Avoid XSS when writing a hrefs #6597

merged 1 commit into from May 27, 2022
Avoid XSS when writing a hrefs
cdrini committed May 27, 2022
commit 5460c8e8b517ef83c6a3b33654ba43ef0cbf051e
4 changes: 2 additions & 2 deletions openlibrary/macros/Paginate.html
Expand Up @@ -5,8 +5,8 @@

<div class="sansserif">
$if page != 0:
<a href="$:changequery(page=page - 1)" rel="nofollow">&lt; $_.prev</a> <strong>&middot;</strong>
<a href="$changequery(page=page - 1)" rel="nofollow">&lt; $_.prev</a> <strong>&middot;</strong>

$if len(pages) == limit:
<a href="$:changequery(page=page + 1)" rel="nofollow">$_.next &gt;</a>
<a href="$changequery(page=page + 1)" rel="nofollow">$_.next &gt;</a>
</div>
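Review bot: The `$:changequery(...)` → `$changequery(...)` swap on the two pager links here has to be repeated by hand in RecentChanges.html, RecentChangesAdmin.html, RecentChangesUsers.html, admin/people/edits.html, history.html and recentchanges/render.html, because each of those templates carries its own copy of the same prev/next pager markup instead of using this Paginate macro. Folding those pagers onto the macro would make the next escaping regression a one-file fix rather than a seven-file sweep. Independently of that, a small test or lint that fails on `href="$:` in the template tree would keep an unescaped interpolation from being reintroduced into an attribute unnoticed.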
4 changes: 2 additions & 2 deletions openlibrary/macros/RecentChanges.html
Expand Up @@ -51,10 +51,10 @@
</table>
<div class="historyPager small sansserif gray">
$if len(changes) == limit:
<a href="$:changequery(page=page + 1)$hash" rel="nofollow">&larr; $_("Older")</a>
<a href="$changequery(page=page + 1)$hash" rel="nofollow">&larr; $_("Older")</a>
$if page > 1:
&nbsp;|&nbsp;
<a href="$:changequery(page=page - 1)$hash" rel="nofollow">$_("Newer") &rarr;</a>
<a href="$changequery(page=page - 1)$hash" rel="nofollow">$_("Newer") &rarr;</a>
</div>

$if ip or author:
4 changes: 2 additions & 2 deletions openlibrary/macros/RecentChangesAdmin.html
Expand Up @@ -49,9 +49,9 @@

<div class="historyPager small sansserif gray" style="width:100%;">
$if len(changes) == limit:
<a href="$:changequery(page=page + 1)" rel="nofollow">&larr; $_("Older")</a> &nbsp;|&nbsp;
<a href="$changequery(page=page + 1)" rel="nofollow">&larr; $_("Older")</a> &nbsp;|&nbsp;
$if page != 0:
<a href="$:changequery(page=page - 1)" rel="nofollow">$_("Newer") &rarr;</a>
<a href="$changequery(page=page - 1)" rel="nofollow">$_("Newer") &rarr;</a>
$else:
$_("Newer") &rarr;
</div>
4 changes: 2 additions & 2 deletions openlibrary/macros/RecentChangesUsers.html
Expand Up @@ -51,10 +51,10 @@ <h2>Recent Activity</h2>

<div class="historyPager small sansserif gray" style="width:100%;">
$if len(changes) == limit:
<a href="$:changequery(page=page + 1)" rel="nofollow">&larr; $_("Older")</a>
<a href="$changequery(page=page + 1)" rel="nofollow">&larr; $_("Older")</a>
$if page != 0:
&nbsp;|&nbsp;
<a href="$:changequery(page=page - 1)" rel="nofollow">$_("Newer") &rarr;</a>
<a href="$changequery(page=page - 1)" rel="nofollow">$_("Newer") &rarr;</a>
</div>
$else:
<p>$_("No edits. Yet.")</p>
2 changes: 1 addition & 1 deletion openlibrary/macros/WorkInfo.html
Expand Up @@ -20,7 +20,7 @@
<td><span class="object">
$for name in subjects:
$for subject in page[name]:
<a href="/search?ftokens=$:utf8(facet_token('subjects', subject.strip()))">$:utf8(thingrepr(subject)).replace(' -- ', '/')</a>,
<a href="/search?ftokens=$utf8(facet_token('subjects', subject.strip()))">$:utf8(thingrepr(subject)).replace(' -- ', '/')</a>,
</span></td></tr>
$else:
<td><span class="object">$:thingrepr(page[name])</span></td></tr>
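Review bot: The href on the changed line now goes through `$utf8(...)` and is escaped, but the link text on the same line is still emitted with `$:utf8(thingrepr(subject)).replace(' -- ', '/')`, so it reaches the page unescaped. If thingrepr returns plain text, that is the same class of issue this commit fixes for attributes and the text should use `$` as well; if it deliberately returns markup, a short `$# thingrepr returns HTML; keep $:` comment would stop the next reader from "fixing" it. The `$for` loops enclosing this line start inside the hunk, but the table row they sit in belongs to a structure that begins outside it.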
4 changes: 2 additions & 2 deletions openlibrary/templates/admin/people/edits.html
Expand Up @@ -90,9 +90,9 @@ <h1><a class="plain" href="/admin/people">people</a> / <a class="plain" href="/a
$if paginate:
<div class="historyPager small sansserif gray">
$if len(changes) == limit:
<a href="$:changequery(page=page + 1)" rel="nofollow">&larr; $_("Older")</a>
<a href="$changequery(page=page + 1)" rel="nofollow">&larr; $_("Older")</a>
$if page > 1:
&nbsp;|&nbsp;
<a href="$:changequery(page=page - 1)" rel="nofollow">$_("Newer") &rarr;</a>
<a href="$changequery(page=page - 1)" rel="nofollow">$_("Newer") &rarr;</a>
</div>
</div>
4 changes: 2 additions & 2 deletions openlibrary/templates/history.html
Expand Up @@ -78,9 +78,9 @@ <h1><a href="$page.key">$name</a></h1>
<div class="sansserif">
$ page = safeint(query_param("page", "0"))
$if page != 0:
<a href="$:changequery(page=page - 1)" rel="nofollow">&larr; $_("Back")</a>
<a href="$changequery(page=page - 1)" rel="nofollow">&larr; $_("Back")</a>
$if len(h) == 20:
<a href="$:changequery(page=page + 1)" rel="nofollow">$_("Next") &rarr;</a>
<a href="$changequery(page=page + 1)" rel="nofollow">$_("Next") &rarr;</a>
</div>

</div>
2 changes: 1 addition & 1 deletion openlibrary/templates/lib/nav_foot.html
Expand Up @@ -41,7 +41,7 @@ <h2>$:_('Develop')</h2>
<h2>$:_('Help')</h2>
<ul>
<li><a href="/help">$_('Help Center')</a></li>
<li><a href="/contact?$:urlencode(dict(path=request.fullpath))" title="$_('Problems')">$_('Report A Problem')</a></li>
<li><a href="/contact?$urlencode(dict(path=request.fullpath))" title="$_('Problems')">$_('Report A Problem')</a></li>
<li><a href="/help/faq/editing" title="$_('Suggest Edits')">$_('Suggesting Edits')</a></li>
</ul>
<aside id="footer-icons">
2 changes: 1 addition & 1 deletion openlibrary/templates/notfound.html
Expand Up @@ -15,7 +15,7 @@ <h1>$_("404 - Page Not Found")</h1>

$# Show create link only to admins
$if ctx.user and ctx.user.is_admin() and create:
<p><a class="adminOnly" href="$:url(path, m='edit')">$_("Create it?")</a></p>
<p><a class="adminOnly" href="$changequery(m='edit')">$_("Create it?")</a></p>

<div>
$if "/templates" in path or "/macros" in path:
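Review bot: Besides the escaping, the changed line replaces `$:url(path, m='edit')` with `$changequery(m='edit')`, which builds the link from the current request path and query rather than from the `path` variable the old call was given. On a 404 page the two presumably coincide, but changequery will also carry over any query parameters already present on the request, and `path` is no longer used for this link; worth confirming that is intended, or keeping the `path`-based form as `$url(path, m='edit')` if `url` returns a plain string that templetor can escape. The `$if ctx.user and ctx.user.is_admin() and create:` block is inside the hunk, but the page structure around it begins before the hunk.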
4 changes: 2 additions & 2 deletions openlibrary/templates/recentchanges/render.html
Expand Up @@ -56,8 +56,8 @@
$if paginate:
<div class="historyPager small sansserif gray">
$if len(changes) == limit:
<a href="$:changequery(page=page + 1)$hash" rel="nofollow">&larr; $_("Older")</a>
<a href="$changequery(page=page + 1)$hash" rel="nofollow">&larr; $_("Older")</a>
$if page > 1:
&nbsp;|&nbsp;
<a href="$:changequery(page=page - 1)$hash" rel="nofollow">$_("Newer") &rarr;</a>
<a href="$changequery(page=page - 1)$hash" rel="nofollow">$_("Newer") &rarr;</a>
</div>
29 changes: 15 additions & 14 deletions openlibrary/templates/work_search.html
Expand Up @@ -2,17 +2,18 @@

$ fulltext_names = {'true': 'Ebooks', 'false': 'Exclude ebooks'}

$def add_facet_url(k, v):
$if k != 'has_fulltext':
$changequery(page=None,**{k:param.get(k, []) + [v]})
$else:
$changequery(page=None,**{k:v})

$def del_facet_url(k, v):
$if k != 'has_fulltext':
$changequery(page=None,**{k:[i for i in param.get(k, []) if i != v]})
$else:
$changequery(page=None,**{k:None})
$code:
def add_facet_url(k, v):
if k != 'has_fulltext':
return changequery(page=None,**{k:param.get(k, []) + [v]})
else:
return changequery(page=None,**{k:v})

def del_facet_url(k, v):
if k != 'has_fulltext':
return changequery(page=None,**{k:[i for i in param.get(k, []) if i != v]})
else:
return changequery(page=None,**{k:None})

$ param = {}
$for p in ['q', 'title', 'author', 'page', 'sort', 'isbn', 'oclc', 'contributor', 'publish_place', 'lccn', 'ia', 'first_sentence', 'publisher', 'author_key', 'debug', 'subject', 'place', 'person', 'time'] + facet_fields:
Expand Down Expand Up @@ -135,7 +136,7 @@
<span title="$_('Published by')">$display</span>
$elif header == 'author_key':
<span title="$_('Author')">$display</span>
<span style="padding-right:15px;"><a href="$:del_facet_url(header, k)" title="$_('Click to remove this facet')" class="facetRemove plain red">[x]</a></span>
<span style="padding-right:15px;"><a href="$del_facet_url(header, k)" title="$_('Click to remove this facet')" class="facetRemove plain red">[x]</a></span>
</strong></span></p>
$var title: $_('%(title)s - search', title=', '.join(title))

Expand Down Expand Up @@ -214,9 +215,9 @@ <h4 class="facetHead">$label</h4>
$ display = _('yes')
$else:
$ display = _('no')
<span class="small"><a href="$:add_facet_url(header, k)" title="$_('Filter results for ebook availability')">$display</a></span>&nbsp;<span class="smaller gray">$commify(count)</span>
<span class="small"><a href="$add_facet_url(header, k)" title="$_('Filter results for ebook availability')">$display</a></span>&nbsp;<span class="smaller gray">$commify(count)</span>
$else:
<span class="small"><a href="$:add_facet_url(header, k)" title="$_('Filter results for %(facet)s', facet=display)">$display</a></span>&nbsp;<span class="smaller gray">$commify(count)</span>
<span class="small"><a href="$add_facet_url(header, k)" title="$_('Filter results for %(facet)s', facet=display)">$display</a></span>&nbsp;<span class="smaller gray">$commify(count)</span>
</div>
$if len(counts) > start_facet_count:
<div class="facetMoreLess">
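Review bot: The new `add_facet_url` / `del_facet_url` in the `$code:` block return raw URL strings and rely on every call site using `$add_facet_url(...)` / `$del_facet_url(...)` (auto-escaped) rather than `$:`, which is presumably the inverse of the old `$def` versions; that contract is not written down anywhere. A one-line docstring on each, e.g. `"""Return an unescaped URL for this facet; emit it with $ (not $:) so templetor escapes it."""`, makes the expectation explicit for the next template that calls them. Both helpers also read `param`, which is only assigned later at the `$ param = {}` line, so they are correct only when called after that point; a comment saying so would help. The later hunks at file lines 136 and 215 switch the three call sites accordingly; their enclosing `$for` blocks start and end outside the visible lines.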