Sanitize file name #851

Merged
merged 1 commit into from Jan 5, 2015

LukasReschke
Contributor

Another bunch…

@kogmbh-ci

Can one of the admins verify this patch?

@LukasReschke
Contributor Author

Disclaimer: I have no idea how to run the tests and don't feel very keen to install Qt and Co. for that on my machine. So if you want that function tested it would be appreciated if you could come up with one instead of having me digging into that too ;-)

@kossebau
Contributor

kossebau commented Dec 3, 2014

ok to test

@kogmbh-ci

Build succeeded.
Refer to this link for build results: http://ci.kogmbh.com/jenkins/job/WebODF-PullReq/2290/

@kossebau
Contributor

kossebau commented Dec 3, 2014

Related previous discussion about encoding: #783 (comment)

> I have no idea how to run the tests and don't feel very keen to install Qt and Co. for that on my machine.

Installing Qt5 (at least what is needed for QWebKit) should be sufficient to get the test running automatically. Not much Co. should be coinstalled by that. Ask your package manager.

Then, you can also run the tests manually using your browser though:

cd webodf/webodf
node httpserver.js

then navigate your browser(s) to http://127.0.0.1:8124/tests/tests.html

You could also use a custom webserver, but some tests expect to be able to save files by PUT requests, so they would fail with other webservers that do not do the expected PUT handling.

Task for me: add note about httpserver.js to webodf/tests/README


// FIXME: We need to support parametrized strings, because
// drop-in word replacements are inadequate for translations;
// see http://techbase.kde.org/Development/Tutorials/Localization/i18n_Mistakes#Pitfall_.232:_Word_Puzzles
element.innerHTML = runtime.tr('Loading') + ' ' + url + '...';
element.innerHTML = runtime.tr('Loading') + ' ' + utils.escapeHtml(url) + '...';
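
Review bot: On the changed `element.innerHTML` line, the URL is still concatenated into markup, so safety now rests entirely on `utils.escapeHtml`, whose implementation is not visible in this hunk. The value is only displayed as text, so assign it through a text node or `textContent` instead; then it never passes through the HTML parser and no escaping helper is needed at this call site. The FIXME above about parametrized strings also still applies to the `runtime.tr('Loading') + ' ' + ...` concatenation.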
Contributor

There is actually an easier way to do this that avoids any manual HTML escaping:

element.innerHTML = "";
element.appendChild(element.ownerDocument.createTextNode(runtime.tr('Loading') + url + '...'));

That would be my preference here :bowtie:

Contributor Author

Fair point. Will adjust. My JavaScript clean-code abilities are somewhat suboptimal ;-)
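
A review aid for the pattern fixed in this pull request, as an added example that is not part of the PR or of WebODF: a line-based heuristic that lists `innerHTML`-style sinks receiving anything other than a single string literal. It generalizes beyond the one line in the diff to `outerHTML`, `insertAdjacentHTML` and `document.write`; `findHtmlSinks` and `SAMPLE` are names made up for this example, and the sample lines are constructed except for the three taken from this page.

```javascript
'use strict';
// Added example, not WebODF code: list DOM sinks that feed non-literal
// values to the HTML parser so each one can be reviewed by hand.

// Assignment sinks; (?!=) keeps comparisons such as `x.innerHTML === ''` out.
const ASSIGN_SINK = /\.(innerHTML|outerHTML)\s*\+?=(?!=)\s*([^;]+)/;
// Call sinks that also parse their argument as markup.
const CALL_SINK = /\b(insertAdjacentHTML|document\.write(?:ln)?)\s*\(([^;]*)\)/;
// Exactly one quoted literal: nothing dynamic can reach the parser.
const PURE_LITERAL = /^\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*$/;

function findHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    const code = line.replace(/^\s*\/\/.*$/, ''); // ignore whole-line comments
    const match = ASSIGN_SINK.exec(code) || CALL_SINK.exec(code);
    if (!match) return;
    let value = match[2];
    if (match[1] === 'insertAdjacentHTML') {
      value = value.slice(value.indexOf(',') + 1); // markup is the 2nd argument
    }
    if (PURE_LITERAL.test(value)) return;
    findings.push({
      line: index + 1,
      sink: match[1],
      value: value.trim(),
      // Escaped values are still reported: safety depends on the helper.
      usesEscaper: /escapeHtml\s*\(/.test(value),
    });
  });
  return findings;
}

// Constructed sample: the two lines from this pull request's diff, the
// text-node form suggested in review, and a few look-alikes.
const SAMPLE = [
  "// element.innerHTML = url;",
  "element.innerHTML = runtime.tr('Loading') + ' ' + url + '...';",
  "element.innerHTML = runtime.tr('Loading') + ' ' + utils.escapeHtml(url) + '...';",
  'element.innerHTML = "";',
  "element.appendChild(element.ownerDocument.createTextNode(runtime.tr('Loading') + url + '...'));",
  "if (element.innerHTML === '') { return; }",
  "list.insertAdjacentHTML('beforeend', '<li>' + name + '</li>');",
].join('\n');

console.log(findHtmlSinks(SAMPLE));
```

The text-node line and the empty-string reset produce no finding, while the escaped variant is still listed with `usesEscaper: true` so the helper itself gets reviewed.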

Otherwise a DOM-based XSS is possible.
@LukasReschke
Contributor Author

@peitschie Incorporated your suggestions. THX for review. Care to take a second look? :-)

@kogmbh-ci

Build succeeded.
Refer to this link for build results: http://ci.kogmbh.com/jenkins/job/WebODF-PullReq/2292/

@peitschie
Contributor

This patch looks good to me. Just needs @kossebau approval now 😄

@kossebau
Contributor

kossebau commented Jan 5, 2015

Fine with me as well. Thanks for the patch, merging (so your patch now opening the 2015 commit/merge series :) ).

kossebau pushed a commit that referenced this pull request Jan 5, 2015
@kossebau kossebau merged commit 60a1269 into webodf:master Jan 5, 2015
@LukasReschke LukasReschke deleted the sanitize-file-name branch January 5, 2015 10:58