
☔ Aggressive escaping

foosel committed Oct 9, 2019
1 parent fd62c1f commit 7ee9bc32eb0a0b1dc28e6386ec316996734abdef
@@ -52,7 +52,7 @@ $(function() {
.done(self.requestData);
};

showConfirmationDialog(_.sprintf(gettext("You are about to revoke the application key \"%(key)s\"."), {key: key}),
showConfirmationDialog(_.sprintf(gettext("You are about to revoke the application key \"%(key)s\"."), {key: _.escape(key)}),
perform);
};

@@ -68,7 +68,7 @@ $(function() {

self.promptForAccess = function(app, token) {
var message = gettext("\"<strong>%(app)s</strong>\" has requested access to control OctoPrint through the API.");
message = _.sprintf(message, {app: app});
message = _.sprintf(message, {app: _.escape(app)});
message = "<p>" + message + "</p><p>" + gettext("Do you want to allow access to this application with your user account?") + "</p>";
return new PNotify({
title: gettext("Access Request"),
@@ -210,7 +210,7 @@ $(function() {
.done(self.requestData);
};

showConfirmationDialog(_.sprintf(gettext("You are about to revoke the application key \"%(key)s\"."), {key: key}),
showConfirmationDialog(_.sprintf(gettext("You are about to revoke the application key \"%(key)s\"."), {key: _.escape(key)}),
perform);
};

@@ -258,11 +258,11 @@ $(function() {
handler = function(key) {
return OctoPrint.plugins.appkeys.revokeKey(key)
.done(function() {
deferred.notify(_.sprintf(gettext("Revoked %(key)s..."), {key: key}), true);
deferred.notify(_.sprintf(gettext("Revoked %(key)s..."), {key: _.escape(key)}), true);
})
.fail(function(jqXHR) {
var short = _.sprintf(gettext("Revocation of %(key)s failed, continuing..."), {key: key});
var long = _.sprintf(gettext("Deletion of %(key)s failed: %(error)s"), {key: key, error: jqXHR.responseText});
var short = _.sprintf(gettext("Revocation of %(key)s failed, continuing..."), {key: _.escape(key)});
var long = _.sprintf(gettext("Deletion of %(key)s failed: %(error)s"), {key: _.escape(key), error: _.escape(jqXHR.responseText)});
deferred.notify(short, long, false);
});
};
@@ -85,7 +85,7 @@ $(function() {
self.requestData();
});
};
showConfirmationDialog(_.sprintf(gettext("You are about to delete backup file \"%(name)s\"."), {name: backup}),
showConfirmationDialog(_.sprintf(gettext("You are about to delete backup file \"%(name)s\"."), {name: _.escape(backup)}),
perform);
};

@@ -101,7 +101,7 @@ $(function() {

OctoPrint.plugins.backup.restoreBackup(backup);
};
showConfirmationDialog(_.sprintf(gettext("You are about to restore the backup file \"%(name)s\". This cannot be undone."), {name: backup}),
showConfirmationDialog(_.sprintf(gettext("You are about to restore the backup file \"%(name)s\". This cannot be undone."), {name: _.escape(backup)}),
perform);
};

@@ -117,7 +117,7 @@ $(function() {

self.backupUploadData.submit();
};
showConfirmationDialog(_.sprintf(gettext("You are about to upload and restore the backup file \"%(name)s\". This cannot be undone."), {name: self.backupUploadName()}),
showConfirmationDialog(_.sprintf(gettext("You are about to upload and restore the backup file \"%(name)s\". This cannot be undone."), {name: _.escape(self.backupUploadName())}),
perform);
};

@@ -182,7 +182,7 @@ $(function() {
self.backupInProgress(false);
new PNotify({
title: gettext("Creating the backup failed"),
text: _.sprintf(gettext("OctoPrint could not create your backup. Please consult <code>octoprint.log</code> for details. Error: %(error)s"), {error:data.error}),
text: _.sprintf(gettext("OctoPrint could not create your backup. Please consult <code>octoprint.log</code> for details. Error: %(error)s"), {error: _.escape(data.error)}),
type: "error",
hide: false
});
@@ -200,13 +200,13 @@ $(function() {
} else if (data.type === "installing_plugin") {
self.loglines.push({line: " ", stream: "message"});
self.loglines.push({
line: _.sprintf(gettext("Installing plugin \"%(plugin)s\"..."), {plugin: data.plugin}),
line: _.sprintf(gettext("Installing plugin \"%(plugin)s\"..."), {plugin: _.escape(data.plugin)}),
stream: "message"
});
} else if (data.type === "plugin_incompatible") {
self.loglines.push({line: " ", stream: "message"});
self.loglines.push({
line: _.sprintf(gettext("Cannot install plugin \"%(plugin)s\" due to it being incompatible to this OctoPrint version and/or underlying operating system"), {plugin: data.plugin.key}),
line: _.sprintf(gettext("Cannot install plugin \"%(plugin)s\" due to it being incompatible to this OctoPrint version and/or underlying operating system"), {plugin: _.escape(data.plugin.key)}),
stream: "stderr"
});
} else if (data.type === "unknown_plugins") {
@@ -245,11 +245,11 @@ $(function() {
handler = function(filename) {
return OctoPrint.plugins.backup.deleteBackup(filename)
.done(function() {
deferred.notify(_.sprintf(gettext("Deleted %(filename)s..."), {filename: filename}), true);
deferred.notify(_.sprintf(gettext("Deleted %(filename)s..."), {filename: _.escape(filename)}), true);
})
.fail(function(jqXHR) {
var short = _.sprintf(gettext("Deletion of %(filename)s failed, continuing..."), {filename: filename});
var long = _.sprintf(gettext("Deletion of %(filename)s failed: %(error)s"), {filename: filename, error: jqXHR.responseText});
var short = _.sprintf(gettext("Deletion of %(filename)s failed, continuing..."), {filename: _.escape(filename)});
var long = _.sprintf(gettext("Deletion of %(filename)s failed: %(error)s"), {filename: _.escape(filename), error: _.escape(jqXHR.responseText)});
deferred.notify(short, long, false);
});
};
@@ -121,7 +121,7 @@ $(function() {
.done(self.requestData);
};

showConfirmationDialog(_.sprintf(gettext("You are about to delete log file \"%(name)s\"."), {name: filename}),
showConfirmationDialog(_.sprintf(gettext("You are about to delete log file \"%(name)s\"."), {name: _.escape(filename)}),
perform);
};

@@ -172,11 +172,11 @@ $(function() {
var handler = function(filename) {
return OctoPrint.plugins.logging.deleteLog(filename)
.done(function() {
deferred.notify(_.sprintf(gettext("Deleted %(filename)s..."), {filename: filename}), true);
deferred.notify(_.sprintf(gettext("Deleted %(filename)s..."), {filename: _.escape(filename)}), true);
})
.fail(function(jqXHR) {
var short = _.sprintf(gettext("Deletion of %(filename)s failed, continuing..."), {filename: filename});
var long = _.sprintf(gettext("Deletion of %(filename)s failed: %(error)s"), {filename: filename, error: jqXHR.responseText});
var short = _.sprintf(gettext("Deletion of %(filename)s failed, continuing..."), {filename: _.escape(filename)});
var long = _.sprintf(gettext("Deletion of %(filename)s failed: %(error)s"), {filename: _.escape(filename), error: _.escape(jqXHR.responseText)});
deferred.notify(short, long, false);
});
};
@@ -444,7 +444,7 @@ $(function() {

// always warn if plugin is marked "disabling discouraged"
if (data.disabling_discouraged) {
var message = _.sprintf(gettext("You are about to disable \"%(name)s\"."), {name: data.name})
var message = _.sprintf(gettext("You are about to disable \"%(name)s\"."), {name: _.escape(data.name)})
+ "</p><p>" + data.disabling_discouraged;
showConfirmationDialog({
title: gettext("This is not recommended"),
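Review bot: Only `data.name` is escaped on the changed `var message` line; `data.disabling_discouraged`, appended on the following line inside the same `<p>` markup, is still inserted as raw HTML. If that text is meant to carry plugin-authored markup this is intentional and deserves a comment such as `// disabling_discouraged is trusted HTML from the plugin's metadata`; otherwise wrap it the same way: `+ "</p><p>" + _.escape(data.disabling_discouraged);`. The enclosing function starts and ends outside the hunk.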
@@ -458,7 +458,7 @@ $(function() {
// warn if global "warn disabling" setting is set"
else if (self.settingsViewModel.settings.plugins.pluginmanager.confirm_disable()) {
showConfirmationDialog({
message: _.sprintf(gettext("You are about to disable \"%(name)s\""), {name: data.name}),
message: _.sprintf(gettext("You are about to disable \"%(name)s\""), {name: _.escape(data.name)}),
cancel: gettext("Keep enabled"),
proceed: gettext("Disable plugin"),
onproceed: performDisabling,
@@ -517,13 +517,13 @@ $(function() {
if (!reinstall) {
workTitle = gettext("Installing plugin...");
if (name) {
workText = _.sprintf(gettext("Installing plugin \"%(name)s\" from %(url)s..."), {url: url, name: name});
workText = _.sprintf(gettext("Installing plugin \"%(name)s\" from %(url)s..."), {url: _.escape(url), name: _.escape(name)});
} else {
workText = _.sprintf(gettext("Installing plugin from %(url)s..."), {url: url});
workText = _.sprintf(gettext("Installing plugin from %(url)s..."), {url: _.escape(url)});
}
} else {
workTitle = gettext("Reinstalling plugin...");
workText = _.sprintf(gettext("Reinstalling plugin \"%(name)s\" from %(url)s..."), {url: url, name: name});
workText = _.sprintf(gettext("Reinstalling plugin \"%(name)s\" from %(url)s..."), {url: _.escape(url), name: _.escape(name)});
}
self._markWorking(workTitle, workText);

@@ -572,7 +572,7 @@ $(function() {
// defining actual uninstall logic as functor in order to handle
// the confirm/no-confirm logic without duplication of logic
var performUninstall = function() {
self._markWorking(gettext("Uninstalling plugin..."), _.sprintf(gettext("Uninstalling plugin \"%(name)s\""), {name: data.name}));
self._markWorking(gettext("Uninstalling plugin..."), _.sprintf(gettext("Uninstalling plugin \"%(name)s\""), {name: _.escape(data.name)}));

OctoPrint.plugins.pluginmanager.uninstall(data.key)
.done(function() {
@@ -594,7 +594,7 @@ $(function() {
if (self.settingsViewModel.settings.plugins.pluginmanager.confirm_uninstall()) {
// confirmation needed. Show confirmation dialog and call performUninstall if user clicks Yes
showConfirmationDialog({
message: _.sprintf(gettext("You are about to uninstall the plugin \"%(name)s\""), {name: data.name}),
message: _.sprintf(gettext("You are about to uninstall the plugin \"%(name)s\""), {name: _.escape(data.name)}),
cancel: gettext("Keep installed"),
proceed: gettext("Uninstall"),
onproceed: performUninstall,
@@ -756,7 +756,7 @@ $(function() {
}

text += "<li>"
+ _.sprintf(line, {plugin: step.plugin, result: step.result ? "<i class=\"fa fa-check\"></i>" : "<i class=\"fa fa-remove\"></i>"})
+ _.sprintf(line, {plugin: _.escape(step.plugin), result: step.result ? "<i class=\"fa fa-check\"></i>" : "<i class=\"fa fa-remove\"></i>"})
+ "</li>";
});
text += "</ul></p>";
@@ -934,16 +934,16 @@ $(function() {

var title;
if (important) {
title = _.sprintf(gettext("Important notice regarding plugin \"%(name)s\""), {name: name});
title = _.sprintf(gettext("Important notice regarding plugin \"%(name)s\""), {name: _.escape(name)});
} else {
title = _.sprintf(gettext("Notice regarding plugin \"%(name)s\""), {name: name});
title = _.sprintf(gettext("Notice regarding plugin \"%(name)s\""), {name: _.escape(name)});
}

var text = "";

if (notification.versions && notification.versions.length > 0) {
var versions = _.map(notification.versions, function(v) { return (v == version) ? "<strong>" + v + "</strong>" : v; }).join(", ");
text += "<small>" + _.sprintf(gettext("Affected versions: %(versions)s"), {versions: versions}) + "</small>";
text += "<small>" + _.sprintf(gettext("Affected versions: %(versions)s"), {versions: _.escape(versions)}) + "</small>";
} else {
text += "<small>" + gettext("Affected versions: all") + "</small>";
}
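Review bot: `_.escape(versions)` on the last changed line of this hunk also escapes the `<strong>` tags that the `_.map` callback two lines above wraps around the current version, so the emphasis markup will render literally as `&lt;strong&gt;`. Escape each version inside the callback instead and pass the joined string through unchanged: `var versions = _.map(notification.versions, function(v) { var safe = _.escape(v); return (v == version) ? "<strong>" + safe + "</strong>" : safe; }).join(", ");` followed by `{versions: versions}`. The enclosing function starts and ends outside the hunk.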
@@ -216,13 +216,13 @@ $(function() {
}

var fullNameTemplate = gettext("%(name)s: %(version)s");
value.fullNameLocal = _.sprintf(fullNameTemplate, {name: value.displayName, version: value.displayVersion});
value.fullNameLocal = _.sprintf(fullNameTemplate, {name: _.escape(value.displayName), version: _.escape(value.displayVersion)});

var fullNameRemoteVars = {name: value.displayName, version: gettext("unknown")};
if (value.hasOwnProperty("information") && value.information.hasOwnProperty("remote") && value.information.remote.hasOwnProperty("name")) {
fullNameRemoteVars.version = value.information.remote.name;
}
value.fullNameRemote = _.sprintf(fullNameTemplate, fullNameRemoteVars);
value.fullNameRemote = _.sprintf(fullNameTemplate, _.escape(fullNameRemoteVars));

versions.push(value);
});
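Review bot: `_.escape(fullNameRemoteVars)` on the `value.fullNameRemote` line escapes the vars object itself rather than its fields; `_.escape` stringifies its argument, so `_.sprintf` receives the string `[object Object]` instead of a map, the `%(name)s`/`%(version)s` placeholders cannot be resolved, and the display name is still not escaped. Escape the values where they are assigned: `var fullNameRemoteVars = {name: _.escape(value.displayName), version: gettext("unknown")};`, `fullNameRemoteVars.version = _.escape(value.information.remote.name);`, and `value.fullNameRemote = _.sprintf(fullNameTemplate, fullNameRemoteVars);`. The enclosing callback starts and ends outside the hunk.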
@@ -656,7 +656,7 @@ $(function() {
case "updating": {
console.log(JSON.stringify(messageData));

text = _.sprintf(gettext("Now updating %(name)s to %(version)s"), {name: messageData.name, version: messageData.version});
text = _.sprintf(gettext("Now updating %(name)s to %(version)s"), {name: _.escape(messageData.name), version: _.escape(messageData.version)});
self.loglines.push({line: "", stream: "separator"});
self.loglines.push({line: _.repeat("+", text.length), stream: "separator"});
self.loglines.push({line: text, stream: "message"});
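Review bot: The escaped `text` is pushed into `self.loglines` and also used to size the separator via `_.repeat("+", text.length)`; if log lines are rendered as plain text rather than HTML, entities such as `&quot;` will appear literally and the separator will be wider than the displayed line. The same consideration applies to the `self.loglines.push` calls in the @@ -200 hunk above, if that view renders its log the same way. How loglines are rendered is not visible here, so confirm against the template before keeping the escape on this path. The enclosing switch case starts and ends outside the hunk.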
@@ -174,7 +174,7 @@ function DataUpdater(allViewModels, connectCallback, disconnectCallback) {

self._safeModePopup = new PNotify({
title: gettext("Safe mode is active"),
text: _.sprintf(gettext("<p>The server is currently running in safe mode. Third party plugins and language packs are disabled and cannot be enabled.</p><p>Reason: %(reason)s</p>"), {reason: reason}),
text: _.sprintf(gettext("<p>The server is currently running in safe mode. Third party plugins and language packs are disabled and cannot be enabled.</p><p>Reason: %(reason)s</p>"), {reason: _.escape(reason)}),
hide: false
});
}
@@ -251,7 +251,7 @@ function DataUpdater(allViewModels, connectCallback, disconnectCallback) {
}
self._printerErrorCancelNotification = new PNotify({
title: gettext("Error reported by printer"),
text: _.sprintf(gettext("Your printer's firmware reported an error. Due to that the ongoing print job will be cancelled. Reported error: %(firmwareError)s"), payload),
text: _.sprintf(gettext("Your printer's firmware reported an error. Due to that the ongoing print job will be cancelled. Reported error: %(firmwareError)s"), _.escape(payload)),
type: "error",
hide: false
});
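Review bot: `_.escape(payload)` escapes the whole payload object rather than the field the template reads, so `_.sprintf` is handed the string `[object Object]` and the `%(firmwareError)s` placeholder cannot be resolved; the same pattern appears in the @@ -262 and @@ -289 hunks of this file for `%(error)s`. Pass the field instead: `{firmwareError: _.escape(payload.firmwareError)}` here and `{error: _.escape(payload.error)}` in the other hunks; the key names are the ones the templates already resolved against `payload` before this change. The enclosing function continues outside the hunk.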
@@ -262,24 +262,24 @@ function DataUpdater(allViewModels, connectCallback, disconnectCallback) {
switch (payload.reason) {
case "firmware": {
title = gettext("Error reported by printer");
text = _.sprintf(gettext("Your printer's firmware reported an error. Due to that OctoPrint will disconnect. Reported error: %(error)s"), payload);
text = _.sprintf(gettext("Your printer's firmware reported an error. Due to that OctoPrint will disconnect. Reported error: %(error)s"), _.escape(payload));
break;
}
case "resend":
case "resend_loop":
case "timeout": {
title = gettext("Communication error");
text = _.sprintf(gettext("There was a communication error while talking to your printer. Please consult the terminal output and octoprint.log for details. Error: %(error)s"), payload);
text = _.sprintf(gettext("There was a communication error while talking to your printer. Please consult the terminal output and octoprint.log for details. Error: %(error)s"), _.escape(payload));
break;
}
case "connection": {
title = gettext("Error connecting to printer");
text = _.sprintf(gettext("There was an error while trying to connect to your printer. Error: %(error)s"), payload);
text = _.sprintf(gettext("There was an error while trying to connect to your printer. Error: %(error)s"), _.escape(payload));
break;
}
case "start_print": {
title = gettext("Error starting a print");
text = _.sprintf(gettext("There was an error while trying to start a print job. Error: %(error)s"), payload);
text = _.sprintf(gettext("There was an error while trying to start a print job. Error: %(error)s"), _.escape(payload));
break;
}
case "autodetect_port":
@@ -289,7 +289,7 @@ function DataUpdater(allViewModels, connectCallback, disconnectCallback) {
}
default: {
title = gettext("Unknown error");
text = _.sprintf(gettext("There was an unknown error while talking to your printer. Please consult the terminal output and octoprint.log for details. Error: %(error)s"), payload);
text = _.sprintf(gettext("There was an unknown error while talking to your printer. Please consult the terminal output and octoprint.log for details. Error: %(error)s"), _.escape(payload));
break;
}
}
