Filter Output and Misc Fixes

config.py

@@ -13,10 +13,10 @@ class BaseConfiguration(object):
     WTF_CSRF_ENABLED = False
     # Make this random (used to generate session keys)
     SECRET_KEY = 'e9987dce48df3ce98542529fd074d9e9f9cd40e66fc6c4c2'
-    basedir = path.abspath(path.dirname(__file__))
     SQLALCHEMY_TRACK_MODIFICATIONS = True
     SQLALCHEMY_DATABASE_URI = 'mysql://root:vagrant@localhost:3306/servermail'
-    SQLALCHEMY_MIGRATE_REPO = path.join(basedir, 'db_repository')
+    basedir = path.abspath(path.dirname(__file__))
+    SQLALCHEMY_MIGRATE_REPO = path.join(basedir, 'db/migrations')
 
 
 class TestConfiguration(BaseConfiguration):

manage.py

@@ -30,9 +30,9 @@ def createdb():
     """Runs the db init, db migrate, db upgrade commands automatically,
     and adds the default configuration settings if they are missing"""
     if not os.path.isdir('db/migrations'):
-        flask_migrate.init(directory='db/migrations')
-    flask_migrate.migrate(directory='db/migrations')
-    flask_migrate.upgrade(directory='db/migrations')
+        flask_migrate.init(directory=app.config['SQLALCHEMY_MIGRATE_REPO'])
+    flask_migrate.migrate(directory=app.config['SQLALCHEMY_MIGRATE_REPO'])
+    flask_migrate.upgrade(directory=app.config['SQLALCHEMY_MIGRATE_REPO'])
     add_default_configuration_settings()
 
 

postmaster/static/js/admins.js

@@ -12,14 +12,13 @@ function newAdmin(username, password, name) {
             'name': name
         }),
 
-        success: function (data) {
+        success: function (response) {
             addStatusMessage('success', 'The administrator was added successfully');
             fillInTable();
         },
 
-        error: function (data) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(data.responseText).message).html());
+        error: function (response) {
+            addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
         }
     });
 }
@@ -32,14 +31,13 @@ function deleteAdmin (id) {
         url: '/api/v1/admins/' + id,
         type: 'delete',
 
-        success: function (data) {
+        success: function (response) {
             addStatusMessage('success', 'The administrator was successfully removed');
             fillInTable();
         },
 
-        error: function (data) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(data.responseText).message).html());
+        error: function (response) {
+            addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
         }
     });
 }
@@ -61,35 +59,6 @@ function adminEventListeners () {
     adminPassword.tooltip();
     adminName.tooltip();
 
-    adminPassword.editable({
-        type: 'password',
-        mode: 'inline',
-        anim: 100,
-
-        ajaxOptions: {
-            type: 'PUT',
-            dataType: 'JSON',
-            contentType: 'application/json'
-        },
-
-        params: function (params) {
-            return JSON.stringify({'password': params.value})
-        },
-
-        display: function () {
-            $(this).html('●●●●●●●●');
-        },
-
-        error: function (response) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(response.responseText).message).html());
-        },
-
-        success: function () {
-            addStatusMessage('success', 'The administrator\'s password was changed successfully');
-        }
-    });
-
     adminUsername.editable({
         type: 'text',
         mode: 'inline',
@@ -106,12 +75,11 @@ function adminEventListeners () {
         },
 
         display: function (value) {
-            $(this).html(value.toLowerCase());
+            $(this).html(filterText(value.toLowerCase()));
         },
 
         error: function (response) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(response.responseText).message).html());
+            addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
         },
 
         success: function () {
@@ -139,8 +107,7 @@ function adminEventListeners () {
         },
 
         error: function (response) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(response.responseText).message).html());
+            addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
         },
 
         success: function () {
@@ -163,9 +130,12 @@ function adminEventListeners () {
             return JSON.stringify({ 'name': params.value })
         },
 
