,m)}else{return m}}function b(m,o){var n="";if(m>=100000000000){m=m/100000000000;n="TB"}else{if(m>=100000000){m=m/100000000;n="GB"}else{if(m>=100000){m=m/100000;n="MB"}else{if(m>=100){m=m/100;n="KB"}else{if(m>0){m=m*10;n="b"}else{return"<strong>-</strong>"}}}}}var l=(Math.round(m)/10);if(o){return l+" "+n}else{return"<strong>"+l+"</strong> "+n}}function a(){return"x"+Math.random().toString(36).substring(2,9)}function c(l){var m=$("<p></p>");m.append(l);return m}function f(){var n=new Date();var l=(n.getHours()<10?"0":"")+n.getHours();var m=(n.getMinutes()<10?"0":"")+n.getMinutes();var o=n.getDate()+"/"+(n.getMonth()+1)+"/"+n.getFullYear()+", "+l+":"+m;return o}return{cssLoadFile:g,cssGetAttribute:i,get:e,merge:j,bytesToString:b,uuid:a,time:f,wrap:c,request:h,sanitize:d}}); \ No newline at end of file diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a static/scripts/utils/utils.js --- a/static/scripts/utils/utils.js +++ b/static/scripts/utils/utils.js 
@@ -6,6 +6,14 @@
 // dependencies
 define(["libs/underscore"], function(_) {
+/**
+ * Sanitize/escape a string
+ * @param{String} content - Content to be sanitized
+ */
+function sanitize(content) {
+ return $('<div/>').text(content).html();
+};
+
 // generic function to recieve json from url
 function get (url, success, error) {
 request('GET', url, {}, success, error);
@@ -151,7 +159,8 @@
 uuid: uuid,
 time: time,
 wrap: wrap,
- request: request
+ request: request,
+ sanitize: sanitize
 };
 });
diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a templates/webapps/galaxy/tracks/history_datasets_select_grid.mako
--- a/templates/webapps/galaxy/tracks/history_datasets_select_grid.mako
+++ b/templates/webapps/galaxy/tracks/history_datasets_select_grid.mako
@@ -1,5 +1,5 @@
 <%inherit file="/tracks/history_select_grid.mako"/><%def name="title()">
- <h2>History '${grid.get_current_item( trans, **kwargs ).name}'</h2>
+ <h2>History '${grid.get_current_item( trans, **kwargs ).name | h}'</h2>
 </%def>
diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a templates/webapps/galaxy/tracks/index.mako
--- a/templates/webapps/galaxy/tracks/index.mako
+++ /dev/null
@@ -1,38 +0,0 @@
-<form id="form" method="POST">
- <div class="form-row">
- <label for="dbkey">Browser name:</label>
- <div class="form-row-input">
- <input type="text" name="title" id="title" value="Unnamed Browser"></input>
- </div>
- <div style="clear: both;"></div>
- </div>
- <div class="form-row">
- <label for="dbkey">Reference genome build (dbkey): </label>
- <div class="form-row-input">
- <select name="dbkey" id="dbkey" refresh_on_change="true">
- %for tmp_dbkey in dbkey_set:
- <option value="${tmp_dbkey}"
- %if tmp_dbkey == dbkey:
- selected="selected"
- %endif
- >${tmp_dbkey}</option>
- %endfor
- </select>
- </div>
- <div style="clear: both;"></div>
- </div>
- <div class="form-row">
- <label for="dataset_ids">Datasets to visualize: (${", ".join(available_tracks)} files are supported)</label>
- %for dataset_id, (dataset_ext, dataset_name) in datasets.iteritems():
- <div>
- <input type="checkbox" id="${dataset_id}" name="dataset_ids" value="${dataset_id}" />
- <label style="display:inline; font-weight: normal" for="${dataset_id}">[${dataset_ext}] ${dataset_name}</label>
- </div>
- %endfor
-
- <div style="clear: both;"></div>
- </div>
- <div class="form-row">
- <input type="submit" name="browse" value="Browse"/>
- </div>
-</form>
diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a templates/webapps/galaxy/tracks/library_datasets_select_grid.mako
--- a/templates/webapps/galaxy/tracks/library_datasets_select_grid.mako
+++ b/templates/webapps/galaxy/tracks/library_datasets_select_grid.mako
@@ -2,7 +2,7 @@
 <%namespace file='/library/common/browse_library.mako' import="render_content, grid_javascripts" /><%def name="title()">
- <h2>History '${grid.get_current_item( trans, **kwargs ).name}'</h2>
+ <h2>History '${grid.get_current_item( trans, **kwargs ).name | h}'</h2>
 </%def> ${select_header()}
diff -r 0c8ac7330cdd467e9c7ef6f02778dca07a577b79 -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a templates/webapps/galaxy/visualization/phyloviz.mako
--- a/templates/webapps/galaxy/visualization/phyloviz.mako
+++ b/templates/webapps/galaxy/visualization/phyloviz.mako
@@ -180,7 +180,6 @@
 <%def name="center_panel()">
- <div class="unified-panel-header" unselectable="on"><div class="unified-panel-header-inner"><div style="float:left;" id="title"></div>
@@ -196,7 +195,7 @@
 <p>Select a tree to view: <select id="phylovizNexSelector">
 % for tree, index in data["trees"]:
- <option value="${index}">${tree}</option>
+ <option value="${index | h}">${tree | h}</option>
 % endfor
 </select></p>
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.