commit/galaxy-central: carlfeberhard: Security, UI: minor fixes to history, dataset, and page escaping; escape js tag and annotation displays
1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/9dc543bfedd7/
Changeset: 9dc543bfedd7
Branch: next-stable
User: carlfeberhard
Date: 2014-11-26 17:28:28+00:00
Summary: Security, UI: minor fixes to history, dataset, and page escaping; escape js tag and annotation displays
Affected #: 18 files
diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 client/galaxy/scripts/mvc/annotations.js
--- a/client/galaxy/scripts/mvc/annotations.js
+++ b/client/galaxy/scripts/mvc/annotations.js
@@ -56,7 +56,7 @@
 '<label class="prompt">', _l( 'Annotation' ), '</label>',
 // set up initial tags by adding as CSV to input vals (necc. to init select2)
 '<div class="annotation" title="', _l( 'Edit annotation' ), '">',
- annotation,
+ _.escape( annotation ),
 '</div>'
 ].join( '' );
 },
diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 client/galaxy/scripts/mvc/tags.js
--- a/client/galaxy/scripts/mvc/tags.js
+++ b/client/galaxy/scripts/mvc/tags.js
@@ -56,7 +56,9 @@
 if( !_.isArray( tagsArray ) || _.isEmpty( tagsArray ) ){
 return '';
 }
- return tagsArray.sort().join( ',' );
+ return tagsArray.map( function( tag ){
+ return _.escape( tag );
+ }).sort().join( ',' );
 },
 
 /** @returns {jQuery} the input for this view */
diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 static/scripts/mvc/annotations.js
--- a/static/scripts/mvc/annotations.js
+++ b/static/scripts/mvc/annotations.js
@@ -56,7 +56,7 @@
 '<label class="prompt">', _l( 'Annotation' ), '</label>',
 // set up initial tags by adding as CSV to input vals (necc. to init select2)
 '<div class="annotation" title="', _l( 'Edit annotation' ), '">',
- annotation,
+ _.escape( annotation ),
 '</div>'
 ].join( '' );
 },
diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 static/scripts/mvc/tags.js
--- a/static/scripts/mvc/tags.js
+++ b/static/scripts/mvc/tags.js
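Review bot: The escape in `_template` is only effective because the string is handed to `this.$el.html()` in `render` and the edit path writes back with `.text(e)` in `on_finish` (both outside this hunk, visible in the packed copy further down); a later change that interpolates the model value anywhere else would reopen the hole, so a short guard comment above the escaped line is worth adding: `// annotation is user-supplied and this string goes through $el.html(): keep it escaped`. `annotation` can be undefined on a fresh model; Underscore's `_.escape` returns `''` for null/undefined, which matches what `join('')` produced for the bare value before, so there is no regression there. This commit patches client/, static/ and static/packed/ in lock-step by hand; if the packed copy is not regenerated from client/ by the build, the three can silently diverge on the next edit.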
@@ -56,7 +56,9 @@
 if( !_.isArray( tagsArray ) || _.isEmpty( tagsArray ) ){
 return '';
 }
- return tagsArray.sort().join( ',' );
+ return tagsArray.map( function( tag ){
+ return _.escape( tag );
+ }).sort().join( ',' );
 },
 
 /** @returns {jQuery} the input for this view */
diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 static/scripts/packed/mvc/annotations.js
--- a/static/scripts/packed/mvc/annotations.js
+++ b/static/scripts/packed/mvc/annotations.js
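Review bot: `tagsToCSV` now sorts the escaped strings instead of the raw tags, so a tag such as `a&b` is ordered by `a&amp;b` and the displayed order can differ from the previous behaviour; sorting first and escaping second keeps the old order and, like the new code, leaves the model's array untouched (the old `tagsArray.sort()` sorted it in place): `return tagsArray.slice().sort().map( _.escape ).join( ',' );`. The escaped CSV is placed in the `value=""` attribute of the input built by `_template` (visible in the packed copy below), where the browser decodes the entities, so `$input().val()` and the select2 `change` handler still see raw tags; that is non-obvious and deserves a comment on the return line, e.g. `// escaped for the value="" attribute; the browser decodes entities, so .val() yields raw tags`. The enclosing function starts outside the hunk.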
@@ -1,1 +1,1 @@ -define(["mvc/base-mvc","utils/localization"],function(a,c){var b=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"annotation-display",initialize:function(d){d=d||{};this.tooltipConfig=d.tooltipConfig||{placement:"bottom"};this.listenTo(this.model,"change:annotation",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$el.find("[title]").tooltip(this.tooltipConfig);this.$annotation().make_text_editable({use_textarea:true,on_finish:function(e){d.$annotation().text(e);d.model.save({annotation:e},{silent:true}).fail(function(){d.$annotation().text(d.model.previous("annotation"))})}});return this},_template:function(){var d=this.model.get("annotation");return['<label class="prompt">',c("Annotation"),"</label>",'<div class="annotation" title="',c("Edit annotation"),'">',d,"</div>"].join("")},$annotation:function(){return this.$el.find(".annotation")},remove:function(){this.$annotation.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["AnnotationEditor(",this.model+"",")"].join("")}});return{AnnotationEditor:b}}); \ No newline at end of file +define(["mvc/base-mvc","utils/localization"],function(a,c){var b=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"annotation-display",initialize:function(d){d=d||{};this.tooltipConfig=d.tooltipConfig||{placement:"bottom"};this.listenTo(this.model,"change:annotation",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var 
d=this;this.$el.html(this._template());this.$el.find("[title]").tooltip(this.tooltipConfig);this.$annotation().make_text_editable({use_textarea:true,on_finish:function(e){d.$annotation().text(e);d.model.save({annotation:e},{silent:true}).fail(function(){d.$annotation().text(d.model.previous("annotation"))})}});return this},_template:function(){var d=this.model.get("annotation");return['<label class="prompt">',c("Annotation"),"</label>",'<div class="annotation" title="',c("Edit annotation"),'">',_.escape(d),"</div>"].join("")},$annotation:function(){return this.$el.find(".annotation")},remove:function(){this.$annotation.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["AnnotationEditor(",this.model+"",")"].join("")}});return{AnnotationEditor:b}}); \ No newline at end of file diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 static/scripts/packed/mvc/tags.js --- a/static/scripts/packed/mvc/tags.js +++ b/static/scripts/packed/mvc/tags.js 
@@ -1,1 +1,1 @@ -define(["mvc/base-mvc","utils/localization"],function(a,b){var c=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"tags-display",initialize:function(d){this.listenTo(this.model,"change:tags",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$input().select2({placeholder:"Add tags",width:"100%",tags:function(){return d._getTagsUsed()}});this._setUpBehaviors();return this},_template:function(){return['<label class="prompt">',b("Tags"),"</label>",'<input class="tags-input" value="',this.tagsToCSV(),'" />'].join("")},tagsToCSV:function(){var d=this.model.get("tags");if(!_.isArray(d)||_.isEmpty(d)){return""}return d.sort().join(",")},$input:function(){return this.$el.find("input.tags-input")},_getTagsUsed:function(){return Galaxy.currUser.get("tags_used")},_setUpBehaviors:function(){var d=this;this.$input().on("change",function(e){d.model.save({tags:e.val},{silent:true});if(e.added){d._addNewTagToTagsUsed(e.added.text+"")}})},_addNewTagToTagsUsed:function(d){var e=Galaxy.currUser.get("tags_used");if(!_.contains(e,d)){e.push(d);e.sort();Galaxy.currUser.set("tags_used",e)}},remove:function(){this.$input.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["TagsEditor(",this.model+"",")"].join("")}});return{TagsEditor:c}}); \ No newline at end of file +define(["mvc/base-mvc","utils/localization"],function(a,b){var c=Backbone.View.extend(a.LoggableMixin).extend(a.HiddenUntilActivatedViewMixin).extend({tagName:"div",className:"tags-display",initialize:function(d){this.listenTo(this.model,"change:tags",function(){this.render()});this.hiddenUntilActivated(d.$activator,d)},render:function(){var d=this;this.$el.html(this._template());this.$input().select2({placeholder:"Add tags",width:"100%",tags:function(){return d._getTagsUsed()}});this._setUpBehaviors();return 
this},_template:function(){return['<label class="prompt">',b("Tags"),"</label>",'<input class="tags-input" value="',this.tagsToCSV(),'" />'].join("")},tagsToCSV:function(){var d=this.model.get("tags");if(!_.isArray(d)||_.isEmpty(d)){return""}return d.map(function(e){return _.escape(e)}).sort().join(",")},$input:function(){return this.$el.find("input.tags-input")},_getTagsUsed:function(){return Galaxy.currUser.get("tags_used")},_setUpBehaviors:function(){var d=this;this.$input().on("change",function(e){d.model.save({tags:e.val},{silent:true});if(e.added){d._addNewTagToTagsUsed(e.added.text+"")}})},_addNewTagToTagsUsed:function(d){var e=Galaxy.currUser.get("tags_used");if(!_.contains(e,d)){e.push(d);e.sort();Galaxy.currUser.set("tags_used",e)}},remove:function(){this.$input.off();this.stopListening(this.model);Backbone.View.prototype.remove.call(this)},toString:function(){return["TagsEditor(",this.model+"",")"].join("")}});return{TagsEditor:c}}); \ No newline at end of file diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/dataset/copy_view.mako --- a/templates/webapps/galaxy/dataset/copy_view.mako +++ b/templates/webapps/galaxy/dataset/copy_view.mako @@ -53,7 +53,7 @@ %><option value="${trans.security.encode_id(hist.id)}" ${selected}> - ${i + 1}: ${h.truncate(util.unicodify( hist.name ), 30)}${current_history_text} + ${i + 1}: ${h.truncate(util.unicodify( hist.name ), 30) | h}${current_history_text} </option> %endfor </select> @@ -70,7 +70,7 @@ %><div class="form-row"><input type="checkbox" name="source_content_ids" id="${input_id}" value="${input_id}"${checked}/> - <label for="${input_id}" style="display: inline;font-weight:normal;"> ${data.hid}: ${h.to_unicode(data.name)}</label> + <label for="${input_id}" style="display: inline;font-weight:normal;"> ${data.hid}: ${h.to_unicode(data.name) | h}</label></div> %endfor %else: 
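Review bot: The `| h` on `hist.name` and `data.name` leaves `${current_history_text}` and `${selected}` on the same lines unfiltered; that is fine if they are the fixed strings presumably assigned in the `<% %>` block above the hunk, which I cannot see. The pattern of per-expression `| h` is exactly what let these names slip through before, and the same commit has to touch a dozen templates to catch them, so consider enabling `default_filters=['unicode', 'h']` on Galaxy's Mako lookup and marking the few deliberate raw outputs with `| n`, making escaping the default rather than the exception (a larger change than this commit). The order used here is the right one: truncate first, then escape, so an entity is never cut in half.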
@@ -95,7 +95,7 @@ if encoded_id == target_history_id: selected = " selected='selected'" %> - <option value="${encoded_id}"${selected}>${i + 1}: ${h.truncate( util.unicodify( hist.name ), 30)}${source_history_text}</option> + <option value="${encoded_id}"${selected}>${i + 1}: ${h.truncate( util.unicodify( hist.name ), 30) | h}${source_history_text}</option> %endfor </select><br /><br /><a style="margin-left: 10px;" href="javascript:void(0);" id="select-multiple">Choose multiple histories</a> @@ -110,7 +110,7 @@ %><div class="form-row"><input type="checkbox" name="target_history_ids" id="hist_${encoded_id}" value="${encoded_id}"/> - <label for="hist_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${ util.unicodify( hist.name ) }${cur_history_text}</label> + <label for="hist_${encoded_id}" style="display: inline; font-weight:normal;">${i + 1}: ${ util.unicodify( hist.name ) | h }${cur_history_text}</label></div> %endfor </div> diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/dataset/display.mako --- a/templates/webapps/galaxy/dataset/display.mako +++ b/templates/webapps/galaxy/dataset/display.mako @@ -26,13 +26,11 @@ data.createTabularDatasetChunkedView({ // TODO: encode id. dataset_config: - _.extend( ${h.dumps( item.to_dict() )}, - { - chunk_url: "${h.url_for( controller='/dataset', action='display', - dataset_id=trans.security.encode_id( item.id ))}", - first_data_chunk: ${first_chunk} - } - ), + _.extend( ${h.dumps( item.to_dict() )}, { + chunk_url: "${h.url_for( controller='/dataset', action='display', + dataset_id=trans.security.encode_id( item.id ))}", + first_data_chunk: ${first_chunk} + }), parent_elt: $('.page-body') }); }); diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/dataset/embed.mako --- a/templates/webapps/galaxy/dataset/embed.mako +++ b/templates/webapps/galaxy/dataset/embed.mako 
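Review bot: In display.mako the `// TODO: encode id.` comment survives the reformat, and `item.to_dict()` is dumped with its raw database id while `chunk_url` on the next line uses the encoded one, so the client config still exposes the internal id; the same commit already does this correctly in tabular_chunked.mako, so, assuming `item` is the same HDA type as `dataset` there, the line can become `_.extend( ${h.dumps( trans.security.encode_dict_ids( item.to_dict() ) )}, {`. Separately, the `h.dumps` output is interpolated straight into a `<script>` body, so a dataset name or annotation containing `</script>` ends the script element early unless `h.dumps` escapes `<` and `&` inside JSON strings, which I cannot see from here; if it is plain `json.dumps`, a JSON-safe dumper is needed for every `${h.dumps(...)}` rendered inside a script. The enclosing script block starts before the hunk.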
@@ -4,10 +4,13 @@ %><%def name="render_item_links( dataset )"> - <a href="${h.url_for( controller='/dataset', action='display', dataset_id=trans.security.encode_id( dataset.id ), to_ext=dataset.ext )}" title="Save dataset" class="icon-button disk"></a> + <a href="${h.url_for( controller='/dataset', action='display', dataset_id=trans.security.encode_id( dataset.id ), to_ext=dataset.ext )}" + title="Save dataset" class="icon-button disk"></a> ## Links for importing and viewing an item. - <a href="${h.url_for( controller='/dataset', action='imp', dataset_id=trans.security.encode_id( item.id ) )}" title="Import dataset" class="icon-button import"></a> - <a class="icon-button go-to-full-screen" href="${h.url_for( controller='/dataset', action='display_by_username_and_slug', username=dataset.history.user.username, slug=trans.security.encode_id( dataset.id ) )}" title="Go to dataset"></a> + <a href="${h.url_for( controller='/dataset', action='imp', dataset_id=trans.security.encode_id( item.id ) )}" + title="Import dataset" class="icon-button import"></a> + <a href="${h.url_for( controller='/dataset', action='display_by_username_and_slug', username=dataset.history.user.username, slug=trans.security.encode_id( dataset.id ) )}" + title="Go to dataset" class="icon-button go-to-full-screen"></a></%def> diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/dataset/errors.mako --- a/templates/webapps/galaxy/dataset/errors.mako +++ b/templates/webapps/galaxy/dataset/errors.mako @@ -49,7 +49,7 @@ <body><h2>Dataset generation errors</h2> - <p><b>Dataset ${hda.hid}: ${hda.display_name()}</b></p> + <p><b>Dataset ${hda.hid}: ${hda.display_name() | h}</b></p><% job = hda.creating_job %> %if job: diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/dataset/security_common.mako --- a/templates/webapps/galaxy/dataset/security_common.mako 
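Review bot: `render_item_links( dataset )` takes `dataset` as its parameter, yet the import link in the middle of the def reads `item.id` while the other two links use `dataset.id`; that only works if a template-level `item` happens to be in scope and equal to `dataset`, and silently links the wrong dataset otherwise. Changing it to `dataset_id=trans.security.encode_id( dataset.id )` makes the def self-contained. `dataset.history.user.username` and `dataset.ext` go through `h.url_for`, which I assume URL-encodes its parameters; if it does not, the `href` values need `| h` as well.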
+++ b/templates/webapps/galaxy/dataset/security_common.mako @@ -77,7 +77,7 @@ else: current_actions = [] permitted_actions = {}.items() - obj_str = 'unknown object %s' %obj_name + obj_str = 'unknown object %s' % obj_name obj_type = '' %><script type="text/javascript"> @@ -104,7 +104,7 @@ }); </script><div class="toolForm"> - <div class="toolFormTitle">Manage ${obj_type} permissions on ${obj_str}</div> + <div class="toolFormTitle">Manage ${obj_type} permissions on ${obj_str | h}</div><div class="toolFormBody"><form name="edit_role_associations" id="edit_role_associations" action="${form_url}" method="post"><div class="form-row"></div> diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/dataset/tabular_chunked.mako --- a/templates/webapps/galaxy/dataset/tabular_chunked.mako +++ b/templates/webapps/galaxy/dataset/tabular_chunked.mako @@ -15,14 +15,12 @@ } }); - require(['mvc/data'], function(data) { + require([ 'mvc/data' ], function( data ) { data.createTabularDatasetChunkedView({ - dataset_config: _.extend( ${h.dumps( trans.security.encode_dict_ids( dataset.to_dict() ) )}, - { - first_data_chunk: ${chunk} - } - ), - parent_elt: $('body') + dataset_config : _.extend( ${ h.dumps( trans.security.encode_dict_ids( dataset.to_dict() ) )}, { + first_data_chunk: ${ chunk } + }), + parent_elt : $( 'body' ) }); }); </script> diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/history/embed.mako --- a/templates/webapps/galaxy/history/embed.mako +++ b/templates/webapps/galaxy/history/embed.mako 
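Review bot: `obj_str` is now filtered in the title, but `${obj_type}` in the same line and `${form_url}` in the form's `action` attribute are still emitted raw; `obj_type` is a fixed string in the visible `else` branch and presumably in the others, but `form_url` lands in an attribute value, so unless it is always built with `h.url_for` it should be `action="${form_url | h}"`. The `<% %>` block that assigns these values and the `<script>` between the two hunks begin or end outside the hunks, so I cannot confirm where `form_url` originates.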
@@ -23,7 +23,7 @@ </a></h4> %if hasattr( item, "annotation") and item.annotation: - <div class="annotation">${item.annotation}</div> + <div class="annotation">${item.annotation | h}</div> %endif </div><div class='summary-content'> diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/history/history_panel.mako --- a/templates/webapps/galaxy/history/history_panel.mako +++ /dev/null @@ -1,14 +0,0 @@ -## shortcuts for script tags that create history panels -## ---------------------------------------------------------------------------- -<%def name="current_history_panel( selector_to_attach_to=None, options )"> -</%def> - - -## ---------------------------------------------------------------------------- -<%def name="history_panel( history_id, selector_to_attach_to=None, options )"> -</%def> - - -## ---------------------------------------------------------------------------- -<%def name="bootstrapped_history_panel( history, hdas, selector_to_attach_to=None, options )"> -</%def> diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/history/share.mako --- a/templates/webapps/galaxy/history/share.mako +++ b/templates/webapps/galaxy/history/share.mako @@ -20,7 +20,7 @@ <tr><td><input type="hidden" name="id" value="${trans.security.encode_id( history.id )}"> - ${ util.unicodify( history.name )} + ${ util.unicodify( history.name ) | h } </td><td> %if len( history.datasets ) < 1: diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/history/view.mako --- a/templates/webapps/galaxy/history/view.mako +++ b/templates/webapps/galaxy/history/view.mako @@ -1,4 +1,4 @@ -<%namespace file="/galaxy.masthead.mako" import="get_user_json" /> +<%namespace file="/galaxy_client_app.mako" import="get_user_json" /> ## ---------------------------------------------------------------------------- <%! 
@@ -166,9 +166,9 @@ // use_panels effects where the the center_panel() is rendered: // w/o it renders to the body, w/ it renders to #center - we need to adjust a few things for scrolling to work var hasMasthead = ${ 'true' if use_panels else 'false' }, - userIsOwner = ${'true' if user_is_owner else 'false'}, - historyJSON = ${h.dumps( history )}, - hdaJSON = ${h.dumps( hdas )}, + userIsOwner = ${ 'true' if user_is_owner else 'false' }, + historyJSON = ${ h.dumps( history ) }, + hdaJSON = ${ h.dumps( hdas ) }, panelToUse = ( userIsOwner )? //TODO: change class names ({ location: 'mvc/history/history-panel-edit', className: 'HistoryPanelEdit' }): diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/page/editor.mako --- a/templates/webapps/galaxy/page/editor.mako +++ b/templates/webapps/galaxy/page/editor.mako @@ -47,7 +47,7 @@ <a id="close-button" class="panel-header-button">Close</a></div><div class="unified-panel-header-inner"> - Page Editor <span style="font-weight: normal">| Title : ${page.title}</span> + Page Editor <span style="font-weight: normal">| Title : ${page.title | h}</span></div></div> diff -r 06100e9a5626c38f3182e353470e882c29564c63 -r 9dc543bfedd7121cecb0e3f5a980fa387b09ff10 templates/webapps/galaxy/page/index.mako --- a/templates/webapps/galaxy/page/index.mako +++ b/templates/webapps/galaxy/page/index.mako 
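Review bot: `historyJSON = ${ h.dumps( history ) }` and `hdaJSON = ${ h.dumps( hdas ) }` inline user-controlled strings (history and dataset names, annotations and tags, the very fields this commit escapes elsewhere) into a `<script>` body; a value containing `</script>` closes the element early and the remainder is parsed as markup, unless `h.dumps` escapes `<` and `&` inside JSON strings, which I cannot see from here. If it is plain `json.dumps`, replace it with a dumper that emits `<`, `>` and `&` as `\u003c`, `\u003e` and `\u0026` and use it for every `${h.dumps(...)}` inside a script, including display.mako and tabular_chunked.mako in this same commit. The `var` statement continues past the hunk.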
@@ -30,7 +30,7 @@ <% page = association.page %><tr><td> - <a class="menubutton" id="shared-${i}-popup" href="${h.url_for(controller='page', action='display_by_username_and_slug', username=page.user.username, slug=page.slug)}">${page.title}</a> + <a class="menubutton" id="shared-${i}-popup" href="${h.url_for(controller='page', action='display_by_username_and_slug', username=page.user.username, slug=page.slug)}">${page.title | h}</a></td><td>${page.user.username}</td><td> Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
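Review bot: `${page.title | h}` is fixed, but `${page.user.username}` in the next cell of the same row is still unfiltered; usernames are user-chosen, so it should be `${page.user.username | h}` for consistency even if registration restricts them to a safe character set, which I cannot confirm from here. `page.slug` and the username also go into `h.url_for`, which is assumed to URL-encode its arguments. The enclosing `%for` loop starts outside the hunk.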