+        display: function (value) {
+            $(this).html(filterText(value));
+        },
+
         error: function (response) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(response.responseText).message).html());
+            addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
         },
 
         success: function () {
@@ -263,9 +233,9 @@ function fillInTable () {
             var html = '';
 
             tableRow.length == 0 ? html += '<tr id="dynamicTableRow' + String(i) + '">' : null;
-            html += '<td data-title="Username: "><a href="#" class="adminUsername" data-pk="' + item.id + '" data-url="/api/v1/admins/' + item.id + '" title="Click to change the username">' + item.username + '</a></td>\
+            html += '<td data-title="Username: "><a href="#" class="adminUsername" data-pk="' + item.id + '" data-url="/api/v1/admins/' + item.id + '" title="Click to change the username">' + filterText(item.username) + '</a></td>\
                     <td data-title="Password: "><a href="#" class="adminPassword" data-pk="' + item.id + '" data-url="/api/v1/admins/' + item.id + '" title="Click to change the password">●●●●●●●●</a></td>\
-                    <td data-title="Name: "><a href="#" class="adminName" data-pk="' + item.id + '" data-url="/api/v1/admins/' + item.id + '" title="Click to change the name">' + item.name + '</a></td>\
+                    <td data-title="Name: "><a href="#" class="adminName" data-pk="' + item.id + '" data-url="/api/v1/admins/' + item.id + '" title="Click to change the name">' + filterText(item.name) + '</a></td>\
                     <td data-title="Action: "><a href="#" class="deleteAnchor" data-pk="' + item.id + '" data-toggle="modal" data-target="#deleteModal">Delete</a></td>';
             tableRow.length == 0 ? html += '</tr>' : null;
             tableRow.length == 0 ? insertTableRow(html) : tableRow.html(html);

postmaster/static/js/aliases.js

@@ -12,14 +12,13 @@ function newAlias(source, destination) {
             'destination': destination
         }),
 
-        success: function (data) {
+        success: function (response) {
             addStatusMessage('success', 'The alias was added successfully');
             fillInTable();
         },
 
-        error: function (data) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(data.responseText).message).html());
+        error: function (response) {
+            addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
         }
     });
 }
@@ -37,9 +36,8 @@ function deleteAlias (id) {
             fillInTable();
         },
 
-        error: function (data) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(data.responseText).message).html());
+        error: function (response) {
+            addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
         }
     });
 }
@@ -156,8 +154,8 @@ function fillInTable () {
             var html = '';
 
             tableRow.length == 0 ? html += '<tr id="dynamicTableRow' + String(i) + '">' : null;
-            html += '<td data-title="Source: "><a href="#" class="sourceAlias" data-pk="' + item.id + '" data-url="/api/v1/aliases/' + item.id + '" title="Click to change the source of the alias">' + item.source + '</td>\
-                    <td data-title="Destination: "><a href="#" class="destinationAlias" data-pk="' + item.id + '" data-url="/api/v1/aliases/' + item.id + '" title="Click to change the destination of the alias">' + item.destination + '</td>\
+            html += '<td data-title="Source: "><a href="#" class="sourceAlias" data-pk="' + item.id + '" data-url="/api/v1/aliases/' + item.id + '" title="Click to change the source of the alias">' + filterText(item.source) + '</td>\
+                    <td data-title="Destination: "><a href="#" class="destinationAlias" data-pk="' + item.id + '" data-url="/api/v1/aliases/' + item.id + '" title="Click to change the destination of the alias">' + filterText(item.destination) + '</td>\
                     <td data-title="Action: "><a href="#" class="deleteAnchor" data-pk="' + item.id + '">Delete</a></td>';
             tableRow.length == 0 ? html += '</tr>' : null;
             tableRow.length == 0 ? insertTableRow(html) : tableRow.html(html);
@@ -206,11 +204,10 @@ $(document).ready(function () {
         return JSON.stringify({ 'value': params.value })
     };
     $.fn.editable.defaults.error = function (response) {
-        // The jQuery('div />') is a work around to encode all html characters
-        addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(response.responseText).message).html());
+        addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
     };
     $.fn.editable.defaults.display = function (value) {
-        $(this).html(value.toLowerCase());
+        $(this).html(filterText(value.toLowerCase()));
     };
 
