Fixes #2230

This sanitizes some instances where tool parameters were included directly into the DOM. workflow/run.mako displayed the parameter as a value in a hidden input. This was base64 encoded as there was no better solution apparent at the time. I'm not sure where this parameter is POSTed to but we should figure that out and b64decode it, or remove the hidden parameter. client/... added the parameter value into the DOM. This was easily sanitized using a standard method. workflow/display.mako included the parameter value directly into the HTML. This was cgi.esacped Conflicts: static/scripts/bundled/libs.bundled.js.map
galaxyproject · May 2, 2016 · 9290ddc · 9290ddc
1 parent 787b351
commit 9290ddc
Show file tree

Hide file tree

Showing 8 changed files with 13 additions and 9 deletions.
diff --git a/client/galaxy/scripts/mvc/form/form-input.js b/client/galaxy/scripts/mvc/form/form-input.js
@@ -77,7 +77,7 @@ define([], function() {
             this.field.collapsed ? this.$field.hide() : this.$field.fadeIn( 'fast' );
             // render preview view for collapsed fields
             this.$preview[ this.field.collapsed && this.model.get( 'collapsible_preview' ) ? 'show' : 'hide' ]()
-                         .html( this.model.get( 'text_value' ) );
+                         .html( _.escape( this.model.get( 'text_value' ) ) );
             // render error messages
             var error_text = this.model.get( 'error_text' );
             this.$error[ error_text ? 'show' : 'hide' ]();
@@ -123,4 +123,4 @@ define([], function() {
                                  .append( $( '<div/>' ).addClass( 'ui-form-preview' ) );
         }
     });
-});
+});
diff --git a/static/maps/mvc/form/form-input.js.map b/static/maps/mvc/form/form-input.js.map
diff --git a/static/scripts/bundled/analysis.bundled.js b/static/scripts/bundled/analysis.bundled.js
diff --git a/static/scripts/bundled/analysis.bundled.js.map b/static/scripts/bundled/analysis.bundled.js.map
diff --git a/static/scripts/bundled/libs.bundled.js.map b/static/scripts/bundled/libs.bundled.js.map
diff --git a/static/scripts/mvc/form/form-input.js b/static/scripts/mvc/form/form-input.js
diff --git a/templates/webapps/galaxy/workflow/display.mako b/templates/webapps/galaxy/workflow/display.mako
@@ -4,6 +4,7 @@
 <%!
     from galaxy.tools.parameters.basic import DataCollectionToolParameter, DataToolParameter, RuntimeValue
     from galaxy.web import form_builder
+    import cgi
 %>
 
 <%def name="stylesheets()">
@@ -63,7 +64,7 @@
                     <i>select at runtime</i>
                 %endif
             %else:
-                ${param.value_to_display_text( value, app )}
+                ${cgi.escape( param.value_to_display_text( value, app ) )}
             %endif
         </div>
         %if hasattr( step, 'upgrade_messages' ) and step.upgrade_messages and param.name in step.upgrade_messages:

diff --git a/templates/webapps/galaxy/workflow/run.mako b/templates/webapps/galaxy/workflow/run.mako
@@ -648,12 +648,15 @@ if wf_parms:
     });
     </script>
 %endif
+<%
+import base64
+%>
 %for i, step in enumerate( steps ):
     <!-- Only way module would be missing is if tool is missing, but
          that would cause missing_tools.mako to render instead of this
          template. -->
     <% module = step.module %>
-    <input type="hidden" name="${step.id}|tool_state" value="${module.get_state( step.state )}">
+    <input type="hidden" name="${step.id}|tool_state" value="${base64.b64encode( module.get_state( step.state ))}">
     %if step.type == 'tool' or step.type is None:
       <%
         tool = trans.app.toolbox.get_tool( step.tool_id )