commit/galaxy-central: 5 new changesets
5 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/09bc07ada38d/ Changeset: 09bc07ada38d Branch: stable User: martenson Date: 2015-02-09 23:16:43+00:00 Summary: one more batch of escape fixes, mostly amending c2bed0a496f8 https://bitbucket.org/galaxy/galaxy-central/commits/c2bed0a496f8 Affected #: 10 files
diff -r 32e4527bab2d79f0797c28500a379b6b6c7a3900 -r 09bc07ada38df8f292ce74235ead9d5f591361fd lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
--- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
+++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py
@@ -443,7 +443,7 @@
 @web.require_admin
 def import_workflow( self, trans, workflow_name, repository_id, **kwd ):
 """Import a workflow contained in an installed tool shed repository into Galaxy."""
- message = escape( kwd.get( 'message', '' ) )
+ message = str( escape( kwd.get( 'message', '' ) ) )
 status = kwd.get( 'status', 'done' )
 if workflow_name:
 workflow_name = encoding_util.tool_shed_decode( workflow_name )
@@ -480,7 +480,7 @@
 tool shed repository.
 """
 # Get the tool_shed_repository from one of the tool_dependencies.
- message = escape( kwd.get( 'message', '' ) )
+ message = str( escape( kwd.get( 'message', '' ) ) )
 status = kwd.get( 'status', 'done' )
 err_msg = ''
 tool_shed_repository = tool_dependencies[ 0 ].tool_shed_repository
diff -r 32e4527bab2d79f0797c28500a379b6b6c7a3900 -r 09bc07ada38df8f292ce74235ead9d5f591361fd lib/galaxy/webapps/galaxy/controllers/library_admin.py
--- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py
+++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py
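Review bot: `message = str( escape( kwd.get( 'message', '' ) ) )` in the @@ -443 hunk reads as a redundant wrapper, and nothing in the hunk says why the `str()` is there. If `escape` is markupsafe's (not visible here — confirm), it returns a `Markup` whose `+` and `%` auto-escape their operands, and `str()` deliberately discards that, which is why every later `message += ... % name` in these handlers has to escape by hand as the rest of this commit does. A short comment on the line, such as `# plain str on purpose: keep Markup auto-escaping out of the later interpolations`, would stop the next reader from "simplifying" it away; the same wrapper appears in the @@ -480 hunk of this file, in library_common.py @@ -658 and in workflow.py @@ -1022. The body of import_workflow continues outside the hunk.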
@@ -162,14 +162,14 @@ library.root_folder = root_folder trans.sa_session.add_all( ( library, root_folder ) ) trans.sa_session.flush() - message = "The new library named '%s' has been created" % library.name + message = "The new library named '%s' has been created" % escape( library.name ) return trans.response.send_redirect( web.url_for( controller='library_common', action='browse_library', cntrller='library_admin', id=trans.security.encode_id( library.id ), message=message, status='done' ) ) - return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) ) + return trans.fill_template( '/admin/library/new_library.mako', message=message, status=escape( status ) ) @web.expose @web.require_admin def delete_library( self, trans, id, **kwd ): @@ -222,7 +222,7 @@ trans.sa_session.add( library_folder ) trans.sa_session.flush() if not library.deleted: - message = "Library '%s' has not been marked deleted, so it cannot be purged" % ( library.name ) + message = "Library '%s' has not been marked deleted, so it cannot be purged" % escape( library.name ) return trans.response.send_redirect( web.url_for( controller='library_admin', action='browse_libraries', message=message, @@ -232,7 +232,7 @@ library.purged = True trans.sa_session.add( library ) trans.sa_session.flush() - message = "Library '%s' and all of its contents have been purged, datasets will be removed from disk via the cleanup_datasets script" % library.name + message = "Library '%s' and all of its contents have been purged, datasets will be removed from disk via the cleanup_datasets script" % escape( library.name ) return trans.response.send_redirect( web.url_for( controller='library_admin', action='browse_libraries', message=message, diff -r 32e4527bab2d79f0797c28500a379b6b6c7a3900 -r 09bc07ada38df8f292ce74235ead9d5f591361fd lib/galaxy/webapps/galaxy/controllers/library_common.py --- a/lib/galaxy/webapps/galaxy/controllers/library_common.py 
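Review bot: In the @@ -162 hunk the fallthrough `fill_template( '/admin/library/new_library.mako', message=message, status=escape( status ) )` no longer escapes `message`, and where `message` is assigned on that path is outside the hunk; if it is still the raw `kwd` value, this reopens reflected markup injection in the template, so the function should adopt the same `message = str( escape( kwd.get( 'message', '' ) ) )` at entry that the other controllers in this commit use before the call-site escape is dropped. Separately, the success path now redirects with an already-escaped name in the `message` query parameter, and the @@ -222 and @@ -232 hunks do the same towards `browse_libraries`; if those targets escape their incoming `message` the way `import_workflow` and `ldda_permissions` do in this commit, a name such as `A&B` will be displayed as `A&amp;B`. Escaping once, where the value is rendered, avoids the double escape. The enclosing functions start outside these hunks.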
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py @@ -248,7 +248,7 @@ trans.sa_session.refresh( library ) # Copy the permissions to the root folder trans.app.security_agent.copy_library_permissions( trans, library, library.root_folder ) - message = "Permissions updated for library '%s'." % library.name + message = "Permissions updated for library '%s'." % escape( library.name ) return trans.response.send_redirect( web.url_for( controller='library_common', action='library_permissions', cntrller=cntrller, @@ -310,7 +310,7 @@ if info_association and ( not( inherited ) or info_association.inheritable ): widgets = new_folder.get_template_widgets( trans ) if info_association: - message = "The new folder named '%s' has been added to the data library. " % new_folder.name + message = "The new folder named '%s' has been added to the data library. " % escape( new_folder.name ) message += "Additional information about this folder may be added using the inherited template." return trans.fill_template( '/library/common/folder_info.mako', cntrller=cntrller, @@ -325,7 +325,7 @@ message=escape( message ), status='done' ) # If not inheritable info_association, redirect to the library. - message = "The new folder named '%s' has been added to the data library." % new_folder.name + message = "The new folder named '%s' has been added to the data library." % escape( new_folder.name ) # SM: This is the second place where the API controller would # reference the library id: return trans.response.send_redirect( web.url_for( controller='library_common', @@ -373,7 +373,7 @@ folder.description = new_description trans.sa_session.add( folder ) trans.sa_session.flush() - message = "Information updated for folder '%s'." % folder.name + message = "Information updated for folder '%s'." % escape( folder.name ) return trans.response.send_redirect( web.url_for( controller='library_common', action='folder_info', cntrller=cntrller, 
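Review bot: In the @@ -310 hunk `message` is built from `escape( new_folder.name )` and then handed to `fill_template( '/library/common/folder_info.mako', ... )`, whose argument list continues into the @@ -325 hunk with `message=escape( message ), status='done' )`; the lines between the two hunks are not shown, but this looks like the same call. If so the folder name is escaped twice and an `&` in it renders as `&amp;`; keep exactly one of the two, preferably the one at the template call, so that `message = "The new folder named '%s' has been added to the data library. " % new_folder.name` stays readable and the escape happens where the HTML is produced. The enclosing function starts outside the hunk.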
@@ -429,7 +429,7 @@ permissions[ trans.app.security_agent.get_action( v.action ) ] = in_roles trans.app.security_agent.set_all_library_permissions( trans, folder, permissions ) trans.sa_session.refresh( folder ) - message = "Permissions updated for folder '%s'." % folder.name + message = "Permissions updated for folder '%s'." % escape( folder.name ) return trans.response.send_redirect( web.url_for( controller='library_common', action='folder_permissions', cntrller=cntrller, @@ -498,10 +498,10 @@ if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( kwd.get( 'datatype' ) ).allow_datatype_change: trans.app.datatypes_registry.change_datatype( ldda, kwd.get( 'datatype' ) ) trans.sa_session.flush() - message = "Data type changed for library dataset '%s'." % ldda.name + message = "Data type changed for library dataset '%s'." % escape( ldda.name ) status = 'done' else: - message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( ldda.extension, kwd.get( 'datatype' ) ) + message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( escape( ldda.extension ), escape( kwd.get( 'datatype' ) ) ) status = 'error' else: message = "This dataset is currently being used as input or output. You cannot change datatype until the jobs have completed or you have canceled them." @@ -532,7 +532,7 @@ setattr( ldda.metadata, name, spec.unwrap( kwd.get( name, None ) ) ) ldda.metadata.dbkey = dbkey ldda.datatype.after_setting_metadata( ldda ) - message = "Attributes updated for library dataset '%s'." % ldda.name + message = "Attributes updated for library dataset '%s'." % escape( ldda.name ) status = 'done' else: message = "Attributes updated, but metadata could not be changed because this dataset is currently being used as input or output. You must cancel or wait for these jobs to complete before changing metadata." 
@@ -546,7 +546,7 @@ if name not in [ 'name', 'info', 'dbkey' ]: if spec.get( 'default' ): setattr( ldda.metadata, name, spec.unwrap( spec.get( 'default' ) ) ) - message = "Attributes have been queued to be updated for library dataset '%s'." % ldda.name + message = "Attributes have been queued to be updated for library dataset '%s'." % escape( ldda.name ) status = 'done' trans.app.datatypes_registry.set_external_metadata_tool.tool_action.execute( trans.app.datatypes_registry.set_external_metadata_tool, trans, incoming = { 'input1':ldda } ) else: @@ -570,7 +570,7 @@ self.delete_extended_metadata(trans, ex_obj) ex_obj = self.create_extended_metadata(trans, payload) self.set_item_extended_metadata_obj(trans, ldda, ex_obj) - message = "Updated Extended metadata '%s'." % ldda.name + message = "Updated Extended metadata '%s'." % escape( ldda.name ) status = 'done' else: message = "LDDA not found" @@ -581,7 +581,7 @@ if ex_obj is not None: self.unset_item_extended_metadata_obj(trans, ldda) self.delete_extended_metadata(trans, ex_obj) - message = "Deleted Extended metadata '%s'." % ldda.name + message = "Deleted Extended metadata '%s'." % escape( ldda.name ) status = 'done' @@ -658,7 +658,7 @@ @web.expose def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ): - message = escape( kwd.get( 'message', '' ) ) + message = str( escape( kwd.get( 'message', '' ) ) ) status = kwd.get( 'status', 'done' ) show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) @@ -744,7 +744,7 @@ trans.app.security_agent.set_all_library_permissions( trans, ldda, permissions ) trans.sa_session.refresh( ldda ) if len( lddas ) == 1: - message = "Permissions updated for dataset '%s'." % ldda.name + message = "Permissions updated for dataset '%s'." % escape( ldda.name ) else: message = 'Permissions updated for %d datasets.' % len( lddas ) status= 'done' 
@@ -937,13 +937,13 @@ ldda_id_list = [ str( v.id ) for k, v in created_outputs_dict.items() ] created_ldda_ids=",".join( ldda_id_list ) if replace_dataset: - message = "Added %d dataset versions to the library dataset '%s' in the folder '%s'." % ( total_added, replace_dataset_name, folder.name ) + message = "Added %d dataset versions to the library dataset '%s' in the folder '%s'." % ( total_added, escape( replace_dataset_name ), escape( folder.name ) ) else: if not folder.parent: # Libraries have the same name as their root_folder - message = "Added %d datasets to the library '%s' (each is selected). " % ( total_added, folder.name ) + message = "Added %d datasets to the library '%s' (each is selected). " % ( total_added, escape( folder.name ) ) else: - message = "Added %d datasets to the folder '%s' (each is selected). " % ( total_added, folder.name ) + message = "Added %d datasets to the folder '%s' (each is selected). " % ( total_added, escape( folder.name ) ) if cntrller == 'library_admin': message += "Click the Go button at the bottom of this page to edit the permissions on these datasets if necessary." status='done' 
@@ -1399,13 +1399,13 @@ ldda_id_list = created_ldda_ids.split( ',' ) total_added = len( ldda_id_list ) if replace_dataset: - message = "Added %d dataset versions to the library dataset '%s' in the folder '%s'." % ( total_added, replace_dataset.name, folder.name ) + message = "Added %d dataset versions to the library dataset '%s' in the folder '%s'." % ( total_added, escape( replace_dataset.name ), escape( folder.name ) ) else: if not folder.parent: # Libraries have the same name as their root_folder - message = "Added %d datasets to the library '%s' (each is selected). " % ( total_added, folder.name ) + message = "Added %d datasets to the library '%s' (each is selected). " % ( total_added, escape( folder.name ) ) else: - message = "Added %d datasets to the folder '%s' (each is selected). " % ( total_added, folder.name ) + message = "Added %d datasets to the folder '%s' (each is selected). " % ( total_added, escape( folder.name ) ) if cntrller == 'library_admin': message += "Click the Go button at the bottom of this page to edit the permissions on these datasets if necessary." else: @@ -1591,7 +1591,7 @@ library_dataset.info = new_info trans.sa_session.add( library_dataset ) trans.sa_session.flush() - message = "Information updated for library dataset '%s'." % library_dataset.name + message = "Information updated for library dataset '%s'." % escape( library_dataset.name ) status = 'done' # See if we have any associated templates widgets = [] 
@@ -1648,7 +1648,7 @@ # Set the LIBRARY permissions on the LibraryDatasetDatasetAssociation trans.app.security_agent.set_all_library_permissions( trans, library_dataset.library_dataset_dataset_association, permissions ) trans.sa_session.refresh( library_dataset.library_dataset_dataset_association ) - message = "Permisisons updated for library dataset '%s'." % library_dataset.name + message = "Permisisons updated for library dataset '%s'." % escape( library_dataset.name ) status = 'done' roles = trans.app.security_agent.get_legitimate_roles( trans, library_dataset, cntrller ) return trans.fill_template( '/library/common/library_dataset_permissions.mako', 
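Review bot: The rewritten line keeps a typo in the user-facing string ("Permisisons"); since the line is being changed anyway, `message = "Permissions updated for library dataset '%s'." % escape( library_dataset.name )` is the obvious fix. The enclosing function starts before the hunk and the `fill_template` call it ends on continues after it.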
@@ -1677,23 +1677,23 @@ contents = util.string_as_bool( kwd.get( 'contents', 'False' ) ) trans.app.security_agent.make_library_public( library, contents=contents ) if contents: - message = "The data library (%s) and all its contents have been made publicly accessible." % library.name + message = "The data library (%s) and all its contents have been made publicly accessible." % escape( library.name ) else: - message = "The data library (%s) has been made publicly accessible, but access to its contents has been left unchanged." % library.name + message = "The data library (%s) has been made publicly accessible, but access to its contents has been left unchanged." % escape( library.name ) elif item_type == 'folder': folder = trans.sa_session.query( trans.model.LibraryFolder ).get( trans.security.decode_id( id ) ) self._check_access( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) self._check_manage( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) trans.app.security_agent.make_folder_public( folder ) - message = "All of the contents of folder (%s) have been made publicly accessible." % folder.name + message = "All of the contents of folder (%s) have been made publicly accessible." % escape( folder.name ) elif item_type == 'ldda': ldda = trans.sa_session.query( trans.model.LibraryDatasetDatasetAssociation ).get( trans.security.decode_id( id ) ) self._check_access( trans, cntrller, is_admin, ldda.library_dataset, current_user_roles, use_panels, library_id, show_deleted ) self._check_manage( trans, cntrller, is_admin, ldda.library_dataset, current_user_roles, use_panels, library_id, show_deleted ) trans.app.security_agent.make_dataset_public( ldda.dataset ) - message = "The libary dataset (%s) has been made publicly accessible." % ldda.name + message = "The libary dataset (%s) has been made publicly accessible." 
% escape( ldda.name ) else: - message = "Invalid item_type (%s) received." % str( item_type ) + message = "Invalid item_type (%s) received." % escape( str( item_type ) ) status = 'error' return trans.response.send_redirect( web.url_for( controller='library_common', action='browse_library', @@ -1803,7 +1803,7 @@ if invalid_lddas: message += "You are not authorized to manage permissions on %s: " % inflector.cond_plural( len( invalid_lddas ), "dataset" ) for ldda in invalid_lddas: - message += '(%s)' % ldda.name + message += '(%s)' % escape( ldda.name ) message += '. ' if valid_ldda_ids: encoded_ldda_ids = [ trans.security.encode_id( ldda_id ) for ldda_id in valid_ldda_ids ] @@ -1967,7 +1967,7 @@ return archive.stream else: status = 'error' - message = 'Invalid action (%s) specified.' % str( action ) + message = 'Invalid action (%s) specified.' % escape( str( action ) ) if library_id: # If we have a library_id, browse the associated library return trans.response.send_redirect( web.url_for( controller='library_common', @@ -2053,11 +2053,11 @@ status = 'error' invalid_datasets += 1 elif ldda.dataset.state not in [ trans.model.Dataset.states.OK, trans.model.Dataset.states.ERROR ]: - message += "You cannot import dataset '%s' since its state is '%s'. " % ( ldda.name, ldda.dataset.state ) + message += "You cannot import dataset '%s' since its state is '%s'. " % ( escape( ldda.name ), ldda.dataset.state ) status = 'error' invalid_datasets += 1 elif not ldda.has_data(): - message += "You cannot import empty dataset '%s'. " % ldda.name + message += "You cannot import empty dataset '%s'. " % escape( ldda.name ) status = 'error' invalid_datasets += 1 else: 
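Review bot: The @@ -1677 hunk rewrites the `ldda` branch message but keeps the typo "libary" in it; `message = "The library dataset (%s) has been made publicly accessible." % escape( ldda.name )` while the line is being touched. The hunk ends in a `send_redirect( web.url_for( ..., action='browse_library', ...` call whose `message=` argument is outside the view; if that target escapes its incoming `message` as the other handlers in this commit do, the names escaped here will be escaped twice on display, which is worth checking before merging. The enclosing function starts outside the hunk.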
@@ -2140,7 +2140,7 @@ except ValueError: return None if not ( is_admin or trans.app.security_agent.can_modify_library_item( current_user_roles, item ) ): - message = "You are not authorized to modify %s '%s'." % ( item_desc, item.name ) + message = "You are not authorized to modify %s '%s'." % ( escape( item_desc ), escape( item.name ) ) return trans.response.send_redirect( web.url_for( controller='library_common', action='browse_library', cntrller=cntrller, @@ -2151,9 +2151,9 @@ info_association, inherited = item.get_info_association( restrict=True ) if info_association: if info_association.inheritable: - message = "The template for this %s will no longer be inherited to contained folders and datasets." % item_desc + message = "The template for this %s will no longer be inherited to contained folders and datasets." % escape( item_desc ) else: - message = "The template for this %s will now be inherited to contained folders and datasets." % item_desc + message = "The template for this %s will now be inherited to contained folders and datasets." % escape( item_desc ) info_association.inheritable = not( info_association.inheritable ) trans.sa_session.add( info_association ) trans.sa_session.flush() @@ -2260,7 +2260,7 @@ elif invalid_lddas: message += "You are not authorized to move %s: " % inflector.cond_plural( len( invalid_lddas ), "dataset" ) for ldda in invalid_lddas: - message += '(%s)' % ldda.name + message += '(%s)' % escape( ldda.name ) message += '. ' num_source = len( move_ldda_ids ) - invalid_items message = "%i %s moved to folder (%s) within data library (%s)" % ( num_source, 
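Review bot: The `message += '(%s)' % escape( ldda.name )` loop in the @@ -2260 hunk feeds `message`, but the statement that follows, `message = "%i %s moved to folder (%s) within data library (%s)" % ( num_source,`, reassigns with `=` and its remaining arguments lie outside the hunk; the collapsed layout hides indentation, so confirm whether the "not authorized to move" text is actually discarded here. Also confirm that the folder and library names among those trailing arguments are escaped as they are in the @@ -2278 hunk (`escape( move_folder.name )`, `escape( target_folder.name )`, `escape( target_library.name )`); if not, the escape added in this loop is undone one line later. The enclosing function starts and ends outside the hunk.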
@@ -2278,9 +2278,9 @@ move_folder.parent = target_folder trans.sa_session.add( move_folder ) flush_required = True - message = "Moved folder (%s) to folder (%s) within data library (%s) " % ( move_folder.name, - target_folder.name, - target_library.name ) + message = "Moved folder (%s) to folder (%s) within data library (%s) " % ( escape( move_folder.name ), + escape( target_folder.name ), + escape( target_library.name ) ) if flush_required: trans.sa_session.flush() if target_library: @@ -2400,7 +2400,7 @@ is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' ) current_user_roles = trans.get_current_user_roles() if item_type not in item_types: - message = 'Bad item_type specified: %s' % str( item_type ) + message = 'Bad item_type specified: %s' % escape( str( item_type ) ) status = 'error' else: if item_type == 'library_dataset': @@ -2430,12 +2430,12 @@ if flush_needed: trans.sa_session.flush() if valid_items: - message += "%d %s marked deleted. " % ( valid_items, inflector.cond_plural( valid_items, item_desc ) ) + message += "%d %s marked deleted. " % ( valid_items, escape( inflector.cond_plural( valid_items, item_desc ) ) ) if invalid_items: - message += '%d invalid %s specifield. ' % ( invalid_items, inflector.cond_plural( invalid_items, item_desc ) ) + message += '%d invalid %s specifield. ' % ( invalid_items, escape( inflector.cond_plural( invalid_items, item_desc ) ) ) status = 'error' if not_authorized_items: - message += 'You are not authorized to delete %d %s. ' % ( not_authorized_items, inflector.cond_plural( not_authorized_items, item_desc ) ) + message += 'You are not authorized to delete %d %s. ' % ( not_authorized_items, escape( inflector.cond_plural( not_authorized_items, item_desc ) ) ) status = 'error' if item_type == 'library': return trans.response.send_redirect( web.url_for( controller=cntrller, 
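Review bot: The rewritten `message += '%d invalid %s specifield. '` line in the @@ -2430 hunk keeps the "specifield" typo; `message += '%d invalid %s specified. ' % ( invalid_items, escape( inflector.cond_plural( invalid_items, item_desc ) ) )`, and the identical line appears in the @@ -2496 hunk of this file. `item_desc` appears to be derived from `item_type`, which the @@ -2400 hunk already rejects unless it is in `item_types`, so the `escape()` around `cond_plural` is defensive rather than load-bearing; fine to keep, but a one-line comment saying so would save the next reader the same analysis. The enclosing functions start outside these hunks.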
@@ -2462,7 +2462,7 @@ is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' ) current_user_roles = trans.get_current_user_roles() if item_type not in item_types: - message = 'Bad item_type specified: %s' % str( item_type ) + message = 'Bad item_type specified: %s' % escape( str( item_type ) ) status = 'error' else: if item_type == 'library_dataset': @@ -2496,15 +2496,15 @@ if flush_needed: trans.sa_session.flush() if valid_items: - message += "%d %s marked undeleted. " % ( valid_items, inflector.cond_plural( valid_items, item_desc ) ) + message += "%d %s marked undeleted. " % ( valid_items, escape( inflector.cond_plural( valid_items, item_desc ) ) ) if invalid_items: - message += '%d invalid %s specifield. ' % ( invalid_items, inflector.cond_plural( invalid_items, item_desc ) ) + message += '%d invalid %s specifield. ' % ( invalid_items, escape( inflector.cond_plural( invalid_items, item_desc ) ) ) status = 'error' if not_authorized_items: - message += 'You are not authorized to undelete %d %s. ' % ( not_authorized_items, inflector.cond_plural( not_authorized_items, item_desc ) ) + message += 'You are not authorized to undelete %d %s. ' % ( not_authorized_items, escape( inflector.cond_plural( not_authorized_items, item_desc ) ) ) status = 'error' if purged_items: - message += '%d %s marked purged, so cannot be undeleted. ' % ( purged_items, inflector.cond_plural( purged_items, item_desc ) ) + message += '%d %s marked purged, so cannot be undeleted. ' % ( purged_items, escape( inflector.cond_plural( purged_items, item_desc ) ) ) status = 'error' if item_type == 'library': return trans.response.send_redirect( web.url_for( controller=cntrller, 
@@ -2525,7 +2525,7 @@ if isinstance( item, trans.model.HistoryDatasetAssociation ): # Make sure the user has the DATASET_ACCESS permission on the history_dataset_association. if not item: - message = "Invalid history dataset (%s) specified." % str( item ) + message = "Invalid history dataset (%s) specified." % escape( str( item ) ) can_access = False elif not trans.app.security_agent.can_access_dataset( current_user_roles, item.dataset ) and item.history.user==trans.user: message = "You do not have permission to access the history dataset with id (%s)." % str( item.id ) @@ -2533,7 +2533,7 @@ else: # Make sure the user has the LIBRARY_ACCESS permission on the library item. if not item: - message = "Invalid library item (%s) specified." % str( item ) + message = "Invalid library item (%s) specified." % escape( str( item ) ) can_access = False elif not ( is_admin or trans.app.security_agent.can_access_library_item( current_user_roles, item, trans.user ) ): if isinstance( item, trans.model.Library ): @@ -2542,7 +2542,7 @@ item_type = 'folder' else: item_type = '(unknown item type)' - message = "You do not have permission to access the %s with id (%s)." % ( item_type, str( item.id ) ) + message = "You do not have permission to access the %s with id (%s)." % ( escape( item_type ), str( item.id ) ) can_access = False if not can_access: if cntrller == 'api': @@ -2566,7 +2566,7 @@ def _check_add( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ): # Deny access if the user is not an admin and does not have the LIBRARY_ADD permission. if not ( is_admin or trans.app.security_agent.can_add_library_item( current_user_roles, item ) ): - message = "You are not authorized to add an item to (%s)." % item.name + message = "You are not authorized to add an item to (%s)." % escape( item.name ) # Redirect to the real parent library since we know we have access to it. if cntrller == 'api': return 403, message 
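Review bot: In the @@ -2566 hunk the escaped `message` is also what `return 403, message` hands back when `cntrller == 'api'`, so API clients now receive HTML entities such as `&#39;` or `&amp;` in a non-HTML error body; the @@ -2585, @@ -2597 and @@ -2611 hunks of this file, and the `if cntrller == 'api':` branch the @@ -2542 hunk ends on, have the same shape. Escaping belongs on the HTML path only: keep `message` raw, return it unchanged in the API branch, and apply `escape( message )` where it is put into the redirect or template. Unrelated to the escaping, the condition in the @@ -2525 hunk, `elif not trans.app.security_agent.can_access_dataset( ... ) and item.history.user==trans.user:`, denies access only when the requester owns the history; that may be intentional, but the non-owner case is not visible in the hunk and is worth confirming in an access-control helper. The enclosing functions start and end outside these hunks.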
@@ -2585,7 +2585,7 @@ if not ( is_admin or \ ( trans.app.security_agent.can_manage_library_item( current_user_roles, item ) and trans.app.security_agent.can_manage_dataset( current_user_roles, library_dataset.library_dataset_dataset_association.dataset ) ) ): - message = "You are not authorized to manage permissions on library dataset (%s)." % library_dataset.name + message = "You are not authorized to manage permissions on library dataset (%s)." % escape( library_dataset.name ) if cntrller == 'api': return 403, message return trans.response.send_redirect( web.url_for( controller='library_common', @@ -2597,7 +2597,7 @@ status='error' ) ) # Deny access if the user is not an admin and does not have the LIBRARY_MANAGE permission. if not ( is_admin or trans.app.security_agent.can_manage_library_item( current_user_roles, item ) ): - message = "You are not authorized to manage permissions on (%s)." % item.name + message = "You are not authorized to manage permissions on (%s)." % escape( item.name ) if cntrller == 'api': return 403, message return trans.response.send_redirect( web.url_for( controller='library_common', @@ -2611,7 +2611,7 @@ def _check_modify( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ): # Deny modification if the user is not an admin and does not have the LIBRARY_MODIFY permission. if not ( is_admin or trans.app.security_agent.can_modify_library_item( current_user_roles, item ) ): - message = "You are not authorized to modify (%s)." % item.name + message = "You are not authorized to modify (%s)." % escape( item.name ) if cntrller == 'api': return 403, message return trans.response.send_redirect( web.url_for( controller='library_common', diff -r 32e4527bab2d79f0797c28500a379b6b6c7a3900 -r 09bc07ada38df8f292ce74235ead9d5f591361fd lib/galaxy/webapps/galaxy/controllers/user.py --- a/lib/galaxy/webapps/galaxy/controllers/user.py +++ b/lib/galaxy/webapps/galaxy/controllers/user.py 
@@ -569,7 +569,7 @@ username = trans.user.username is_activation_sent = self.send_verification_email( trans, email, username ) if is_activation_sent: - message = 'This account has not been activated yet. The activation link has been sent again. Please check your email address <b>%s</b> including the spam/trash folder.<br><a target="_top" href="%s">Return to the home page</a>.' % ( email, url_for( '/' ) ) + message = 'This account has not been activated yet. The activation link has been sent again. Please check your email address <b>%s</b> including the spam/trash folder.<br><a target="_top" href="%s">Return to the home page</a>.' % ( escape( email ), url_for( '/' ) ) status = 'error' else: message = 'This account has not been activated yet but we are unable to send the activation link. Please contact your local Galaxy administrator.<br><a target="_top" href="%s">Return to the home page</a>.' % url_for( '/' ) @@ -673,7 +673,7 @@ trans.log_event( "User created a new account" ) trans.log_event( "User logged in" ) if success and is_admin: - message = 'Created new user account (%s)' % user.email + message = 'Created new user account (%s)' % escape( user.email ) trans.response.send_redirect( web.url_for( controller='admin', action='users', cntrller=cntrller, 
@@ -770,7 +770,7 @@ if trans.webapp.name == 'galaxy' and trans.app.config.user_activation_on: is_activation_sent = self.send_verification_email( trans, email, username ) if is_activation_sent: - message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) ) + message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) ) success = True else: message = 'Unable to send activation email, please contact your local Galaxy administrator.' @@ -778,7 +778,7 @@ message += ' Contact: %s' % trans.app.config.error_email_to success = False else: # User activation is OFF, proceed without sending the activation email. - message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) ) + message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) ) success = True return ( message, status, user, success ) @@ -788,7 +788,7 @@ """ if username is None: username = trans.user.username - activation_link = self.prepare_activation_link( trans, email ) + activation_link = self.prepare_activation_link( trans, escape( email ) ) body = ("Hello %s,\n\n" "In order to complete the activation process for %s begun on %s at %s, please click on the following link to verify your account:\n\n" 
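Review bot: `activation_link = self.prepare_activation_link( trans, escape( email ) )` in the @@ -788 hunk HTML-escapes the address before it is used to build the activation link, so an address containing a character that `escape` rewrites (an apostrophe is legal in the local part and becomes `&#39;` under markupsafe) yields a link built for a different string than the account's email; the link should be built from the raw value, `activation_link = self.prepare_activation_link( trans, email )`. The @@ -796 hunk has the same problem for `body`: it is a plain-text e-mail (`"Hello %s,\n\n"`), not HTML, so `escape( username ), escape( email )` shows entities to the recipient and should go back to `"Your Galaxy Team" % (username, email,`. HTML escaping only applies where the value is rendered as HTML, which neither of these is; if a note is wanted, `# plain-text mail: do not HTML-escape` on the `body` line records the decision. send_verification_email continues outside both hunks.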
@@ -796,7 +796,7 @@ "By clicking on the above link and opening a Galaxy account you are also confirming that you have read and agreed to Galaxy's Terms and Conditions for use of this service (%s). This includes a quota limit of one account per user. Attempts to subvert this limit by creating multiple accounts or through any other method may result in termination of all associated accounts and data.\n\n" "Please contact us if you need help with your account at: %s. You can also browse resources available at: %s. \n\n" "More about the Galaxy Project can be found at galaxyproject.org\n\n" - "Your Galaxy Team" % (username, email, + "Your Galaxy Team" % (escape( username ), escape( email ), datetime.utcnow().strftime( "%D"), trans.request.host, activation_link, trans.app.config.terms_url, @@ -1155,7 +1155,7 @@ if not username: return "A public user name is required in the tool shed." if username in [ 'repos' ]: - return "The term <b>%s</b> is a reserved word in the tool shed, so it cannot be used as a public user name." % username + return "The term <b>%s</b> is a reserved word in the tool shed, so it cannot be used as a public user name." % escape( username ) message = "\n".join( [ validate_email( trans, email ), validate_password( trans, password, confirm ), validate_publicname( trans, username ) ] ).rstrip() diff -r 32e4527bab2d79f0797c28500a379b6b6c7a3900 -r 09bc07ada38df8f292ce74235ead9d5f591361fd lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py +++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py @@ -1022,7 +1022,7 @@ """ url = kwd.get( 'url', '' ) workflow_text = kwd.get( 'workflow_text', '' ) - message = escape( kwd.get( 'message', '' ) ) + message = str( escape( kwd.get( 'message', '' ) ) ) status = kwd.get( 'status', 'done' ) import_button = kwd.get( 'import_button', False ) # The special Galaxy integration landing page's URL on myExperiment 
@@ -1143,6 +1143,8 @@ # workflow view, so we don't need to render the Galaxy panels. action = 'center' else: + return trans.show_error_message( message ) + # Another Galaxy panels hack: The request originated from the Galaxy # workflow view, so we need to render the Galaxy panels. action = 'index' diff -r 32e4527bab2d79f0797c28500a379b6b6c7a3900 -r 09bc07ada38df8f292ce74235ead9d5f591361fd lib/galaxy/webapps/tool_shed/controllers/admin.py --- a/lib/galaxy/webapps/tool_shed/controllers/admin.py +++ b/lib/galaxy/webapps/tool_shed/controllers/admin.py @@ -140,7 +140,7 @@ trans.sa_session.flush() # Update the Tool Shed's repository registry. trans.app.repository_registry.add_category_entry( category ) - message = "Category '%s' has been created" % category.name + message = "Category '%s' has been created" % escape( category.name ) status = 'done' trans.response.send_redirect( web.url_for( controller='admin', action='manage_categories', @@ -184,7 +184,7 @@ count += 1 deleted_repositories += " %s " % repository.name if count: - message = "Deleted %d %s: %s" % ( count, inflector.cond_plural( len( ids ), "repository" ), deleted_repositories ) + message = "Deleted %d %s: %s" % ( count, inflector.cond_plural( len( ids ), "repository" ), escape( deleted_repositories ) ) else: message = "All selected repositories were already marked deleted." else: @@ -258,7 +258,7 @@ if original_category_name != new_name: # Update the Tool Shed's repository registry. trans.app.repository_registry.edit_category_entry( original_category_name, new_name ) - message = "The information has been saved for category '%s'" % ( category.name ) + message = "The information has been saved for category '%s'" % escape( category.name ) status = 'done' return trans.response.send_redirect( web.url_for( controller='admin', action='manage_categories', 
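Review bot: The added `return trans.show_error_message( message )` in the @@ -1143 hunk sits in the `else:` branch directly above the "Another Galaxy panels hack" comment and `action = 'index'`, so that comment and assignment are now unreachable; either delete them or move the return to where it is meant to apply, because as written it is unclear whether the dead `action = 'index'` was intended. Whether `message` is already escaped at this point is not visible in the hunk — `show_error_message` presumably renders it as HTML, and the @@ -1022 hunk makes `message` a plain escaped `str` at entry only if this is still the same function — so confirm the later assignments between the two hunks are escaped too. The enclosing function starts outside the hunk.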
@@ -431,7 +431,7 @@ trans.sa_session.flush() # Update the Tool Shed's repository registry. trans.app.repository_registry.remove_category_entry( category ) - message += " %s " % category.name + message += " %s " % escape( category.name ) else: message = "No category ids received for deleting." status = 'error' @@ -462,7 +462,7 @@ trans.sa_session.delete( rca ) trans.sa_session.flush() purged_categories += " %s " % category.name - message = "Purged %d categories: %s" % ( count, purged_categories ) + message = "Purged %d categories: %s" % ( count, escape( purged_categories ) ) else: message = "No category ids received for purging." status = 'error' @@ -491,7 +491,7 @@ trans.app.repository_registry.add_category_entry( category ) count += 1 undeleted_categories += " %s" % category.name - message = "Undeleted %d categories: %s" % ( count, undeleted_categories ) + message = "Undeleted %d categories: %s" % ( count, escape( undeleted_categories ) ) else: message = "No category ids received for undeleting." status = 'error' diff -r 32e4527bab2d79f0797c28500a379b6b6c7a3900 -r 09bc07ada38df8f292ce74235ead9d5f591361fd lib/galaxy/webapps/tool_shed/controllers/repository.py --- a/lib/galaxy/webapps/tool_shed/controllers/repository.py +++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py 
@@ -1120,11 +1120,11 @@ if mark_deprecated: # Update the repository registry. trans.app.repository_registry.remove_entry( repository ) - message = 'The repository <b>%s</b> has been marked as deprecated.' % repository.name + message = 'The repository <b>%s</b> has been marked as deprecated.' % escape( repository.name ) else: # Update the repository registry. trans.app.repository_registry.add_entry( repository ) - message = 'The repository <b>%s</b> has been marked as not deprecated.' % repository.name + message = 'The repository <b>%s</b> has been marked as not deprecated.' % escape( repository.name ) trans.response.send_redirect( web.url_for( controller='repository', action='browse_repositories', operation='repositories_i_own', @@ -1382,8 +1382,8 @@ else: kwd[ 'message' ] = "tool id: <b>%s</b><br/>tool name: <b>%s</b><br/>tool version: <b>%s</b><br/>exact matches only: <b>%s</b>" % \ ( basic_util.stringify( tool_ids ), - basic_util.stringify( tool_names ), - basic_util.stringify( tool_versions ), + escape( basic_util.stringify( tool_names ) ), + escape( basic_util.stringify( tool_versions ) ), str( exact_matches_checked ) ) self.matched_repository_grid.title = "Repositories with matching tools" return self.matched_repository_grid( trans, **kwd ) @@ -1473,7 +1473,7 @@ return self.install_matched_repository_grid( trans, **kwd ) else: kwd[ 'message' ] = "workflow name: <b>%s</b><br/>exact matches only: <b>%s</b>" % \ - ( basic_util.stringify( workflow_names ), str( exact_matches_checked ) ) + ( escape( basic_util.stringify( workflow_names ) ), str( exact_matches_checked ) ) self.matched_repository_grid.title = "Repositories with matching workflows" return self.matched_repository_grid( trans, **kwd ) else: 
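Review bot: In the @@ -1382 hunk of repository.py the message now escapes `tool_names` and `tool_versions` but leaves the first `%s` argument, `basic_util.stringify( tool_ids )`, unescaped, although it is rendered inside the same `<b>...</b>` markup and appears to originate from the same search input. Unless tool ids are validated against a fixed vocabulary before this point (not visible here), that line should read `( escape( basic_util.stringify( tool_ids ) ),` to match the two lines below it. The enclosing method continues outside the hunk.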
@@ -3059,7 +3059,7 @@ changeset_revision=changeset_revision ) ) else: message = "The change log for the repository named <b>%s</b> owned by <b>%s</b> does not include revision <b>%s</b>." % \ - ( str( name ), str( owner ), str( changeset_revision ) ) + ( escape( str( name ) ), escape( str( owner ) ), escape( str( changeset_revision ) ) ) return trans.response.send_redirect( web.url_for( controller='repository', action='index', repository_id=repository_id, @@ -3160,18 +3160,18 @@ capsule_dict = irm.upload_capsule( **kwd ) status = capsule_dict.get( 'status', 'error' ) if status == 'error': - message = capsule_dict.get( 'error_message', '' ) + message = escape( capsule_dict.get( 'error_message', '' ) ) else: capsule_dict = irm.extract_capsule_files( **capsule_dict ) capsule_dict = irm.validate_capsule( **capsule_dict ) - status = capsule_dict.get( 'status', 'error' ) + status = escape( capsule_dict.get( 'status', 'error' ) ) if status == 'ok': return trans.response.send_redirect( web.url_for( controller='repository', action='import_capsule', **capsule_dict ) ) else: message = 'The capsule contents are invalid and cannot be imported:<br/>%s' % \ - str( capsule_dict.get( 'error_message', '' ) ) + escape( str( capsule_dict.get( 'error_message', '' ) ) ) return trans.fill_template( '/webapps/tool_shed/repository/upload_capsule.mako', url=url, message=message, diff -r 32e4527bab2d79f0797c28500a379b6b6c7a3900 -r 09bc07ada38df8f292ce74235ead9d5f591361fd lib/galaxy/webapps/tool_shed/controllers/repository_review.py --- a/lib/galaxy/webapps/tool_shed/controllers/repository_review.py +++ b/lib/galaxy/webapps/tool_shed/controllers/repository_review.py 
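Review bot: In the @@ -3160 hunk `status = escape( capsule_dict.get( 'status', 'error' ) )` wraps a control value that is compared against `'ok'` on the next line and then handed to the template as `status`; `status` appears to be produced by `irm.validate_capsule` rather than by the user, so escaping it adds no protection and, if `escape` is markupsafe's, turns the variable into a Markup object while the first branch of the same hunk keeps `status` a plain `str`. I would leave `status = capsule_dict.get( 'status', 'error' )` unchanged and apply `escape()` only to `error_message`, as the other two changed lines already do, or at least wrap it as `str( escape( ... ) )` like the rest of this commit. The enclosing method starts and ends outside the hunk.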
@@ -51,7 +51,7 @@ review.approved = approved_select_field_value trans.sa_session.add( review ) trans.sa_session.flush() - message = 'Approved value <b>%s</b> saved for this revision.' % approved_select_field_value + message = 'Approved value <b>%s</b> saved for this revision.' % escape( approved_select_field_value ) repository_id = trans.security.encode_id( review.repository_id ) changeset_revision = review.changeset_revision return trans.response.send_redirect( web.url_for( controller='repository_review', @@ -121,7 +121,7 @@ component = trans.app.model.Component( name=name, description=description ) trans.sa_session.add( component ) trans.sa_session.flush() - message = "Component '%s' has been created" % component.name + message = "Component '%s' has been created" % escape( component.name ) status = 'done' trans.response.send_redirect( web.url_for( controller='repository_review', action='manage_components', @@ -151,7 +151,7 @@ repository_id=repository_id, changeset_revision=changeset_revision, user_id=trans.security.encode_id( trans.user.id ) ): - message = "You have already created a review for revision <b>%s</b> of repository <b>%s</b>." % ( changeset_revision, repository.name ) + message = "You have already created a review for revision <b>%s</b> of repository <b>%s</b>." % ( changeset_revision, escape( repository.name ) ) status = "error" else: # See if there are any reviews for previous changeset revisions that the user can copy. @@ -188,7 +188,7 @@ status=status ) ) else: message = "A new review cannot be created for revision <b>%s</b> of repository <b>%s</b>. Select a valid revision and try again." \ - % ( changeset_revision, repository.name ) + % ( changeset_revision, escape( repository.name ) ) kwd[ 'message' ] = message kwd[ 'status' ] = 'error' else: 
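Review bot: In the @@ -151 and @@ -188 hunks of repository_review.py only `repository.name` is escaped while `changeset_revision` is interpolated into `<b>%s</b>` as-is, even though the same commit escapes `changeset_revision` in repository.py (@@ -3059). The assignment of `changeset_revision` is outside these hunks; if it is taken from the request, both format tuples should read `( escape( changeset_revision ), escape( repository.name ) )`. The enclosing method starts and ends outside these hunks.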
@@ -218,7 +218,7 @@ component.description = new_description trans.sa_session.add( component ) trans.sa_session.flush() - message = "The information has been saved for the component named <b>%s</b>" % ( component.name ) + message = "The information has been saved for the component named <b>%s</b>" % escape( component.name ) status = 'done' return trans.response.send_redirect( web.url_for( controller='repository_review', action='manage_components', diff -r 32e4527bab2d79f0797c28500a379b6b6c7a3900 -r 09bc07ada38df8f292ce74235ead9d5f591361fd lib/galaxy/webapps/tool_shed/controllers/upload.py --- a/lib/galaxy/webapps/tool_shed/controllers/upload.py +++ b/lib/galaxy/webapps/tool_shed/controllers/upload.py @@ -256,7 +256,7 @@ source_type = "file" source = uploaded_file_filename message = "The %s <b>%s</b> has been successfully%suploaded to the repository. " % \ - ( source_type, source, uncompress_str ) + ( escape( source_type ), escape( source ), escape( uncompress_str ) ) if istar and ( undesirable_dirs_removed or undesirable_files_removed ): items_removed = undesirable_dirs_removed + undesirable_files_removed message += " %d undesirable items (.hg .svn .git directories, .DS_Store, hgrc files, etc) " % items_removed diff -r 32e4527bab2d79f0797c28500a379b6b6c7a3900 -r 09bc07ada38df8f292ce74235ead9d5f591361fd lib/tool_shed/util/repository_util.py --- a/lib/tool_shed/util/repository_util.py +++ b/lib/tool_shed/util/repository_util.py @@ -164,7 +164,7 @@ sa_session.flush() # Update the repository registry. app.repository_registry.add_entry( repository ) - message = "Repository <b>%s</b> has been created." % str( repository.name ) + message = "Repository <b>%s</b> has been created." % escape( str( repository.name ) ) return repository, message def create_repository_admin_role( app, repository ): 
@@ -282,7 +282,7 @@ repositories=in_repositories ) sa_session.refresh( role ) message += "Role <b>%s</b> has been associated with %d users, %d groups and %d repositories. " % \ - ( str( role.name ), len( in_users ), len( in_groups ), len( in_repositories ) ) + ( escape( str( role.name ) ), len( in_users ), len( in_groups ), len( in_repositories ) ) in_users = [] out_users = [] in_groups = [] https://bitbucket.org/galaxy/galaxy-central/commits/1242b5eb9e63/ Changeset: 1242b5eb9e63 Branch: stable User: martenson Date: 2015-02-10 17:03:19+00:00 Summary: removed unnecessary escapes Affected #: 1 file diff -r 09bc07ada38df8f292ce74235ead9d5f591361fd -r 1242b5eb9e63150ef01259123ef4edda603a21c8 lib/galaxy/webapps/tool_shed/controllers/upload.py --- a/lib/galaxy/webapps/tool_shed/controllers/upload.py +++ b/lib/galaxy/webapps/tool_shed/controllers/upload.py @@ -256,7 +256,7 @@ source_type = "file" source = uploaded_file_filename message = "The %s <b>%s</b> has been successfully%suploaded to the repository. " % \ - ( escape( source_type ), escape( source ), escape( uncompress_str ) ) + ( source_type, escape( source ), uncompress_str ) if istar and ( undesirable_dirs_removed or undesirable_files_removed ): items_removed = undesirable_dirs_removed + undesirable_files_removed message += " %d undesirable items (.hg .svn .git directories, .DS_Store, hgrc files, etc) " % items_removed https://bitbucket.org/galaxy/galaxy-central/commits/572aa15bdb08/ Changeset: 572aa15bdb08 Branch: stable User: martenson Date: 2015-02-10 17:48:53+00:00 Summary: remove incidentally added line Affected #: 1 file diff -r 1242b5eb9e63150ef01259123ef4edda603a21c8 -r 572aa15bdb0802f80c687bc4db93abd8bd42a82a lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py +++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py 
@@ -1143,8 +1143,6 @@ # workflow view, so we don't need to render the Galaxy panels. action = 'center' else: - return trans.show_error_message( message ) - # Another Galaxy panels hack: The request originated from the Galaxy # workflow view, so we need to render the Galaxy panels. action = 'index' https://bitbucket.org/galaxy/galaxy-central/commits/6d62105ccb7b/ Changeset: 6d62105ccb7b Branch: stable User: martenson Date: 2015-02-16 18:56:59+00:00 Summary: Merge Affected #: 10 files diff -r cc6774fcfed18076b0bc0b3a671b696a8a7d7a87 -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py --- a/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py +++ b/lib/galaxy/webapps/galaxy/controllers/admin_toolshed.py @@ -443,7 +443,7 @@ @web.require_admin def import_workflow( self, trans, workflow_name, repository_id, **kwd ): """Import a workflow contained in an installed tool shed repository into Galaxy.""" - message = escape( kwd.get( 'message', '' ) ) + message = str( escape( kwd.get( 'message', '' ) ) ) status = kwd.get( 'status', 'done' ) if workflow_name: workflow_name = encoding_util.tool_shed_decode( workflow_name ) @@ -480,7 +480,7 @@ tool shed repository. """ # Get the tool_shed_repository from one of the tool_dependencies. - message = escape( kwd.get( 'message', '' ) ) + message = str( escape( kwd.get( 'message', '' ) ) ) status = kwd.get( 'status', 'done' ) err_msg = '' tool_shed_repository = tool_dependencies[ 0 ].tool_shed_repository diff -r cc6774fcfed18076b0bc0b3a671b696a8a7d7a87 -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 lib/galaxy/webapps/galaxy/controllers/library_admin.py --- a/lib/galaxy/webapps/galaxy/controllers/library_admin.py +++ b/lib/galaxy/webapps/galaxy/controllers/library_admin.py 
@@ -162,14 +162,14 @@ library.root_folder = root_folder trans.sa_session.add_all( ( library, root_folder ) ) trans.sa_session.flush() - message = "The new library named '%s' has been created" % library.name + message = "The new library named '%s' has been created" % escape( library.name ) return trans.response.send_redirect( web.url_for( controller='library_common', action='browse_library', cntrller='library_admin', id=trans.security.encode_id( library.id ), message=message, status='done' ) ) - return trans.fill_template( '/admin/library/new_library.mako', message=escape( message ), status=escape( status ) ) + return trans.fill_template( '/admin/library/new_library.mako', message=message, status=escape( status ) ) @web.expose @web.require_admin def delete_library( self, trans, id, **kwd ): @@ -222,7 +222,7 @@ trans.sa_session.add( library_folder ) trans.sa_session.flush() if not library.deleted: - message = "Library '%s' has not been marked deleted, so it cannot be purged" % ( library.name ) + message = "Library '%s' has not been marked deleted, so it cannot be purged" % escape( library.name ) return trans.response.send_redirect( web.url_for( controller='library_admin', action='browse_libraries', message=message, @@ -232,7 +232,7 @@ library.purged = True trans.sa_session.add( library ) trans.sa_session.flush() - message = "Library '%s' and all of its contents have been purged, datasets will be removed from disk via the cleanup_datasets script" % library.name + message = "Library '%s' and all of its contents have been purged, datasets will be removed from disk via the cleanup_datasets script" % escape( library.name ) return trans.response.send_redirect( web.url_for( controller='library_admin', action='browse_libraries', message=message, diff -r cc6774fcfed18076b0bc0b3a671b696a8a7d7a87 -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 lib/galaxy/webapps/galaxy/controllers/library_common.py --- a/lib/galaxy/webapps/galaxy/controllers/library_common.py 
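Review bot: In the @@ -162, @@ -222 and @@ -232 hunks of library_admin.py the message is HTML-escaped at construction and then carried to another action as a redirect parameter (`message=message` inside `web.url_for(...)`), while receiving actions in this same commit escape `kwd['message']` again (`message = str( escape( kwd.get( 'message', '' ) ) )`, e.g. `ldda_permissions` in library_common.py), so a library name containing `&` or `<` would be displayed as `&amp;amp;` / `&amp;lt;` rather than the original character. Escaping once, at the point where the value is rendered (the receiving action or the template), is the usual fix; whether `browse_libraries` also escapes its incoming `message` is not visible here. The same pattern appears in user.py (@@ -673, `escape( user.email )` followed by a redirect). The enclosing methods start and end outside these hunks.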
+++ b/lib/galaxy/webapps/galaxy/controllers/library_common.py @@ -248,7 +248,7 @@ trans.sa_session.refresh( library ) # Copy the permissions to the root folder trans.app.security_agent.copy_library_permissions( trans, library, library.root_folder ) - message = "Permissions updated for library '%s'." % library.name + message = "Permissions updated for library '%s'." % escape( library.name ) return trans.response.send_redirect( web.url_for( controller='library_common', action='library_permissions', cntrller=cntrller, @@ -310,7 +310,7 @@ if info_association and ( not( inherited ) or info_association.inheritable ): widgets = new_folder.get_template_widgets( trans ) if info_association: - message = "The new folder named '%s' has been added to the data library. " % new_folder.name + message = "The new folder named '%s' has been added to the data library. " % escape( new_folder.name ) message += "Additional information about this folder may be added using the inherited template." return trans.fill_template( '/library/common/folder_info.mako', cntrller=cntrller, @@ -325,7 +325,7 @@ message=escape( message ), status='done' ) # If not inheritable info_association, redirect to the library. - message = "The new folder named '%s' has been added to the data library." % new_folder.name + message = "The new folder named '%s' has been added to the data library." % escape( new_folder.name ) # SM: This is the second place where the API controller would # reference the library id: return trans.response.send_redirect( web.url_for( controller='library_common', @@ -373,7 +373,7 @@ folder.description = new_description trans.sa_session.add( folder ) trans.sa_session.flush() - message = "Information updated for folder '%s'." % folder.name + message = "Information updated for folder '%s'." % escape( folder.name ) return trans.response.send_redirect( web.url_for( controller='library_common', action='folder_info', cntrller=cntrller, 
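Review bot: In the @@ -310 hunk `new_folder.name` is now escaped when the message is built, but the `fill_template(...)` call that consumes it (the `message=escape( message )` context line opening @@ -325 appears to be the tail of that same call) still escapes the whole message a second time, so a folder named `A & B` would render as `A &amp;amp; B`. This is the same double-escape the commit fixes in library_admin.py (@@ -162, `message=escape( message )` → `message=message`); the @@ -325 context line should get the same change, or the new `escape( new_folder.name )` at @@ -310 should be dropped in favour of the existing outer escape. The enclosing method starts and ends outside these hunks.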
@@ -429,7 +429,7 @@ permissions[ trans.app.security_agent.get_action( v.action ) ] = in_roles trans.app.security_agent.set_all_library_permissions( trans, folder, permissions ) trans.sa_session.refresh( folder ) - message = "Permissions updated for folder '%s'." % folder.name + message = "Permissions updated for folder '%s'." % escape( folder.name ) return trans.response.send_redirect( web.url_for( controller='library_common', action='folder_permissions', cntrller=cntrller, @@ -498,10 +498,10 @@ if ldda.datatype.allow_datatype_change and trans.app.datatypes_registry.get_datatype_by_extension( kwd.get( 'datatype' ) ).allow_datatype_change: trans.app.datatypes_registry.change_datatype( ldda, kwd.get( 'datatype' ) ) trans.sa_session.flush() - message = "Data type changed for library dataset '%s'." % ldda.name + message = "Data type changed for library dataset '%s'." % escape( ldda.name ) status = 'done' else: - message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( ldda.extension, kwd.get( 'datatype' ) ) + message = "You are unable to change datatypes in this manner. Changing %s to %s is not allowed." % ( escape( ldda.extension ), escape( kwd.get( 'datatype' ) ) ) status = 'error' else: message = "This dataset is currently being used as input or output. You cannot change datatype until the jobs have completed or you have canceled them." @@ -532,7 +532,7 @@ setattr( ldda.metadata, name, spec.unwrap( kwd.get( name, None ) ) ) ldda.metadata.dbkey = dbkey ldda.datatype.after_setting_metadata( ldda ) - message = "Attributes updated for library dataset '%s'." % ldda.name + message = "Attributes updated for library dataset '%s'." % escape( ldda.name ) status = 'done' else: message = "Attributes updated, but metadata could not be changed because this dataset is currently being used as input or output. You must cancel or wait for these jobs to complete before changing metadata." 
@@ -546,7 +546,7 @@ if name not in [ 'name', 'info', 'dbkey' ]: if spec.get( 'default' ): setattr( ldda.metadata, name, spec.unwrap( spec.get( 'default' ) ) ) - message = "Attributes have been queued to be updated for library dataset '%s'." % ldda.name + message = "Attributes have been queued to be updated for library dataset '%s'." % escape( ldda.name ) status = 'done' trans.app.datatypes_registry.set_external_metadata_tool.tool_action.execute( trans.app.datatypes_registry.set_external_metadata_tool, trans, incoming = { 'input1':ldda } ) else: @@ -570,7 +570,7 @@ self.delete_extended_metadata(trans, ex_obj) ex_obj = self.create_extended_metadata(trans, payload) self.set_item_extended_metadata_obj(trans, ldda, ex_obj) - message = "Updated Extended metadata '%s'." % ldda.name + message = "Updated Extended metadata '%s'." % escape( ldda.name ) status = 'done' else: message = "LDDA not found" @@ -581,7 +581,7 @@ if ex_obj is not None: self.unset_item_extended_metadata_obj(trans, ldda) self.delete_extended_metadata(trans, ex_obj) - message = "Deleted Extended metadata '%s'." % ldda.name + message = "Deleted Extended metadata '%s'." % escape( ldda.name ) status = 'done' @@ -658,7 +658,7 @@ @web.expose def ldda_permissions( self, trans, cntrller, library_id, folder_id, id, **kwd ): - message = escape( kwd.get( 'message', '' ) ) + message = str( escape( kwd.get( 'message', '' ) ) ) status = kwd.get( 'status', 'done' ) show_deleted = util.string_as_bool( kwd.get( 'show_deleted', False ) ) use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) @@ -744,7 +744,7 @@ trans.app.security_agent.set_all_library_permissions( trans, ldda, permissions ) trans.sa_session.refresh( ldda ) if len( lddas ) == 1: - message = "Permissions updated for dataset '%s'." % ldda.name + message = "Permissions updated for dataset '%s'." % escape( ldda.name ) else: message = 'Permissions updated for %d datasets.' % len( lddas ) status= 'done' 
@@ -937,13 +937,13 @@ ldda_id_list = [ str( v.id ) for k, v in created_outputs_dict.items() ] created_ldda_ids=",".join( ldda_id_list ) if replace_dataset: - message = "Added %d dataset versions to the library dataset '%s' in the folder '%s'." % ( total_added, replace_dataset_name, folder.name ) + message = "Added %d dataset versions to the library dataset '%s' in the folder '%s'." % ( total_added, escape( replace_dataset_name ), escape( folder.name ) ) else: if not folder.parent: # Libraries have the same name as their root_folder - message = "Added %d datasets to the library '%s' (each is selected). " % ( total_added, folder.name ) + message = "Added %d datasets to the library '%s' (each is selected). " % ( total_added, escape( folder.name ) ) else: - message = "Added %d datasets to the folder '%s' (each is selected). " % ( total_added, folder.name ) + message = "Added %d datasets to the folder '%s' (each is selected). " % ( total_added, escape( folder.name ) ) if cntrller == 'library_admin': message += "Click the Go button at the bottom of this page to edit the permissions on these datasets if necessary." status='done' 
@@ -1399,13 +1399,13 @@ ldda_id_list = created_ldda_ids.split( ',' ) total_added = len( ldda_id_list ) if replace_dataset: - message = "Added %d dataset versions to the library dataset '%s' in the folder '%s'." % ( total_added, replace_dataset.name, folder.name ) + message = "Added %d dataset versions to the library dataset '%s' in the folder '%s'." % ( total_added, escape( replace_dataset.name ), escape( folder.name ) ) else: if not folder.parent: # Libraries have the same name as their root_folder - message = "Added %d datasets to the library '%s' (each is selected). " % ( total_added, folder.name ) + message = "Added %d datasets to the library '%s' (each is selected). " % ( total_added, escape( folder.name ) ) else: - message = "Added %d datasets to the folder '%s' (each is selected). " % ( total_added, folder.name ) + message = "Added %d datasets to the folder '%s' (each is selected). " % ( total_added, escape( folder.name ) ) if cntrller == 'library_admin': message += "Click the Go button at the bottom of this page to edit the permissions on these datasets if necessary." else: @@ -1591,7 +1591,7 @@ library_dataset.info = new_info trans.sa_session.add( library_dataset ) trans.sa_session.flush() - message = "Information updated for library dataset '%s'." % library_dataset.name + message = "Information updated for library dataset '%s'." % escape( library_dataset.name ) status = 'done' # See if we have any associated templates widgets = [] 
@@ -1648,7 +1648,7 @@ # Set the LIBRARY permissions on the LibraryDatasetDatasetAssociation trans.app.security_agent.set_all_library_permissions( trans, library_dataset.library_dataset_dataset_association, permissions ) trans.sa_session.refresh( library_dataset.library_dataset_dataset_association ) - message = "Permisisons updated for library dataset '%s'." % library_dataset.name + message = "Permisisons updated for library dataset '%s'." % escape( library_dataset.name ) status = 'done' roles = trans.app.security_agent.get_legitimate_roles( trans, library_dataset, cntrller ) return trans.fill_template( '/library/common/library_dataset_permissions.mako', 
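Review bot: The line touched in @@ -1648 keeps the misspelling `Permisisons` in the user-visible message; since the line is being rewritten anyway it should read `message = "Permissions updated for library dataset '%s'." % escape( library_dataset.name )`. The same applies to other lines changed by this commit: `libary` in the ldda message of @@ -1677 (library_common.py) and `specifield` in the `'%d invalid %s specifield. '` messages of @@ -2430 and @@ -2496. The enclosing method starts and ends outside the hunk.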
@@ -1677,23 +1677,23 @@ contents = util.string_as_bool( kwd.get( 'contents', 'False' ) ) trans.app.security_agent.make_library_public( library, contents=contents ) if contents: - message = "The data library (%s) and all its contents have been made publicly accessible." % library.name + message = "The data library (%s) and all its contents have been made publicly accessible." % escape( library.name ) else: - message = "The data library (%s) has been made publicly accessible, but access to its contents has been left unchanged." % library.name + message = "The data library (%s) has been made publicly accessible, but access to its contents has been left unchanged." % escape( library.name ) elif item_type == 'folder': folder = trans.sa_session.query( trans.model.LibraryFolder ).get( trans.security.decode_id( id ) ) self._check_access( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) self._check_manage( trans, cntrller, is_admin, folder, current_user_roles, use_panels, library_id, show_deleted ) trans.app.security_agent.make_folder_public( folder ) - message = "All of the contents of folder (%s) have been made publicly accessible." % folder.name + message = "All of the contents of folder (%s) have been made publicly accessible." % escape( folder.name ) elif item_type == 'ldda': ldda = trans.sa_session.query( trans.model.LibraryDatasetDatasetAssociation ).get( trans.security.decode_id( id ) ) self._check_access( trans, cntrller, is_admin, ldda.library_dataset, current_user_roles, use_panels, library_id, show_deleted ) self._check_manage( trans, cntrller, is_admin, ldda.library_dataset, current_user_roles, use_panels, library_id, show_deleted ) trans.app.security_agent.make_dataset_public( ldda.dataset ) - message = "The libary dataset (%s) has been made publicly accessible." % ldda.name + message = "The libary dataset (%s) has been made publicly accessible." 
% escape( ldda.name ) else: - message = "Invalid item_type (%s) received." % str( item_type ) + message = "Invalid item_type (%s) received." % escape( str( item_type ) ) status = 'error' return trans.response.send_redirect( web.url_for( controller='library_common', action='browse_library', @@ -1803,7 +1803,7 @@ if invalid_lddas: message += "You are not authorized to manage permissions on %s: " % inflector.cond_plural( len( invalid_lddas ), "dataset" ) for ldda in invalid_lddas: - message += '(%s)' % ldda.name + message += '(%s)' % escape( ldda.name ) message += '. ' if valid_ldda_ids: encoded_ldda_ids = [ trans.security.encode_id( ldda_id ) for ldda_id in valid_ldda_ids ] @@ -1967,7 +1967,7 @@ return archive.stream else: status = 'error' - message = 'Invalid action (%s) specified.' % str( action ) + message = 'Invalid action (%s) specified.' % escape( str( action ) ) if library_id: # If we have a library_id, browse the associated library return trans.response.send_redirect( web.url_for( controller='library_common', @@ -2053,11 +2053,11 @@ status = 'error' invalid_datasets += 1 elif ldda.dataset.state not in [ trans.model.Dataset.states.OK, trans.model.Dataset.states.ERROR ]: - message += "You cannot import dataset '%s' since its state is '%s'. " % ( ldda.name, ldda.dataset.state ) + message += "You cannot import dataset '%s' since its state is '%s'. " % ( escape( ldda.name ), ldda.dataset.state ) status = 'error' invalid_datasets += 1 elif not ldda.has_data(): - message += "You cannot import empty dataset '%s'. " % ldda.name + message += "You cannot import empty dataset '%s'. " % escape( ldda.name ) status = 'error' invalid_datasets += 1 else: 
@@ -2140,7 +2140,7 @@ except ValueError: return None if not ( is_admin or trans.app.security_agent.can_modify_library_item( current_user_roles, item ) ): - message = "You are not authorized to modify %s '%s'." % ( item_desc, item.name ) + message = "You are not authorized to modify %s '%s'." % ( escape( item_desc ), escape( item.name ) ) return trans.response.send_redirect( web.url_for( controller='library_common', action='browse_library', cntrller=cntrller, @@ -2151,9 +2151,9 @@ info_association, inherited = item.get_info_association( restrict=True ) if info_association: if info_association.inheritable: - message = "The template for this %s will no longer be inherited to contained folders and datasets." % item_desc + message = "The template for this %s will no longer be inherited to contained folders and datasets." % escape( item_desc ) else: - message = "The template for this %s will now be inherited to contained folders and datasets." % item_desc + message = "The template for this %s will now be inherited to contained folders and datasets." % escape( item_desc ) info_association.inheritable = not( info_association.inheritable ) trans.sa_session.add( info_association ) trans.sa_session.flush() @@ -2260,7 +2260,7 @@ elif invalid_lddas: message += "You are not authorized to move %s: " % inflector.cond_plural( len( invalid_lddas ), "dataset" ) for ldda in invalid_lddas: - message += '(%s)' % ldda.name + message += '(%s)' % escape( ldda.name ) message += '. ' num_source = len( move_ldda_ids ) - invalid_items message = "%i %s moved to folder (%s) within data library (%s)" % ( num_source, 
@@ -2278,9 +2278,9 @@ move_folder.parent = target_folder trans.sa_session.add( move_folder ) flush_required = True - message = "Moved folder (%s) to folder (%s) within data library (%s) " % ( move_folder.name, - target_folder.name, - target_library.name ) + message = "Moved folder (%s) to folder (%s) within data library (%s) " % ( escape( move_folder.name ), + escape( target_folder.name ), + escape( target_library.name ) ) if flush_required: trans.sa_session.flush() if target_library: @@ -2400,7 +2400,7 @@ is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' ) current_user_roles = trans.get_current_user_roles() if item_type not in item_types: - message = 'Bad item_type specified: %s' % str( item_type ) + message = 'Bad item_type specified: %s' % escape( str( item_type ) ) status = 'error' else: if item_type == 'library_dataset': @@ -2430,12 +2430,12 @@ if flush_needed: trans.sa_session.flush() if valid_items: - message += "%d %s marked deleted. " % ( valid_items, inflector.cond_plural( valid_items, item_desc ) ) + message += "%d %s marked deleted. " % ( valid_items, escape( inflector.cond_plural( valid_items, item_desc ) ) ) if invalid_items: - message += '%d invalid %s specifield. ' % ( invalid_items, inflector.cond_plural( invalid_items, item_desc ) ) + message += '%d invalid %s specifield. ' % ( invalid_items, escape( inflector.cond_plural( invalid_items, item_desc ) ) ) status = 'error' if not_authorized_items: - message += 'You are not authorized to delete %d %s. ' % ( not_authorized_items, inflector.cond_plural( not_authorized_items, item_desc ) ) + message += 'You are not authorized to delete %d %s. ' % ( not_authorized_items, escape( inflector.cond_plural( not_authorized_items, item_desc ) ) ) status = 'error' if item_type == 'library': return trans.response.send_redirect( web.url_for( controller=cntrller, 
@@ -2462,7 +2462,7 @@ is_admin = ( trans.user_is_admin() and cntrller == 'library_admin' ) current_user_roles = trans.get_current_user_roles() if item_type not in item_types: - message = 'Bad item_type specified: %s' % str( item_type ) + message = 'Bad item_type specified: %s' % escape( str( item_type ) ) status = 'error' else: if item_type == 'library_dataset': @@ -2496,15 +2496,15 @@ if flush_needed: trans.sa_session.flush() if valid_items: - message += "%d %s marked undeleted. " % ( valid_items, inflector.cond_plural( valid_items, item_desc ) ) + message += "%d %s marked undeleted. " % ( valid_items, escape( inflector.cond_plural( valid_items, item_desc ) ) ) if invalid_items: - message += '%d invalid %s specifield. ' % ( invalid_items, inflector.cond_plural( invalid_items, item_desc ) ) + message += '%d invalid %s specifield. ' % ( invalid_items, escape( inflector.cond_plural( invalid_items, item_desc ) ) ) status = 'error' if not_authorized_items: - message += 'You are not authorized to undelete %d %s. ' % ( not_authorized_items, inflector.cond_plural( not_authorized_items, item_desc ) ) + message += 'You are not authorized to undelete %d %s. ' % ( not_authorized_items, escape( inflector.cond_plural( not_authorized_items, item_desc ) ) ) status = 'error' if purged_items: - message += '%d %s marked purged, so cannot be undeleted. ' % ( purged_items, inflector.cond_plural( purged_items, item_desc ) ) + message += '%d %s marked purged, so cannot be undeleted. ' % ( purged_items, escape( inflector.cond_plural( purged_items, item_desc ) ) ) status = 'error' if item_type == 'library': return trans.response.send_redirect( web.url_for( controller=cntrller, 
@@ -2525,7 +2525,7 @@ if isinstance( item, trans.model.HistoryDatasetAssociation ): # Make sure the user has the DATASET_ACCESS permission on the history_dataset_association. if not item: - message = "Invalid history dataset (%s) specified." % str( item ) + message = "Invalid history dataset (%s) specified." % escape( str( item ) ) can_access = False elif not trans.app.security_agent.can_access_dataset( current_user_roles, item.dataset ) and item.history.user==trans.user: message = "You do not have permission to access the history dataset with id (%s)." % str( item.id ) @@ -2533,7 +2533,7 @@ else: # Make sure the user has the LIBRARY_ACCESS permission on the library item. if not item: - message = "Invalid library item (%s) specified." % str( item ) + message = "Invalid library item (%s) specified." % escape( str( item ) ) can_access = False elif not ( is_admin or trans.app.security_agent.can_access_library_item( current_user_roles, item, trans.user ) ): if isinstance( item, trans.model.Library ): @@ -2542,7 +2542,7 @@ item_type = 'folder' else: item_type = '(unknown item type)' - message = "You do not have permission to access the %s with id (%s)." % ( item_type, str( item.id ) ) + message = "You do not have permission to access the %s with id (%s)." % ( escape( item_type ), str( item.id ) ) can_access = False if not can_access: if cntrller == 'api': @@ -2566,7 +2566,7 @@ def _check_add( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ): # Deny access if the user is not an admin and does not have the LIBRARY_ADD permission. if not ( is_admin or trans.app.security_agent.can_add_library_item( current_user_roles, item ) ): - message = "You are not authorized to add an item to (%s)." % item.name + message = "You are not authorized to add an item to (%s)." % escape( item.name ) # Redirect to the real parent library since we know we have access to it. if cntrller == 'api': return 403, message 
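Review bot: In the @@ -2566 hunk `_check_add` now builds `message` with `escape( item.name )` and then returns it verbatim to API callers (`if cntrller == 'api': return 403, message`), so an API client receives HTML-entity-encoded names (`&amp;`, `&#39;`) in the error body; the same applies to `_check_manage` and `_check_modify` in the @@ -2585, @@ -2597 and @@ -2611 hunks. HTML escaping should happen only on the redirect/template path, e.g. keep `message = "You are not authorized to add an item to (%s)." % item.name` and escape it where it is passed to `web.url_for(...)` or in the template. Whether the API layer decodes entities before serialising is not visible here. The enclosing methods start and end outside these hunks.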
@@ -2585,7 +2585,7 @@
 if not ( is_admin or \
 ( trans.app.security_agent.can_manage_library_item( current_user_roles, item ) and
 trans.app.security_agent.can_manage_dataset( current_user_roles, library_dataset.library_dataset_dataset_association.dataset ) ) ):
- message = "You are not authorized to manage permissions on library dataset (%s)." % library_dataset.name
+ message = "You are not authorized to manage permissions on library dataset (%s)." % escape( library_dataset.name )
 if cntrller == 'api':
 return 403, message
 return trans.response.send_redirect( web.url_for( controller='library_common',
@@ -2597,7 +2597,7 @@
 status='error' ) )
 # Deny access if the user is not an admin and does not have the LIBRARY_MANAGE permission.
 if not ( is_admin or trans.app.security_agent.can_manage_library_item( current_user_roles, item ) ):
- message = "You are not authorized to manage permissions on (%s)." % item.name
+ message = "You are not authorized to manage permissions on (%s)." % escape( item.name )
 if cntrller == 'api':
 return 403, message
 return trans.response.send_redirect( web.url_for( controller='library_common',
@@ -2611,7 +2611,7 @@
 def _check_modify( self, trans, cntrller, is_admin, item, current_user_roles, use_panels, library_id, show_deleted ):
 # Deny modification if the user is not an admin and does not have the LIBRARY_MODIFY permission.
 if not ( is_admin or trans.app.security_agent.can_modify_library_item( current_user_roles, item ) ):
- message = "You are not authorized to modify (%s)." % item.name
+ message = "You are not authorized to modify (%s)." % escape( item.name )
 if cntrller == 'api':
 return 403, message
 return trans.response.send_redirect( web.url_for( controller='library_common',
diff -r cc6774fcfed18076b0bc0b3a671b696a8a7d7a87 -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -569,7 +569,7 @@
 username = trans.user.username
 is_activation_sent = self.send_verification_email( trans, email, username )
 if is_activation_sent:
- message = 'This account has not been activated yet. The activation link has been sent again. Please check your email address <b>%s</b> including the spam/trash folder.<br><a target="_top" href="%s">Return to the home page</a>.' % ( email, url_for( '/' ) )
+ message = 'This account has not been activated yet. The activation link has been sent again. Please check your email address <b>%s</b> including the spam/trash folder.<br><a target="_top" href="%s">Return to the home page</a>.' % ( escape( email ), url_for( '/' ) )
 status = 'error'
 else:
 message = 'This account has not been activated yet but we are unable to send the activation link. Please contact your local Galaxy administrator.<br><a target="_top" href="%s">Return to the home page</a>.' % url_for( '/' )
@@ -673,7 +673,7 @@
 trans.log_event( "User created a new account" )
 trans.log_event( "User logged in" )
 if success and is_admin:
- message = 'Created new user account (%s)' % user.email
+ message = 'Created new user account (%s)' % escape( user.email )
 trans.response.send_redirect( web.url_for( controller='admin',
 action='users',
 cntrller=cntrller,
@@ -770,7 +770,7 @@
 if trans.webapp.name == 'galaxy' and trans.app.config.user_activation_on:
 is_activation_sent = self.send_verification_email( trans, email, username )
 if is_activation_sent:
- message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) )
+ message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) )
 success = True
 else:
 message = 'Unable to send activation email, please contact your local Galaxy administrator.'
@@ -778,7 +778,7 @@
 message += ' Contact: %s' % trans.app.config.error_email_to
 success = False
 else: # User activation is OFF, proceed without sending the activation email.
- message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) )
+ message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) )
 success = True
 return ( message, status, user, success )
@@ -788,7 +788,7 @@
 """
 if username is None:
 username = trans.user.username
- activation_link = self.prepare_activation_link( trans, email )
+ activation_link = self.prepare_activation_link( trans, escape( email ) )
 body = ("Hello %s,\n\n"
 "In order to complete the activation process for %s begun on %s at %s, please click on the following link to verify your account:\n\n"
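Review bot: `activation_link = self.prepare_activation_link( trans, escape( email ) )` HTML-escapes the address before it is used to build the activation link, and the following 796 hunk escapes `username` and `email` inside an email `body` that is plain text (newline-separated, no markup), so an address or name containing `'`, `&` or `<` goes out as `&#39;`, `&amp;` or `&lt;` and may even corrupt the link the user has to click. Escaping has to match the output context: the HTML `message` strings in the 770 and 778 hunks are the right place for `escape()`, the email body and the link input are not. Drop the `escape()` around `email` on the `prepare_activation_link` line and around `username` / `email` in the body tuple; if the link places the address in a query string, URL-encoding at that point is the appropriate transform. `send_verification_email` continues past the end of this hunk into the next one.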
@@ -796,7 +796,7 @@
 "By clicking on the above link and opening a Galaxy account you are also confirming that you have read and agreed to Galaxy's Terms and Conditions for use of this service (%s). This includes a quota limit of one account per user. Attempts to subvert this limit by creating multiple accounts or through any other method may result in termination of all associated accounts and data.\n\n"
 "Please contact us if you need help with your account at: %s. You can also browse resources available at: %s. \n\n"
 "More about the Galaxy Project can be found at galaxyproject.org\n\n"
- "Your Galaxy Team" % (username, email,
+ "Your Galaxy Team" % (escape( username ), escape( email ),
 datetime.utcnow().strftime( "%D"),
 trans.request.host, activation_link, trans.app.config.terms_url,
@@ -1155,7 +1155,7 @@
 if not username:
 return "A public user name is required in the tool shed."
 if username in [ 'repos' ]:
- return "The term <b>%s</b> is a reserved word in the tool shed, so it cannot be used as a public user name." % username
+ return "The term <b>%s</b> is a reserved word in the tool shed, so it cannot be used as a public user name." % escape( username )
 message = "\n".join( [ validate_email( trans, email ),
 validate_password( trans, password, confirm ),
 validate_publicname( trans, username ) ] ).rstrip()
diff -r cc6774fcfed18076b0bc0b3a671b696a8a7d7a87 -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 lib/galaxy/webapps/galaxy/controllers/workflow.py
--- a/lib/galaxy/webapps/galaxy/controllers/workflow.py
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py
@@ -1022,7 +1022,7 @@
 """
 url = kwd.get( 'url', '' )
 workflow_text = kwd.get( 'workflow_text', '' )
- message = escape( kwd.get( 'message', '' ) )
+ message = str( escape( kwd.get( 'message', '' ) ) )
 status = kwd.get( 'status', 'done' )
 import_button = kwd.get( 'import_button', False )
 # The special Galaxy integration landing page's URL on myExperiment
diff -r cc6774fcfed18076b0bc0b3a671b696a8a7d7a87 -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 lib/galaxy/webapps/tool_shed/controllers/admin.py
--- a/lib/galaxy/webapps/tool_shed/controllers/admin.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/admin.py
@@ -140,7 +140,7 @@
 trans.sa_session.flush()
 # Update the Tool Shed's repository registry.
 trans.app.repository_registry.add_category_entry( category )
- message = "Category '%s' has been created" % category.name
+ message = "Category '%s' has been created" % escape( category.name )
 status = 'done'
 trans.response.send_redirect( web.url_for( controller='admin',
 action='manage_categories',
@@ -184,7 +184,7 @@
 count += 1
 deleted_repositories += " %s " % repository.name
 if count:
- message = "Deleted %d %s: %s" % ( count, inflector.cond_plural( len( ids ), "repository" ), deleted_repositories )
+ message = "Deleted %d %s: %s" % ( count, inflector.cond_plural( len( ids ), "repository" ), escape( deleted_repositories ) )
 else:
 message = "All selected repositories were already marked deleted."
 else:
@@ -258,7 +258,7 @@
 if original_category_name != new_name:
 # Update the Tool Shed's repository registry.
 trans.app.repository_registry.edit_category_entry( original_category_name, new_name )
- message = "The information has been saved for category '%s'" % ( category.name )
+ message = "The information has been saved for category '%s'" % escape( category.name )
 status = 'done'
 return trans.response.send_redirect( web.url_for( controller='admin',
 action='manage_categories',
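Review bot: In the admin.py 184 hunk the rewritten line still picks the plural form from `len( ids )` while the number it prints is `count`, so when some of the selected repositories were already deleted the message can read "Deleted 1 repositories: ...". Use the same quantity for both: `message = "Deleted %d %s: %s" % ( count, inflector.cond_plural( count, "repository" ), escape( deleted_repositories ) )`. Escaping the accumulated `deleted_repositories` string once is fine since it is only joined from names with spaces. The loop that builds `deleted_repositories` starts before the hunk.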
@@ -431,7 +431,7 @@
 trans.sa_session.flush()
 # Update the Tool Shed's repository registry.
 trans.app.repository_registry.remove_category_entry( category )
- message += " %s " % category.name
+ message += " %s " % escape( category.name )
 else:
 message = "No category ids received for deleting."
 status = 'error'
@@ -462,7 +462,7 @@
 trans.sa_session.delete( rca )
 trans.sa_session.flush()
 purged_categories += " %s " % category.name
- message = "Purged %d categories: %s" % ( count, purged_categories )
+ message = "Purged %d categories: %s" % ( count, escape( purged_categories ) )
 else:
 message = "No category ids received for purging."
 status = 'error'
@@ -491,7 +491,7 @@
 trans.app.repository_registry.add_category_entry( category )
 count += 1
 undeleted_categories += " %s" % category.name
- message = "Undeleted %d categories: %s" % ( count, undeleted_categories )
+ message = "Undeleted %d categories: %s" % ( count, escape( undeleted_categories ) )
 else:
 message = "No category ids received for undeleting."
 status = 'error'
diff -r cc6774fcfed18076b0bc0b3a671b696a8a7d7a87 -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 lib/galaxy/webapps/tool_shed/controllers/repository.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py
@@ -1120,11 +1120,11 @@
 if mark_deprecated:
 # Update the repository registry.
 trans.app.repository_registry.remove_entry( repository )
- message = 'The repository <b>%s</b> has been marked as deprecated.' % repository.name
+ message = 'The repository <b>%s</b> has been marked as deprecated.' % escape( repository.name )
 else:
 # Update the repository registry.
 trans.app.repository_registry.add_entry( repository )
- message = 'The repository <b>%s</b> has been marked as not deprecated.' % repository.name
+ message = 'The repository <b>%s</b> has been marked as not deprecated.' % escape( repository.name )
 trans.response.send_redirect( web.url_for( controller='repository',
 action='browse_repositories',
 operation='repositories_i_own',
@@ -1382,8 +1382,8 @@
 else:
 kwd[ 'message' ] = "tool id: <b>%s</b><br/>tool name: <b>%s</b><br/>tool version: <b>%s</b><br/>exact matches only: <b>%s</b>" % \
 ( basic_util.stringify( tool_ids ),
- basic_util.stringify( tool_names ),
- basic_util.stringify( tool_versions ),
+ escape( basic_util.stringify( tool_names ) ),
+ escape( basic_util.stringify( tool_versions ) ),
 str( exact_matches_checked ) )
 self.matched_repository_grid.title = "Repositories with matching tools"
 return self.matched_repository_grid( trans, **kwd )
@@ -1473,7 +1473,7 @@
 return self.install_matched_repository_grid( trans, **kwd )
 else:
 kwd[ 'message' ] = "workflow name: <b>%s</b><br/>exact matches only: <b>%s</b>" % \
- ( basic_util.stringify( workflow_names ), str( exact_matches_checked ) )
+ ( escape( basic_util.stringify( workflow_names ) ), str( exact_matches_checked ) )
 self.matched_repository_grid.title = "Repositories with matching workflows"
 return self.matched_repository_grid( trans, **kwd )
 else:
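Review bot: In the 1382 hunk `basic_util.stringify( tool_ids )` is still interpolated raw into the `<b>%s</b>` markup of `kwd[ 'message' ]` while `tool_names` and `tool_versions` on the next two lines are escaped; the ids presumably come from the same search form as the names, so a crafted tool id still reaches the grid message unescaped. Wrap it the same way: `( escape( basic_util.stringify( tool_ids ) ),`. The 1473 hunk is consistent, since `workflow_names` is the only free-text value there and `str( exact_matches_checked )` is a bool. The search method enclosing the 1382 hunk starts before it.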
@@ -3060,7 +3060,7 @@
 changeset_revision=changeset_revision ) )
 else:
 message = "The change log for the repository named <b>%s</b> owned by <b>%s</b> does not include revision <b>%s</b>." % \
- ( str( name ), str( owner ), str( changeset_revision ) )
+ ( escape( str( name ) ), escape( str( owner ) ), escape( str( changeset_revision ) ) )
 return trans.response.send_redirect( web.url_for( controller='repository',
 action='index',
 repository_id=repository_id,
@@ -3161,18 +3161,18 @@
 capsule_dict = irm.upload_capsule( **kwd )
 status = capsule_dict.get( 'status', 'error' )
 if status == 'error':
- message = capsule_dict.get( 'error_message', '' )
+ message = escape( capsule_dict.get( 'error_message', '' ) )
 else:
 capsule_dict = irm.extract_capsule_files( **capsule_dict )
 capsule_dict = irm.validate_capsule( **capsule_dict )
- status = capsule_dict.get( 'status', 'error' )
+ status = escape( capsule_dict.get( 'status', 'error' ) )
 if status == 'ok':
 return trans.response.send_redirect( web.url_for( controller='repository',
 action='import_capsule',
 **capsule_dict ) )
 else:
 message = 'The capsule contents are invalid and cannot be imported:<br/>%s' % \
- str( capsule_dict.get( 'error_message', '' ) )
+ escape( str( capsule_dict.get( 'error_message', '' ) ) )
 return trans.fill_template( '/webapps/tool_shed/repository/upload_capsule.mako',
 url=url,
 message=message,
diff -r cc6774fcfed18076b0bc0b3a671b696a8a7d7a87 -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 lib/galaxy/webapps/tool_shed/controllers/repository_review.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository_review.py
@@ -51,7 +51,7 @@
 review.approved = approved_select_field_value
 trans.sa_session.add( review )
 trans.sa_session.flush()
- message = 'Approved value <b>%s</b> saved for this revision.' % approved_select_field_value
+ message = 'Approved value <b>%s</b> saved for this revision.' % escape( approved_select_field_value )
 repository_id = trans.security.encode_id( review.repository_id )
 changeset_revision = review.changeset_revision
 return trans.response.send_redirect( web.url_for( controller='repository_review',
@@ -121,7 +121,7 @@
 component = trans.app.model.Component( name=name, description=description )
 trans.sa_session.add( component )
 trans.sa_session.flush()
- message = "Component '%s' has been created" % component.name
+ message = "Component '%s' has been created" % escape( component.name )
 status = 'done'
 trans.response.send_redirect( web.url_for( controller='repository_review',
 action='manage_components',
@@ -151,7 +151,7 @@
 repository_id=repository_id,
 changeset_revision=changeset_revision,
 user_id=trans.security.encode_id( trans.user.id ) ):
- message = "You have already created a review for revision <b>%s</b> of repository <b>%s</b>." % ( changeset_revision, repository.name )
+ message = "You have already created a review for revision <b>%s</b> of repository <b>%s</b>." % ( changeset_revision, escape( repository.name ) )
 status = "error"
 else:
 # See if there are any reviews for previous changeset revisions that the user can copy.
@@ -188,7 +188,7 @@
 status=status ) )
 else:
 message = "A new review cannot be created for revision <b>%s</b> of repository <b>%s</b>. Select a valid revision and try again." \
- % ( changeset_revision, repository.name )
+ % ( changeset_revision, escape( repository.name ) )
 kwd[ 'message' ] = message
 kwd[ 'status' ] = 'error'
 else:
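Review bot: In the 151 and 188 hunks `changeset_revision` is interpolated into `<b>%s</b>` unescaped while `repository.name` beside it is escaped; the value appears to arrive from the request rather than the database (the 188 branch is the "not a valid revision" case), and the sibling hunk at repository.py 3060 in this same commit does escape it, so apply `escape( changeset_revision )` in both tuples for consistency. The `approved_select_field_value` escape in the 51 hunk follows the same rule and is fine. The enclosing `create_review` method continues past both hunks.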
@@ -218,7 +218,7 @@
 component.description = new_description
 trans.sa_session.add( component )
 trans.sa_session.flush()
- message = "The information has been saved for the component named <b>%s</b>" % ( component.name )
+ message = "The information has been saved for the component named <b>%s</b>" % escape( component.name )
 status = 'done'
 return trans.response.send_redirect( web.url_for( controller='repository_review',
 action='manage_components',
diff -r cc6774fcfed18076b0bc0b3a671b696a8a7d7a87 -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 lib/galaxy/webapps/tool_shed/controllers/upload.py
--- a/lib/galaxy/webapps/tool_shed/controllers/upload.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/upload.py
@@ -256,7 +256,7 @@
 source_type = "file"
 source = uploaded_file_filename
 message = "The %s <b>%s</b> has been successfully%suploaded to the repository. " % \
- ( source_type, source, uncompress_str )
+ ( source_type, escape( source ), uncompress_str )
 if istar and ( undesirable_dirs_removed or undesirable_files_removed ):
 items_removed = undesirable_dirs_removed + undesirable_files_removed
 message += " %d undesirable items (.hg .svn .git directories, .DS_Store, hgrc files, etc) " % items_removed
diff -r cc6774fcfed18076b0bc0b3a671b696a8a7d7a87 -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 lib/tool_shed/util/repository_util.py
--- a/lib/tool_shed/util/repository_util.py
+++ b/lib/tool_shed/util/repository_util.py
@@ -164,7 +164,7 @@
 sa_session.flush()
 # Update the repository registry.
 app.repository_registry.add_entry( repository )
- message = "Repository <b>%s</b> has been created." % str( repository.name )
+ message = "Repository <b>%s</b> has been created." % escape( str( repository.name ) )
 return repository, message
 def create_repository_admin_role( app, repository ):
@@ -282,7 +282,7 @@
 repositories=in_repositories )
 sa_session.refresh( role )
 message += "Role <b>%s</b> has been associated with %d users, %d groups and %d repositories. " % \
- ( str( role.name ), len( in_users ), len( in_groups ), len( in_repositories ) )
+ ( escape( str( role.name ) ), len( in_users ), len( in_groups ), len( in_repositories ) )
 in_users = []
 out_users = []
 in_groups = []
https://bitbucket.org/galaxy/galaxy-central/commits/d677cb314dcc/ Changeset: d677cb314dcc Branch: stable User: martenson Date: 2015-02-16 19:00:52+00:00 Summary: back off some over escaping when uploading capsule Affected #: 1 file
diff -r 6d62105ccb7b5e75f6fde9c3636fed93442b36e8 -r d677cb314dccedd8743eba26f1d446cdf97ebf16 lib/galaxy/webapps/tool_shed/controllers/repository.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py
@@ -3161,18 +3161,18 @@
 capsule_dict = irm.upload_capsule( **kwd )
 status = capsule_dict.get( 'status', 'error' )
 if status == 'error':
- message = escape( capsule_dict.get( 'error_message', '' ) )
+ message = capsule_dict.get( 'error_message', '' )
 else:
 capsule_dict = irm.extract_capsule_files( **capsule_dict )
 capsule_dict = irm.validate_capsule( **capsule_dict )
- status = escape( capsule_dict.get( 'status', 'error' ) )
+ status = capsule_dict.get( 'status', 'error' )
 if status == 'ok':
 return trans.response.send_redirect( web.url_for( controller='repository',
 action='import_capsule',
 **capsule_dict ) )
 else:
 message = 'The capsule contents are invalid and cannot be imported:<br/>%s' % \
- escape( str( capsule_dict.get( 'error_message', '' ) ) )
+ str( capsule_dict.get( 'error_message', '' ) )
 return trans.fill_template( '/webapps/tool_shed/repository/upload_capsule.mako',
 url=url,
 message=message,
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
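Review bot: Reverting `status` to the raw value is right, since it is compared with `'ok'` on the next line and escaping it could only ever make that comparison fail, but removing `escape()` from both `error_message` lines means whatever `irm.upload_capsule` / `irm.validate_capsule` put into that string now reaches `fill_template` unescaped. If those messages deliberately contain markup, the untrusted fragments inside them (the uploaded capsule's file name, archive member names, text read from the capsule) need to be escaped where the message is assembled in the import manager, otherwise this restores the injection the previous changeset closed. Record the contract at the first reverted line so it is not re-added blindly, e.g. `# error_message is pre-escaped HTML built by the import manager; do not escape again`. The enclosing `upload_capsule` method starts before the hunk.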