     // When hitting the back/forward buttons, reload the table

postmaster/static/js/configs.js

@@ -17,7 +17,11 @@ function configEventListeners () {
 
     configTextItems.unbind();
     configTextItems.tooltip();
-    configTextItems.editable();
+    configTextItems.editable({
+        display: function (value) {
+            $(this).html(filterText(value));
+        }
+    });
 
     configLogFile.unbind();
     configLogFile.tooltip();
@@ -26,6 +30,9 @@ function configEventListeners () {
             // Sets the Mail Database Auditing to True in the UI
             $('td:contains("Mail Database Auditing")').next('td').children('a').text('True');
             addStatusMessage('success', 'The setting was changed successfully');
+        },
+        display: function (value) {
+            $(this).html(filterText(value));
         }
     });
 }
@@ -65,8 +72,8 @@ function fillInTable () {
             }
 
             tableRow.length == 0 ? html += '<tr id="dynamicTableRow' + String(i) + '">' : null;
-            html += '<td data-title="Setting: ">' + item.setting + '</td>\
-                    <td data-title="Value: "><a href="#" class="' + cssClass + '" data-pk="' + item.id + '" data-url="/api/v1/configs/' + item.id + '" title="Click to change the setting value">' + (item.value != null ? item.value : '') + '</a></td>';
+            html += '<td data-title="Setting: ">' + filterText(item.setting) + '</td>\
+                    <td data-title="Value: "><a href="#" class="' + cssClass + '" data-pk="' + item.id + '" data-url="/api/v1/configs/' + item.id + '" title="Click to change the setting value">' + (item.value != null ? filterText(item.value) : '') + '</a></td>';
             tableRow.length == 0 ? html += '</tr>' : null;
             tableRow.length == 0 ? appendTableRow(html) : tableRow.html(html);
 
@@ -112,8 +119,7 @@ $(document).ready(function () {
         return JSON.stringify({ 'value': params.value })
     };
     $.fn.editable.defaults.error = function (response) {
-        // The jQuery('div />') is a work around to encode all html characters
-        addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(response.responseText).message).html());
+        addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
     };
     $.fn.editable.defaults.success = function () {
         addStatusMessage('success', 'The setting was changed successfully');

postmaster/static/js/domains.js

@@ -8,14 +8,13 @@ function newDomain(name) {
             contentType: 'application/json',
             data: JSON.stringify({ 'name': name }),
 
-            success: function (data) {
+            success: function (response) {
                 addStatusMessage('success', 'The domain was added successfully.');
                 fillInTable();
             },
 
-            error: function (data) {
-                // The jQuery('div />') is a work around to encode all html characters
-                addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(data.responseText).message).html());
+            error: function (response) {
+                addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
             }
         });
     }
@@ -33,14 +32,13 @@ function deleteDomain (id) {
             type: 'delete',
             contentType: 'application/json',
 
-            success: function (data) {
+            success: function (response) {
                 addStatusMessage('success', 'The domain was successfully removed.');
                 fillInTable();
             },
 
-            error: function (data) {
-                // The jQuery('div />') is a work around to encode all html characters
-                addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(data.responseText).message).html());
+            error: function (response) {
+                addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
             }
         });
     }
@@ -130,7 +128,7 @@ function fillInTable(filter) {
             var html = '';
 
             tableRow.length == 0 ? html += '<tr id="dynamicTableRow' + String(i) + '">' : null;
-            html += '<td data-pk="' + item.id + '" data-title="Domain: ">' + item.name + '</td>\
+            html += '<td data-pk="' + item.id + '" data-title="Domain: ">' + filterText(item.name) + '</td>\
                      <td data-title="Action: "><a href="#" class="deleteAnchor" data-pk="' + item.id + '" data-toggle="modal" data-target="#deleteModal">Delete</a></td>';
             tableRow.length == 0 ? html += '</tr>' : null;
             tableRow.length == 0 ? insertTableRow(html) : tableRow.html(html);

