2 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/0f0cca84c94a/ Changeset: 0f0cca84c94a Branch: stable User: dan Date: 2014-12-08 17:27:48+00:00 Summary: HTML escape user-settable values in Data Libraries. Update tests to reflect that e.g. quotes are now html escaped within pages. Eliminate the unnecessary use of Params() object for these controllers. Affected #: 17 files diff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 -r 0f0cca84c94ac88e6e9d347a57fd08b99d7c9176 lib/galaxy/webapps/galaxy/controllers/library.py --- a/lib/galaxy/webapps/galaxy/controllers/library.py +++ b/lib/galaxy/webapps/galaxy/controllers/library.py @@ -3,7 +3,7 @@ from galaxy import web from galaxy.model.orm import and_, not_, or_ from galaxy.web.base.controller import BaseUIController -from galaxy.web.framework.helpers import grids +from galaxy.web.framework.helpers import escape, grids from library_common import get_comptypes, lucene_search, whoosh_search @@ -79,7 +79,6 @@ @web.expose def list( self, trans, **kwd ): - params = util.Params( kwd ) # define app configuration for generic mako template app = { 'jscript' : "galaxy.library" @@ -89,10 +88,9 @@ @web.expose def index( self, trans, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - default_action = params.get( 'default_action', None ) + message = escape( kwd.get( 'message', '' ) ) + status = escape( kwd.get( 'status', 'done' ) ) + default_action = kwd.get( 'default_action', None ) return trans.fill_template( "/library/index.mako", default_action=default_action, message=message, diff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 -r 0f0cca84c94ac88e6e9d347a57fd08b99d7c9176 lib/galaxy/webapps/galaxy/controllers/library_admin.py --- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py +++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py 
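Review bot: In the `index` hunk, `default_action` is read from `kwd` and handed to `/library/index.mako` unescaped, while `message` and `status` on the two lines above it are now wrapped in `escape()`. If the template interpolates `default_action` into markup or a link (the template is not in this diff), it is reflected request input like the other two and should get the same treatment, e.g. `default_action = escape( kwd.get( 'default_action', '' ) ) or None`, which keeps the `None` default for the absent case. Values that are only compared against fixed strings are unaffected by the escaping, so the change is safe either way.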
@@ -5,7 +5,7 @@ from galaxy import web from galaxy.web.base.controller import BaseUIController -from galaxy.web.framework.helpers import grids, time_ago +from galaxy.web.framework.helpers import escape, grids, time_ago from library_common import get_comptypes, lucene_search, whoosh_search # from galaxy.model.orm import * @@ -141,20 +141,19 @@ lddas=lddas, show_deleted=show_deleted, use_panels=use_panels, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) # Render the list view return self.library_list_grid( trans, **kwd ) @web.expose @web.require_admin def create_library( self, trans, **kwd ): - params = galaxy.util.Params( kwd ) - message = galaxy.util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - if params.get( 'create_library_button', False ): - name = galaxy.util.restore_text( params.get( 'name', 'No name' ) ) - description = galaxy.util.restore_text( params.get( 'description', '' ) ) - synopsis = galaxy.util.restore_text( params.get( 'synopsis', '' ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + if kwd.get( 'create_library_button', False ): + name = kwd.get( 'name', 'No name' ) + description = kwd.get( 'description', '' ) + synopsis = kwd.get( 'synopsis', '' ) if synopsis in [ 'None', None ]: synopsis = '' library = trans.app.model.Library( name=name, description=description, synopsis=synopsis ) @@ -167,9 +166,9 @@ action='browse_library', cntrller='library_admin', id=trans.security.encode_id( library.id ), - message=galaxy.util.sanitize_text( message ), + message=message, status='done' ) ) - return trans.fill_template( '/admin/library/new_library.mako', message=message, status=status ) + return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) ) @web.expose @web.require_admin def delete_library( self, trans, id, **kwd ): 
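Review bot: `create_library` still accepts an empty name on the rewritten `name = kwd.get( 'name', 'No name' )` line: the default only applies when the field is absent, so a submitted blank field stores `''`, whereas `library_info` in library_common.py rejects it with `if not new_name: message = 'Enter a valid name'` and `status='error'`. Mirroring that check before `library = trans.app.model.Library( ... )` keeps the two forms consistent; `create_folder` in library_common.py has the same gap with its new `name=kwd.get( 'name', '' )`. Separately, with `restore_text` gone these values are now persisted exactly as submitted, so output escaping of `library.name`, `description` and `synopsis` has to come from the templates and grid columns that render them, which are outside this diff.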
@@ -196,8 +195,7 @@ # TODO: change this function to purge_library_item, behaving similar to delete_library_item # assuming we want the ability to purge libraries. # This function is currently only used by the functional tests. - params = galaxy.util.Params( kwd ) - library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( params.id ) ) + library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( kwd.get( 'id' ) ) ) def purge_folder( library_folder ): for lf in library_folder.folders: purge_folder( lf ) @@ -226,7 +224,7 @@ message = "Library '%s' has not been marked deleted, so it cannot be purged" % ( library.name ) return trans.response.send_redirect( web.url_for( controller='library_admin', action='browse_libraries', - message=galaxy.util.sanitize_text( message ), + message=message, status='error' ) ) else: purge_folder( library.root_folder ) @@ -236,5 +234,5 @@ message = "Library '%s' and all of its contents have been purged, datasets will be removed from disk via the cleanup_datasets script" % library.name return trans.response.send_redirect( web.url_for( controller='library_admin', action='browse_libraries', - message=galaxy.util.sanitize_text( message ), + message=message, status='done' ) ) diff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 -r 0f0cca84c94ac88e6e9d347a57fd08b99d7c9176 lib/galaxy/webapps/galaxy/controllers/library_common.py --- a/lib/galaxy/webapps/galaxy/controllers/library_common.py +++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py 
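Review bot: `trans.security.decode_id( kwd.get( 'id' ) )` in the purge hunk is passed `None` when the request carries no `id`, so a missing parameter surfaces as an exception from `decode_id` rather than the redirect-with-error this function already uses for the not-deleted case two hunks below. A guard in the style of `browse_library` — `library_id = kwd.get( 'id', None )` followed by `if not library_id:` redirecting to `browse_libraries` with `status='error'` — would make the three failure paths uniform. The function header and most of the `purge_folder` helper lie above and below this hunk.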
@@ -20,6 +20,7 @@ from galaxy.util.streamball import StreamBall from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field +from galaxy.web.framework.helpers import escape from galaxy.model.orm import and_, eagerload_all # Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled. @@ -92,14 +93,13 @@ @web.expose def browse_library( self, trans, cntrller='library', **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) # If use_panels is True, the library is being accessed via an external link # which did not originate from within the Galaxy instance, and the library will # be displayed correctly with the mast head. - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - library_id = params.get( 'id', None ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + library_id = kwd.get( 'id', None ) if not library_id: # To handle bots message = "You must specify a library id." 
@@ -116,9 +116,9 @@ message = "Invalid library id ( %s ) specified." % str( library_id ) status = 'error' else: - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - created_ldda_ids = params.get( 'created_ldda_ids', '' ) - hidden_folder_ids = util.listify( params.get( 'hidden_folder_ids', '' ) ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + created_ldda_ids = kwd.get( 'created_ldda_ids', '' ) + hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) ) if created_ldda_ids and not message: message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \ ( len( created_ldda_ids.split( ',' ) ), library.name ) @@ -137,8 +137,8 @@ show_deleted=show_deleted, comptypes=comptypes, current_user_roles=current_user_roles, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) else: return trans.fill_template( 'library/common/browse_library.mako', cntrller=cntrller, 
@@ -149,44 +149,43 @@ show_deleted=show_deleted, comptypes=comptypes, current_user_roles=current_user_roles, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) except Exception, e: message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) ) status = 'error' - default_action = params.get( 'default_action', None ) + default_action = kwd.get( 'default_action', None ) return trans.response.send_redirect( web.url_for( use_panels=use_panels, controller=cntrller, action='browse_libraries', default_action=default_action, - message=util.sanitize_text( message ), + message=message, status=status ) ) @web.expose def library_info( self, trans, cntrller, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() - library_id = params.get( 'id', None ) + library_id = kwd.get( 'id', None ) try: library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( library_id ) ) except: library = None self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'library_info_button', False ): + if kwd.get( 'library_info_button', False ): self._check_modify( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted ) old_name = library.name - new_name = util.restore_text( params.get( 'name', 'No name' ) ) + 
new_name = kwd.get( 'name', 'No name' ) if not new_name: message = 'Enter a valid name' status='error' else: - new_description = util.restore_text( params.get( 'description', '' ) ) - new_synopsis = util.restore_text( params.get( 'synopsis', '' ) ) + new_description = kwd.get( 'description', '' ) + new_synopsis = kwd.get( 'synopsis', '' ) if new_synopsis in [ None, 'None' ]: new_synopsis = '' library.name = new_name @@ -204,7 +203,7 @@ use_panels=use_panels, id=trans.security.encode_id( library.id ), show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) # See if we have any associated templates info_association, inherited = library.get_info_association() 
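Review bot: In the `except Exception, e:` branch of `browse_library`, `message` still embeds `str( e )`, and with `util.sanitize_text` removed from the redirect that raw exception text now rides through the `browse_libraries` redirect unchanged until it is escaped at render. Escaping closes the injection side, but the exception detail itself (ORM, filesystem or decode errors) is displayed to the requesting user; logging `e` server-side and redirecting with a generic `'Error attempting to display contents of library (%s).' % str( library.name )` would avoid the disclosure, provided a module logger exists in this file (not visible in the hunk). The `try` that this branch closes begins above the hunk.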
@@ -220,29 +219,28 @@ show_deleted=show_deleted, info_association=info_association, inherited=inherited, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def library_permissions( self, trans, cntrller, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() - library_id = params.get( 'id', None ) + library_id = kwd.get( 'id', None ) try: library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( library_id ) ) except: library = None self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted ) self._check_manage( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'update_roles_button', False ): + if kwd.get( 'update_roles_button', False ): # The user clicked the Save button on the 'Associate With Roles' form permissions = {} for k, v in trans.app.model.Library.permitted_actions.items(): - in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( x ) for x in util.listify( params.get( k + '_in', [] ) ) ] + in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( x ) for x in util.listify( kwd.get( k + '_in', [] ) ) ] permissions[ trans.app.security_agent.get_action( v.action ) ] = in_roles trans.app.security_agent.set_all_library_permissions( trans, library, permissions ) 
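Review bot: In `library_permissions`, the rewritten `in_roles` line looks roles up with `.get( x )` on the raw form value, while the parallel rewritten line in `folder_permissions` (hunk `@@ -418,14 +413,14 @@`) converts first with `.get( int( x ) )`. Since `kwd` values arrive as request strings, aligning the two — `in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( kwd.get( k + '_in', [] ) ) ]` — removes a dependence on whether the session's `get()` coerces string keys. No check of the posted ids against `get_legitimate_roles` is visible in either hunk; confirm it happens inside `set_all_library_permissions`, which is outside this diff.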
trans.sa_session.refresh( library ) @@ -255,7 +253,7 @@ use_panels=use_panels, id=trans.security.encode_id( library.id ), show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) roles = trans.app.security_agent.get_legitimate_roles( trans, library, cntrller ) all_roles = trans.app.security_agent.get_all_roles( trans, cntrller ) @@ -267,15 +265,14 @@ roles=roles, all_roles=all_roles, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' ) current_user_roles = trans.get_current_user_roles() try: 
@@ -288,9 +285,9 @@ parent_library = parent_folder.parent_library self._check_access( trans, cntrller, is_admin, parent_folder, current_user_roles, use_panels, library_id, show_deleted ) self._check_add( trans, cntrller, is_admin, parent_folder, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'new_folder_button', False ) or cntrller == 'api': - new_folder = trans.app.model.LibraryFolder( name=util.restore_text( params.name ), - description=util.restore_text( params.description ) ) + if kwd.get( 'new_folder_button', False ) or cntrller == 'api': + new_folder = trans.app.model.LibraryFolder( name=kwd.get( 'name', '' ), + description=kwd.get( 'description', '' ) ) # We are associating the last used genome build with folders, so we will always # initialize a new folder with the first dbkey in genome builds list which is currently # ? unspecified (?) @@ -322,7 +319,7 @@ show_deleted=show_deleted, info_association=info_association, inherited=inherited, - message=message, + message=escape( message ), status='done' ) # If not inheritable info_association, redirect to the library. message = "The new folder named '%s' has been added to the data library." % new_folder.name @@ -334,7 +331,7 @@ use_panels=use_panels, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) # We do not render any template widgets on creation pages since saving the info_association # cannot occur before the associated item is saved. 
@@ -344,15 +341,14 @@ library_id=library_id, folder=parent_folder, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def folder_info( self, trans, cntrller, id, library_id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() try: @@ -360,11 +356,11 @@ except: folder = None self._check_access( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'rename_folder_button', False ): + if kwd.get( 'rename_folder_button', False ): self._check_modify( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) old_name = folder.name - new_name = util.restore_text( params.name ) - new_description = util.restore_text( params.description ) + new_name = kwd.get( 'name', '' ) + new_description = kwd.get( 'description', '' ) if not new_name: message = 'Enter a valid name' status='error' @@ -381,7 +377,7 @@ id=id, library_id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) # See if we have any associated templates widgets = [] 
@@ -401,15 +397,14 @@ show_deleted=show_deleted, info_association=info_association, inherited=inherited, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def folder_permissions( self, trans, cntrller, id, library_id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() try: @@ -418,14 +413,14 @@ folder = None self._check_access( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) self._check_manage( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'update_roles_button', False ): + if kwd.get( 'update_roles_button', False ): # The user clicked the Save button on the 'Associate With Roles' form permissions = {} for k, v in trans.app.model.Library.permitted_actions.items(): if k != 'LIBRARY_ACCESS': # LIBRARY_ACCESS is a special permission set only at the library level # and it is not inherited. - in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( params.get( k + '_in', [] ) ) ] + in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( kwd.get( k + '_in', [] ) ) ] permissions[ trans.app.security_agent.get_action( v.action ) ] = in_roles trans.app.security_agent.set_all_library_permissions( trans, folder, permissions ) trans.sa_session.refresh( folder ) 
@@ -437,7 +432,7 @@ id=trans.security.encode_id( folder.id ), library_id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) # If the library is public all roles are legitimate, but if the library # is restricted, only those roles associated with the LIBRARY_ACCESS @@ -451,15 +446,14 @@ current_user_roles=current_user_roles, roles=roles, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() try: @@ -468,7 +462,7 @@ ldda = None self._check_access( trans, cntrller, is_admin, ldda, current_user_roles, use_panels, library_id, show_deleted ) self._check_modify( trans, cntrller, is_admin, ldda, current_user_roles, use_panels, library_id, show_deleted ) - dbkey = params.get( 'dbkey', '?' ) + dbkey = kwd.get( 'dbkey', '?' ) if isinstance( dbkey, list ): dbkey = dbkey[0] file_formats = [ dtype_name for dtype_name, dtype_value in trans.app.datatypes_registry.datatypes_by_extension.iteritems() if dtype_value.allow_datatype_change ] 
@@ -492,26 +486,26 @@ info_association, inherited = ldda.get_info_association() if info_association and ( not( inherited ) or info_association.inheritable ): widgets = ldda.get_template_widgets( trans ) - if params.get( 'change', False ): + if kwd.get( 'change', False ): # The user clicked the Save button on the 'Change data type' form if __ok_to_edit_metadata( ldda.id ): - if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( params.datatype ).allow_datatype_change: - trans.app.datatypes_registry.change_datatype( ldda, params.datatype ) + if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( kwd.get( 'datatype' ) ).allow_datatype_change: + trans.app.datatypes_registry.change_datatype( ldda, kwd.get( 'datatype' ) ) trans.sa_session.flush() message = "Data type changed for library dataset '%s'." % ldda.name status = 'done' else: - message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( ldda.extension, params.datatype ) + message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( ldda.extension, kwd.get( 'datatype' ) ) status = 'error' else: message = "This dataset is currently being used as input or output. You cannot change datatype until the jobs have completed or you have canceled them." status = "error" - elif params.get( 'save', False ): + elif kwd.get( 'save', False ): # The user clicked the Save button on the 'Edit Attributes' form old_name = ldda.name - new_name = util.restore_text( params.get( 'name', '' ) ) - new_info = util.restore_text( params.get( 'info', '' ) ) - new_message = util.restore_text( params.get( 'message', '' ) ) + new_name = kwd.get( 'name', '' ) + new_info = kwd.get( 'info', '' ) + new_message = kwd.get( 'message', '' ) if not new_name: message = 'Enter a valid name' status = 'error' 
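Review bot: In the `change` branch of `ldda_edit_info`, `kwd.get( 'datatype' )` is evaluated three times and yields `None` when the field is absent; `get_datatype_by_extension( None )` is then dereferenced with `.allow_datatype_change`, which presumably raises `AttributeError` if the registry returns `None` for an unknown extension (the registry is not in this diff). Binding once and guarding routes the bad input to the existing "not allowed" message instead: `new_ext = kwd.get( 'datatype', '' )`, `new_datatype = trans.app.datatypes_registry.get_datatype_by_extension( new_ext )`, then `if new_ext and new_datatype and ldda.datatype.allow_datatype_change and new_datatype.allow_datatype_change:`. The user-supplied extension is echoed in that error message, which is fine now that the `fill_template` call at the end of the method escapes `message`.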
@@ -524,12 +518,12 @@ for name, spec in ldda.datatype.metadata_spec.items(): if spec.get("readonly"): continue - optional = params.get( "is_" + name, None ) + optional = kwd.get( "is_" + name, None ) if optional and optional == 'true': # optional element... == 'true' actually means it is NOT checked (and therefore ommitted) setattr( ldda.metadata, name, None ) else: - setattr( ldda.metadata, name, spec.unwrap( params.get ( name, None ) ) ) + setattr( ldda.metadata, name, spec.unwrap( kwd.get( name, None ) ) ) ldda.metadata.dbkey = dbkey ldda.datatype.after_setting_metadata( ldda ) message = "Attributes updated for library dataset '%s'." % ldda.name @@ -538,7 +532,7 @@ message = "Attributes updated, but metadata could not be changed because this dataset is currently being used as input or output. You must cancel or wait for these jobs to complete before changing metadata." status = 'warning' trans.sa_session.flush() - elif params.get( 'detect', False ): + elif kwd.get( 'detect', False ): # The user clicked the Auto-detect button on the 'Edit Attributes' form if __ok_to_edit_metadata( ldda.id ): for name, spec in ldda.datatype.metadata_spec.items(): @@ -553,8 +547,8 @@ message = "This dataset is currently being used as input or output. You cannot change metadata until the jobs have completed or you have canceled them." status = 'error' trans.sa_session.flush() - elif params.get( 'change_extended_metadata', False): - em_string = util.restore_text( params.get("extended_metadata", "") ) + elif kwd.get( 'change_extended_metadata', False): + em_string = kwd.get("extended_metadata", "" ) if len(em_string): payload = None try: 
@@ -604,16 +598,15 @@ show_deleted=show_deleted, info_association=info_association, inherited=inherited, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - show_associated_hdas_and_lddas = util.string_as_bool( params.get( 'show_associated_hdas_and_lddas', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() ldda = trans.sa_session.query( trans.app.model.LibraryDatasetDatasetAssociation ).get( trans.security.decode_id( id ) ) 
@@ -653,15 +646,14 @@ current_user_roles=current_user_roles, info_association=info_association, inherited=inherited, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) ids = util.listify( id ) lddas = [] libraries = [] @@ -685,7 +677,7 @@ id=library_id, cntrller=cntrller, use_panels=use_panels, - message=util.sanitize_text( message ), + message=message, status='error' ) ) # If access to the dataset is restricted, then use the roles associated with the DATASET_ACCESS permission to # determine the legitimate roles. If the dataset is public, see if access to the library is restricted. If @@ -698,7 +690,7 @@ roles = trans.app.security_agent.get_legitimate_roles( trans, library, cntrller ) else: roles = trans.app.security_agent.get_legitimate_roles( trans, ldda.dataset, cntrller ) - if params.get( 'update_roles_button', False ): + if kwd.get( 'update_roles_button', False ): # Dataset permissions access_action = trans.app.security_agent.get_action( trans.app.security_agent.permitted_actions.DATASET_ACCESS.action ) manage_permissions_action = trans.app.security_agent.get_action( trans.app.security_agent.permitted_actions.DATASET_MANAGE_PERMISSIONS.action ) 
@@ -755,8 +747,8 @@ library_id=library_id, roles=roles, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) if len( ids ) > 1: # Ensure that the permissions across all library items are identical, otherwise we can't update them together. check_list = [] @@ -781,7 +773,7 @@ use_panels=use_panels, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) # Display permission form, permissions will be updated for all lddas simultaneously. return trans.fill_template( "/library/common/ldda_permissions.mako", 
@@ -791,31 +783,30 @@ library_id=library_id, roles=roles, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - ldda_message = util.restore_text( params.get( 'ldda_message', '' ) ) - deleted = util.string_as_bool( params.get( 'deleted', False ) ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - replace_id = params.get( 'replace_id', None ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + ldda_message = kwd.get( 'ldda_message', '' ) + deleted = util.string_as_bool( kwd.get( 'deleted', False ) ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + replace_id = kwd.get( 'replace_id', None ) replace_dataset = None - upload_option = params.get( 'upload_option', 'upload_file' ) - if params.get( 'files_0|space_to_tab', False ): - space_to_tab = params.get( 'files_0|space_to_tab', '' ) + upload_option = kwd.get( 'upload_option', 'upload_file' ) + if kwd.get( 'files_0|space_to_tab', False ): + space_to_tab = kwd.get( 'files_0|space_to_tab', '' ) else: - space_to_tab = params.get( 'space_to_tab', '' ) - link_data_only = params.get( 'link_data_only', 'copy_files' ) - dbkey = params.get( 'dbkey', '?' ) + space_to_tab = kwd.get( 'space_to_tab', '' ) + link_data_only = kwd.get( 'link_data_only', 'copy_files' ) + dbkey = kwd.get( 'dbkey', '?' 
) if isinstance( dbkey, list ): last_used_build = dbkey[0] else: last_used_build = dbkey - roles = params.get( 'roles', '' ) + roles = kwd.get( 'roles', '' ) is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' ) current_user_roles = trans.get_current_user_roles() widgets = [] @@ -844,7 +835,7 @@ library = folder.parent_library if folder and last_used_build in [ 'None', None, '?' ]: last_used_build = folder.genome_build - if params.get( 'runtool_btn', False ) or params.get( 'ajax_upload', False ) or cntrller == 'api': + if kwd.get( 'runtool_btn', False ) or kwd.get( 'ajax_upload', False ) or cntrller == 'api': error = False if upload_option == 'upload_paths' and not trans.app.config.allow_library_path_paste: error = True @@ -869,7 +860,7 @@ replace_id=replace_id, upload_option=upload_option, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) else: # See if we have any inherited templates. @@ -883,7 +874,7 @@ for index, widget_dict in enumerate( widgets ): widget = widget_dict[ 'widget' ] if isinstance( widget, AddressField ): - value = util.restore_text( params.get( widget.name, '' ) ) + value = kwd.get( widget.name, '' ) if value == 'new': if self.field_param_values_ok( widget.name, 'AddressField', **kwd ): # Save the new address @@ -966,7 +957,7 @@ default_action=default_action, created_ldda_ids=created_ldda_ids, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) else: created_ldda_ids = '' @@ -981,7 +972,7 @@ id=library_id, created_ldda_ids=created_ldda_ids, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status=status ) ) # Note: if the upload form was submitted due to refresh_on_change for a form field, we cannot re-populate # the field for the selected file ( files_0|file_data ) if the user selected one. This is because the value 
@@ -1040,8 +1031,8 @@ link_data_only=link_data_only, show_deleted=show_deleted, ldda_message=ldda_message, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) def upload_dataset( self, trans, cntrller, library_id, folder_id, replace_dataset=None, **kwd ): # Set up the traditional tool state/params tool_id = 'upload1' @@ -1054,16 +1045,15 @@ if input.type == "upload_dataset": dataset_upload_inputs.append( input ) # Library-specific params - params = util.Params( kwd ) # is this filetoolparam safe? - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - server_dir = util.restore_text( params.get( 'server_dir', '' ) ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + server_dir = kwd.get( 'server_dir', '' ) if replace_dataset not in [ None, 'None' ]: replace_id = trans.security.encode_id( replace_dataset.id ) else: replace_id = None - upload_option = params.get( 'upload_option', 'upload_file' ) + upload_option = kwd.get( 'upload_option', 'upload_file' ) response_code = 200 if upload_option == 'upload_directory': if server_dir in [ None, 'None', '' ]: @@ -1092,7 +1082,7 @@ try: # FIXME: instead of passing params here ( which have been processed by util.Params(), the original kwd # should be passed so that complex objects that may have been included in the initial request remain. - library_bunch = upload_common.handle_library_params( trans, params, folder_id, replace_dataset ) + library_bunch = upload_common.handle_library_params( trans, kwd, folder_id, replace_dataset ) except: response_code = 500 message = "Unable to parse upload parameters, please report this error." 
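Review bot: The `# FIXME: instead of passing params here ( which have been processed by util.Params(), the original kwd should be passed ...` comment two lines above the changed `handle_library_params( trans, kwd, folder_id, replace_dataset )` call is now satisfied by the change and should be deleted with it. In the `@@ -1054,16 +1045,15 @@` hunk the `# is this filetoolparam safe?` remark disappeared together with the `Params` line; if that question is still open it deserves a `# TODO` next to `server_dir = kwd.get( 'server_dir', '' )`, since `server_dir` is request input naming a directory and its validation (the `upload_directory` branch) continues below the hunk.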
@@ -1103,9 +1093,9 @@ tool_params = upload_common.persist_uploads( tool_params ) uploaded_datasets = upload_common.get_uploaded_datasets( trans, cntrller, tool_params, precreated_datasets, dataset_upload_inputs, library_bunch=library_bunch ) elif upload_option == 'upload_directory': - uploaded_datasets, response_code, message = self.get_server_dir_uploaded_datasets( trans, cntrller, params, full_dir, import_dir_desc, library_bunch, response_code, message ) + uploaded_datasets, response_code, message = self.get_server_dir_uploaded_datasets( trans, cntrller, kwd, full_dir, import_dir_desc, library_bunch, response_code, message ) elif upload_option == 'upload_paths': - uploaded_datasets, response_code, message = self.get_path_paste_uploaded_datasets( trans, cntrller, params, library_bunch, response_code, message ) + uploaded_datasets, response_code, message = self.get_path_paste_uploaded_datasets( trans, cntrller, kwd, library_bunch, response_code, message ) upload_common.cleanup_unused_precreated_datasets( precreated_datasets ) if upload_option == 'upload_file' and not uploaded_datasets: response_code = 400 @@ -1121,7 +1111,7 @@ replace_id=replace_id, upload_option=upload_option, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) json_file_path = upload_common.create_paramfile( trans, uploaded_datasets ) data_list = [ ud.data for ud in uploaded_datasets ] @@ -1135,7 +1125,7 @@ def make_library_uploaded_dataset( self, trans, cntrller, params, name, path, type, library_bunch, in_folder=None ): link_data_only = params.get( 'link_data_only', 'copy_files' ) uuid_str = params.get( 'uuid', None ) - file_type = params.file_type + file_type = params.get( 'file_type' ) library_bunch.replace_dataset = None # not valid for these types of upload uploaded_dataset = util.bunch.Bunch() new_name = name 
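Review bot: `make_library_uploaded_dataset` in the `@@ -1135` hunk (and `_paths_list` in the `@@ -1247` hunk, plus the `dbkey`/`space_to_tab` lookups in `@@ -1151`) still calls its argument `params` although the callers changed in `@@ -1103` now pass the plain `kwd` dict, so the old `Params` attribute access has become dict `.get()` calls that return `None` for a missing key. Whether `None` is acceptable for `file_type`, `dbkey` and `space_to_tab` is not visible here; if it is not, give those lookups explicit defaults or validate them before `upload_common.new_upload` consumes the bunch. Renaming the parameter to `kwd` and adding a docstring, `"""Build an uploaded_dataset Bunch from the raw request dict (not a util.Params)."""`, would stop the next reader from assuming attribute-style access still works.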
@@ -1151,8 +1141,8 @@ uploaded_dataset.type = type uploaded_dataset.ext = None uploaded_dataset.file_type = file_type - uploaded_dataset.dbkey = params.dbkey - uploaded_dataset.space_to_tab = params.space_to_tab + uploaded_dataset.dbkey = params.get( 'dbkey' ) + uploaded_dataset.space_to_tab = params.get( 'space_to_tab' ) if in_folder: uploaded_dataset.in_folder = in_folder uploaded_dataset.data = upload_common.new_upload( trans, cntrller, uploaded_dataset, library_bunch ) @@ -1247,7 +1237,7 @@ files_and_folders.append((file_path, file, in_folder)) return files_and_folders def _paths_list(self, params): - return [ (l.strip(), os.path.abspath(l.strip())) for l in params.filesystem_paths.splitlines() if l.strip() ] + return [ (l.strip(), os.path.abspath(l.strip())) for l in params.get( 'filesystem_paths', '' ).splitlines() if l.strip() ] def _check_path_paste_params(self, params): if params.get( 'filesystem_paths', '' ) == '': 
@@ -1259,33 +1249,32 @@ if not os.path.exists( path ): bad_paths.append( path ) if bad_paths: - message = "Invalid paths:<br><ul><li>%s</li></ul>" % "</li><li>".join( bad_paths ) + message = 'Invalid paths: "%s".' % '", "'.join( bad_paths ) response_code = 400 return None, response_code, message return None @web.expose def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - ldda_message = util.restore_text( params.get( 'ldda_message', '' ) ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - replace_id = params.get( 'replace_id', None ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + ldda_message = kwd.get( 'ldda_message', '' ) + show_deleted = kwd.get( 'show_deleted', False ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + replace_id = kwd.get( 'replace_id', None ) replace_dataset = None - upload_option = params.get( 'upload_option', 'import_from_history' ) - if params.get( 'files_0|space_to_tab', False ): - space_to_tab = params.get( 'files_0|space_to_tab', '' ) + upload_option = kwd.get( 'upload_option', 'import_from_history' ) + if kwd.get( 'files_0|space_to_tab', False ): + space_to_tab = kwd.get( 'files_0|space_to_tab', '' ) else: - space_to_tab = params.get( 'space_to_tab', '' ) - link_data_only = params.get( 'link_data_only', 'copy_files' ) - dbkey = params.get( 'dbkey', '?' ) + space_to_tab = kwd.get( 'space_to_tab', '' ) + link_data_only = kwd.get( 'link_data_only', 'copy_files' ) + dbkey = kwd.get( 'dbkey', '?' 
) if isinstance( dbkey, list ): last_used_build = dbkey[0] else: last_used_build = dbkey - roles = params.get( 'roles', '' ) + roles = kwd.get( 'roles', '' ) is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' ) current_user_roles = trans.get_current_user_roles() widgets = [] @@ -1323,9 +1312,9 @@ cntrller=cntrller, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) - if params.get( 'add_history_datasets_to_library_button', False ): + if kwd.get( 'add_history_datasets_to_library_button', False ): hda_ids = util.listify( hda_ids ) if hda_ids: dataset_names = [] @@ -1354,7 +1343,7 @@ trans.app.security_agent.copy_library_permissions( trans, folder, ldda ) trans.app.security_agent.copy_library_permissions( trans, folder, ldda.library_dataset ) else: - library_bunch = upload_common.handle_library_params( trans, params, folder_id, replace_dataset ) + library_bunch = upload_common.handle_library_params( trans, kwd, folder_id, replace_dataset ) if library_bunch.template and library_bunch.template_field_contents: # Since information templates are inherited, the template fields can be displayed on the upload form. # If the user has added field contents, we'll need to create a new form_values and info_association @@ -1422,12 +1411,12 @@ id=library_id, created_ldda_ids=created_ldda_ids, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) else: message = 'Select at least one dataset from the list of active datasets in your current history' status = 'error' - upload_option = params.get( 'upload_option', 'import_from_history' ) + upload_option = kwd.get( 'upload_option', 'import_from_history' ) widgets = self._get_populated_widgets( folder ) # Send list of data formats to the upload form so the "extension" select list can be populated dynamically file_formats = trans.app.datatypes_registry.upload_file_formats 
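Review bot: In the `@@ -1259` hunk, `show_deleted = kwd.get( 'show_deleted', False )` drops the `util.string_as_bool` wrapper that the removed line had and that every other method in this diff keeps (e.g. `upload_dataset` at `@@ -1054`, `library_dataset_info` at `@@ -1555`), so a query value of `'False'` is now a non-empty string and truthy wherever `show_deleted` is tested or passed on. The line should read `show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )`. The new plain-text `Invalid paths: "%s".` message in the same hunk is built from user-supplied paths and is rendered only after `escape( message )` downstream, which is the right order now that the `<ul>` markup is gone. `add_history_datasets_to_library` continues beyond the hunk.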
@@ -1461,8 +1450,8 @@ link_data_only=link_data_only, show_deleted=show_deleted, ldda_message=ldda_message, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) def _build_roles_select_list( self, trans, cntrller, library, selected_role_ids=[] ): # Get the list of legitimate roles to display on the upload form. If the library is public, # all active roles are legitimate. If the library is restricted by the LIBRARY_ACCESS permission, only @@ -1521,8 +1510,7 @@ def download_dataset_from_folder( self, trans, cntrller, id, library_id=None, **kwd ): """Catches the dataset id and displays file contents as directed""" show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) - params = util.Params( kwd ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() try: @@ -1555,15 +1543,14 @@ use_panels=use_panels, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) @web.expose def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() try: 
@@ -1571,11 +1558,11 @@ except: library_dataset = None self._check_access( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'edit_attributes_button', False ): + if kwd.get( 'edit_attributes_button', False ): self._check_modify( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted ) old_name = library_dataset.name - new_name = util.restore_text( params.get( 'name', '' ) ) - new_info = util.restore_text( params.get( 'info', '' ) ) + new_name = kwd.get( 'name', '' ) + new_info = kwd.get( 'info', '' ) if not new_name: message = 'Enter a valid name' status = 'error' @@ -1604,15 +1591,14 @@ widgets=widgets, widget_fields_have_contents=widget_fields_have_contents, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() try: 
@@ -1621,7 +1607,7 @@ library_dataset = None self._check_access( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted ) self._check_manage( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'update_roles_button', False ): + if kwd.get( 'update_roles_button', False ): # The user clicked the Save button on the 'Associate With Roles' form permissions = {} for k, v in trans.app.model.Library.permitted_actions.items(): 
@@ -1652,22 +1638,21 @@ roles=roles, current_user_roles=current_user_roles, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) current_user_roles = trans.get_current_user_roles() is_admin = trans.user_is_admin() and cntrller == 'library_admin' if item_type == 'library': library = trans.sa_session.query( trans.model.Library ).get( trans.security.decode_id( id ) ) self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted ) self._check_manage( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted ) - contents = util.string_as_bool( params.get( 'contents', 'False' ) ) + contents = util.string_as_bool( kwd.get( 'contents', 'False' ) ) trans.app.security_agent.make_library_public( library, contents=contents ) if contents: message = "The data library (%s) and all its contents have been made publicly accessible." % library.name @@ -1694,7 +1679,7 @@ use_panels=use_panels, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status=status ) ) @web.expose def act_on_multiple_datasets( self, trans, cntrller, library_id=None, ldda_ids='', **kwd ): 
@@ -1718,12 +1703,11 @@ rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath ) return rval # Perform an action on a list of library datasets. - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - action = params.get( 'do_action', None ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + action = kwd.get( 'do_action', None ) lddas = [] error = False is_admin = trans.user_is_admin() and cntrller == 'library_admin' @@ -1738,7 +1722,7 @@ else: if action in [ 'import_to_current_history', 'import_to_histories' ]: new_kwd = {} - if action == 'import_to_current_history': + if current_history is not None and action == 'import_to_current_history': encoded_current_history_id = trans.security.encode_id( current_history.id ) selected_history_id = encoded_current_history_id new_kwd[ 'do_action' ] = action @@ -1809,7 +1793,7 @@ folder_id=folder_id, id=",".join( encoded_ldda_ids ), show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status=status ) ) else: message = "You are not authorized to manage permissions on any of the selected datasets." @@ -1970,11 +1954,11 @@ use_panels=use_panels, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status=status ) ) else: # We arrived here from the library_dataset_search_results page, so redirect there. - search_term = params.get( 'search_term', '' ) + search_term = kwd.get( 'search_term', '' ) comptypes = get_comptypes( trans ) return trans.fill_template( '/library/common/library_dataset_search_results.mako', cntrller=cntrller, 
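Review bot: The new guard `if current_history is not None and action == 'import_to_current_history':` in the `@@ -1738` hunk means a request for `import_to_current_history` with no current history now silently drops into the `else` branch, whose handling is outside the hunk; unless that branch presents a history chooser, the user gets a different action than the one they selected, with no message. An explicit branch is clearer: `elif action == 'import_to_current_history':` setting `message = 'You must have a history before you can import datasets.'` and `status = 'error'`, mirroring the wording used in `import_datasets_to_histories` later in this diff. `act_on_multiple_datasets` starts and ends outside the hunk.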
@@ -1984,8 +1968,8 @@ lddas=lddas, show_deleted=show_deleted, use_panels=use_panels, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def import_datasets_to_histories( self, trans, cntrller, library_id='', folder_id='', ldda_ids='', target_history_id='', target_history_ids='', new_history_name='', **kwd ): @@ -1995,12 +1979,11 @@ # - a select list option for acting on multiple selected datasets within a library # ( ldda_ids is a comma separated string of ldda ids ) # - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids ) - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - action = params.get( 'do_action', None ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + action = kwd.get( 'do_action', None ) user = trans.get_user() current_history = trans.get_history() if library_id: @@ -2019,7 +2002,7 @@ target_history_ids = set( [ trans.security.decode_id( target_history_id ) for target_history_id in target_history_ids if target_history_id ] ) elif target_history_id: target_history_ids = [ trans.security.decode_id( target_history_id ) ] - if params.get( 'import_datasets_to_histories_button', False ): + if kwd.get( 'import_datasets_to_histories_button', False ): invalid_datasets = 0 if not ldda_ids or not ( target_history_ids or new_history_name ): message = "You must provide one or more source library datasets and one or more target histories." 
@@ -2083,11 +2066,13 @@ # to the lddas in order for the menu optin to be available. ldda = trans.sa_session.query( trans.model.LibraryDatasetDatasetAssociation ).get( ldda_id ) source_lddas.append( ldda ) + if current_history is None: + current_history = trans.get_history( create=True ) if current_history is not None: target_histories = [ current_history ] else: target_histories = [] - message = 'You must have a history before you can import datasets. You can do this by <a href="%s" target="_top">loading the analysis interface</a>.' % url_for(controller='root') + message = 'You must have a history before you can import datasets. You can do this by loading the analysis interface.' status = 'error' if user: target_histories = user.active_histories @@ -2097,7 +2082,7 @@ action='browse_library', cntrller=cntrller, id=library_id, - message=util.sanitize_text( message ), + message=message, status=status ) ) return trans.fill_template( "/library/common/import_datasets_to_histories.mako", cntrller=cntrller, @@ -2111,15 +2096,14 @@ new_history_name=new_history_name, show_deleted=show_deleted, use_panels=use_panels, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ): - params = util.Params( kwd ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' ) current_user_roles = trans.get_current_user_roles() try: 
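Review bot: `current_history = trans.get_history( create=True )` in the `@@ -2083` hunk creates a new history as a side effect of merely rendering the import form (the submit check `import_datasets_to_histories_button` at `@@ -2019` is a separate branch), and if `get_history( create=True )` always returns a history the following `else:` with the 'You must have a history' message is dead code. If the intent is to guarantee a target for the current-history case, either move the creation under the submit branch or drop the unreachable `else:` and say why: `# get_history( create=True ) never returns None here`. `import_datasets_to_histories` starts and ends outside the hunk.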
@@ -2138,7 +2122,7 @@ cntrller=cntrller, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) info_association, inherited = item.get_info_association( restrict=True ) if info_association: @@ -2157,7 +2141,7 @@ folder_id=folder_id, id=id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) @web.expose def move_library_item( self, trans, cntrller, item_type, item_id, source_library_id='', make_target_current=True, **kwd ): @@ -2168,11 +2152,10 @@ # 'ldda' and item_id is a comma separated string of ldda ids ) # - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a # comma separated string of ldda ids ) - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) make_target_current = util.string_as_bool( make_target_current ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' user = trans.get_user() 
@@ -2186,14 +2169,14 @@ else: # Request sent from the library_dataset_search_results page. source_library = None - target_library_id = params.get( 'target_library_id', '' ) + target_library_id = kwd.get( 'target_library_id', '' ) if target_library_id not in [ '', 'none', None ]: target_library = trans.sa_session.query( trans.model.Library ).get( trans.security.decode_id( target_library_id ) ) elif make_target_current: target_library = source_library else: target_library = None - target_folder_id = params.get( 'target_folder_id', '' ) + target_folder_id = kwd.get( 'target_folder_id', '' ) if target_folder_id not in [ '', 'none', None ]: target_folder = trans.sa_session.query( trans.model.LibraryFolder ).get( trans.security.decode_id( target_folder_id ) ) if target_library is None: @@ -2208,7 +2191,7 @@ elif item_type == 'folder': move_folder_id = item_id move_folder = trans.sa_session.query( trans.model.LibraryFolder ).get( trans.security.decode_id( move_folder_id ) ) - if params.get( 'move_library_item_button', False ): + if kwd.get( 'move_library_item_button', False ): if not ( move_ldda_ids or move_folder_id ) or target_folder_id in [ '', 'none', None ]: message = "You must select a source folder or one or more source datasets, and a target folder." status = 'error' @@ -2372,8 +2355,8 @@ target_folder_id_select_field=target_folder_id_select_field, show_deleted=show_deleted, use_panels=use_panels, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def delete_library_item( self, trans, cntrller, library_id, item_id, item_type, **kwd ): # This action will handle deleting all types of library items. State is saved for libraries and @@ -2541,7 +2524,7 @@ action='browse_libraries', cntrller=cntrller, use_panels=use_panels, - message=util.sanitize_text( message ), + message=message, status='error' ) ) return trans.response.send_redirect( web.url_for( controller='library_common', action='browse_library', 
@@ -2549,7 +2532,7 @@ use_panels=use_panels, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) def _check_add( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ): # Deny access if the user is not an admin and does not have the LIBRARY_ADD permission. @@ -2564,7 +2547,7 @@ use_panels=use_panels, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) def _check_manage( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ): if isinstance( item, trans.model.LibraryDataset ): @@ -2580,7 +2563,7 @@ id=library_id, cntrller=cntrller, use_panels=use_panels, - message=util.sanitize_text( message ), + message=message, status='error' ) ) # Deny access if the user is not an admin and does not have the LIBRARY_MANAGE permission. if not ( is_admin or trans.app.security_agent.can_manage_library_item( current_user_roles, item ) ): @@ -2592,7 +2575,7 @@ id=library_id, cntrller=cntrller, use_panels=use_panels, - message=util.sanitize_text( message ), + message=message, status='error' ) ) def _check_modify( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ): # Deny modification if the user is not an admin and does not have the LIBRARY_MODIFY permission. @@ -2606,7 +2589,7 @@ id=library_id, use_panels=use_panels, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) # ---- Utility methods ------------------------------------------------------- 
@@ -2740,9 +2723,8 @@ return map( operator.getitem, intermed, ( -1, ) * len( intermed ) ) def lucene_search( trans, cntrller, search_term, search_url, **kwd ): """Return display of results from a full-text lucene search of data libraries.""" - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) ) response = urllib2.urlopen( full_url ) ldda_ids = util.json.loads( response.read() )[ "ids" ] @@ -2751,9 +2733,8 @@ return status, message, get_sorted_accessible_library_items( trans, cntrller, lddas, 'name' ) def whoosh_search( trans, cntrller, search_term, **kwd ): """Return display of results from a full-text whoosh search of data libraries.""" - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) ok = True if whoosh_search_enabled: whoosh_index_dir = trans.app.config.whoosh_index_dir diff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 -r 0f0cca84c94ac88e6e9d347a57fd08b99d7c9176 templates/webapps/galaxy/library/common/browse_library.mako --- a/templates/webapps/galaxy/library/common/browse_library.mako +++ b/templates/webapps/galaxy/library/common/browse_library.mako 
@@ -236,29 +236,29 @@ %if current_version and ( not ldda.library_dataset.deleted or show_deleted ): <tr class="datasetRow" %if parent is not None: - parent="${parent}" + parent="${parent | h}" %endif - id="libraryItem-${ldda.id}"> + id="libraryItem-${ldda.id | h}"><td style="padding-left: ${pad+20}px;"> - <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id )}" value="${trans.security.encode_id( ldda.id )}" + <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}" %if selected: checked="checked" %endif /> %if simple: - <label for="${trans.security.encode_id( ldda.id )}">${ util.unicodify( ldda.name )}</label> + <label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label> %else: - <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id}-popup"> + <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}"> %if ldda.library_dataset.deleted: - <div class="libraryItem-error">${util.unicodify( ldda.name )}</div> + <div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div> %else: - ${util.unicodify( ldda.name )} + ${util.unicodify( ldda.name ) | h} %endif </a></div> %if not library.deleted: - <div popupmenu="dataset-${ldda.id}-popup"> + <div popupmenu="dataset-${ldda.id | h}-popup"> %if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify: <a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, 
library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a> @@ -287,7 +287,7 @@ %endif %if can_modify: %if not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.deleted: - <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name )}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a> + <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name ) | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a> %elif not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.purged and ldda.library_dataset.deleted: <a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Undelete this dataset</a> %endif 
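Review bot: In the `@@ -236` and `@@ -287` hunks every interpolated value now carries `| h` except the `href="${h.url_for( ... use_panels=use_panels, show_deleted=show_deleted )}"` attributes, which still emit the URL unfiltered. If `url_for` percent-encodes its query arguments this is safe apart from raw `&` separators inside an attribute, but the inconsistency is easy to miss on the next edit; applying `| h` to those expressions too would make the rule "everything inside `${}` is filtered" hold for the whole template. The same applies to the mirrored hunks in `browse_library_opt.mako`.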
@@ -298,10 +298,10 @@ </td> % if not simple: <td id="libraryItemInfo">${render_library_item_info( ldda )}</td> - <td>${ldda.extension}</td> + <td>${ldda.extension | h}</td> % endif - <td>${ldda.create_time.strftime( trans.app.config.pretty_datetime_format )}</td> - <td>${ldda.get_size( nice_size=True )}</td> + <td>${ldda.create_time.strftime( trans.app.config.pretty_datetime_format ) | h}</td> + <td>${ldda.get_size( nice_size=True ) | h}</td></tr><% my_row = row_counter.count 
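Review bot: `<td id="libraryItemInfo">${render_library_item_info( ldda )}</td>` in the `@@ -298` hunk is the one cell in this row left unfiltered, which is correct only if the `render_library_item_info` def (outside this diff) applies `| h` to any user-settable fields it interpolates. That def is worth checking in the same pass, and a comment on the call would record the decision: `## render_library_item_info escapes its own fields`.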
@@ -355,28 +355,28 @@ %> %if not root_folder and ( not folder.deleted or show_deleted ): <% encoded_id = trans.security.encode_id( folder.id ) %> - <tr id="folder-${encoded_id}" class="folderRow libraryOrFolderRow" + <tr id="folder-${encoded_id | h}" class="folderRow libraryOrFolderRow" %if parent is not None: - parent="${parent}" + parent="${parent | h}" style="display: none;" %endif > - <td style="padding-left: ${folder_pad}px;"> + <td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/> - <span class="expandLink folder-${encoded_id}-click"> - <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id}-popup"> - <a class="folder-${encoded_id}-click" href="javascript:void(0);"> + <span class="expandLink folder-${encoded_id | h}-click"> + <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup"> + <a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span> %if folder.deleted: - <div class="libraryItem-error">${folder.name}</div> + <div class="libraryItem-error">${folder.name | h}</div> %else: - ${folder.name} + ${folder.name | h} %endif </a></div></span> %if not library.deleted: - <div popupmenu="folder_img-${folder.id}-popup"> + <div popupmenu="folder_img-${folder.id | h}-popup"> %if not branch_deleted( folder ) and can_add: <a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add 
sub-folder</a> @@ -407,7 +407,7 @@ %endif %if can_modify: %if not library.deleted and not folder.deleted: - <a class="action-button" confirm="Click OK to delete the folder '${folder.name}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a> + <a class="action-button" confirm="Click OK to delete the folder '${folder.name | h}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a> %elif not library.deleted and folder.deleted and not folder.purged: <a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Undelete this folder</a> %endif @@ -416,7 +416,7 @@ %endif <td> %if folder.description: - ${folder.description} + ${folder.description | h} %endif <td colspan="3"></td></tr> @@ -504,7 +504,7 @@ return str( self.count ) %> - <h2>Data Library “${library.name}”</h2> + <h2>Data Library “${library.name | h}”</h2><ul class="manage-table-actions"> %if not library.deleted and ( is_admin or can_add ): 
@@ -517,7 +517,7 @@ %if not library.deleted: %if can_modify: <a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a> - <a class="action-button" confirm="Click OK to delete the library named '${library.name}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a> + <a class="action-button" confirm="Click OK to delete the library named '${library.name | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a> %if show_deleted: <a class="action-button" href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=False )}">Hide deleted items</a> %else: @@ -555,7 +555,7 @@ %if library.synopsis not in [ '', 'None', None ]: <div class="libraryItemBody"> - ${library.synopsis} + ${library.synopsis | h} </div> %endif @@ -610,6 +610,6 @@ ${render_compression_types_help( comptypes )} %endif %if not has_accessible_folders: - The data library '${library.name}' does not contain any datasets that you can access. + The data library '${library.name | h}' does not contain any datasets that you can access. %endif </%def> diff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 -r 0f0cca84c94ac88e6e9d347a57fd08b99d7c9176 templates/webapps/galaxy/library/common/browse_library_opt.mako --- a/templates/webapps/galaxy/library/common/browse_library_opt.mako +++ b/templates/webapps/galaxy/library/common/browse_library_opt.mako 
@@ -228,29 +228,29 @@ %if current_version and ( not ldda.library_dataset.deleted or show_deleted ): <tr class="datasetRow" %if parent is not None: - parent="${parent}" + parent="${parent | h}" %endif - id="libraryItem-${ldda.id}"> + id="libraryItem-${ldda.id | h}"><td style="padding-left: ${pad+20}px;"> - <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id )}" value="${trans.security.encode_id( ldda.id )}" + <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}" %if selected: checked="checked" %endif /> %if simple: - <label for="${trans.security.encode_id( ldda.id )}">${ util.unicodify( ldda.name )}</label> + <label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label> %else: - <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id}-popup"> + <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}"> %if ldda.library_dataset.deleted: - <div class="libraryItem-error">${util.unicodify( ldda.name )}</div> + <div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div> %else: - ${util.unicodify( ldda.name )} + ${util.unicodify( ldda.name ) | h} %endif </a></div> %if not library.deleted: - <div popupmenu="dataset-${ldda.id}-popup"> + <div popupmenu="dataset-${ldda.id | h}-popup"> %if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify: <a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, 
library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a> @@ -279,7 +279,7 @@ %endif %if can_modify: %if not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.deleted: - <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name )}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a> + <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name ) | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a> %elif not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.purged and ldda.library_dataset.deleted: <a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Undelete this dataset</a> %endif 
@@ -290,10 +290,10 @@ </td> % if not simple: <td id="libraryItemInfo">${render_library_item_info( ldda )}</td> - <td>${ldda.extension}</td> + <td>${ldda.extension | h}</td> % endif - <td>${ldda.create_time.strftime( "%Y-%m-%d" )}</td> - <td>${ldda.get_size( nice_size=True )}</td> + <td>${ldda.create_time.strftime( "%Y-%m-%d" ) | h}</td> + <td>${ldda.get_size( nice_size=True ) | h}</td></tr><% my_row = row_counter.count 
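Review bot: `${render_library_item_info( ldda )}` on the first line of this hunk is still rendered unfiltered while the neighbouring cells now use `| h`; if that def prints any user-settable field of the dataset (name, info, a job's stderr), the escaping has to happen inside the def with `| h`, because filtering the call from here would also escape the def's own markup. The def is defined outside this hunk, so I cannot confirm what it emits. Filtering `create_time.strftime( ... )` and `get_size( nice_size=True )` is harmless but adds nothing, since neither can carry markup.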
@@ -362,28 +362,28 @@ %> %if not root_folder and ( not folder.deleted or show_deleted ): <% encoded_id = trans.security.encode_id( folder.id ) %> - <tr id="folder-${encoded_id}" class="folderRow libraryOrFolderRow" + <tr id="folder-${encoded_id | h}" class="folderRow libraryOrFolderRow" %if parent is not None: - parent="${parent}" + parent="${parent | h}" style="display: none;" %endif > - <td style="padding-left: ${folder_pad}px;"> + <td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/> - <span class="expandLink folder-${encoded_id}-click"> - <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id}-popup"> - <a class="folder-${encoded_id}-click" href="javascript:void(0);"> + <span class="expandLink folder-${encoded_id | h}-click"> + <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup"> + <a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span> %if folder.deleted: - <div class="libraryItem-error">${folder.name}</div> + <div class="libraryItem-error">${folder.name | h}</div> %else: - ${folder.name} + ${folder.name | h} %endif </a></div></span> %if not library.deleted: - <div popupmenu="folder_img-${folder.id}-popup"> + <div popupmenu="folder_img-${folder.id | h}-popup"> %if not branch_deleted( folder ) and can_add: <a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add 
sub-folder</a> @@ -414,7 +414,7 @@ %endif %if can_modify: %if not library.deleted and not folder.deleted: - <a class="action-button" confirm="Click OK to delete the folder '${folder.name}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a> + <a class="action-button" confirm="Click OK to delete the folder '${folder.name | h}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a> %elif not library.deleted and folder.deleted and not folder.purged: <a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Undelete this folder</a> %endif @@ -423,7 +423,7 @@ %endif <td> %if folder.description: - ${folder.description} + ${folder.description | h} %endif <td colspan="3"></td></tr> 
@@ -515,12 +515,12 @@ <li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li> %endif %if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ): - <li><a class="action-button" id="library-${library.id}-popup" class="menubutton">Library Actions</a></li> - <div popupmenu="library-${library.id}-popup"> + <li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li> + <div popupmenu="library-${library.id | h}-popup"> %if not library.deleted: %if can_modify: <a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a> - <a class="action-button" confirm="Click OK to delete the library named '${library.name}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a> + <a class="action-button" confirm="Click OK to delete the library named '${library.name | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a> %if show_deleted: <a class="action-button" href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=False )}">Hide deleted items</a> %else: 
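Review bot: The `<a class="action-button" id="library-${library.id | h}-popup" class="menubutton">` element carries two `class` attributes; browsers keep the first and drop the second, so `menubutton` never applies. If the popup styling or behaviour depends on it, merge them: `<a class="action-button menubutton" id="library-${library.id | h}-popup">`. This is pre-existing, but the line is being touched anyway.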
@@ -558,7 +558,7 @@ %if library.synopsis not in [ '', 'None', None ]: <div class="libraryItemBody"> - ${library.synopsis} + ${library.synopsis | h} </div> %endif @@ -616,6 +616,6 @@ ${render_compression_types_help( comptypes )} %endif %if not has_accessible_folders: - The data library '${library.name}' does not contain any datasets that you can access. + The data library '${library.name | h}' does not contain any datasets that you can access. %endif </%def> diff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 -r 0f0cca84c94ac88e6e9d347a57fd08b99d7c9176 templates/webapps/galaxy/library/common/common.mako --- a/templates/webapps/galaxy/library/common/common.mako +++ b/templates/webapps/galaxy/library/common/common.mako 
@@ -88,19 +88,19 @@ else: tool_form_title = 'Upload files' %> - <div class="toolFormTitle">${tool_form_title}</div> + <div class="toolFormTitle">${tool_form_title | h}</div><div class="toolFormBody"><form name="upload_library_dataset" id="upload_library_dataset" action="${action}" enctype="multipart/form-data" method="post"><input type="hidden" name="tool_id" value="upload1"/><input type="hidden" name="tool_state" value="None"/> - <input type="hidden" name="cntrller" value="${cntrller}"/> - <input type="hidden" name="library_id" value="${library_id}"/> - <input type="hidden" name="folder_id" value="${folder_id}"/> - <input type="hidden" name="show_deleted" value="${show_deleted}"/> + <input type="hidden" name="cntrller" value="${cntrller | h}"/> + <input type="hidden" name="library_id" value="${library_id | h}"/> + <input type="hidden" name="folder_id" value="${folder_id | h}"/> + <input type="hidden" name="show_deleted" value="${show_deleted | h}"/> %if replace_dataset not in [ None, 'None' ]: - <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id )}"/> + <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id ) | h}"/><div class="form-row"> - You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${util.unicodify( replace_dataset.name )}</a>'. + You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${util.unicodify( replace_dataset.name ) | h}</a>'. <div style="clear: both"></div></div> %endif 
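Review bot: `action="${action}"` on the `<form>` is the one interpolation in this hunk left without `| h`. If `action` is always the output of `h.url_for` it only contains URL characters, but if it can be assembled from request values (for example `use_panels` or `show_deleted` echoed back), it should be `action="${action | h}"` like the hidden inputs directly below it. Where `action` is computed is outside this hunk, so please confirm.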
@@ -120,7 +120,7 @@ <select name="file_type"><option value="auto" selected>Auto-detect</option> %for file_format in file_formats: - <option value="${file_format}">${file_format}</option> + <option value="${file_format | h}">${file_format | h}</option> %endfor </select></div> @@ -176,23 +176,23 @@ %for entry in os.listdir( import_dir ): ## Do not include entries that are not directories %if os.path.isdir( os.path.join( import_dir, entry ) ): - <option>${entry}</option> + <option>${entry | h}</option> %endif %endfor %else: %if ( trans.user_is_admin() and cntrller == 'library_admin' ): - <option>${import_dir}</option> + <option>${import_dir | h}</option> %else: - <option>${trans.user.email}</option> + <option>${trans.user.email | h}</option> %endif %endif </select></div><div class="toolParamHelp" style="clear: both;"> %if contains_directories: - Upload all files in a sub-directory of <strong>${import_dir}</strong> on the Galaxy server. + Upload all files in a sub-directory of <strong>${import_dir | h}</strong> on the Galaxy server. %else: - Upload all files in <strong>${import_dir}</strong> on the Galaxy server. + Upload all files in <strong>${import_dir | h}</strong> on the Galaxy server. %endif </div><div style="clear: both"></div> @@ -282,9 +282,9 @@ %> %for dbkey in dbkeys: %if dbkey[1] == default_selected: - <option value="${dbkey[1]}" selected>${dbkey[0]}</option> + <option value="${dbkey[1] | h}" selected>${dbkey[0] | h}</option> %else: - <option value="${dbkey[1]}">${dbkey[0]}</option> + <option value="${dbkey[1] | h}">${dbkey[0] | h}</option> %endif %endfor </select> @@ -295,7 +295,7 @@ <label>Message:</label><div class="form-row-input"> %if ldda_message: - <textarea name="ldda_message" rows="3" cols="35">${ldda_message}</textarea> + <textarea name="ldda_message" rows="3" cols="35">${ldda_message | h}</textarea> %else: <textarea name="ldda_message" rows="3" cols="35"></textarea> %endif 
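Review bot: The help text `Upload all files in <strong>${import_dir | h}</strong> on the Galaxy server.` prints a server-side directory path to whoever reaches this form, including the non-admin branch where the option shown is `trans.user.email`; the escaping fixes injection, but whether the absolute path should be disclosed at all is a separate question that this change does not address. If `import_dir` there is the per-user import directory, showing only the user-facing part (the email sub-directory) would avoid the leak. The `os.listdir( import_dir )` loop a few lines above also runs inside the template; moving directory enumeration into the controller would keep filesystem access out of the view and make it easier to restrict.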
@@ -320,13 +320,13 @@ %if widgets: %for i, field in enumerate( widgets ): <div class="form-row"> - <label>${field[ 'label' ]}</label> + <label>${field[ 'label' ] | h}</label><div class="form-row-input"> ${field[ 'widget' ].get_html()} </div><div class="toolParamHelp" style="clear: both;"> %if field[ 'helptext' ]: - ${field[ 'helptext' ]}<br/> + ${field[ 'helptext' ] | h}<br/> %endif *Inherited template field </div> @@ -342,14 +342,14 @@ </div> %elif upload_option == 'import_from_history': <div class="toolForm"> - <div class="toolFormTitle">Active datasets in your current history (${ util.unicodify( history.name )})</div> + <div class="toolFormTitle">Active datasets in your current history (${ util.unicodify( history.name ) | h})</div><div class="toolFormBody"> %if history and history.active_datasets: <form name="add_history_datasets_to_library" action="${h.url_for( controller='library_common', action='add_history_datasets_to_library', cntrller=cntrller, library_id=library_id )}" enctype="multipart/form-data" method="post"> - <input type="hidden" name="folder_id" value="${folder_id}"/> - <input type="hidden" name="show_deleted" value="${show_deleted}"/> + <input type="hidden" name="folder_id" value="${folder_id | h}"/> + <input type="hidden" name="show_deleted" value="${show_deleted | h}"/><input type="hidden" name="upload_option" value="import_from_history"/> - <input type="hidden" name="ldda_message" value="${ldda_message}"/> + <input type="hidden" name="ldda_message" value="${ldda_message | h}"/><% role_ids_selected = '' if roles_select_list: 
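Review bot: `${field[ 'widget' ].get_html()}` is emitted raw in both template-field loops, so any current value or option label the widget renders — values previously submitted by a user into the library template form — must be escaped inside the form_builder widgets themselves; this commit escapes `label` and `helptext` around it but not the widget output, and `get_html()` is not visible here to confirm it does. A one-line comment at that call, `## widget HTML is trusted markup; current values must be escaped inside form_builder`, would make the expectation explicit for the next reviewer.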
@@ -357,32 +357,32 @@ if selected: role_ids_selected = ','.join( selected ) %> - <input type="hidden" name="roles" value="${role_ids_selected}"/> + <input type="hidden" name="roles" value="${role_ids_selected | h}"/> %if replace_dataset not in [ None, 'None' ]: - <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id )}"/> + <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id ) | h}"/><div class="form-row"> - You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${ util.unicodify( replace_dataset.name )}</a>'. + You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${ util.unicodify( replace_dataset.name ) | h}</a>'. 
<div style="clear: both"></div></div> %endif %for hda in history.visible_datasets: <% encoded_id = trans.security.encode_id( hda.id ) %><div class="form-row"> - <input name="hda_ids" id="hist_${encoded_id}" value="${encoded_id}" type="checkbox"/> - <label for="hist_${encoded_id}" style="display: inline;font-weight:normal;">${hda.hid}: ${ util.unicodify( hda.name )}</label> + <input name="hda_ids" id="hist_${encoded_id | h}" value="${encoded_id | h}" type="checkbox"/> + <label for="hist_${encoded_id | h}" style="display: inline;font-weight:normal;">${hda.hid | h}: ${ util.unicodify( hda.name ) | h}</label></div> %endfor %if widgets: - <input type="hidden" name="template_id" value="${template_id}"/> + <input type="hidden" name="template_id" value="${template_id | h}"/> %for i, field in enumerate( widgets ): <div class="form-row"> - <label>${field[ 'label' ]}</label> + <label>${field[ 'label' ] | h}</label><div class="form-row-input"> ${field[ 'widget' ].get_html()} </div><div class="toolParamHelp" style="clear: both;"> %if field[ 'helptext' ]: - ${field[ 'helptext' ]}<br/> + ${field[ 'helptext' ] | h}<br/> %endif *Inherited template field </div> diff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 -r 0f0cca84c94ac88e6e9d347a57fd08b99d7c9176 templates/webapps/galaxy/library/common/import_datasets_to_histories.mako --- a/templates/webapps/galaxy/library/common/import_datasets_to_histories.mako +++ b/templates/webapps/galaxy/library/common/import_datasets_to_histories.mako 
@@ -34,8 +34,8 @@ checked = " checked='checked'" %><div class="form-row"> - <input type="checkbox" name="ldda_ids" id="dataset_${encoded_id}" value="${encoded_id}" ${checked}/> - <label for="dataset_${encoded_id}" style="display: inline;font-weight:normal;">${util.unicodify( source_ldda.name )}</label> + <input type="checkbox" name="ldda_ids" id="dataset_${encoded_id | h}" value="${encoded_id | h}" ${checked}/> + <label for="dataset_${encoded_id | h}" style="display: inline;font-weight:normal;">${util.unicodify( source_ldda.name ) | h}</label></div> %endfor %else: @@ -61,7 +61,7 @@ else: current_history_text = "" %> - <option value="${encoded_id}"${selected_text}>${i + 1}: ${h.truncate( util.unicodify( target_history.name ), 30 )}${current_history_text}</option> + <option value="${encoded_id | h}"${selected_text}>${i + 1}: ${h.truncate( util.unicodify( target_history.name ), 30 ) | h}${current_history_text | h}</option> %endfor </select><br/><br/> @@ -77,8 +77,8 @@ current_history_text = "" %><div class="form-row"> - <input type="checkbox" name="target_history_ids" id="target_history_${encoded_id}" value="${encoded_id}"/> - <label for="target_history_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${util.unicodify( target_history.name )}${current_history_text}</label> + <input type="checkbox" name="target_history_ids" id="target_history_${encoded_id | h}" value="${encoded_id | h}"/> + <label for="target_history_${encoded_id | h}" style="display: inline; font-weight:normal;">${i + 1}: ${util.unicodify( target_history.name ) | h}${current_history_text | h}</label></div> %endfor </div> diff -r ed67b05dc0402bf9ff9fbf35198ea2cac92e2c22 -r 0f0cca84c94ac88e6e9d347a57fd08b99d7c9176 templates/webapps/galaxy/library/common/ldda_edit_info.mako --- a/templates/webapps/galaxy/library/common/ldda_edit_info.mako +++ b/templates/webapps/galaxy/library/common/ldda_edit_info.mako 
@@ -34,9 +34,9 @@ <select name="datatype"> %for ext in file_formats: %if ldda.ext == ext: - <option value="${ext}" selected="yes">${ext}</option> + <option value="${ext | h}" selected="yes">${ext | h}</option> %else: - <option value="${ext}">${ext}</option> + <option value="${ext | h}">${ext | h}</option> %endif %endfor </select> @@ -44,24 +44,24 @@ %if ( trans.user_is_admin() and cntrller=='library_admin' ) or trans.app.security_agent.can_modify_library_item( current_user_roles, ldda.library_dataset ): <div class="toolForm"> - <div class="toolFormTitle">Edit attributes of ${util.unicodify( ldda.name )}</div> + <div class="toolFormTitle">Edit attributes of ${util.unicodify( ldda.name ) | h}</div><div class="toolFormBody"><form name="edit_attributes" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post"> - <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/> + <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><div class="form-row"><label>Name:</label> - <input type="text" name="name" value="${util.unicodify( ldda.name )}" size="40"/> + <input type="text" name="name" value="${util.unicodify( ldda.name ) | h}" size="40"/><div style="clear: both"></div></div><div class="form-row"><label>Info:</label> - <input type="text" name="info" value="${util.unicodify( ldda.info )}" size="40"/> + <input type="text" name="info" value="${util.unicodify( ldda.info ) | h}" size="40"/><div style="clear: both"></div></div><div class="form-row"><label>Message:</label> %if ldda.message: - <textarea name="message" rows="3" cols="35">${ldda.message}</textarea> + <textarea name="message" rows="3" cols="35">${ldda.message | h}</textarea> %else: <textarea name="message" rows="3" cols="35"></textarea> %endif 
@@ -73,7 +73,7 @@ %for name, spec in ldda.metadata.spec.items(): %if spec.visible: <div class="form-row"> - <label>${spec.desc}:</label> + <label>${spec.desc | h}:</label> ${ldda.metadata.get_html_by_name( name, trans=trans )} <div style="clear: both"></div></div> @@ -85,7 +85,7 @@ </form><form name="auto_detect" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post"><div class="form-row"> - <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/> + <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><input type="submit" name="detect" value="Auto-detect"/><div class="toolParamHelp" style="clear: both;"> This will inspect the dataset and attempt to correct the above column values if they are not accurate. @@ -101,7 +101,7 @@ %if ldda.datatype.allow_datatype_change: <form name="change_datatype" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post"><div class="form-row"> - <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/> + <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><label>New Type:</label> ${datatype( ldda, file_formats )} <div class="toolParamHelp" style="clear: both;"> 
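Review bot: `${ldda.metadata.get_html_by_name( name, trans=trans )}` is inserted unfiltered in the edit form, while the read-only view further down in this file now escapes `${ldda.metadata.get( name ) | h}`; metadata values such as column names can originate from uploaded file content, so whatever `get_html_by_name` renders must escape the current value inside its `value="..."` attribute. That helper is defined outside this file, so please confirm, or apply `| h` to the result if it returns a plain value rather than markup.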
@@ -129,10 +129,10 @@ <div class="form-row"><label>Extended Metadata:</label></div> - <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/> + <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><div class="form-row"> %if ldda.extended_metadata: - <textarea name="extended_metadata" rows="15" cols="35">${util.pretty_print_json(ldda.extended_metadata.data)}</textarea> + <textarea name="extended_metadata" rows="15" cols="35">${util.pretty_print_json(ldda.extended_metadata.data) | h}</textarea> %else: <textarea name="extended_metadata" rows="15" cols="35"></textarea> %endif 
@@ -147,28 +147,28 @@ <p/> %else: <div class="toolForm"> - <div class="toolFormTitle">View information about ${util.unicodify( ldda.name )}</div> + <div class="toolFormTitle">View information about ${util.unicodify( ldda.name ) | h}</div><div class="toolFormBody"><div class="form-row"><label>Name:</label> - ${util.unicodify( ldda.name )} + ${util.unicodify( ldda.name ) | h} <div style="clear: both"></div></div><div class="form-row"><label>Info:</label> - ${util.unicodify( ldda.info )} + ${util.unicodify( ldda.info ) | h} <div style="clear: both"></div></div><div class="form-row"><label>Data Format:</label> - ${ldda.ext} + ${ldda.ext | h} <div style="clear: both"></div></div> %for name, spec in ldda.metadata.spec.items(): %if spec.visible: <div class="form-row"> - <label>${spec.desc}:</label> - ${ldda.metadata.get( name )} + <label>${spec.desc | h}:</label> + ${ldda.metadata.get( name ) | h} <div style="clear: both"></div></div> %endif This diff is so big that we needed to truncate the remainder. https://bitbucket.org/galaxy/galaxy-central/commits/07404a82972d/ Changeset: 07404a82972d Branch: stable User: dannon Date: 2014-12-08 20:22:53+00:00 Summary: Merged in dan/galaxy-central-prs/stable (pull request #597) [STABLE] HTML escape user-settable values in Data Libraries. Update tests to reflect that e.g. quotes are now html escaped within pages. Eliminate the unnecessary use of Params() object for these controllers. Affected #: 17 files diff -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 lib/galaxy/webapps/galaxy/controllers/library.py --- a/lib/galaxy/webapps/galaxy/controllers/library.py +++ b/lib/galaxy/webapps/galaxy/controllers/library.py 
@@ -3,7 +3,7 @@
 from galaxy import web
 from galaxy.model.orm import and_, not_, or_
 from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import grids
+from galaxy.web.framework.helpers import escape, grids
 from library_common import get_comptypes, lucene_search, whoosh_search
@@ -79,7 +79,6 @@
 @web.expose
 def list( self, trans, **kwd ):
- params = util.Params( kwd )
 # define app configuration for generic mako template
 app = { 'jscript' : "galaxy.library"
@@ -89,10 +88,9 @@
 @web.expose
 def index( self, trans, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- default_action = params.get( 'default_action', None )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'done' ) )
+ default_action = kwd.get( 'default_action', None )
 return trans.fill_template( "/library/index.mako",
 default_action=default_action,
 message=message,
diff -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
@@ -5,7 +5,7 @@
 from galaxy import web
 from galaxy.web.base.controller import BaseUIController
-from galaxy.web.framework.helpers import grids, time_ago
+from galaxy.web.framework.helpers import escape, grids, time_ago
 from library_common import get_comptypes, lucene_search, whoosh_search
 # from galaxy.model.orm import *
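Review bot: In `index`, `status` is read straight from the query string and only HTML-escaped, although it presumably selects one of a fixed set of message styles downstream; an allow-list is the more robust control here, e.g. `status = kwd.get( 'status', 'done' )` followed by `if status not in ( 'done', 'error', 'warning', 'info' ): status = 'done'`. `default_action` is forwarded to `/library/index.mako` without `escape()`, so it is safe only if the template escapes it or never renders it, which I cannot see from here. Escaping in the controller also means the template must render `message` and `status` unfiltered (`| n`), otherwise users get double-escaped text such as `&amp;lt;`; please confirm `escape` here is the quote-aware helper the commit message describes.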
@@ -141,20 +141,19 @@
 lddas=lddas,
 show_deleted=show_deleted,
 use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
 # Render the list view
 return self.library_list_grid( trans, **kwd )
 @web.expose
 @web.require_admin
 def create_library( self, trans, **kwd ):
- params = galaxy.util.Params( kwd )
- message = galaxy.util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- if params.get( 'create_library_button', False ):
- name = galaxy.util.restore_text( params.get( 'name', 'No name' ) )
- description = galaxy.util.restore_text( params.get( 'description', '' ) )
- synopsis = galaxy.util.restore_text( params.get( 'synopsis', '' ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ if kwd.get( 'create_library_button', False ):
+ name = kwd.get( 'name', 'No name' )
+ description = kwd.get( 'description', '' )
+ synopsis = kwd.get( 'synopsis', '' )
 if synopsis in [ 'None', None ]:
 synopsis = ''
 library = trans.app.model.Library( name=name, description=description, synopsis=synopsis )
@@ -167,9 +166,9 @@
 action='browse_library',
 cntrller='library_admin',
 id=trans.security.encode_id( library.id ),
- message=galaxy.util.sanitize_text( message ),
+ message=message,
 status='done' ) )
- return trans.fill_template( '/admin/library/new_library.mako', message=message, status=status )
+ return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) )
 @web.expose
 @web.require_admin
 def delete_library( self, trans, id, **kwd ):
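Review bot: `create_library` now relies on two different layers for output escaping: the redirect path sends the raw `message` (built from the submitted `name` outside this hunk) to `browse_library` via the query string and trusts that handler to escape it, while the `fill_template` path escapes in the controller itself. Picking one layer — escaping in the templates with `| h`, as the Mako changes in this commit already do — removes the chance that one renderer of `message` is missed. If `/admin/library/new_library.mako` also applies `| h` to `message`, the controller-side `escape()` on the last changed line yields double-escaped text; the template is not visible here, so please confirm. The function's body continues past the hunk.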
@@ -196,8 +195,7 @@
 # TODO: change this function to purge_library_item, behaving similar to delete_library_item
 # assuming we want the ability to purge libraries.
 # This function is currently only used by the functional tests.
- params = galaxy.util.Params( kwd )
- library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( params.id ) )
+ library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( kwd.get( 'id' ) ) )
 def purge_folder( library_folder ):
 for lf in library_folder.folders:
 purge_folder( lf )
@@ -226,7 +224,7 @@
 message = "Library '%s' has not been marked deleted, so it cannot be purged" % ( library.name )
 return trans.response.send_redirect( web.url_for( controller='library_admin',
 action='browse_libraries',
- message=galaxy.util.sanitize_text( message ),
+ message=message,
 status='error' ) )
 else:
 purge_folder( library.root_folder )
@@ -236,5 +234,5 @@
 message = "Library '%s' and all of its contents have been purged, datasets will be removed from disk via the cleanup_datasets script" % library.name
 return trans.response.send_redirect( web.url_for( controller='library_admin',
 action='browse_libraries',
- message=message,
 status='done' ) )
diff -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 lib/galaxy/webapps/galaxy/controllers/library_common.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_common.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py
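Review bot: The rewritten query line in `purge_library` does not check its result: `.get( ... )` returns `None` when the decoded id matches no library, and `library.name` is then dereferenced in the messages further down; `trans.security.decode_id( kwd.get( 'id' ) )` is also called with `None` when the parameter is missing. Add a guard right after the query using the redirect pattern already present below: `if library is None: return trans.response.send_redirect( web.url_for( controller='library_admin', action='browse_libraries', message="Invalid library id.", status='error' ) )`. The comment says this action is only used by functional tests, but it is still a reachable admin endpoint, and the rest of the function lies outside this hunk.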
@@ -20,6 +20,7 @@ from galaxy.util.streamball import StreamBall from galaxy.web.base.controller import BaseUIController, UsesFormDefinitionsMixin, UsesExtendedMetadataMixin, UsesLibraryMixinItems from galaxy.web.form_builder import AddressField, CheckboxField, SelectField, build_select_field +from galaxy.web.framework.helpers import escape from galaxy.model.orm import and_, eagerload_all # Whoosh is compatible with Python 2.5+ Try to import Whoosh and set flag to indicate whether tool search is enabled. @@ -92,14 +93,13 @@ @web.expose def browse_library( self, trans, cntrller='library', **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) # If use_panels is True, the library is being accessed via an external link # which did not originate from within the Galaxy instance, and the library will # be displayed correctly with the mast head. - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - library_id = params.get( 'id', None ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + library_id = kwd.get( 'id', None ) if not library_id: # To handle bots message = "You must specify a library id." 
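Review bot: `status = kwd.get( 'status', 'done' )` in browse_library accepts any string from the query, and the later `escape( status )` only makes it safe to print; the values this controller assigns in the diff are 'done', 'error' and 'warning', so the incoming value could be whitelisted rather than just escaped, e.g. `if status not in ( 'done', 'error', 'warning' ): status = 'done'`. The same read appears in library_info, library_permissions, create_folder, folder_info, folder_permissions, ldda_edit_info, ldda_info, ldda_permissions, upload_library_dataset and add_history_datasets_to_library, so a small helper would avoid repeating the check. How the templates consume `status` is not visible here. browse_library's body continues past this hunk.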
@@ -116,9 +116,9 @@ message = "Invalid library id ( %s ) specified." % str( library_id ) status = 'error' else: - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - created_ldda_ids = params.get( 'created_ldda_ids', '' ) - hidden_folder_ids = util.listify( params.get( 'hidden_folder_ids', '' ) ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + created_ldda_ids = kwd.get( 'created_ldda_ids', '' ) + hidden_folder_ids = util.listify( kwd.get( 'hidden_folder_ids', '' ) ) if created_ldda_ids and not message: message = "%d datasets are uploading in the background to the library '%s' (each is selected). " % \ ( len( created_ldda_ids.split( ',' ) ), library.name ) @@ -137,8 +137,8 @@ show_deleted=show_deleted, comptypes=comptypes, current_user_roles=current_user_roles, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) else: return trans.fill_template( 'library/common/browse_library.mako', cntrller=cntrller, 
@@ -149,44 +149,43 @@ show_deleted=show_deleted, comptypes=comptypes, current_user_roles=current_user_roles, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) except Exception, e: message = 'Error attempting to display contents of library (%s): %s.' % ( str( library.name ), str( e ) ) status = 'error' - default_action = params.get( 'default_action', None ) + default_action = kwd.get( 'default_action', None ) return trans.response.send_redirect( web.url_for( use_panels=use_panels, controller=cntrller, action='browse_libraries', default_action=default_action, - message=util.sanitize_text( message ), + message=message, status=status ) ) @web.expose def library_info( self, trans, cntrller, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() - library_id = params.get( 'id', None ) + library_id = kwd.get( 'id', None ) try: library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( library_id ) ) except: library = None self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'library_info_button', False ): + if kwd.get( 'library_info_button', False ): self._check_modify( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted ) old_name = library.name - new_name = util.restore_text( params.get( 'name', 'No name' ) ) + 
new_name = kwd.get( 'name', 'No name' ) if not new_name: message = 'Enter a valid name' status='error' else: - new_description = util.restore_text( params.get( 'description', '' ) ) - new_synopsis = util.restore_text( params.get( 'synopsis', '' ) ) + new_description = kwd.get( 'description', '' ) + new_synopsis = kwd.get( 'synopsis', '' ) if new_synopsis in [ None, 'None' ]: new_synopsis = '' library.name = new_name @@ -204,7 +203,7 @@ use_panels=use_panels, id=trans.security.encode_id( library.id ), show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) # See if we have any associated templates info_association, inherited = library.get_info_association() 
@@ -220,29 +219,28 @@ show_deleted=show_deleted, info_association=info_association, inherited=inherited, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def library_permissions( self, trans, cntrller, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() - library_id = params.get( 'id', None ) + library_id = kwd.get( 'id', None ) try: library = trans.sa_session.query( trans.app.model.Library ).get( trans.security.decode_id( library_id ) ) except: library = None self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted ) self._check_manage( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'update_roles_button', False ): + if kwd.get( 'update_roles_button', False ): # The user clicked the Save button on the 'Associate With Roles' form permissions = {} for k, v in trans.app.model.Library.permitted_actions.items(): - in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( x ) for x in util.listify( params.get( k + '_in', [] ) ) ] + in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( x ) for x in util.listify( kwd.get( k + '_in', [] ) ) ] permissions[ trans.app.security_agent.get_action( v.action ) ] = in_roles trans.app.security_agent.set_all_library_permissions( trans, library, permissions ) 
trans.sa_session.refresh( library ) @@ -255,7 +253,7 @@ use_panels=use_panels, id=trans.security.encode_id( library.id ), show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) roles = trans.app.security_agent.get_legitimate_roles( trans, library, cntrller ) all_roles = trans.app.security_agent.get_all_roles( trans, cntrller ) @@ -267,15 +265,14 @@ roles=roles, all_roles=all_roles, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def create_folder( self, trans, cntrller, parent_id, library_id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' ) current_user_roles = trans.get_current_user_roles() try: 
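Review bot: In library_permissions the role lookup `trans.sa_session.query( trans.app.model.Role ).get( x )` takes `x` straight from `kwd.get( k + '_in', [] )`, while the parallel line in folder_permissions (hunk @@ -418 below) converts with `int( x )`; in neither place is a failed lookup dropped, so an unknown id puts `None` into `in_roles` and on into set_all_library_permissions, which may or may not tolerate it. Converting and filtering in both handlers, `found = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( kwd.get( k + '_in', [] ) ) ]` followed by `in_roles = [ r for r in found if r is not None ]`, with a ValueError reported as a 'error' message rather than a traceback, makes the two behave the same. This predates the commit, which only renames `params` to `kwd` on these lines. library_permissions' body continues past the hunk.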
@@ -288,9 +285,9 @@ parent_library = parent_folder.parent_library self._check_access( trans, cntrller, is_admin, parent_folder, current_user_roles, use_panels, library_id, show_deleted ) self._check_add( trans, cntrller, is_admin, parent_folder, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'new_folder_button', False ) or cntrller == 'api': - new_folder = trans.app.model.LibraryFolder( name=util.restore_text( params.name ), - description=util.restore_text( params.description ) ) + if kwd.get( 'new_folder_button', False ) or cntrller == 'api': + new_folder = trans.app.model.LibraryFolder( name=kwd.get( 'name', '' ), + description=kwd.get( 'description', '' ) ) # We are associating the last used genome build with folders, so we will always # initialize a new folder with the first dbkey in genome builds list which is currently # ? unspecified (?) @@ -322,7 +319,7 @@ show_deleted=show_deleted, info_association=info_association, inherited=inherited, - message=message, + message=escape( message ), status='done' ) # If not inheritable info_association, redirect to the library. message = "The new folder named '%s' has been added to the data library." % new_folder.name @@ -334,7 +331,7 @@ use_panels=use_panels, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) # We do not render any template widgets on creation pages since saving the info_association # cannot occur before the associated item is saved. 
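Review bot: `new_folder = trans.app.model.LibraryFolder( name=kwd.get( 'name', '' ), description=kwd.get( 'description', '' ) )` creates a folder with an empty name when `name` is absent or blank, and the `cntrller == 'api'` branch reaches it without any button check. folder_info in this same file refuses a blank rename with `message = 'Enter a valid name'`, so create_folder should apply the same guard before constructing the folder: `new_name = kwd.get( 'name', '' )` and `if not new_name: message = 'Enter a valid name'; status = 'error'`, falling through to the existing template render at the end of the function. The rest of create_folder, including that render at @@ -344, is past this hunk.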
@@ -344,15 +341,14 @@ library_id=library_id, folder=parent_folder, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def folder_info( self, trans, cntrller, id, library_id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() try: @@ -360,11 +356,11 @@ except: folder = None self._check_access( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'rename_folder_button', False ): + if kwd.get( 'rename_folder_button', False ): self._check_modify( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) old_name = folder.name - new_name = util.restore_text( params.name ) - new_description = util.restore_text( params.description ) + new_name = kwd.get( 'name', '' ) + new_description = kwd.get( 'description', '' ) if not new_name: message = 'Enter a valid name' status='error' @@ -381,7 +377,7 @@ id=id, library_id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) # See if we have any associated templates widgets = [] 
@@ -401,15 +397,14 @@ show_deleted=show_deleted, info_association=info_association, inherited=inherited, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def folder_permissions( self, trans, cntrller, id, library_id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() try: @@ -418,14 +413,14 @@ folder = None self._check_access( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) self._check_manage( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) - if params.get( 'update_roles_button', False ): + if kwd.get( 'update_roles_button', False ): # The user clicked the Save button on the 'Associate With Roles' form permissions = {} for k, v in trans.app.model.Library.permitted_actions.items(): if k != 'LIBRARY_ACCESS': # LIBRARY_ACCESS is a special permission set only at the library level # and it is not inherited. - in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( params.get( k + '_in', [] ) ) ] + in_roles = [ trans.sa_session.query( trans.app.model.Role ).get( int( x ) ) for x in util.listify( kwd.get( k + '_in', [] ) ) ] permissions[ trans.app.security_agent.get_action( v.action ) ] = in_roles trans.app.security_agent.set_all_library_permissions( trans, folder, permissions ) trans.sa_session.refresh( folder ) 
@@ -437,7 +432,7 @@ id=trans.security.encode_id( folder.id ), library_id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) # If the library is public all roles are legitimate, but if the library # is restricted, only those roles associated with the LIBRARY_ACCESS @@ -451,15 +446,14 @@ current_user_roles=current_user_roles, roles=roles, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def ldda_edit_info( self, trans, cntrller, library_id, folder_id, id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() try: @@ -468,7 +462,7 @@ ldda = None self._check_access( trans, cntrller, is_admin, ldda, current_user_roles, use_panels, library_id, show_deleted ) self._check_modify( trans, cntrller, is_admin, ldda, current_user_roles, use_panels, library_id, show_deleted ) - dbkey = params.get( 'dbkey', '?' ) + dbkey = kwd.get( 'dbkey', '?' ) if isinstance( dbkey, list ): dbkey = dbkey[0] file_formats = [ dtype_name for dtype_name, dtype_value in trans.app.datatypes_registry.datatypes_by_extension.iteritems() if dtype_value.allow_datatype_change ] 
@@ -492,26 +486,26 @@ info_association, inherited = ldda.get_info_association() if info_association and ( not( inherited ) or info_association.inheritable ): widgets = ldda.get_template_widgets( trans ) - if params.get( 'change', False ): + if kwd.get( 'change', False ): # The user clicked the Save button on the 'Change data type' form if __ok_to_edit_metadata( ldda.id ): - if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( params.datatype ).allow_datatype_change: - trans.app.datatypes_registry.change_datatype( ldda, params.datatype ) + if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( kwd.get( 'datatype' ) ).allow_datatype_change: + trans.app.datatypes_registry.change_datatype( ldda, kwd.get( 'datatype' ) ) trans.sa_session.flush() message = "Data type changed for library dataset '%s'." % ldda.name status = 'done' else: - message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( ldda.extension, params.datatype ) + message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( ldda.extension, kwd.get( 'datatype' ) ) status = 'error' else: message = "This dataset is currently being used as input or output. You cannot change datatype until the jobs have completed or you have canceled them." status = "error" - elif params.get( 'save', False ): + elif kwd.get( 'save', False ): # The user clicked the Save button on the 'Edit Attributes' form old_name = ldda.name - new_name = util.restore_text( params.get( 'name', '' ) ) - new_info = util.restore_text( params.get( 'info', '' ) ) - new_message = util.restore_text( params.get( 'message', '' ) ) + new_name = kwd.get( 'name', '' ) + new_info = kwd.get( 'info', '' ) + new_message = kwd.get( 'message', '' ) if not new_name: message = 'Enter a valid name' status = 'error' 
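Review bot: `kwd.get( 'datatype' )` is read three times in the change-datatype branch; binding it once, `new_ext = kwd.get( 'datatype' )`, and using that in the `get_datatype_by_extension` call, the `change_datatype` call and the error message keeps the three uses in step. The preceding hunk (@@ -468) normalizes `dbkey` with `if isinstance( dbkey, list ): dbkey = dbkey[0]`, which shows kwd values can arrive as lists, but `new_name`, `new_info` and `new_message` read here get no such treatment, so a repeated form field would reach `ldda.name` and later `escape( message )` as a list — presumably not what escape() expects. Applying the same single-value normalization to those reads would close that. ldda_edit_info extends beyond this hunk in both directions.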
@@ -524,12 +518,12 @@ for name, spec in ldda.datatype.metadata_spec.items(): if spec.get("readonly"): continue - optional = params.get( "is_" + name, None ) + optional = kwd.get( "is_" + name, None ) if optional and optional == 'true': # optional element... == 'true' actually means it is NOT checked (and therefore ommitted) setattr( ldda.metadata, name, None ) else: - setattr( ldda.metadata, name, spec.unwrap( params.get ( name, None ) ) ) + setattr( ldda.metadata, name, spec.unwrap( kwd.get( name, None ) ) ) ldda.metadata.dbkey = dbkey ldda.datatype.after_setting_metadata( ldda ) message = "Attributes updated for library dataset '%s'." % ldda.name @@ -538,7 +532,7 @@ message = "Attributes updated, but metadata could not be changed because this dataset is currently being used as input or output. You must cancel or wait for these jobs to complete before changing metadata." status = 'warning' trans.sa_session.flush() - elif params.get( 'detect', False ): + elif kwd.get( 'detect', False ): # The user clicked the Auto-detect button on the 'Edit Attributes' form if __ok_to_edit_metadata( ldda.id ): for name, spec in ldda.datatype.metadata_spec.items(): @@ -553,8 +547,8 @@ message = "This dataset is currently being used as input or output. You cannot change metadata until the jobs have completed or you have canceled them." status = 'error' trans.sa_session.flush() - elif params.get( 'change_extended_metadata', False): - em_string = util.restore_text( params.get("extended_metadata", "") ) + elif kwd.get( 'change_extended_metadata', False): + em_string = kwd.get("extended_metadata", "" ) if len(em_string): payload = None try: 
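Review bot: The new line `em_string = kwd.get("extended_metadata", "" )` mixes the file's `( 'x', y )` spacing with no space after the opening paren, and uses double quotes where every other rewritten `kwd.get` in this diff uses single quotes; `em_string = kwd.get( 'extended_metadata', '' )` matches the surrounding style. This is a style point only; the branch's behavior is unchanged.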
@@ -604,16 +598,15 @@ show_deleted=show_deleted, info_association=info_association, inherited=inherited, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def ldda_info( self, trans, cntrller, library_id, folder_id, id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - show_associated_hdas_and_lddas = util.string_as_bool( params.get( 'show_associated_hdas_and_lddas', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + show_associated_hdas_and_lddas = util.string_as_bool( kwd.get( 'show_associated_hdas_and_lddas', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) is_admin = trans.user_is_admin() and cntrller == 'library_admin' current_user_roles = trans.get_current_user_roles() ldda = trans.sa_session.query( trans.app.model.LibraryDatasetDatasetAssociation ).get( trans.security.decode_id( id ) ) 
@@ -653,15 +646,14 @@ current_user_roles=current_user_roles, info_association=info_association, inherited=inherited, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) ids = util.listify( id ) lddas = [] libraries = [] @@ -685,7 +677,7 @@ id=library_id, cntrller=cntrller, use_panels=use_panels, - message=util.sanitize_text( message ), + message=message, status='error' ) ) # If access to the dataset is restricted, then use the roles associated with the DATASET_ACCESS permission to # determine the legitimate roles. If the dataset is public, see if access to the library is restricted. If @@ -698,7 +690,7 @@ roles = trans.app.security_agent.get_legitimate_roles( trans, library, cntrller ) else: roles = trans.app.security_agent.get_legitimate_roles( trans, ldda.dataset, cntrller ) - if params.get( 'update_roles_button', False ): + if kwd.get( 'update_roles_button', False ): # Dataset permissions access_action = trans.app.security_agent.get_action( trans.app.security_agent.permitted_actions.DATASET_ACCESS.action ) manage_permissions_action = trans.app.security_agent.get_action( trans.app.security_agent.permitted_actions.DATASET_MANAGE_PERMISSIONS.action ) 
@@ -755,8 +747,8 @@ library_id=library_id, roles=roles, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) if len( ids ) > 1: # Ensure that the permissions across all library items are identical, otherwise we can't update them together. check_list = [] @@ -781,7 +773,7 @@ use_panels=use_panels, id=library_id, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) # Display permission form, permissions will be updated for all lddas simultaneously. return trans.fill_template( "/library/common/ldda_permissions.mako", 
@@ -791,31 +783,30 @@ library_id=library_id, roles=roles, show_deleted=show_deleted, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) @web.expose def upload_library_dataset( self, trans, cntrller, library_id, folder_id, **kwd ): - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - ldda_message = util.restore_text( params.get( 'ldda_message', '' ) ) - deleted = util.string_as_bool( params.get( 'deleted', False ) ) - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - use_panels = util.string_as_bool( params.get( 'use_panels', False ) ) - replace_id = params.get( 'replace_id', None ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + ldda_message = kwd.get( 'ldda_message', '' ) + deleted = util.string_as_bool( kwd.get( 'deleted', False ) ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) + replace_id = kwd.get( 'replace_id', None ) replace_dataset = None - upload_option = params.get( 'upload_option', 'upload_file' ) - if params.get( 'files_0|space_to_tab', False ): - space_to_tab = params.get( 'files_0|space_to_tab', '' ) + upload_option = kwd.get( 'upload_option', 'upload_file' ) + if kwd.get( 'files_0|space_to_tab', False ): + space_to_tab = kwd.get( 'files_0|space_to_tab', '' ) else: - space_to_tab = params.get( 'space_to_tab', '' ) - link_data_only = params.get( 'link_data_only', 'copy_files' ) - dbkey = params.get( 'dbkey', '?' ) + space_to_tab = kwd.get( 'space_to_tab', '' ) + link_data_only = kwd.get( 'link_data_only', 'copy_files' ) + dbkey = kwd.get( 'dbkey', '?' 
) if isinstance( dbkey, list ): last_used_build = dbkey[0] else: last_used_build = dbkey - roles = params.get( 'roles', '' ) + roles = kwd.get( 'roles', '' ) is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' ) current_user_roles = trans.get_current_user_roles() widgets = [] @@ -844,7 +835,7 @@ library = folder.parent_library if folder and last_used_build in [ 'None', None, '?' ]: last_used_build = folder.genome_build - if params.get( 'runtool_btn', False ) or params.get( 'ajax_upload', False ) or cntrller == 'api': + if kwd.get( 'runtool_btn', False ) or kwd.get( 'ajax_upload', False ) or cntrller == 'api': error = False if upload_option == 'upload_paths' and not trans.app.config.allow_library_path_paste: error = True @@ -869,7 +860,7 @@ replace_id=replace_id, upload_option=upload_option, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) else: # See if we have any inherited templates. @@ -883,7 +874,7 @@ for index, widget_dict in enumerate( widgets ): widget = widget_dict[ 'widget' ] if isinstance( widget, AddressField ): - value = util.restore_text( params.get( widget.name, '' ) ) + value = kwd.get( widget.name, '' ) if value == 'new': if self.field_param_values_ok( widget.name, 'AddressField', **kwd ): # Save the new address @@ -966,7 +957,7 @@ default_action=default_action, created_ldda_ids=created_ldda_ids, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='done' ) ) else: created_ldda_ids = '' @@ -981,7 +972,7 @@ id=library_id, created_ldda_ids=created_ldda_ids, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status=status ) ) # Note: if the upload form was submitted due to refresh_on_change for a form field, we cannot re-populate # the field for the selected file ( files_0|file_data ) if the user selected one. This is because the value 
@@ -1040,8 +1031,8 @@ link_data_only=link_data_only, show_deleted=show_deleted, ldda_message=ldda_message, - message=message, - status=status ) + message=escape( message ), + status=escape( status ) ) def upload_dataset( self, trans, cntrller, library_id, folder_id, replace_dataset=None, **kwd ): # Set up the traditional tool state/params tool_id = 'upload1' @@ -1054,16 +1045,15 @@ if input.type == "upload_dataset": dataset_upload_inputs.append( input ) # Library-specific params - params = util.Params( kwd ) # is this filetoolparam safe? - show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) - server_dir = util.restore_text( params.get( 'server_dir', '' ) ) + show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) + message = kwd.get( 'message', '' ) + status = kwd.get( 'status', 'done' ) + server_dir = kwd.get( 'server_dir', '' ) if replace_dataset not in [ None, 'None' ]: replace_id = trans.security.encode_id( replace_dataset.id ) else: replace_id = None - upload_option = params.get( 'upload_option', 'upload_file' ) + upload_option = kwd.get( 'upload_option', 'upload_file' ) response_code = 200 if upload_option == 'upload_directory': if server_dir in [ None, 'None', '' ]: @@ -1092,7 +1082,7 @@ try: # FIXME: instead of passing params here ( which have been processed by util.Params(), the original kwd # should be passed so that complex objects that may have been included in the initial request remain. - library_bunch = upload_common.handle_library_params( trans, params, folder_id, replace_dataset ) + library_bunch = upload_common.handle_library_params( trans, kwd, folder_id, replace_dataset ) except: response_code = 500 message = "Unable to parse upload parameters, please report this error." 
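Review bot: The FIXME above `library_bunch = upload_common.handle_library_params( trans, kwd, folder_id, replace_dataset )` at @@ -1092 still says the call passes `params` processed by util.Params() and that the original kwd should be passed instead; this hunk does exactly that, so the comment is now stale and should be removed or reduced to `# kwd is passed unprocessed so complex objects from the original request are preserved.`. The removed `# is this filetoolparam safe?` question at @@ -1054 seems to go away with the Params line without being answered; if it still applies to the raw `kwd`, it belongs next to the handle_library_params call. upload_dataset's signature is in this hunk but its body continues past it.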
@@ -1103,9 +1093,9 @@ tool_params = upload_common.persist_uploads( tool_params ) uploaded_datasets = upload_common.get_uploaded_datasets( trans, cntrller, tool_params, precreated_datasets, dataset_upload_inputs, library_bunch=library_bunch ) elif upload_option == 'upload_directory': - uploaded_datasets, response_code, message = self.get_server_dir_uploaded_datasets( trans, cntrller, params, full_dir, import_dir_desc, library_bunch, response_code, message ) + uploaded_datasets, response_code, message = self.get_server_dir_uploaded_datasets( trans, cntrller, kwd, full_dir, import_dir_desc, library_bunch, response_code, message ) elif upload_option == 'upload_paths': - uploaded_datasets, response_code, message = self.get_path_paste_uploaded_datasets( trans, cntrller, params, library_bunch, response_code, message ) + uploaded_datasets, response_code, message = self.get_path_paste_uploaded_datasets( trans, cntrller, kwd, library_bunch, response_code, message ) upload_common.cleanup_unused_precreated_datasets( precreated_datasets ) if upload_option == 'upload_file' and not uploaded_datasets: response_code = 400 @@ -1121,7 +1111,7 @@ replace_id=replace_id, upload_option=upload_option, show_deleted=show_deleted, - message=util.sanitize_text( message ), + message=message, status='error' ) ) json_file_path = upload_common.create_paramfile( trans, uploaded_datasets ) data_list = [ ud.data for ud in uploaded_datasets ] @@ -1135,7 +1125,7 @@ def make_library_uploaded_dataset( self, trans, cntrller, params, name, path, type, library_bunch, in_folder=None ): link_data_only = params.get( 'link_data_only', 'copy_files' ) uuid_str = params.get( 'uuid', None ) - file_type = params.file_type + file_type = params.get( 'file_type' ) library_bunch.replace_dataset = None # not valid for these types of upload uploaded_dataset = util.bunch.Bunch() new_name = name 
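Review bot: get_server_dir_uploaded_datasets, get_path_paste_uploaded_datasets and make_library_uploaded_dataset now receive the raw `kwd` dict, but their parameter is still named `params`, which until this commit meant a util.Params object; the bodies were switched to `.get()` so they work on a dict, yet nothing says so. Either renaming the parameter to `kwd` or adding a docstring line to make_library_uploaded_dataset such as `params: the request keyword arguments as a plain dict (no longer a util.Params instance)` would stop the next reader from assuming attribute access is available. `params.get( 'file_type' )` has no default, so a missing key yields None in `uploaded_dataset.file_type` unchecked — worth confirming the downstream upload code accepts that. make_library_uploaded_dataset's body runs past this hunk.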
@@ -1151,8 +1141,8 @@ uploaded_dataset.type = type uploaded_dataset.ext = None uploaded_dataset.file_type = file_type - uploaded_dataset.dbkey = params.dbkey - uploaded_dataset.space_to_tab = params.space_to_tab + uploaded_dataset.dbkey = params.get( 'dbkey' ) + uploaded_dataset.space_to_tab = params.get( 'space_to_tab' ) if in_folder: uploaded_dataset.in_folder = in_folder uploaded_dataset.data = upload_common.new_upload( trans, cntrller, uploaded_dataset, library_bunch ) @@ -1247,7 +1237,7 @@ files_and_folders.append((file_path, file, in_folder)) return files_and_folders def _paths_list(self, params): - return [ (l.strip(), os.path.abspath(l.strip())) for l in params.filesystem_paths.splitlines() if l.strip() ] + return [ (l.strip(), os.path.abspath(l.strip())) for l in params.get( 'filesystem_paths', '' ).splitlines() if l.strip() ] def _check_path_paste_params(self, params): if params.get( 'filesystem_paths', '' ) == '': 
@@ -1259,33 +1249,32 @@
if not os.path.exists( path ):
bad_paths.append( path )
if bad_paths:
- message = "Invalid paths:<br><ul><li>%s</li></ul>" % "</li><li>".join( bad_paths )
+ message = 'Invalid paths: "%s".' % '", "'.join( bad_paths )
response_code = 400
return None, response_code, message
return None
@web.expose
def add_history_datasets_to_library( self, trans, cntrller, library_id, folder_id, hda_ids='', **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- ldda_message = util.restore_text( params.get( 'ldda_message', '' ) )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- replace_id = params.get( 'replace_id', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ ldda_message = kwd.get( 'ldda_message', '' )
+ show_deleted = kwd.get( 'show_deleted', False )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ replace_id = kwd.get( 'replace_id', None )
replace_dataset = None
- upload_option = params.get( 'upload_option', 'import_from_history' )
- if params.get( 'files_0|space_to_tab', False ):
- space_to_tab = params.get( 'files_0|space_to_tab', '' )
+ upload_option = kwd.get( 'upload_option', 'import_from_history' )
+ if kwd.get( 'files_0|space_to_tab', False ):
+ space_to_tab = kwd.get( 'files_0|space_to_tab', '' )
else:
- space_to_tab = params.get( 'space_to_tab', '' )
- link_data_only = params.get( 'link_data_only', 'copy_files' )
- dbkey = params.get( 'dbkey', '?' )
+ space_to_tab = kwd.get( 'space_to_tab', '' )
+ link_data_only = kwd.get( 'link_data_only', 'copy_files' )
+ dbkey = kwd.get( 'dbkey', '?' 
)
if isinstance( dbkey, list ):
last_used_build = dbkey[0]
else:
last_used_build = dbkey
- roles = params.get( 'roles', '' )
+ roles = kwd.get( 'roles', '' )
is_admin = trans.user_is_admin() and cntrller in ( 'library_admin', 'api' )
current_user_roles = trans.get_current_user_roles()
widgets = []
@@ -1323,9 +1312,9 @@
cntrller=cntrller,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
- if params.get( 'add_history_datasets_to_library_button', False ):
+ if kwd.get( 'add_history_datasets_to_library_button', False ):
hda_ids = util.listify( hda_ids )
if hda_ids:
dataset_names = []
@@ -1354,7 +1343,7 @@
trans.app.security_agent.copy_library_permissions( trans, folder, ldda )
trans.app.security_agent.copy_library_permissions( trans, folder, ldda.library_dataset )
else:
- library_bunch = upload_common.handle_library_params( trans, params, folder_id, replace_dataset )
+ library_bunch = upload_common.handle_library_params( trans, kwd, folder_id, replace_dataset )
if library_bunch.template and library_bunch.template_field_contents:
# Since information templates are inherited, the template fields can be displayed on the upload form.
# If the user has added field contents, we'll need to create a new form_values and info_association
@@ -1422,12 +1411,12 @@
id=library_id,
created_ldda_ids=created_ldda_ids,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
else:
message = 'Select at least one dataset from the list of active datasets in your current history'
status = 'error'
- upload_option = params.get( 'upload_option', 'import_from_history' )
+ upload_option = kwd.get( 'upload_option', 'import_from_history' )
widgets = self._get_populated_widgets( folder )
# Send list of data formats to the upload form so the "extension" select list can be populated dynamically
file_formats = trans.app.datatypes_registry.upload_file_formats
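Review bot: `show_deleted = kwd.get( 'show_deleted', False )` in the `add_history_datasets_to_library` hunk drops the `util.string_as_bool` wrapper that the removed line had and that the adjacent `use_panels` line keeps, so a query-string value such as `show_deleted=False` is now the non-empty string `'False'`, which is truthy wherever the value is tested and is what the redirects below forward as `show_deleted=show_deleted`. Every other action in this commit keeps `util.string_as_bool( kwd.get( 'show_deleted', False ) )`; this one should read the same: `show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )`. The method continues past the last hunk on this line.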
@@ -1461,8 +1450,8 @@
link_data_only=link_data_only,
show_deleted=show_deleted,
ldda_message=ldda_message,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
def _build_roles_select_list( self, trans, cntrller, library, selected_role_ids=[] ):
# Get the list of legitimate roles to display on the upload form. If the library is public,
# all active roles are legitimate. If the library is restricted by the LIBRARY_ACCESS permission, only
@@ -1521,8 +1510,7 @@
def download_dataset_from_folder( self, trans, cntrller, id, library_id=None, **kwd ):
"""Catches the dataset id and displays file contents as directed"""
show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
- params = util.Params( kwd )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -1555,15 +1543,14 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
@web.expose
def library_dataset_info( self, trans, cntrller, id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
@@ -1571,11 +1558,11 @@
except:
library_dataset = None
self._check_access( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'edit_attributes_button', False ):
+ if kwd.get( 'edit_attributes_button', False ):
self._check_modify( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
old_name = library_dataset.name
- new_name = util.restore_text( params.get( 'name', '' ) )
- new_info = util.restore_text( params.get( 'info', '' ) )
+ new_name = kwd.get( 'name', '' )
+ new_info = kwd.get( 'info', '' )
if not new_name:
message = 'Enter a valid name'
status = 'error'
@@ -1604,15 +1591,14 @@
widgets=widgets,
widget_fields_have_contents=widget_fields_have_contents,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def library_dataset_permissions( self, trans, cntrller, id, library_id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
current_user_roles = trans.get_current_user_roles()
try:
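Review bot: `new_name` and `new_info` in the `edit_attributes_button` branch are now stored exactly as submitted, so the safety of these fields rests entirely on every template that prints `ldda.name` and `ldda.info` applying `| h`. The browse templates later in this commit filter `ldda.name` but still render `${render_library_item_info( ldda )}` unfiltered, and the templates behind `library_dataset_info` are not in this diff, so confirm they escape `name` and `info` before rendering. A comment at the assignment would make the contract explicit: `# stored unescaped; templates must apply | h when rendering name/info`. `library_dataset_info` begins in the previous hunk and continues after this one.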
@@ -1621,7 +1607,7 @@
library_dataset = None
self._check_access( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
self._check_manage( trans, cntrller, is_admin, library_dataset, current_user_roles, use_panels, library_id, show_deleted )
- if params.get( 'update_roles_button', False ):
+ if kwd.get( 'update_roles_button', False ):
# The user clicked the Save button on the 'Associate With Roles' form
permissions = {}
for k, v in trans.app.model.Library.permitted_actions.items():
@@ -1652,22 +1638,21 @@
roles=roles,
current_user_roles=current_user_roles,
show_deleted=show_deleted,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def make_library_item_public( self, trans, cntrller, library_id, item_type, id, **kwd ):
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
current_user_roles = trans.get_current_user_roles()
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
if item_type == 'library':
library = trans.sa_session.query( trans.model.Library ).get( trans.security.decode_id( id ) )
self._check_access( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
self._check_manage( trans, cntrller, is_admin, library, current_user_roles, use_panels, library_id, show_deleted )
- contents = util.string_as_bool( params.get( 'contents', 'False' ) )
+ contents = util.string_as_bool( kwd.get( 'contents', 'False' ) )
trans.app.security_agent.make_library_public( library, contents=contents )
if contents:
message = "The data library (%s) and all its contents have been made publicly accessible." % library.name
@@ -1694,7 +1679,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
@web.expose
def act_on_multiple_datasets( self, trans, cntrller, library_id=None, ldda_ids='', **kwd ):
@@ -1718,12 +1703,11 @@
rval += '%s %i %s%s %s\r\n' % ( crc, size, self.url_base, quoted_fname, relpath )
return rval
# Perform an action on a list of library datasets.
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- action = params.get( 'do_action', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ action = kwd.get( 'do_action', None )
lddas = []
error = False
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
@@ -1738,7 +1722,7 @@
else:
if action in [ 'import_to_current_history', 'import_to_histories' ]:
new_kwd = {}
- if action == 'import_to_current_history':
+ if current_history is not None and action == 'import_to_current_history':
encoded_current_history_id = trans.security.encode_id( current_history.id )
selected_history_id = encoded_current_history_id
new_kwd[ 'do_action' ] = action
@@ -1809,7 +1793,7 @@
folder_id=folder_id,
id=",".join( encoded_ldda_ids ),
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
else:
message = "You are not authorized to manage permissions on any of the selected datasets."
@@ -1970,11 +1954,11 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
else:
# We arrived here from the library_dataset_search_results page, so redirect there.
- search_term = params.get( 'search_term', '' )
+ search_term = kwd.get( 'search_term', '' )
comptypes = get_comptypes( trans )
return trans.fill_template( '/library/common/library_dataset_search_results.mako',
cntrller=cntrller,
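Review bot: The new guard `if current_history is not None and action == 'import_to_current_history':` avoids dereferencing `current_history.id`, but when the user has no current history and explicitly asked for `import_to_current_history` the request now falls through to whatever the `else` branch (outside this hunk) does for `import_to_histories`, while `new_kwd[ 'do_action' ] = action` still records the original action. If that path is not meant to handle a missing history, an explicit error branch setting `message` and `status = 'error'` is clearer than the silent fallback; if the fallback is intended, a one-line comment above the guard saying so would stop the next reader from treating it as an oversight. This is inferred from the visible lines only — the `else` and the rest of `act_on_multiple_datasets` lie outside the hunk.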
@@ -1984,8 +1968,8 @@
lddas=lddas,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def import_datasets_to_histories( self, trans, cntrller, library_id='', folder_id='', ldda_ids='', target_history_id='', target_history_ids='', new_history_name='', **kwd ):
@@ -1995,12 +1979,11 @@
# - a select list option for acting on multiple selected datasets within a library
# ( ldda_ids is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( ldda_ids is a comma separated string of ldda ids )
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- action = params.get( 'do_action', None )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ action = kwd.get( 'do_action', None )
user = trans.get_user()
current_history = trans.get_history()
if library_id:
@@ -2019,7 +2002,7 @@
target_history_ids = set( [ trans.security.decode_id( target_history_id ) for target_history_id in target_history_ids if target_history_id ] )
elif target_history_id:
target_history_ids = [ trans.security.decode_id( target_history_id ) ]
- if params.get( 'import_datasets_to_histories_button', False ):
+ if kwd.get( 'import_datasets_to_histories_button', False ):
invalid_datasets = 0
if not ldda_ids or not ( target_history_ids or new_history_name ):
message = "You must provide one or more source library datasets and one or more target histories."
@@ -2083,11 +2066,13 @@
# to the lddas in order for the menu optin to be available.
ldda = trans.sa_session.query( trans.model.LibraryDatasetDatasetAssociation ).get( ldda_id )
source_lddas.append( ldda )
+ if current_history is None:
+ current_history = trans.get_history( create=True )
if current_history is not None:
target_histories = [ current_history ]
else:
target_histories = []
- message = 'You must have a history before you can import datasets. You can do this by <a href="%s" target="_top">loading the analysis interface</a>.' % url_for(controller='root')
+ message = 'You must have a history before you can import datasets. You can do this by loading the analysis interface.'
status = 'error'
if user:
target_histories = user.active_histories
@@ -2097,7 +2082,7 @@
action='browse_library',
cntrller=cntrller,
id=library_id,
- message=util.sanitize_text( message ),
+ message=message,
status=status ) )
return trans.fill_template( "/library/common/import_datasets_to_histories.mako",
cntrller=cntrller,
@@ -2111,15 +2096,14 @@
new_history_name=new_history_name,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def manage_template_inheritance( self, trans, cntrller, item_type, library_id, folder_id=None, ldda_id=None, **kwd ):
- params = util.Params( kwd )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' )
current_user_roles = trans.get_current_user_roles()
try:
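Review bot: `new_history_name=new_history_name` is handed to `import_datasets_to_histories.mako` unescaped on the line just above the newly escaped `message`, although it is a user-settable parameter of the same action; unless that template applies `| h` itself (it is not in this diff), it should be treated like `message`: `new_history_name=escape( new_history_name ),`. Separately, in the first hunk `trans.get_history( create=True )` now runs before `if current_history is not None:`, which makes the `else` branch and its "You must have a history" message look unreachable unless `get_history( create=True )` can still return None — either drop the dead branch or add a comment saying why it stays. Creating a history as a side effect of rendering the import form is also a behaviour change the commit message does not mention. All three hunks sit inside `import_datasets_to_histories`, which begins in an earlier hunk.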
@@ -2138,7 +2122,7 @@
cntrller=cntrller,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
info_association, inherited = item.get_info_association( restrict=True )
if info_association:
@@ -2157,7 +2141,7 @@
folder_id=folder_id,
id=id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='done' ) )
@web.expose
def move_library_item( self, trans, cntrller, item_type, item_id, source_library_id='', make_target_current=True, **kwd ):
@@ -2168,11 +2152,10 @@
# 'ldda' and item_id is a comma separated string of ldda ids )
# - a menu option for a library dataset search result set ( item_type is 'ldda' and item_id is a
# comma separated string of ldda ids )
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
- show_deleted = util.string_as_bool( params.get( 'show_deleted', False ) )
- use_panels = util.string_as_bool( params.get( 'use_panels', False ) )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
+ show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) )
+ use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
make_target_current = util.string_as_bool( make_target_current )
is_admin = trans.user_is_admin() and cntrller == 'library_admin'
user = trans.get_user()
@@ -2186,14 +2169,14 @@
else:
# Request sent from the library_dataset_search_results page.
source_library = None
- target_library_id = params.get( 'target_library_id', '' )
+ target_library_id = kwd.get( 'target_library_id', '' )
if target_library_id not in [ '', 'none', None ]:
target_library = trans.sa_session.query( trans.model.Library ).get( trans.security.decode_id( target_library_id ) )
elif make_target_current:
target_library = source_library
else:
target_library = None
- target_folder_id = params.get( 'target_folder_id', '' )
+ target_folder_id = kwd.get( 'target_folder_id', '' )
if target_folder_id not in [ '', 'none', None ]:
target_folder = trans.sa_session.query( trans.model.LibraryFolder ).get( trans.security.decode_id( target_folder_id ) )
if target_library is None:
@@ -2208,7 +2191,7 @@
elif item_type == 'folder':
move_folder_id = item_id
move_folder = trans.sa_session.query( trans.model.LibraryFolder ).get( trans.security.decode_id( move_folder_id ) )
- if params.get( 'move_library_item_button', False ):
+ if kwd.get( 'move_library_item_button', False ):
if not ( move_ldda_ids or move_folder_id ) or target_folder_id in [ '', 'none', None ]:
message = "You must select a source folder or one or more source datasets, and a target folder."
status = 'error'
@@ -2372,8 +2355,8 @@
target_folder_id_select_field=target_folder_id_select_field,
show_deleted=show_deleted,
use_panels=use_panels,
- message=message,
- status=status )
+ message=escape( message ),
+ status=escape( status ) )
@web.expose
def delete_library_item( self, trans, cntrller, library_id, item_id, item_type, **kwd ):
# This action will handle deleting all types of library items. State is saved for libraries and
@@ -2541,7 +2524,7 @@
action='browse_libraries',
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
return trans.response.send_redirect( web.url_for( controller='library_common',
action='browse_library',
@@ -2549,7 +2532,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
def _check_add( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ):
# Deny access if the user is not an admin and does not have the LIBRARY_ADD permission.
@@ -2564,7 +2547,7 @@
use_panels=use_panels,
id=library_id,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
def _check_manage( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ):
if isinstance( item, trans.model.LibraryDataset ):
@@ -2580,7 +2563,7 @@
id=library_id,
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
# Deny access if the user is not an admin and does not have the LIBRARY_MANAGE permission.
if not ( is_admin or trans.app.security_agent.can_manage_library_item( current_user_roles, item ) ):
@@ -2592,7 +2575,7 @@
id=library_id,
cntrller=cntrller,
use_panels=use_panels,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
def _check_modify( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ):
# Deny modification if the user is not an admin and does not have the LIBRARY_MODIFY permission.
@@ -2606,7 +2589,7 @@
id=library_id,
use_panels=use_panels,
show_deleted=show_deleted,
- message=util.sanitize_text( message ),
+ message=message,
status='error' ) )
# ---- Utility methods -------------------------------------------------------
@@ -2740,9 +2723,8 @@
return map( operator.getitem, intermed, ( -1, ) * len( intermed ) )
def lucene_search( trans, cntrller, search_term, search_url, **kwd ):
"""Return display of results from a full-text lucene search of data libraries."""
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
full_url = "%s/find?%s" % ( search_url, urllib.urlencode( { "kwd" : search_term } ) )
response = urllib2.urlopen( full_url )
ldda_ids = util.json.loads( response.read() )[ "ids" ]
@@ -2751,9 +2733,8 @@
return status, message, get_sorted_accessible_library_items( trans, cntrller, lddas, 'name' )
def whoosh_search( trans, cntrller, search_term, **kwd ):
"""Return display of results from a full-text whoosh search of data libraries."""
- params = util.Params( kwd )
- message = util.restore_text( params.get( 'message', '' ) )
- status = params.get( 'status', 'done' )
+ message = kwd.get( 'message', '' )
+ status = kwd.get( 'status', 'done' )
ok = True
if whoosh_search_enabled:
whoosh_index_dir = trans.app.config.whoosh_index_dir
diff -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 templates/webapps/galaxy/library/common/browse_library.mako
--- a/templates/webapps/galaxy/library/common/browse_library.mako
+++ b/templates/webapps/galaxy/library/common/browse_library.mako
@@ -236,29 +236,29 @@ %if current_version and ( not ldda.library_dataset.deleted or show_deleted ): <tr class="datasetRow" %if parent is not None: - parent="${parent}" + parent="${parent | h}" %endif - id="libraryItem-${ldda.id}"> + id="libraryItem-${ldda.id | h}"><td style="padding-left: ${pad+20}px;"> - <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id )}" value="${trans.security.encode_id( ldda.id )}" + <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}" %if selected: checked="checked" %endif /> %if simple: - <label for="${trans.security.encode_id( ldda.id )}">${ util.unicodify( ldda.name )}</label> + <label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label> %else: - <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id}-popup"> + <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}"> %if ldda.library_dataset.deleted: - <div class="libraryItem-error">${util.unicodify( ldda.name )}</div> + <div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div> %else: - ${util.unicodify( ldda.name )} + ${util.unicodify( ldda.name ) | h} %endif </a></div> %if not library.deleted: - <div popupmenu="dataset-${ldda.id}-popup"> + <div popupmenu="dataset-${ldda.id | h}-popup"> %if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify: <a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, 
library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a> @@ -287,7 +287,7 @@ %endif %if can_modify: %if not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.deleted: - <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name )}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a> + <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name ) | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a> %elif not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.purged and ldda.library_dataset.deleted: <a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Undelete this dataset</a> %endif 
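Review bot: In the dataset-row hunk `<td style="padding-left: ${pad+20}px;">` stays unfiltered while the matching folder-row cell in a later hunk of this file (`${folder_pad | h}px`) gets `| h`, and the `href="${h.url_for( ... )}"` attributes are left as they were throughout; those values are integers and encoded ids, so this is a consistency point rather than an exposure, but if the rule being applied is "every `${}` in this template is filtered" it should hold for these too. Also worth checking: `| h` inside the `confirm="...'${util.unicodify( ldda.name ) | h}'..."` attribute escapes `"` but, depending on which Mako is bundled (`cgi.escape(s, True)` versus `markupsafe.escape`), may leave `'` untouched, so the single-quoted name inside the attribute is only as safe as that filter — verify against the bundled version. Both points apply equally to the identical hunks in browse_library_opt.mako at the end of this page.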
@@ -298,10 +298,10 @@ </td> % if not simple: <td id="libraryItemInfo">${render_library_item_info( ldda )}</td> - <td>${ldda.extension}</td> + <td>${ldda.extension | h}</td> % endif - <td>${ldda.create_time.strftime( trans.app.config.pretty_datetime_format )}</td> - <td>${ldda.get_size( nice_size=True )}</td> + <td>${ldda.create_time.strftime( trans.app.config.pretty_datetime_format ) | h}</td> + <td>${ldda.get_size( nice_size=True ) | h}</td></tr><% my_row = row_counter.count 
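Review bot: `${render_library_item_info( ldda )}` on the context line of this hunk is the one expression in the row left without `| h`, while `ldda.extension`, the creation time and the size on the surrounding lines now get it. If that def prints `ldda.info` or other user-settable fields (the controller hunks in this commit now store `info` and `name` unfiltered), escaping has to happen inside the def, since its output is inserted here as raw markup; confirm it does, or add the filter at each `${}` inside it. The same line presumably appears in browse_library_opt.mako, whose corresponding hunk is past the end of this page.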
@@ -355,28 +355,28 @@ %> %if not root_folder and ( not folder.deleted or show_deleted ): <% encoded_id = trans.security.encode_id( folder.id ) %> - <tr id="folder-${encoded_id}" class="folderRow libraryOrFolderRow" + <tr id="folder-${encoded_id | h}" class="folderRow libraryOrFolderRow" %if parent is not None: - parent="${parent}" + parent="${parent | h}" style="display: none;" %endif > - <td style="padding-left: ${folder_pad}px;"> + <td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/> - <span class="expandLink folder-${encoded_id}-click"> - <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id}-popup"> - <a class="folder-${encoded_id}-click" href="javascript:void(0);"> + <span class="expandLink folder-${encoded_id | h}-click"> + <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup"> + <a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span> %if folder.deleted: - <div class="libraryItem-error">${folder.name}</div> + <div class="libraryItem-error">${folder.name | h}</div> %else: - ${folder.name} + ${folder.name | h} %endif </a></div></span> %if not library.deleted: - <div popupmenu="folder_img-${folder.id}-popup"> + <div popupmenu="folder_img-${folder.id | h}-popup"> %if not branch_deleted( folder ) and can_add: <a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add 
sub-folder</a> @@ -407,7 +407,7 @@ %endif %if can_modify: %if not library.deleted and not folder.deleted: - <a class="action-button" confirm="Click OK to delete the folder '${folder.name}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a> + <a class="action-button" confirm="Click OK to delete the folder '${folder.name | h}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a> %elif not library.deleted and folder.deleted and not folder.purged: <a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Undelete this folder</a> %endif @@ -416,7 +416,7 @@ %endif <td> %if folder.description: - ${folder.description} + ${folder.description | h} %endif <td colspan="3"></td></tr> @@ -504,7 +504,7 @@ return str( self.count ) %> - <h2>Data Library “${library.name}”</h2> + <h2>Data Library “${library.name | h}”</h2><ul class="manage-table-actions"> %if not library.deleted and ( is_admin or can_add ): 
@@ -517,7 +517,7 @@ %if not library.deleted: %if can_modify: <a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a> - <a class="action-button" confirm="Click OK to delete the library named '${library.name}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a> + <a class="action-button" confirm="Click OK to delete the library named '${library.name | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a> %if show_deleted: <a class="action-button" href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=False )}">Hide deleted items</a> %else: @@ -555,7 +555,7 @@ %if library.synopsis not in [ '', 'None', None ]: <div class="libraryItemBody"> - ${library.synopsis} + ${library.synopsis | h} </div> %endif @@ -610,6 +610,6 @@ ${render_compression_types_help( comptypes )} %endif %if not has_accessible_folders: - The data library '${library.name}' does not contain any datasets that you can access. + The data library '${library.name | h}' does not contain any datasets that you can access. %endif </%def> diff -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 templates/webapps/galaxy/library/common/browse_library_opt.mako --- a/templates/webapps/galaxy/library/common/browse_library_opt.mako +++ b/templates/webapps/galaxy/library/common/browse_library_opt.mako 
@@ -228,29 +228,29 @@ %if current_version and ( not ldda.library_dataset.deleted or show_deleted ): <tr class="datasetRow" %if parent is not None: - parent="${parent}" + parent="${parent | h}" %endif - id="libraryItem-${ldda.id}"> + id="libraryItem-${ldda.id | h}"><td style="padding-left: ${pad+20}px;"> - <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id )}" value="${trans.security.encode_id( ldda.id )}" + <input style="float: left;" type="checkbox" name="ldda_ids" id="${trans.security.encode_id( ldda.id ) | h}" value="${trans.security.encode_id( ldda.id ) | h}" %if selected: checked="checked" %endif /> %if simple: - <label for="${trans.security.encode_id( ldda.id )}">${ util.unicodify( ldda.name )}</label> + <label for="${trans.security.encode_id( ldda.id ) | h}">${ util.unicodify( ldda.name ) | h}</label> %else: - <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id}-popup"> + <div style="float: left; margin-left: 1px;" class="menubutton split popup" id="dataset-${ldda.id | h}-popup"><a class="view-info" href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}"> %if ldda.library_dataset.deleted: - <div class="libraryItem-error">${util.unicodify( ldda.name )}</div> + <div class="libraryItem-error">${util.unicodify( ldda.name ) | h}</div> %else: - ${util.unicodify( ldda.name )} + ${util.unicodify( ldda.name ) | h} %endif </a></div> %if not library.deleted: - <div popupmenu="dataset-${ldda.id}-popup"> + <div popupmenu="dataset-${ldda.id | h}-popup"> %if not branch_deleted( folder ) and not ldda.library_dataset.deleted and can_modify: <a class="action-button" href="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, 
library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), id=trans.security.encode_id( ldda.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a><a class="action-button" href="${h.url_for( controller='library_common', action='move_library_item', cntrller=cntrller, item_type='ldda', item_id=trans.security.encode_id( ldda.id ), source_library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Move this dataset</a> @@ -279,7 +279,7 @@ %endif %if can_modify: %if not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.deleted: - <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name )}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a> + <a class="action-button" confirm="Click OK to delete dataset '${util.unicodify( ldda.name ) | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Delete this dataset</a> %elif not library.deleted and not branch_deleted( folder ) and not ldda.library_dataset.purged and ldda.library_dataset.deleted: <a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library_dataset.id ), item_type='library_dataset', show_deleted=show_deleted )}">Undelete this dataset</a> %endif 
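Review bot: Applying `| h` to `ldda.id` and to `trans.security.encode_id( ldda.id )` in the -228 hunk escapes values the template derives from integers and the security helper, which makes the policy behind the change hard to distinguish from the genuine untrusted-input fixes such as `${util.unicodify( ldda.name ) | h}` on the same lines. Blanket escaping is a sound defense-in-depth choice, but it should be stated once rather than inferred per line; a comment at the top of the def along the lines of `## Every interpolated value goes through | h, ids included, so a later change of type cannot reintroduce raw output.` would do. The -362 hunk (`folder_pad`, `encoded_id`) and the -290 hunk (`strftime`, `get_size`) follow the same pattern. The def containing this hunk starts outside it.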
@@ -290,10 +290,10 @@ </td> % if not simple: <td id="libraryItemInfo">${render_library_item_info( ldda )}</td> - <td>${ldda.extension}</td> + <td>${ldda.extension | h}</td> % endif - <td>${ldda.create_time.strftime( "%Y-%m-%d" )}</td> - <td>${ldda.get_size( nice_size=True )}</td> + <td>${ldda.create_time.strftime( "%Y-%m-%d" ) | h}</td> + <td>${ldda.get_size( nice_size=True ) | h}</td></tr><% my_row = row_counter.count 
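Review bot: `${render_library_item_info( ldda )}` on the third context line of the -290 hunk is still emitted without `| h` while the cells around it are now escaped, so that def is trusted to return already-escaped markup; its body is not in this diff, so whether it escapes the ldda fields it renders cannot be confirmed here. A comment on that line would make the contract explicit: `## render_library_item_info returns markup and must escape ldda values itself; do not add | h here.` Escaping the `strftime` and `get_size` results on the added lines is harmless but redundant, since as far as this hunk shows both come from model formatting rather than user input.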
@@ -362,28 +362,28 @@ %> %if not root_folder and ( not folder.deleted or show_deleted ): <% encoded_id = trans.security.encode_id( folder.id ) %> - <tr id="folder-${encoded_id}" class="folderRow libraryOrFolderRow" + <tr id="folder-${encoded_id | h}" class="folderRow libraryOrFolderRow" %if parent is not None: - parent="${parent}" + parent="${parent | h}" style="display: none;" %endif > - <td style="padding-left: ${folder_pad}px;"> + <td style="padding-left: ${folder_pad | h}px;"><input type="checkbox" class="folderCheckbox"/> - <span class="expandLink folder-${encoded_id}-click"> - <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id}-popup"> - <a class="folder-${encoded_id}-click" href="javascript:void(0);"> + <span class="expandLink folder-${encoded_id | h}-click"> + <div style="float: left; margin-left: 2px;" class="menubutton split popup" id="folder_img-${folder.id | h}-popup"> + <a class="folder-${encoded_id | h}-click" href="javascript:void(0);"><span class="rowIcon"></span> %if folder.deleted: - <div class="libraryItem-error">${folder.name}</div> + <div class="libraryItem-error">${folder.name | h}</div> %else: - ${folder.name} + ${folder.name | h} %endif </a></div></span> %if not library.deleted: - <div popupmenu="folder_img-${folder.id}-popup"> + <div popupmenu="folder_img-${folder.id | h}-popup"> %if not branch_deleted( folder ) and can_add: <a class="action-button" href="${h.url_for( controller='library_common', action='upload_library_dataset', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), folder_id=trans.security.encode_id( folder.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add datasets</a><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add 
sub-folder</a> @@ -414,7 +414,7 @@ %endif %if can_modify: %if not library.deleted and not folder.deleted: - <a class="action-button" confirm="Click OK to delete the folder '${folder.name}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a> + <a class="action-button" confirm="Click OK to delete the folder '${folder.name | h}.'" href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Delete this folder</a> %elif not library.deleted and folder.deleted and not folder.purged: <a class="action-button" href="${h.url_for( controller='library_common', action='undelete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( folder.id ), item_type='folder', show_deleted=show_deleted )}">Undelete this folder</a> %endif @@ -423,7 +423,7 @@ %endif <td> %if folder.description: - ${folder.description} + ${folder.description | h} %endif <td colspan="3"></td></tr> 
@@ -515,12 +515,12 @@ <li><a class="action-button" href="${h.url_for( controller='library_common', action='create_folder', cntrller=cntrller, parent_id=trans.security.encode_id( library.root_folder.id ), library_id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Add folder</a></li> %endif %if ( ( not library.deleted ) and ( can_modify or can_manage ) ) or ( can_modify and not library.purged ) or ( library.purged ): - <li><a class="action-button" id="library-${library.id}-popup" class="menubutton">Library Actions</a></li> - <div popupmenu="library-${library.id}-popup"> + <li><a class="action-button" id="library-${library.id | h}-popup" class="menubutton">Library Actions</a></li> + <div popupmenu="library-${library.id | h}-popup"> %if not library.deleted: %if can_modify: <a class="action-button" href="${h.url_for( controller='library_common', action='library_info', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=show_deleted )}">Edit information</a> - <a class="action-button" confirm="Click OK to delete the library named '${library.name}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a> + <a class="action-button" confirm="Click OK to delete the library named '${library.name | h}'." href="${h.url_for( controller='library_common', action='delete_library_item', cntrller=cntrller, library_id=trans.security.encode_id( library.id ), item_id=trans.security.encode_id( library.id ), item_type='library' )}">Delete this data library</a> %if show_deleted: <a class="action-button" href="${h.url_for( controller='library_common', action='browse_library', cntrller=cntrller, id=trans.security.encode_id( library.id ), use_panels=use_panels, show_deleted=False )}">Hide deleted items</a> %else: 
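Review bot: The `<a>` on the first added line of the -515 hunk carries two `class` attributes (`class="action-button" id="library-${library.id | h}-popup" class="menubutton"`); HTML parsers keep the first occurrence, so `menubutton` never applies to that element. Merging them, `<li><a class="action-button menubutton" id="library-${library.id | h}-popup">Library Actions</a></li>`, fixes that without touching the popup wiring on the next line. The corresponding lines of browse_library.mako fall between its -504 and -517 hunks and are not part of this commit, so if that template has the same markup it keeps both the duplicate attribute and the unescaped `${library.id}`.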
@@ -558,7 +558,7 @@ %if library.synopsis not in [ '', 'None', None ]: <div class="libraryItemBody"> - ${library.synopsis} + ${library.synopsis | h} </div> %endif @@ -616,6 +616,6 @@ ${render_compression_types_help( comptypes )} %endif %if not has_accessible_folders: - The data library '${library.name}' does not contain any datasets that you can access. + The data library '${library.name | h}' does not contain any datasets that you can access. %endif </%def> diff -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 templates/webapps/galaxy/library/common/common.mako --- a/templates/webapps/galaxy/library/common/common.mako +++ b/templates/webapps/galaxy/library/common/common.mako 
@@ -88,19 +88,19 @@ else: tool_form_title = 'Upload files' %> - <div class="toolFormTitle">${tool_form_title}</div> + <div class="toolFormTitle">${tool_form_title | h}</div><div class="toolFormBody"><form name="upload_library_dataset" id="upload_library_dataset" action="${action}" enctype="multipart/form-data" method="post"><input type="hidden" name="tool_id" value="upload1"/><input type="hidden" name="tool_state" value="None"/> - <input type="hidden" name="cntrller" value="${cntrller}"/> - <input type="hidden" name="library_id" value="${library_id}"/> - <input type="hidden" name="folder_id" value="${folder_id}"/> - <input type="hidden" name="show_deleted" value="${show_deleted}"/> + <input type="hidden" name="cntrller" value="${cntrller | h}"/> + <input type="hidden" name="library_id" value="${library_id | h}"/> + <input type="hidden" name="folder_id" value="${folder_id | h}"/> + <input type="hidden" name="show_deleted" value="${show_deleted | h}"/> %if replace_dataset not in [ None, 'None' ]: - <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id )}"/> + <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id ) | h}"/><div class="form-row"> - You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${util.unicodify( replace_dataset.name )}</a>'. + You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${util.unicodify( replace_dataset.name ) | h}</a>'. <div style="clear: both"></div></div> %endif 
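Review bot: `action="${action}"` on the `<form>` in the -88 hunk is the one interpolated attribute on that form left without `| h`, while every hidden input beside it is now escaped. `action` is an argument of the enclosing def and its callers are not in this diff; if it is always an `h.url_for(...)` result it is safe today, but `<form name="upload_library_dataset" id="upload_library_dataset" action="${action | h}" enctype="multipart/form-data" method="post">` costs nothing and keeps the form uniform with the rest of the change. The `href` values built with `h.url_for` on the same lines are left as they are, consistent with the rest of the commit.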
@@ -120,7 +120,7 @@ <select name="file_type"><option value="auto" selected>Auto-detect</option> %for file_format in file_formats: - <option value="${file_format}">${file_format}</option> + <option value="${file_format | h}">${file_format | h}</option> %endfor </select></div> @@ -176,23 +176,23 @@ %for entry in os.listdir( import_dir ): ## Do not include entries that are not directories %if os.path.isdir( os.path.join( import_dir, entry ) ): - <option>${entry}</option> + <option>${entry | h}</option> %endif %endfor %else: %if ( trans.user_is_admin() and cntrller == 'library_admin' ): - <option>${import_dir}</option> + <option>${import_dir | h}</option> %else: - <option>${trans.user.email}</option> + <option>${trans.user.email | h}</option> %endif %endif </select></div><div class="toolParamHelp" style="clear: both;"> %if contains_directories: - Upload all files in a sub-directory of <strong>${import_dir}</strong> on the Galaxy server. + Upload all files in a sub-directory of <strong>${import_dir | h}</strong> on the Galaxy server. %else: - Upload all files in <strong>${import_dir}</strong> on the Galaxy server. + Upload all files in <strong>${import_dir | h}</strong> on the Galaxy server. %endif </div><div style="clear: both"></div> @@ -282,9 +282,9 @@ %> %for dbkey in dbkeys: %if dbkey[1] == default_selected: - <option value="${dbkey[1]}" selected>${dbkey[0]}</option> + <option value="${dbkey[1] | h}" selected>${dbkey[0] | h}</option> %else: - <option value="${dbkey[1]}">${dbkey[0]}</option> + <option value="${dbkey[1] | h}">${dbkey[0] | h}</option> %endif %endfor </select> @@ -295,7 +295,7 @@ <label>Message:</label><div class="form-row-input"> %if ldda_message: - <textarea name="ldda_message" rows="3" cols="35">${ldda_message}</textarea> + <textarea name="ldda_message" rows="3" cols="35">${ldda_message | h}</textarea> %else: <textarea name="ldda_message" rows="3" cols="35"></textarea> %endif 
@@ -320,13 +320,13 @@ %if widgets: %for i, field in enumerate( widgets ): <div class="form-row"> - <label>${field[ 'label' ]}</label> + <label>${field[ 'label' ] | h}</label><div class="form-row-input"> ${field[ 'widget' ].get_html()} </div><div class="toolParamHelp" style="clear: both;"> %if field[ 'helptext' ]: - ${field[ 'helptext' ]}<br/> + ${field[ 'helptext' ] | h}<br/> %endif *Inherited template field </div> @@ -342,14 +342,14 @@ </div> %elif upload_option == 'import_from_history': <div class="toolForm"> - <div class="toolFormTitle">Active datasets in your current history (${ util.unicodify( history.name )})</div> + <div class="toolFormTitle">Active datasets in your current history (${ util.unicodify( history.name ) | h})</div><div class="toolFormBody"> %if history and history.active_datasets: <form name="add_history_datasets_to_library" action="${h.url_for( controller='library_common', action='add_history_datasets_to_library', cntrller=cntrller, library_id=library_id )}" enctype="multipart/form-data" method="post"> - <input type="hidden" name="folder_id" value="${folder_id}"/> - <input type="hidden" name="show_deleted" value="${show_deleted}"/> + <input type="hidden" name="folder_id" value="${folder_id | h}"/> + <input type="hidden" name="show_deleted" value="${show_deleted | h}"/><input type="hidden" name="upload_option" value="import_from_history"/> - <input type="hidden" name="ldda_message" value="${ldda_message}"/> + <input type="hidden" name="ldda_message" value="${ldda_message | h}"/><% role_ids_selected = '' if roles_select_list: 
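Review bot: `${field[ 'widget' ].get_html()}` in the -320 hunk stays unescaped between the newly escaped `label` and `helptext` lines, so the widget objects are trusted to produce already-escaped markup; their implementation is not part of this diff. A one-line comment at that spot would stop a later escaping sweep from either filtering it (which would break the widget) or assuming it is safe without checking: `## widget markup is emitted raw; the widget class is responsible for escaping its values`. The same raw call appears in the -357 hunk of this file.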
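Review bot: The title on the first added line of the -342 hunk dereferences `history.name` two lines before the guard `%if history and history.active_datasets:`, so if `history` is None the template fails on the title instead of reaching the empty-history branch. The guard suggests None is a reachable value; if so the heading needs the same protection, for instance `<div class="toolFormTitle">Active datasets in your current history (${ ( util.unicodify( history.name ) if history else '' ) | h})</div>`. This is pre-existing, but the escaping change rewrites exactly that line. The enclosing `%elif upload_option == 'import_from_history':` block continues past the end of the hunk.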
@@ -357,32 +357,32 @@ if selected: role_ids_selected = ','.join( selected ) %> - <input type="hidden" name="roles" value="${role_ids_selected}"/> + <input type="hidden" name="roles" value="${role_ids_selected | h}"/> %if replace_dataset not in [ None, 'None' ]: - <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id )}"/> + <input type="hidden" name="replace_id" value="${trans.security.encode_id( replace_dataset.id ) | h}"/><div class="form-row"> - You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${ util.unicodify( replace_dataset.name )}</a>'. + You are currently selecting a new file to replace '<a href="${h.url_for( controller='library_common', action='ldda_info', cntrller=cntrller, library_id=library_id, folder_id=folder_id, id=trans.security.encode_id( replace_dataset.library_dataset_dataset_association.id ) )}">${ util.unicodify( replace_dataset.name ) | h}</a>'. 
<div style="clear: both"></div></div> %endif %for hda in history.visible_datasets: <% encoded_id = trans.security.encode_id( hda.id ) %><div class="form-row"> - <input name="hda_ids" id="hist_${encoded_id}" value="${encoded_id}" type="checkbox"/> - <label for="hist_${encoded_id}" style="display: inline;font-weight:normal;">${hda.hid}: ${ util.unicodify( hda.name )}</label> + <input name="hda_ids" id="hist_${encoded_id | h}" value="${encoded_id | h}" type="checkbox"/> + <label for="hist_${encoded_id | h}" style="display: inline;font-weight:normal;">${hda.hid | h}: ${ util.unicodify( hda.name ) | h}</label></div> %endfor %if widgets: - <input type="hidden" name="template_id" value="${template_id}"/> + <input type="hidden" name="template_id" value="${template_id | h}"/> %for i, field in enumerate( widgets ): <div class="form-row"> - <label>${field[ 'label' ]}</label> + <label>${field[ 'label' ] | h}</label><div class="form-row-input"> ${field[ 'widget' ].get_html()} </div><div class="toolParamHelp" style="clear: both;"> %if field[ 'helptext' ]: - ${field[ 'helptext' ]}<br/> + ${field[ 'helptext' ] | h}<br/> %endif *Inherited template field </div> diff -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 templates/webapps/galaxy/library/common/import_datasets_to_histories.mako --- a/templates/webapps/galaxy/library/common/import_datasets_to_histories.mako +++ b/templates/webapps/galaxy/library/common/import_datasets_to_histories.mako 
@@ -34,8 +34,8 @@ checked = " checked='checked'" %><div class="form-row"> - <input type="checkbox" name="ldda_ids" id="dataset_${encoded_id}" value="${encoded_id}" ${checked}/> - <label for="dataset_${encoded_id}" style="display: inline;font-weight:normal;">${util.unicodify( source_ldda.name )}</label> + <input type="checkbox" name="ldda_ids" id="dataset_${encoded_id | h}" value="${encoded_id | h}" ${checked}/> + <label for="dataset_${encoded_id | h}" style="display: inline;font-weight:normal;">${util.unicodify( source_ldda.name ) | h}</label></div> %endfor %else: @@ -61,7 +61,7 @@ else: current_history_text = "" %> - <option value="${encoded_id}"${selected_text}>${i + 1}: ${h.truncate( util.unicodify( target_history.name ), 30 )}${current_history_text}</option> + <option value="${encoded_id | h}"${selected_text}>${i + 1}: ${h.truncate( util.unicodify( target_history.name ), 30 ) | h}${current_history_text | h}</option> %endfor </select><br/><br/> @@ -77,8 +77,8 @@ current_history_text = "" %><div class="form-row"> - <input type="checkbox" name="target_history_ids" id="target_history_${encoded_id}" value="${encoded_id}"/> - <label for="target_history_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${util.unicodify( target_history.name )}${current_history_text}</label> + <input type="checkbox" name="target_history_ids" id="target_history_${encoded_id | h}" value="${encoded_id | h}"/> + <label for="target_history_${encoded_id | h}" style="display: inline; font-weight:normal;">${i + 1}: ${util.unicodify( target_history.name ) | h}${current_history_text | h}</label></div> %endfor </div> diff -r 704efd2f5e06b9f6e63246d2324874cf7f28d83a -r 07404a82972d877b5529fffaeb3e7e05b69a02a3 templates/webapps/galaxy/library/common/ldda_edit_info.mako --- a/templates/webapps/galaxy/library/common/ldda_edit_info.mako +++ b/templates/webapps/galaxy/library/common/ldda_edit_info.mako 
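Review bot: `${checked}` on the added input line of the -34 hunk and `${selected_text}` in the -61 hunk are left without `| h` on lines where everything else is now escaped; the context shows `checked = " checked='checked'"` is a literal attribute fragment built in the `<% %>` block, and `selected_text` is presumably built the same way, so escaping either would turn its quotes into entities and break the markup. That is correct, but it is exactly the exception a later escaping sweep will trip over; a comment at the `<% %>` block, `## checked / selected_text are literal attribute text and must stay unfiltered`, would record it. Escaping after `h.truncate( ... )` in the -61 hunk is the right order, since truncating an already-escaped string could cut an entity in half.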
@@ -34,9 +34,9 @@ <select name="datatype"> %for ext in file_formats: %if ldda.ext == ext: - <option value="${ext}" selected="yes">${ext}</option> + <option value="${ext | h}" selected="yes">${ext | h}</option> %else: - <option value="${ext}">${ext}</option> + <option value="${ext | h}">${ext | h}</option> %endif %endfor </select> @@ -44,24 +44,24 @@ %if ( trans.user_is_admin() and cntrller=='library_admin' ) or trans.app.security_agent.can_modify_library_item( current_user_roles, ldda.library_dataset ): <div class="toolForm"> - <div class="toolFormTitle">Edit attributes of ${util.unicodify( ldda.name )}</div> + <div class="toolFormTitle">Edit attributes of ${util.unicodify( ldda.name ) | h}</div><div class="toolFormBody"><form name="edit_attributes" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post"> - <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/> + <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><div class="form-row"><label>Name:</label> - <input type="text" name="name" value="${util.unicodify( ldda.name )}" size="40"/> + <input type="text" name="name" value="${util.unicodify( ldda.name ) | h}" size="40"/><div style="clear: both"></div></div><div class="form-row"><label>Info:</label> - <input type="text" name="info" value="${util.unicodify( ldda.info )}" size="40"/> + <input type="text" name="info" value="${util.unicodify( ldda.info ) | h}" size="40"/><div style="clear: both"></div></div><div class="form-row"><label>Message:</label> %if ldda.message: - <textarea name="message" rows="3" cols="35">${ldda.message}</textarea> + <textarea name="message" rows="3" cols="35">${ldda.message | h}</textarea> %else: <textarea name="message" rows="3" cols="35"></textarea> %endif 
@@ -73,7 +73,7 @@ %for name, spec in ldda.metadata.spec.items(): %if spec.visible: <div class="form-row"> - <label>${spec.desc}:</label> + <label>${spec.desc | h}:</label> ${ldda.metadata.get_html_by_name( name, trans=trans )} <div style="clear: both"></div></div> @@ -85,7 +85,7 @@ </form><form name="auto_detect" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post"><div class="form-row"> - <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/> + <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><input type="submit" name="detect" value="Auto-detect"/><div class="toolParamHelp" style="clear: both;"> This will inspect the dataset and attempt to correct the above column values if they are not accurate. @@ -101,7 +101,7 @@ %if ldda.datatype.allow_datatype_change: <form name="change_datatype" action="${h.url_for( controller='library_common', action='ldda_edit_info', cntrller=cntrller, library_id=library_id, folder_id=trans.security.encode_id( ldda.library_dataset.folder.id ), use_panels=use_panels, show_deleted=show_deleted, )}" method="post"><div class="form-row"> - <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/> + <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><label>New Type:</label> ${datatype( ldda, file_formats )} <div class="toolParamHelp" style="clear: both;"> 
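Review bot: `${ldda.metadata.get_html_by_name( name, trans=trans )}` on the context line after the escaped `<label>` in the -73 hunk is still emitted raw, so the metadata element's HTML rendering is trusted to escape the stored metadata value; that code is not in this diff. The read-only view in the -147 hunk now escapes the same value via `${ldda.metadata.get( name ) | h}`, so the two paths treat it differently, which is worth recording at this line: `## get_html_by_name builds the input markup and must escape the metadata value itself`. If that method already escapes, the comment simply documents the contract it is relied on for.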
@@ -129,10 +129,10 @@ <div class="form-row"><label>Extended Metadata:</label></div> - <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id )}"/> + <input type="hidden" name="id" value="${trans.security.encode_id( ldda.id ) | h}"/><div class="form-row"> %if ldda.extended_metadata: - <textarea name="extended_metadata" rows="15" cols="35">${util.pretty_print_json(ldda.extended_metadata.data)}</textarea> + <textarea name="extended_metadata" rows="15" cols="35">${util.pretty_print_json(ldda.extended_metadata.data) | h}</textarea> %else: <textarea name="extended_metadata" rows="15" cols="35"></textarea> %endif @@ -147,28 +147,28 @@ <p/> %else: <div class="toolForm"> - <div class="toolFormTitle">View information about ${util.unicodify( ldda.name )}</div> + <div class="toolFormTitle">View information about ${util.unicodify( ldda.name ) | h}</div><div class="toolFormBody"><div class="form-row"><label>Name:</label> - ${util.unicodify( ldda.name )} + ${util.unicodify( ldda.name ) | h} <div style="clear: both"></div></div><div class="form-row"><label>Info:</label> - ${util.unicodify( ldda.info )} + ${util.unicodify( ldda.info ) | h} <div style="clear: both"></div></div><div class="form-row"><label>Data Format:</label> - ${ldda.ext} + ${ldda.ext | h} <div style="clear: both"></div></div> %for name, spec in ldda.metadata.spec.items(): %if spec.visible: <div class="form-row"> - <label>${spec.desc}:</label> - ${ldda.metadata.get( name )} + <label>${spec.desc | h}:</label> + ${ldda.metadata.get( name ) | h} <div style="clear: both"></div></div> %endif This diff is so big that we needed to truncate the remainder. Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.