details: http://www.bx.psu.edu/hg/galaxy/rev/207298b5ea39 changeset: 3342:207298b5ea39 user: jeremy goecks <jeremy.goecks@emory.edu> date: Fri Feb 05 15:28:03 2010 -0500 description: Sanitize HTML in annotations and update annotations via ajax to show sanitation results. diffstat: lib/galaxy/web/controllers/history.py | 8 +++++--- lib/galaxy/web/controllers/root.py | 5 ++++- lib/galaxy/web/controllers/workflow.py | 19 ++++++++++--------- static/scripts/galaxy.base.js | 4 ++-- 4 files changed, 21 insertions(+), 15 deletions(-) diffs (128 lines): diff -r 12789b4ba919 -r 207298b5ea39 lib/galaxy/web/controllers/history.py --- a/lib/galaxy/web/controllers/history.py Fri Feb 05 14:25:38 2010 -0500 +++ b/lib/galaxy/web/controllers/history.py Fri Feb 05 15:28:03 2010 -0500 @@ -4,6 +4,7 @@ from galaxy.model.mapping import desc from galaxy.model.orm import * from galaxy.util.json import * +from galaxy.util.sanitize_html import sanitize_html from galaxy.tags.tag_handler import TagHandler from sqlalchemy.sql.expression import ClauseElement import webhelpers, logging, operator @@ -355,17 +356,18 @@ history.name = new_name trans.sa_session.add( history ) trans.sa_session.flush() + return history.name @web.expose @web.require_login( "use Galaxy histories" ) def annotate_async( self, trans, id, new_annotation=None, **kwargs ): history = self.get_history( trans, id ) if new_annotation: + # Sanitize annotation before adding it. + new_annotation = sanitize_html( new_annotation, 'utf-8', 'text/html' ) self.add_item_annotation( trans, history, new_annotation ) trans.sa_session.flush() - return - else: - return "failed" + return new_annotation @web.expose @web.json diff -r 12789b4ba919 -r 207298b5ea39 lib/galaxy/web/controllers/root.py --- a/lib/galaxy/web/controllers/root.py Fri Feb 05 14:25:38 2010 -0500 +++ b/lib/galaxy/web/controllers/root.py Fri Feb 05 15:28:03 2010 -0500 
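Review bot: The falsy branch of `annotate_async` now leaves the client and the database out of sync: when `new_annotation` is None or empty the method skips `add_item_annotation` yet returns `new_annotation` itself (presumably an empty body), and the new success callback in galaxy.base.js writes that straight into the element, so the page shows a blank annotation while the stored one is unchanged. Either persist the empty value as well or keep an explicit result for that case, e.g. `if not new_annotation: return "failed"` placed before the sanitize call, so the caller can tell a rejected update from a cleared one. The same pattern is in the workflow.py `annotate_async` hunk. Sanitizing at write time also leaves annotations stored before this change untouched and makes the `sanitize_html` allow-list the only control, so the templates that render annotations still need to treat them as untrusted output; that rendering is not visible in this diff. `rename_async` begins outside the hunk.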
@@ -5,6 +5,7 @@ from cgi import escape, FieldStorage from galaxy import util, datatypes, jobs, web, util from galaxy.web.base.controller import * +from galaxy.util.sanitize_html import sanitize_html from galaxy.model.orm import * log = logging.getLogger( __name__ ) @@ -305,7 +306,9 @@ else: setattr( data.metadata, name, spec.unwrap( params.get (name, None) ) ) data.datatype.after_setting_metadata( data ) - self.add_item_annotation( trans, data, params.annotation ) + # Sanitize annotation before adding it. + annotation = sanitize_html( params.annotation, 'utf-8', 'text/html' ) + self.add_item_annotation( trans, data, annotation ) else: msg = ' (Metadata could not be changed because this dataset is currently being used as input or output. You must cancel or wait for these jobs to complete before changing metadata.)' trans.sa_session.flush() diff -r 12789b4ba919 -r 207298b5ea39 lib/galaxy/web/controllers/workflow.py --- a/lib/galaxy/web/controllers/workflow.py Fri Feb 05 14:25:38 2010 -0500 +++ b/lib/galaxy/web/controllers/workflow.py Fri Feb 05 15:28:03 2010 -0500 @@ -11,6 +11,7 @@ from galaxy.datatypes.data import Data from galaxy.util.odict import odict from galaxy.util.bunch import Bunch +from galaxy.util.sanitize_html import sanitize_html from galaxy.util.topsort import topsort, topsort_levels, CycleError from galaxy.workflow.modules import * from galaxy.model.mapping import desc @@ -317,8 +318,9 @@ # Rename workflow. stored.name = kwargs[ 'name' ] if 'annotation' in kwargs: - # Set workflow annotation. - self.add_item_annotation( trans, stored, kwargs[ 'annotation' ] ) + # Set workflow annotation; sanitize annotation before adding it. + annotation = sanitize_html( kwargs[ 'annotation' ], 'utf-8', 'text/html' ) + self.add_item_annotation( trans, stored, annotation ) trans.sa_session.flush() return trans.fill_template( 'workflow/edit_attributes.mako', 
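Review bot: `sanitize_html( params.annotation, 'utf-8', 'text/html' )` now runs unconditionally on the metadata-edit path, whereas before `params.annotation` was passed straight through; if the form can be submitted without an annotation field, `params.annotation` may be None, and it is not visible here whether `sanitize_html` accepts None. A guard such as `annotation = sanitize_html( params.annotation, 'utf-8', 'text/html' ) if params.annotation else params.annotation` preserves the previous behaviour for a missing value. The same question applies to `step_dict[ 'annotation' ]` in the workflow.py step-import hunk, where the value comes from an imported workflow document and may be absent or null; that hunk also omits the `# Sanitize annotation before adding it.` comment the other call sites gained. The enclosing function begins and ends outside this hunk.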
@@ -350,20 +352,18 @@ if new_name: stored.name = new_name trans.sa_session.flush() - return - else: - return "failed" + return stored.name @web.expose @web.require_login( "use Galaxy workflows" ) def annotate_async( self, trans, id, new_annotation=None, **kwargs ): stored = get_stored_workflow( trans, id ) if new_annotation: + # Sanitize annotation before adding it. + new_annotation = sanitize_html( new_annotation, 'utf-8', 'text/html' ) self.add_item_annotation( trans, stored, new_annotation ) trans.sa_session.flush() - return - else: - return "failed" + return new_annotation @web.expose @web.require_login( "use Galaxy workflows" ) @@ -643,7 +643,8 @@ step.temp_input_connections = step_dict['input_connections'] # Save step annotation. - self.add_item_annotation( trans, step, step_dict[ 'annotation' ] ) + annotation = sanitize_html( step_dict[ 'annotation' ], 'utf-8', 'text/html' ) + self.add_item_annotation( trans, step, annotation ) # Second pass to deal with connections between steps for step in steps: # Input connections diff -r 12789b4ba919 -r 207298b5ea39 static/scripts/galaxy.base.js --- a/static/scripts/galaxy.base.js Fri Feb 05 14:25:38 2010 -0500 +++ b/static/scripts/galaxy.base.js Fri Feb 05 15:28:03 2010 -0500 @@ -249,9 +249,9 @@ alert( "Text editing for elt " + text_elt_id + " failed" ); // TODO: call finish or no? For now, let's not because error occurred. }, - success: function() { + success: function(processed_text) { // Set new text and call finish method. - $("#" + text_elt_id).text( new_text ); + $("#" + text_elt_id).text( processed_text ); if (on_finish != null) on_finish(t); }
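Review bot: An empty server response now blanks the edited element with no feedback: the success callback writes `processed_text` straight into `.text()`, and the Python `annotate_async` hunks return `new_annotation` unchanged (None) when no annotation was supplied. Treating an empty result as a failure, e.g. `if (!processed_text) { alert( "Text editing for elt " + text_elt_id + " failed" ); return; }` at the top of the callback, keeps the user informed and avoids displaying a value that was never stored. Using `.text()` is the right choice for server output here, since sanitized annotations that still contain markup are shown as literal source rather than rendered; if rendered markup is intended, switching to `.html()` would make the server-side allow-list the sole control, so keep `.text()` unless that allow-list has been reviewed. The enclosing ajax call and the `on_finish` and `t` variables are defined outside the hunk.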