1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/511fbb67b820/ Changeset: 511fbb67b820 User: jmchilton Date: 2014-12-09 14:17:25+00:00 Summary: Merge next-stable. Affected #: 44 files diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e .hgtags --- a/.hgtags +++ b/.hgtags @@ -20,4 +20,4 @@ ca45b78adb4152fc6e7395514d46eba6b7d0b838 release_2014.08.11 548ab24667d6206780237bd807f7d857a484c461 latest_2014.08.11 2092948937ac30ef82f71463a235c66d34987088 release_2014.10.06 -acb2548443ae42d39ef200d035ccc0481d6b930c latest_2014.10.06 +782cf1a1f6b56f8a9c0b3e5e9ffd29fd93b16ce3 latest_2014.10.06 diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e lib/galaxy/security/validate_user_input.py --- a/lib/galaxy/security/validate_user_input.py +++ b/lib/galaxy/security/validate_user_input.py @@ -1,3 +1,9 @@ +""" +Utilities for validating inputs related to user objects. + +The validate_* methods in this file return simple messages that do not contain +user inputs - so these methods do not need to be escaped. +""" import logging import re diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e lib/galaxy/tools/__init__.py --- a/lib/galaxy/tools/__init__.py +++ b/lib/galaxy/tools/__init__.py @@ -67,6 +67,7 @@ from galaxy.util.template import fill_template from galaxy.web import url_for from galaxy.web.form_builder import SelectField +from galaxy.web.framework.helpers import escape from galaxy.model.item_attrs import Dictifiable from galaxy.model import Workflow from tool_shed.util import common_util @@ -791,7 +792,7 @@ success = True # Make sure the tool is actually loaded. if tool_id not in self.tools_by_id: - return None, False, "No tool with id %s" % tool_id + return None, False, "No tool with id %s" % escape( tool_id ) else: tool = self.tools_by_id[ tool_id ] tarball_files = [] 
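Review bot: `escape( tool_id )` is applied inside the toolbox's own return value (`return None, False, "No tool with id %s" % escape( tool_id )`), so the entity-encoded string now reaches every caller of this method, including any non-HTML consumer such as an API response or a log line, and `galaxy.tools` gains a dependency on `galaxy.web.framework.helpers` for a purely presentational concern. Output encoding is more robust at the render boundary — the Mako `| h` filters the rest of this commit adds — with the model layer returning plain text. If these messages are only ever rendered as HTML, record that assumption next to the import, e.g. `# escape: toolbox messages are rendered unfiltered by the admin tool pages`. The enclosing method starts outside the hunk.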
@@ -902,7 +903,7 @@ replace the old tool. """ if tool_id not in self.tools_by_id: - message = "No tool with id %s" % tool_id + message = "No tool with id %s" % escape( tool_id ) status = 'error' else: old_tool = self.tools_by_id[ tool_id ] @@ -939,7 +940,7 @@ Attempt to remove the tool identified by 'tool_id'. """ if tool_id not in self.tools_by_id: - message = "No tool with id %s" % tool_id + message = "No tool with id %s" % escape( tool_id ) status = 'error' else: tool = self.tools_by_id[ tool_id ] diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e lib/galaxy/tools/filters/__init__.py --- a/lib/galaxy/tools/filters/__init__.py +++ b/lib/galaxy/tools/filters/__init__.py @@ -1,6 +1,10 @@ +import logging from galaxy.util import listify from copy import deepcopy +log = logging.getLogger( __name__ ) + + class FilterFactory( object ): """ An instance of this class is responsible for filtering the list 
@@ -37,17 +41,21 @@ elif name == 'toolbox_label_filters': category = "label" if category: - self.__init_filters( category, user_filters, filters ) + validate = getattr( trans.app.config, 'user_%s_filters' % category, [] ) + self.__init_filters( category, user_filters, filters, validate=validate ) else: if kwds.get( "trackster", False ): filters[ "tool" ].append( _has_trackster_conf ) return filters - def __init_filters( self, key, filters, toolbox_filters ): + def __init_filters( self, key, filters, toolbox_filters, validate=None ): for filter in filters: - filter_function = self.__build_filter_function( filter ) - toolbox_filters[ key ].append( filter_function ) + if validate is None or filter in validate or filter in self.default_filters: + filter_function = self.__build_filter_function( filter ) + toolbox_filters[ key ].append( filter_function ) + else: + log.warning( "Refusing to load %s filter '%s' which is not defined in config", key, filter ) return toolbox_filters def __build_filter_function( self, filter_name ): diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e lib/galaxy/web/base/controller.py --- a/lib/galaxy/web/base/controller.py +++ b/lib/galaxy/web/base/controller.py @@ -1664,7 +1664,8 @@ stored.user = trans.user stored.published = publish if data[ 'annotation' ]: - self.add_item_annotation( trans.sa_session, stored.user, stored, data[ 'annotation' ] ) + annotation = sanitize_html( data[ 'annotation' ], 'utf-8', 'text/html' ) + self.add_item_annotation( trans.sa_session, stored.user, stored, annotation ) # Persist trans.sa_session.add( stored ) 
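Review bot: The new guard in `__init_filters` still accepts any filter name when `validate is None`, so a caller that omits the keyword keeps the old behaviour of loading whatever name the user stored; a deny-by-default signature is safer: `def __init_filters( self, key, filters, toolbox_filters, validate=() ):` with the test reduced to `if filter in validate or filter in self.default_filters:`. The check also assumes `self.default_filters` supports `in` with the same string form as the config values, which is not visible here and worth confirming. The warning logs the rejected user-supplied name verbatim, which is fine if the log handler neutralises newlines; otherwise `repr( filter )` is safer. `__build_filter_function` is outside the hunk, so what a rejected name could previously have done (presumably a dotted-path import) is inferred, not seen.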
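Review bot: `sanitize_html` is applied on this one write path only, so the stored annotation can be trusted as HTML only if every other writer of item annotations sanitizes too; the other `add_item_annotation` callers are not in this diff, so please confirm, or treat annotations as text at render time instead. This commit also adds `| h` to `item.annotation` in embed_base.mako, so markup the sanitizer allows here will be displayed as literal entities — sanitize-on-write and escape-on-read are each defensible, but mixing them is confusing and worth a comment such as `# annotation is stored as sanitized HTML; templates that render it must not escape again`. The enclosing method starts and ends outside the hunk.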
@@ -2571,6 +2572,8 @@ def set_public_username( self, trans, id, username, **kwargs ): """ Set user's public username and delegate to sharing() """ user = trans.get_user() + # message from validate_publicname does not contain input, no need + # to escape. message = validate_publicname( trans, username, user ) if message: return trans.fill_template( '/sharing_base.mako', item=self.get_item( trans, id ), message=message, status='error' ) diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e lib/galaxy/web/form_builder.py --- a/lib/galaxy/web/form_builder.py +++ b/lib/galaxy/web/form_builder.py @@ -563,7 +563,7 @@ html += '<input name="__switch_default__" type="hidden" value="%s" />' % self.default_field options = [] for name, delegate_field in self.delegate_fields.items(): - field = dumps( delegate_field.to_dict() ) + field = escape( dumps( delegate_field.to_dict() ) ) option = " '%s': %s" % ( name, field ) options.append( option ) html += '<script>$(document).ready( function() {\nvar switchOptions = {\n' diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e lib/galaxy/webapps/galaxy/controllers/history.py --- a/lib/galaxy/webapps/galaxy/controllers/history.py +++ b/lib/galaxy/webapps/galaxy/controllers/history.py @@ -718,7 +718,9 @@ for husa in husas: trans.sa_session.delete( husa ) if not deleted_sharing_relation: - message = "History '%s' does not seem to be shared with user '%s'" % ( history.name, user.email ) + history_name = escape( history.name ) + user_email = escape( user.email ) + message = "History '%s' does not seem to be shared with user '%s'" % ( history_name, user_email ) return trans.fill_template( '/sharing_base.mako', item=history, message=message, status='error' ) diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e lib/galaxy/webapps/galaxy/controllers/mobile.py --- a/lib/galaxy/webapps/galaxy/controllers/mobile.py 
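Review bot: HTML-escaping `dumps( delegate_field.to_dict() )` is the wrong encoder for where the value lands: the following lines splice it into a `<script>` block as a JavaScript object literal, and inside `<script>` the browser does not decode entities, so any `&#34;`/`&quot;`/`&lt;` produced by `escape` becomes JS source (a syntax error if quotes are encoded, corrupted data otherwise). The defence for a script context is JSON with HTML-significant characters turned into `\u` escapes, e.g. `field = dumps( delegate_field.to_dict() ).replace( '<', '\\u003c' ).replace( '>', '\\u003e' ).replace( '&', '\\u0026' )`, and `name` on the next line needs the same treatment since it is interpolated raw as an object key. Whether this `escape` encodes quotes depends on which helper it resolves to, which is not visible here; the JSON-side encoding is correct either way. The enclosing method starts and ends outside the hunk.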
+++ b/lib/galaxy/webapps/galaxy/controllers/mobile.py 
@@ -1,60 +1,71 @@ +from galaxy import web from galaxy.web.base.controller import * + class Mobile( BaseUIController ): + @web.expose def index( self, trans, **kwargs ): - return trans.fill_template( "mobile/index.mako" ) + return trans.response.send_redirect( web.url_for(controller='root', action='index' ) ) + # return trans.fill_template( "mobile/index.mako" ) @web.expose def history_list( self, trans ): - return trans.fill_template( "mobile/history/list.mako" ) + return trans.response.send_redirect( web.url_for(controller='root', action='index' ) ) + # return trans.fill_template( "mobile/history/list.mako" ) @web.expose def history_detail( self, trans, id ): - history = trans.sa_session.query( trans.app.model.History ).get( id ) - assert history.user == trans.user - return trans.fill_template( "mobile/history/detail.mako", history=history ) + return trans.response.send_redirect( web.url_for(controller='root', action='index' ) ) + # history = trans.sa_session.query( trans.app.model.History ).get( id ) + # assert history.user == trans.user + # return trans.fill_template( "mobile/history/detail.mako", history=history ) @web.expose def dataset_detail( self, trans, id ): - dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id ) - assert dataset.history.user == trans.user - return trans.fill_template( "mobile/dataset/detail.mako", dataset=dataset ) + return trans.response.send_redirect( web.url_for(controller='root', action='index' ) ) + # dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id ) + # assert dataset.history.user == trans.user + # return trans.fill_template( "mobile/dataset/detail.mako", dataset=dataset ) @web.expose def dataset_peek( self, trans, id ): - dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id ) - assert dataset.history.user == trans.user - return trans.fill_template( "mobile/dataset/peek.mako", dataset=dataset ) + return 
trans.response.send_redirect( web.url_for(controller='root', action='index' ) ) + # dataset = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( id ) + # assert dataset.history.user == trans.user + # return trans.fill_template( "mobile/dataset/peek.mako", dataset=dataset ) @web.expose def settings( self, trans, email=None, password=None ): - message = None - if email is not None and password is not None: - if email == "": - self.__logout( trans ) - message = "Logged out" - else: - error = self.__login( trans, email, password ) - message = error or "Login changed" - return trans.fill_template( "mobile/settings.mako", message=message ) + return trans.response.send_redirect( web.url_for(controller='root', action='index' ) ) + # message = None + # if email is not None and password is not None: + # if email == "": + # self.__logout( trans ) + # message = "Logged out" + # else: + # error = self.__login( trans, email, password ) + # message = error or "Login changed" + # return trans.fill_template( "mobile/settings.mako", message=message ) def __logout( self, trans ): - trans.log_event( "User logged out" ) - trans.handle_user_logout() + return trans.response.send_redirect( web.url_for(controller='root', action='index' ) ) + # trans.log_event( "User logged out" ) + # trans.handle_user_logout() def __login( self, trans, email="", password="" ): - error = password_error = None - user = trans.sa_session.query( model.User ).filter_by( email = email ).first() - if not user: - error = "No such user (please note that login is case sensitive)" - elif user.deleted: - error = "This account has been marked deleted, contact your Galaxy administrator to restore the account." - elif user.external: - error = "This account was created for use with an external authentication method, contact your local Galaxy administrator to activate it." 
- elif not user.check_password( password ): - error = "Invalid password" - else: - trans.handle_user_login( user ) - trans.log_event( "User logged in" ) - return error + return trans.response.send_redirect( web.url_for(controller='root', action='index' ) ) + # error = password_error = None + # user = trans.sa_session.query( model.User ).filter_by( email = email ).first() + # if not user: + # error = "No such user (please note that login is case sensitive)" + # elif user.deleted: + # error = "This account has been marked deleted, contact your Galaxy administrator to restore the account." + # elif user.external: + # error = "This account was created for use with an external authentication method, contact your local Galaxy administrator to activate it." + # elif not user.check_password( password ): + # error = "Invalid password" + # else: + # trans.handle_user_login( user ) + # trans.log_event( "User logged in" ) + # return error diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e lib/galaxy/webapps/galaxy/controllers/page.py --- a/lib/galaxy/webapps/galaxy/controllers/page.py +++ b/lib/galaxy/webapps/galaxy/controllers/page.py @@ -500,14 +500,14 @@ .first() if not other: mtype = "error" - msg = ( "User '%s' does not exist" % email ) + msg = ( "User '%s' does not exist" % escape( email ) ) elif other == trans.get_user(): mtype = "error" msg = ( "You cannot share a page with yourself" ) elif trans.sa_session.query( model.PageUserShareAssociation ) \ .filter_by( user=other, page=page ).count() > 0: mtype = "error" - msg = ( "Page already shared with '%s'" % email ) + msg = ( "Page already shared with '%s'" % escape( email ) ) else: share = model.PageUserShareAssociation() share.page = page 
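Review bot: The commented-out bodies that now follow every `send_redirect`, including the full `__login` password check, should be deleted rather than kept as comments — version control preserves them, and a dormant login routine sitting beside live handlers invites someone to re-enable it without the checks the real login path has since gained. `__logout` and `__login` are private helpers with no remaining callers and can go entirely; if the mobile UI is being retired, removing the controller and its route is cleaner than ten redirect stubs. The wildcard `from galaxy.web.base.controller import *` is also no longer needed beyond `BaseUIController` and `web`, which the new explicit `from galaxy import web` already covers in part.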
@@ -516,7 +516,9 @@ session.add( share ) self.create_item_slug( session, page ) session.flush() - trans.set_message( "Page '%s' shared with user '%s'" % ( page.title, other.email ) ) + page_title = escape( page.title ) + other_email = escape( other.email ) + trans.set_message( "Page '%s' shared with user '%s'" % ( page_title, other_email ) ) return trans.response.send_redirect( url_for( controller='page', action='sharing', id=id ) ) return trans.fill_template( "/ind_share_base.mako", message = msg, diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e lib/galaxy/webapps/galaxy/controllers/visualization.py --- a/lib/galaxy/webapps/galaxy/controllers/visualization.py +++ b/lib/galaxy/webapps/galaxy/controllers/visualization.py @@ -535,14 +535,14 @@ .first() if not other: mtype = "error" - msg = ( "User '%s' does not exist" % email ) + msg = ( "User '%s' does not exist" % escape( email ) ) elif other == trans.get_user(): mtype = "error" msg = ( "You cannot share a visualization with yourself" ) elif trans.sa_session.query( model.VisualizationUserShareAssociation ) \ .filter_by( user=other, visualization=visualization ).count() > 0: mtype = "error" - msg = ( "Visualization already shared with '%s'" % email ) + msg = ( "Visualization already shared with '%s'" % escape( email ) ) else: share = model.VisualizationUserShareAssociation() share.visualization = visualization 
@@ -551,7 +551,9 @@ session.add( share ) self.create_item_slug( session, visualization ) session.flush() - trans.set_message( "Visualization '%s' shared with user '%s'" % ( visualization.title, other.email ) ) + viz_title = escape( visualization.title ) + other_email = escape( other.email ) + trans.set_message( "Visualization '%s' shared with user '%s'" % ( viz_title, other_email ) ) return trans.response.send_redirect( web.url_for(controller='visualization', action='sharing', id=id ) ) return trans.fill_template( "/ind_share_base.mako", message = msg, diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py +++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py @@ -310,14 +310,14 @@ .first() if not other: mtype = "error" - msg = ( "User '%s' does not exist" % email ) + msg = ( "User '%s' does not exist" % escape( email ) ) elif other == trans.get_user(): mtype = "error" msg = ( "You cannot share a workflow with yourself" ) elif trans.sa_session.query( model.StoredWorkflowUserShareAssociation ) \ .filter_by( user=other, stored_workflow=stored ).count() > 0: mtype = "error" - msg = ( "Workflow already shared with '%s'" % email ) + msg = ( "Workflow already shared with '%s'" % escape( email ) ) else: share = model.StoredWorkflowUserShareAssociation() share.stored_workflow = stored @@ -325,7 +325,7 @@ session = trans.sa_session session.add( share ) session.flush() - trans.set_message( "Workflow '%s' shared with user '%s'" % ( stored.name, other.email ) ) + trans.set_message( "Workflow '%s' shared with user '%s'" % ( escape( stored.name ), escape( other.email ) ) ) return trans.response.send_redirect( url_for( controller='workflow', action='sharing', id=id ) ) return trans.fill_template( "/ind_share_base.mako", message=msg, 
@@ -415,7 +415,7 @@ stored.latest_workflow.name = san_new_name trans.sa_session.flush() # For current workflows grid: - trans.set_message( "Workflow renamed to '%s'." % new_name ) + trans.set_message( "Workflow renamed to '%s'." % san_new_name ) return self.list( trans ) # For new workflows grid: #message = "Workflow renamed to '%s'." % new_name @@ -535,7 +535,7 @@ session.add( new_stored ) session.flush() # Display the management page - trans.set_message( 'Created new workflow with name "%s"' % new_stored.name ) + trans.set_message( 'Created new workflow with name "%s"' % escape( new_stored.name ) ) return self.list( trans ) @web.expose @@ -582,7 +582,7 @@ trans.sa_session.add( stored ) trans.sa_session.flush() # Display the management page - trans.set_message( "Workflow '%s' deleted" % stored.name ) + trans.set_message( "Workflow '%s' deleted" % escape( stored.name ) ) return self.list( trans ) @web.expose @@ -1089,7 +1089,7 @@ message += "Imported, but this workflow contains cycles. " status = "error" else: - message += "Workflow <b>%s</b> imported successfully. " % workflow.name + message += "Workflow <b>%s</b> imported successfully. " % escape( workflow.name ) if missing_tool_tups: if trans.user_is_admin(): # A required tool is not available in the local Galaxy instance. @@ -1103,7 +1103,7 @@ message += "You can likely install the required tools from one of the Galaxy tool sheds listed below.<br/>" for missing_tool_tup in missing_tool_tups: missing_tool_id, missing_tool_name, missing_tool_version = missing_tool_tup - message += "<b>Tool name</b> %s, <b>id</b> %s, <b>version</b> %s<br/>" % ( missing_tool_name, missing_tool_id, missing_tool_version ) + message += "<b>Tool name</b> %s, <b>id</b> %s, <b>version</b> %s<br/>" % ( escape( missing_tool_name ), escape( missing_tool_id ), escape( missing_tool_version ) ) message += "<br/>" for shed_name, shed_url in trans.app.tool_shed_registry.tool_sheds.items(): if shed_url.endswith( '/' ): 
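Review bot: In the rename hunk the flash message uses `san_new_name`, which from the surrounding line `stored.latest_workflow.name = san_new_name` is the sanitized value stored on the workflow, while every other message in this commit goes through `escape()`; if the sanitizer is an allow-list HTML cleaner rather than an escaper (its definition is outside this diff), any markup it permits reaches the message unencoded. `trans.set_message( "Workflow renamed to '%s'." % escape( san_new_name ) )` keeps this hunk consistent with the `escape( new_stored.name )` and `escape( stored.name )` lines below it. The function containing this hunk starts outside it.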
@@ -1113,7 +1113,7 @@ url += '&tool_id=' for missing_tool_tup in missing_tool_tups: missing_tool_id = missing_tool_tup[0] - url += '%s,' % missing_tool_id + url += '%s,' % escape( missing_tool_id ) message += '<a href="%s">%s</a><br/>' % ( url, shed_name ) status = 'error' if installed_repository_file or tool_shed_url: @@ -1133,13 +1133,13 @@ pass if tool_shed_url: # We've received the textual representation of a workflow from a Galaxy tool shed. - message = "Workflow <b>%s</b> imported successfully." % workflow.name + message = "Workflow <b>%s</b> imported successfully." % escape( workflow.name ) url = '%s/workflow/view_workflow?repository_metadata_id=%s&workflow_name=%s&message=%s' % \ ( tool_shed_url, repository_metadata_id, encoding_util.tool_shed_encode( workflow_name ), message ) return trans.response.send_redirect( url ) elif installed_repository_file: # The workflow was read from a file included with an installed tool shed repository. - message = "Workflow <b>%s</b> imported successfully." % workflow.name + message = "Workflow <b>%s</b> imported successfully." % escape( workflow.name ) if cntrller == 'api': return status, message return trans.response.send_redirect( web.url_for( controller='admin_toolshed', @@ -1184,7 +1184,7 @@ # Index page with message workflow_id = trans.security.encode_id( stored_workflow.id ) return trans.show_message( 'Workflow "%s" created from current history. You can <a href="%s" target="_parent">edit</a> or <a href="%s">run</a> the workflow.' % - ( workflow_name, url_for( controller='workflow', action='editor', id=workflow_id ), + ( escape( workflow_name ), url_for( controller='workflow', action='editor', id=workflow_id ), url_for( controller='workflow', action='run', id=workflow_id ) ) ) @web.expose diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/embed_base.mako --- a/templates/embed_base.mako +++ b/templates/embed_base.mako 
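Review bot: `url += '%s,' % escape( missing_tool_id )` applies HTML escaping to a value being placed in a query string, which is the wrong encoder: a `&` in the id becomes `&amp;` inside the URL while `?`, `#` and spaces are not encoded at all. Use a URL encoder when building `url` (`urllib.quote( missing_tool_id, safe='' )` or the project's equivalent) and escape once at the HTML boundary on the next line: `message += '<a href="%s">%s</a><br/>' % ( escape( url ), escape( shed_name ) )`. `shed_name` and `shed_url` come from the tool-shed registry configuration rather than the request, so the exposure there is lower, but the encoding mismatch on the id is real. The loop's enclosing function begins outside the hunk.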
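Review bot: In the `tool_shed_url` branch, `message` — which now carries `<b>` tags plus the `escape()`d name — is interpolated straight into the `view_workflow` query string on the following context lines, so the `&amp;`/`&lt;` entities from `escape`, or any `&`/`#` in the name, split or truncate the query, and the tool shed presumably HTML-renders whatever survives. URL-encode the message for that hop (`urllib.quote( message )` in the `%` tuple) and preferably send plain text, leaving the receiving page to format and escape it. The rest of the import function is outside this hunk.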
@@ -51,7 +51,7 @@ </div><h4><a class="toggle-embed" href="${display_href}" title="Show or hide ${item_display_name} content">Galaxy ${get_class_display_name( item.__class__ )} | ${get_item_name( item ) | h}</a></h4> %if hasattr( item, "annotation") and item.annotation: - <div class="annotation">${item.annotation}</div> + <div class="annotation">${item.annotation | h}</div> %endif ## Use a hidden var to store the ajax URL for getting an item's content. diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/ind_share_base.mako --- a/templates/ind_share_base.mako +++ b/templates/ind_share_base.mako @@ -91,7 +91,7 @@ Email address of user to share with </label><div style="float: left; width: 250px; margin-right: 10px;"> - <input type="text" name="email" value="${email}" size="40"> + <input type="text" name="email" value="${email | h}" size="40"></div><div style="clear: both"></div></div> diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/user/dbkeys.mako --- a/templates/user/dbkeys.mako +++ b/templates/user/dbkeys.mako @@ -148,7 +148,7 @@ Processing % endif </td> - <td><form action="dbkeys" method="post"><input type="hidden" name="key" value="${key}" /><input type="submit" name="delete" value="Delete" /></form></td> + <td><form action="dbkeys" method="post"><input type="hidden" name="key" value="${key | h}" /><input type="submit" name="delete" value="Delete" /></form></td></tr> % endfor </table> 
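Review bot: `${item.annotation | h}` is applied here, but the same commit leaves `${workflow.annotation}` in missing_tools.mako and `${step.annotations[0].annotation}` in run.mako unfiltered (both visible as context lines later in this diff), so annotations are escaped on some pages and emitted raw on others. Either every annotation render gets `| h`, or annotations are treated as sanitized HTML everywhere and this line should not escape; since the controller change in this commit sanitizes on only one write path, escaping everywhere is the safer choice. Markup the sanitizer allowed will now show as literal text here, which is presumably acceptable.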
@@ -194,7 +194,7 @@ <div style="clear: both; padding-bottom: 0.5em"></div><select id="fasta_input" name="dataset_id"> %for dataset in fasta_hdas: - <option value="${trans.security.encode_id( dataset.id )}">${dataset.hid}: ${dataset.name}</option> + <option value="${trans.security.encode_id( dataset.id )}">${dataset.hid | h}: ${dataset.name | h}</option> %endfor </select><input type="file" id="len_file_input" name="len_file" /></input> diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/user/openid_associate.mako --- a/templates/user/openid_associate.mako +++ b/templates/user/openid_associate.mako @@ -48,13 +48,13 @@ The following OpenIDs will be associated with the account chosen or created below. <ul> %for openid in openids: - <li>${openid.openid}</li> + <li>${openid.openid | h}</li> %endfor </ul></div> %else: <div> - The OpenID <strong>${openids[0].openid}</strong> will be associated with the account chosen or created. + The OpenID <strong>${openids[0].openid | h}</strong> will be associated with the account chosen or created. </div> %endif <br/> diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/user/toolbox_filters.mako --- a/templates/user/toolbox_filters.mako +++ b/templates/user/toolbox_filters.mako @@ -15,7 +15,7 @@ %if tool_filters or section_filters or label_filters: <div class="toolForm"> - <form name="toolbox_filter" id="toolbox_filter" action="${h.url_for( controller='user', action='edit_toolbox_filters', cntrller=cntrller, user_id=trans.security.encode_id( user.id ) )}" method="post" > + <form name="toolbox_filter" id="toolbox_filter" action="${h.url_for( controller='user', action='edit_toolbox_filters', cntrller=cntrller )}" method="post" > % if tool_filters: <div class="toolFormTitle">Edit ToolBox filters :: Tools</div><div class="toolFormBody"> 
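Review bot: Dropping `user_id` from the form action only changes what this page sends; if `user.edit_toolbox_filters` still accepts a `user_id` parameter (the controller is not in this diff), a hand-crafted POST can still target another user's filters, so the controller should take the user from `trans.user` — or require `trans.user_is_admin()` for the `cntrller='admin'` case — rather than trusting the parameter. Worth confirming on the server side before treating this as closed; the template change by itself is not a security boundary.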
@@ -87,5 +87,5 @@ </form></div> %else: - ${render_msg( 'No filter available. Contact you system administrator or check your configuration file.', 'info' )} + ${render_msg( 'No filters available. Contact your system administrator or check your configuration file.', 'info' )} %endif diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/user/username.mako --- a/templates/user/username.mako +++ b/templates/user/username.mako @@ -1,4 +1,9 @@ <%inherit file="/base.mako"/> +<%namespace file="/message.mako" import="render_msg" /> + +%if message: + ${render_msg( message, status )} +%endif <% is_admin = cntrller == 'admin' and trans.user_is_admin() %> diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/root/tool_menu.mako --- a/templates/webapps/galaxy/root/tool_menu.mako +++ b/templates/webapps/galaxy/root/tool_menu.mako @@ -82,7 +82,7 @@ %if t.user.stored_workflow_menu_entries: %for m in t.user.stored_workflow_menu_entries: <div class="toolTitle"> - <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(m.stored_workflow_id) )}" target="galaxy_main">${ util.unicodify( m.stored_workflow.name ) }</a> + <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(m.stored_workflow_id) )}" target="galaxy_main">${ util.unicodify( m.stored_workflow.name ) | h}</a></div> %endfor %endif diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/tool_executed.mako --- a/templates/webapps/galaxy/tool_executed.mako +++ b/templates/webapps/galaxy/tool_executed.mako @@ -61,7 +61,7 @@ ${jobs_str} been successfully added to the queue - resulting in the following ${datasets_str}: </p> %for _, data in out_data: - <div style="padding: 10px"><b> ${data.hid}: ${data.name}</b></div> + <div style="padding: 10px"><b> ${data.hid}: ${data.name | h}</b></div> %endfor <p> 
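Review bot: `${render_msg( message, status )}` in username.mako relies on every controller that renders this template passing `status` alongside `message`; with Mako's default settings an unpassed `status` arrives as `UNDEFINED`, which raises as soon as `render_msg` stringifies it. Either confirm both are always supplied (the `set_public_username` hunk above passes `status='error'`, other callers are not visible here) or default it in the template, e.g. `${render_msg( message, status or 'done' )}` if `render_msg` accepts that value.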
@@ -83,7 +83,7 @@ <ul><!-- Styling on this list is a little flat. Consider identing these error messages. --> %for job_error in job_errors: - <li><b>${job_error}</b></li> + <li><b>${job_error | h}</b></li> %endfor </ul></div> diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/visualization/phyloviz.mako --- a/templates/webapps/galaxy/visualization/phyloviz.mako +++ b/templates/webapps/galaxy/visualization/phyloviz.mako @@ -180,7 +180,6 @@ <%def name="center_panel()"> - <div class="unified-panel-header" unselectable="on"><div class="unified-panel-header-inner"><div style="float:left;" id="title"></div> diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/workflow/configure_menu.mako --- a/templates/webapps/galaxy/workflow/configure_menu.mako +++ b/templates/webapps/galaxy/workflow/configure_menu.mako @@ -1,4 +1,5 @@ <%inherit file="/webapps/galaxy/base_panels.mako"/> +<%page expression_filter="h"/><%def name="init()"><% diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/workflow/display.mako --- a/templates/webapps/galaxy/workflow/display.mako +++ b/templates/webapps/galaxy/workflow/display.mako @@ -40,7 +40,7 @@ <%def name="row_for_param( param, value, other_values, prefix, step )"><% cls = "form-row" %><div class="${cls}"> - <label>${param.get_label()}</label> + <label>${param.get_label() | h}</label><div> %if isinstance( param, DataToolParameter ) or isinstance( param, DataCollectionToolParameter ): %if ( prefix + param.name ) in step.input_connections_by_name: 
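Review bot: `<%page expression_filter="h"/>` in configure_menu.mako escapes every `${}` in the file, including any that intentionally emit markup (a `render_msg` call or a helper returning HTML would now render as literal tags) — the rest of that template is outside the hunk, so please scan it for expressions that need an explicit `| n`. `h.url_for(...)` inside attributes is fine under the filter, since `&amp;` is the correct encoding of `&` in an attribute.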
@@ -93,19 +93,19 @@ %><div class="toolForm"> %if tool: - <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${tool.name}</div> + <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${tool.name | h}</div><div class="toolFormBody"> ${do_inputs( tool.inputs, step.state.inputs, "", step )} </div> %else: - <div class="toolFormTitle">Step ${int(step.order_index)+1}: Unknown Tool with id '${step.tool_id}'</div> + <div class="toolFormTitle">Step ${int(step.order_index)+1}: Unknown Tool with id '${step.tool_id | h}'</div> %endif </div> %else: ## TODO: always input dataset? <% module = step.module %><div class="toolForm"> - <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${module.name}</div> + <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${module.name | h}</div><div class="toolFormBody"> ${do_inputs( module.get_runtime_inputs(), step.state.inputs, "", step )} </div> diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/workflow/list.mako --- a/templates/webapps/galaxy/workflow/list.mako +++ b/templates/webapps/galaxy/workflow/list.mako @@ -94,7 +94,7 @@ <% workflow = association.stored_workflow %><tr><td> - <a class="menubutton" id="shared-${i}-popup" href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name )}</a> + <a class="menubutton" id="shared-${i}-popup" href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name ) | h}</a></td><td>${workflow.user.email}</td><td>${len(workflow.latest_workflow.steps)}</td> diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/workflow/list_for_run.mako --- a/templates/webapps/galaxy/workflow/list_for_run.mako +++ b/templates/webapps/galaxy/workflow/list_for_run.mako 
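Review bot: `workflow.name` now gets `| h` in the shared-workflows row of list.mako, but the very next context line `<td>${workflow.user.email}</td>` is still emitted raw, whereas the equivalent row in list_for_run.mako in this same commit escapes the email. Emails are user-registered strings; use `<td>${workflow.user.email | h}</td>` here too.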
@@ -23,7 +23,7 @@ %for i, workflow in enumerate( workflows ): <tr><td> - <a href="${h.url_for(controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name )}</a> + <a href="${h.url_for(controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name ) | h}</a><a id="wf-${i}-popup" class="popup-arrow" style="display: none;">▼</a></td><td>${len(workflow.latest_workflow.steps)}</td> @@ -51,10 +51,10 @@ <% workflow = association.stored_workflow %><tr><td> - <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${workflow.name}</a> + <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${workflow.name | h}</a><a id="shared-${i}-popup" class="popup-arrow" style="display: none;">▼</a></td> - <td>${workflow.user.email}</td> + <td>${workflow.user.email | h}</td><td>${len(workflow.latest_workflow.steps)}</td></tr> %endfor diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/workflow/missing_tools.mako --- a/templates/webapps/galaxy/workflow/missing_tools.mako +++ b/templates/webapps/galaxy/workflow/missing_tools.mako @@ -1,6 +1,6 @@ <%inherit file="/base.mako"/> -<h2>Cannot run workflow "${h.to_unicode( workflow.name )}"</h2> +<h2>Cannot run workflow "${h.to_unicode( workflow.name ) | h}"</h2> %if workflow.annotation: <div class="workflow-annotation">${workflow.annotation}</div> 
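Review bot: The heading in missing_tools.mako is escaped, but the next context line `<div class="workflow-annotation">${workflow.annotation}</div>` is not, and annotations are sanitized only on the one write path changed in this commit. `<div class="workflow-annotation">${workflow.annotation | h}</div>` — or a page-level `<%page expression_filter="h"/>` as done for run_complete.mako — closes that gap on this page.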
@@ -11,7 +11,7 @@ <strong>This workflow utilizes tools which are unavailable, and cannot be run. Enable the tools listed below, or <a href="${h.url_for(controller='workflow', action='editor', id=trans.security.encode_id(workflow.id) )}" target="_parent">edit the workflow</a> to correct these errors.</strong><br/><ul> %for i, tool in enumerate( missing_tools ): - <li>${tool}</li> + <li>${tool | h}</li> %endfor </ul></div> \ No newline at end of file diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/workflow/myexp_export.mako --- a/templates/webapps/galaxy/workflow/myexp_export.mako +++ b/templates/webapps/galaxy/workflow/myexp_export.mako @@ -9,7 +9,7 @@ ## Generate request. <?xml version="1.0"?><workflow> - <title>${workflow_name}</title> + <title>${workflow_name | h}</title><description>${workflow_description}</description><type>Galaxy</type><content encoding="base64" type="binary"> diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/workflow/rename.mako --- a/templates/webapps/galaxy/workflow/rename.mako +++ b/templates/webapps/galaxy/workflow/rename.mako @@ -15,7 +15,7 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Rename workflow '${stored.name}'</div> + <div class="toolFormTitle">Rename workflow '${stored.name | h}'</div><div class="toolFormBody"><form action="${h.url_for(controller='workflow', action='rename', id=trans.security.encode_id(stored.id) )}" method="POST"><div class="form-row"> @@ -23,7 +23,7 @@ New name </label><div style="float: left; width: 250px; margin-right: 10px;"> - <input type="text" name="new_name" value="${stored.name}" size="40"> + <input type="text" name="new_name" value="${stored.name | h}" size="40"></div><div style="clear: both"></div></div> diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/workflow/run.mako 
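Review bot: `<title>${workflow_name | h}</title>` is escaped but `<description>${workflow_description}</description>` on the next context line is not, and this is an XML request body sent to myExperiment, where a raw `<` or `&` in the description corrupts the document (or injects elements) exactly as in HTML. `<description>${workflow_description | h}</description>` fixes it; the entities `h` emits are the XML-predefined ones, so the output stays well-formed.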
--- a/templates/webapps/galaxy/workflow/run.mako +++ b/templates/webapps/galaxy/workflow/run.mako @@ -372,7 +372,7 @@ <% cls = "form-row" %> %endif <div class="${cls}"> - <label>${param.get_label()}</label> + <label>${param.get_label() | h}</label><div> %if isinstance( param, DataToolParameter ) or isinstance( param, DataCollectionToolParameter ): %if ( prefix + param.name ) in step.input_connections_by_name: @@ -444,7 +444,7 @@ %else: <span class="workflow_parameters"><span class="uneditable_field"> - ${param.value_to_display_text( value, app )} + ${param.value_to_display_text( value, app ) | h} </span><span class="editable_field"><span class="editable"> @@ -474,7 +474,7 @@ <span class="action-button" id="hide_all_tool_body">Collapse</span></div> -<h2>Running workflow "${h.to_unicode( workflow.name )}"</h2> +<h2>Running workflow "${h.to_unicode( workflow.name ) | h}"</h2> %if has_upgrade_messages: <div class="warningmessage"> @@ -574,6 +574,7 @@ <% pja_ss_all = [] for pja_ss in [ActionBox.get_short_str(pja) for pja in step.post_job_actions]: + pja_ss = h.escape( pja_ss ) for rematch in re.findall('\$\{.+?\}', pja_ss): pja_ss = pja_ss.replace(rematch, '<span style="background-color:%s" class="wfpspan wf_parm__%s pja_wfp">%s</span>' % (wf_parms[rematch[2:-1]], rematch[2:-1], rematch[2:-1])) pja_ss_all.append(pja_ss) @@ -586,7 +587,7 @@ %else: <div class="toolForm"><div class="toolFormTitle"> - <span class='title_ul_text'>Step ${int(step.order_index)+1}: ${module.name}</span> + <span class='title_ul_text'>Step ${int(step.order_index)+1}: ${module.name | h}</span> % if step.annotations: <div class="step-annotation">${step.annotations[0].annotation}</div> % endif diff -r 8d8bce91a289e040d47f9b757aae4051a0501743 -r 511fbb67b820735128ee02e526fb6873beaa961e templates/webapps/galaxy/workflow/run_complete.mako --- a/templates/webapps/galaxy/workflow/run_complete.mako +++ b/templates/webapps/galaxy/workflow/run_complete.mako 
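Review bot: Escaping `pja_ss` before the `${...}` substitution loop means the regex now runs over entity-encoded text and `rematch[2:-1]` serves both as the lookup key into `wf_parms` and as rendered content; a parameter name containing a character `h.escape` rewrites (`&`, `<`, `>`, quotes) would no longer match its `wf_parms` key and would render double-encoded, while the `wf_parms[...]` value is still interpolated raw into a `style` attribute. Match on the raw string and escape the pieces when building the replacement — `h.escape( rematch[2:-1] )` for the span text and `h.escape( wf_parms[rematch[2:-1]] )` for the colour — escaping the non-parameter segments separately. Whether any parameter names actually contain such characters is not visible here. The def containing this loop starts outside the hunk.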
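Review bot: The `@@ -586` hunk escapes `module.name` but leaves `<div class="step-annotation">${step.annotations[0].annotation}</div>` on the following context line unfiltered, unlike `item.annotation` in embed_base.mako in this same commit. Step annotations are user-entered text; `${step.annotations[0].annotation | h}` keeps the two pages consistent.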
@@ -1,4 +1,5 @@ <%inherit file="/base.mako"/> +<%page expression_filter="h"/><div class="donemessagelarge"> %if scheduled: @@ -7,7 +8,7 @@ <div class="workflow-invocation-complete"> %if invocation['new_history']: <p>These datasets will appear in a new history: - <a target='galaxy_history' href="${h.url_for( controller='history', action='list', operation="Switch", id=trans.security.encode_id(invocation['new_history'].id), use_panels=False, show_deleted=False )}"> + <a target='galaxy_history' href="${h.url_for( controller='history', action='list', operation="Switch", id=trans.security.encode_id(invocation['new_history'].id), use_panels=False, show_deleted=False ) | n}"> '${h.to_unicode(invocation['new_history'].name)}'. </a></p> %endif Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
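Review bot: Adding `| n` to the `h.url_for(...)` inside the `href` attribute switches escaping off for the one expression on this page that lands in an attribute, where HTML escaping is actually correct — `&` between query parameters should be `&amp;` in markup and browsers decode it. The arguments here are an encoded id and constants, so it is not exploitable as written, but the pattern will be copied; unless `url_for` output was observed to double-encode under the page filter, drop the `| n`. The remainder of run_complete.mako is outside the hunk, so any helper there that returns markup now needs an explicit `| n` of its own.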