postmaster/static/js/logs.js

@@ -30,9 +30,9 @@ function fillInTable() {
             var html = '';
 
             tableRow.length == 0 ? html += '<tr id="dynamicTableRow' + String(i) + '">' : null;
-            html += '<td data-title="Time: ">' + dateFormatFromISO(item.timestamp) + '</td>\
-                    <td data-title="Admin: ">' + item.admin + '</td>\
-                    <td data-title="Message: ">' + item.message + '</td>';
+            html += '<td data-title="Time: ">' + filterText(dateFormatFromISO(item.timestamp)) + '</td>\
+                    <td data-title="Admin: ">' + filterText(item.admin) + '</td>\
+                    <td data-title="Message: ">' + filterText(item.message) + '</td>';
             tableRow.length == 0 ? html += '</tr>' : null;
             tableRow.length == 0 ? appendTableRow(html) : tableRow.html(html);
 
@@ -47,7 +47,7 @@ function fillInTable() {
     .fail(function (jqxhr, textStatus, error) {
         // Remove the loading spinner
         manageSpinner(false);
-        addStatusMessage('error', JSON.parse(jqxhr.responseText)['message']);
+        addStatusMessage('error', filterText(JSON.parse(jqxhr.responseText)['message']));
     });
 }
 

postmaster/static/js/users.js

@@ -11,14 +11,13 @@ function newUser(email, password) {
             'password': password
         }),
 
-        success: function (data) {
+        success: function (response) {
             addStatusMessage('success', 'The user was added successfully');
             fillInTable();
         },
 
-        error: function (data) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(data.responseText).message).html());
+        error: function (response) {
+            addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
         }
     });
 }
@@ -31,14 +30,13 @@ function deleteUser (id) {
         url: '/api/v1/users/' + id,
         type: 'delete',
 
-        success: function (data) {
+        success: function (response) {
             addStatusMessage('success', 'The user was successfully removed');
             fillInTable();
         },
 
-        error: function (data) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(data.responseText).message).html());
+        error: function (response) {
+            addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
         }
     });
 }
@@ -74,8 +72,7 @@ function userEventListeners () {
         },
 
         error: function (response) {
-            // The jQuery('div />') is a work around to encode all html characters
-            addStatusMessage('error', jQuery('<div />').text(jQuery.parseJSON(response.responseText).message).html());
+            addStatusMessage('error', filterText(jQuery.parseJSON(response.responseText).message));
         },
 
         success: function () {
@@ -164,7 +161,7 @@ function fillInTable () {
             var html = '';
 
             tableRow.length == 0 ? html += '<tr id="dynamicTableRow' + String(i) + '">' : null;
-            html += '<td data-title="Email: ">' + item.email + '</td>\
+            html += '<td data-title="Email: ">' + filterText(item.email) + '</td>\
                     <td data-title="Password: "><a href="#" class="userPassword" data-pk="' + item.id + '" data-url="/api/v1/users/' + item.id + '" title="Click to change the password">●●●●●●●●</a></td>\
                     <td data-title="Action: "><a href="#" class="deleteAnchor" data-pk="' + item.id + '" data-toggle="modal" data-target="#deleteModal">Delete</a></td>';
             tableRow.length == 0 ? html += '</tr>' : null;

postmaster/static/js/utils.js

@@ -16,6 +16,25 @@ function getUrlVars() {
 }
 
 
+// Inspired from https://github.com/janl/mustache.js/blob/master/mustache.js
+function filterText(text) {
+     var entityMap = {
+        '&': '&',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        "'": '&#39;',
+        '/': '&#x2F;',
+        '`': '&#x60;',
+        '=': '&#x3D;'
+    };
+
+    return String(text).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) {
+      return entityMap[s];
+    });
+}
+
+
 function changePage(obj, e) {
 
     if (history.pushState) {