
Use He library to escape html in prototype-based components. Prevent …

…creation of empty-labelled user repository. Prevent action.compression infinite loop while trying to check if file exists.
1 parent bc5d1fa commit 88e4865d91dab12b585ca86da46e3e6b9db6a14a @cdujeu cdujeu committed Sep 13, 2016
Showing with 53 additions and 40 deletions.
  1. +3 −0 core/src/plugins/action.compression/manifest.xml
  2. +5 −1 core/src/plugins/core.conf/AbstractConfDriver.php
  3. +1 −1 core/src/plugins/core.notifications/class.NotificationLoader.js
  4. +1 −1 core/src/plugins/editor.soundmanager/class.SMPlayer.js
  5. +2 −1 core/src/plugins/gui.ajax/package.json
  6. +1 −1 core/src/plugins/gui.ajax/res/js/ui/prototype/class.AbstractEditor.js
  7. +1 −1 core/src/plugins/gui.ajax/res/js/ui/prototype/class.AjxpDraggable.js
  8. +4 −1 core/src/plugins/gui.ajax/res/js/ui/prototype/class.AjxpTabulator.js
  9. +2 −2 core/src/plugins/gui.ajax/res/js/ui/prototype/class.BackgroundManagerPane.js
  10. +3 −3 core/src/plugins/gui.ajax/res/js/ui/prototype/class.Breadcrumb.js
  11. +1 −1 core/src/plugins/gui.ajax/res/js/ui/prototype/class.DataModelProperty.js
  12. +8 −8 core/src/plugins/gui.ajax/res/js/ui/prototype/class.FilesList.js
  13. +1 −1 core/src/plugins/gui.ajax/res/js/ui/prototype/class.FoldersTree.js
  14. +1 −1 core/src/plugins/gui.ajax/res/js/ui/prototype/class.FormManager.js
  15. +5 −5 core/src/plugins/gui.ajax/res/js/ui/prototype/class.InfoPanel.js
  16. +1 −1 core/src/plugins/gui.ajax/res/js/ui/prototype/class.LocationBar.js
  17. +1 −1 core/src/plugins/gui.ajax/res/js/ui/prototype/class.Modal.js
  18. +3 −2 core/src/plugins/gui.ajax/res/js/ui/prototype/class.MultiDownloader.js
  19. +5 −5 core/src/plugins/gui.ajax/res/js/ui/prototype/class.RepositorySelect.js
  20. +2 −2 core/src/plugins/gui.ajax/res/js/ui/prototype/class.RepositorySimpleLabel.js
  21. +1 −0 core/src/plugins/gui.ajax/res/js/vendor/nodejs/export.js
  22. +1 −1 core/src/plugins/gui.ajax/res/js/vendor/webfx/xtree.js
@@ -42,6 +42,9 @@
while(userSelection.fileNameExists(name + extension)){
name = tmpFileName + "-" + compteurFileName;
compteurFileName ++;
+ if(compteurFileName > 20){
+ break;
+ }
}
archive_nameInput.setValue(name + extension);
return name;
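Review bot: The `break` added under `if(compteurFileName > 20)` leaves the loop before the condition re-tests the name just built with counter 20, so the function can return an archive name that `userSelection.fileNameExists` would have rejected, and the caller gets no signal that the search gave up. Re-check once after the loop, e.g. `if(userSelection.fileNameExists(name + extension)){ /* surface the collision to the caller instead of returning it */ }`, and give the limit a why-comment such as `// cap the probe at 20 candidates so a fileNameExists() that never returns false cannot hang the UI`. The enclosing function starts outside the hunk.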
@@ -1048,7 +1048,11 @@ public function switchAction(ServerRequestInterface $requestInterface, ResponseI
$tplRepo = RepositoryService::getRepositoryById($tplId);
$options = [];
OptionsHelper::parseStandardFormParameters($ctx, $httpVars, $options);
- $newRep = $tplRepo->createTemplateChild(InputFilter::sanitize($httpVars["DISPLAY"]), $options, $loggedUser->getId(), $loggedUser->getId());
+ $display = InputFilter::sanitize($httpVars["DISPLAY"]);
+ if(empty($display)){
+ throw new PydioException("Cannot create repository with empty label");
+ }
+ $newRep = $tplRepo->createTemplateChild($display, $options, $loggedUser->getId(), $loggedUser->getId());
$gPath = $loggedUser->getGroupPath();
if (!empty($gPath)) {
$newRep->setGroupPath($gPath);
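Review bot: `empty($display)` rejects the legitimate single-character label "0" (PHP's empty() treats the string "0" as empty) and still accepts a label made only of whitespace, which is the case the commit message says it wants to prevent. `if(trim($display) === ""){` matches the intent without the "0" surprise; what `InputFilter::sanitize` does to whitespace is not visible here, so confirm it does not already trim. The enclosing switchAction body continues outside the hunk.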
@@ -92,7 +92,7 @@ Class.create("NotificationLoader", {
}
var elLabel = el.getLabel();
if(!elLabel) elLabel = "/";
- var block = '<div class="notif_event_label">'+elLabel+'</div>';
+ var block = '<div class="notif_event_label">'+He.escape(elLabel)+'</div>';
var detail = '';
if(el.getMetadata().get('event_repository_label')){
detail += '<div class="notif_event_repository">'+ el.getMetadata().get('event_repository_label') + '</div>';
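Review bot: The hunk escapes `elLabel` but the very next line still concatenates `el.getMetadata().get('event_repository_label')` raw into the same `detail` HTML string, so a repository label containing markup reaches the DOM unescaped. Apply the same treatment: `detail += '<div class="notif_event_repository">'+ He.escape(el.getMetadata().get('event_repository_label')) + '</div>';`. The enclosing function starts and ends outside the hunk.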
@@ -199,7 +199,7 @@ Class.create("SMPlayer", AbstractEditor, {
open : function($super, ajxpNode){
this.currentRichPreview = this.getPreview(ajxpNode, true);
- this.element.down(".smplayer_title").update(ajxpNode.getLabel());
+ this.element.down(".smplayer_title").update(He.escape(ajxpNode.getLabel()));
this.element.down(".smplayer_preview_element").insert(this.currentRichPreview);
window.setTimeout(function(){
try{this.currentRichPreview.down('span.sm2-360btn').click();}catch(e){}
@@ -26,7 +26,8 @@
"react-autosuggest": "1.18.2",
"clipboard":"^1.5.8",
"qrcode.react":"0.6.1",
- "cronstrue":"0.3.1"
+ "cronstrue":"0.3.1",
+ "he":"1.1.0"
},
"devDependencies": {
"grunt": "~0.4.5",
@@ -282,7 +282,7 @@ Class.create("AbstractEditor" , {
*/
updateTitle : function(title){
if(this.filenameSpan) {
- this.filenameSpan.update(title);
+ this.filenameSpan.update(He.escape(title));
}
if(this.fullScreenMode){
this.refreshFullScreenTitle();
@@ -156,7 +156,7 @@ Class.create("AjxpDraggable", Draggable, {
var max = Math.min(nodes.length,5);
var maxWidth = 0;
for(var i=0;i<max;i++){
- var text = nodes[i].getLabel() + (i<max-1?",<br>":"");
+ var text = He.escape(nodes[i].getLabel()) + (i<max-1?",<br>":"");
maxWidth = Math.max(maxWidth, testStringWidth(text));
this._clone.insert(text);
}
@@ -125,6 +125,8 @@ Class.create("AjxpTabulator", AjxpPane, {
label = MessageHash[tabInfo.label] || tabInfo.label;
}
var title = MessageHash[tabInfo.title] || label.stripTags();
+ title = He.escape(title);
+ label = He.escape(label);
var options = {className:'toggleHeader toggleInactive'};
if(!this.options.tabsTips){ options.title = title; }
td = new Element('span', options);
@@ -165,14 +167,15 @@ Class.create("AjxpTabulator", AjxpPane, {
if(label && label.innerHTML !== undefined){
if(label.down('.filenameSpan')){
var cont = label.down('.filenameSpan').innerHTML;
+ cont = He.escape(cont);
if(cont.length > 25){
cont = cont.substr(0,7)+"[...]"+cont.substr(-13);
label.down('.filenameSpan').update(cont);
}
}
return label;
}
- if(label.stripTags() != label) return label;
+ label = label.stripTags();
if(!label || !label.length) return '';
if(label.length > 25){
return label.substr(0,7)+"[...]"+label.substr(-13);
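Review bot: In the second hunk `cont` is read from `innerHTML`, which is already entity-encoded, and then passed through `He.escape` before being written back with `update`, so an `&` in a filename renders as `&amp;` and the `substr` truncation can cut an entity in half. Read the plain text first and escape only at the write, e.g. `var cont = label.down('.filenameSpan').innerHTML.stripTags().unescapeHTML();` and `label.down('.filenameSpan').update(He.escape(cont.substr(0,7)+"[...]"+cont.substr(-13)));`. In the first hunk `title` is escaped before it is assigned to `options.title`, an attribute rather than markup, so it will likely show the entities literally; keep the raw `title` for the attribute and escape `label` only. Both enclosing functions start and end outside the hunks.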
@@ -52,7 +52,7 @@ Class.create("BackgroundManagerPane", {
updatePanelMessage : function(message){
var imgString = '<img src="'+ajxpResourcesFolder+'/images/loadingImage.gif" width="16" align="absmiddle">';
- this.panel.update(imgString+' '+message);
+ this.panel.update(imgString+' '+ He.escape(message));
Effect.Appear(this.panel);
},
@@ -61,7 +61,7 @@ Class.create("BackgroundManagerPane", {
* @param errorMessage String
*/
updatePanelError:function(errorMessage){
- this.panel.update(errorMessage);
+ this.panel.update(He.escape(errorMessage));
this.panel.insert(this.makeCloseLink());
},
/**
@@ -86,15 +86,15 @@ Class.create("Breadcrumb", AjxpPane, {
refresh = '<i class="icon-refresh ajxp-goto-refresh" title="'+MessageHash[149]+'"></i>';
}
var first = pos == 0 ? ' first-bread':'';
- clickPath += "<li><span class='ajxp-goto "+first+"' data-goTo='"+pair.key+"'><em>"+pair.value+"</em></span></li>";
+ clickPath += "<li><span class='ajxp-goto "+first+"' data-goTo='"+He.escape(pair.key)+"'><em>"+He.escape(pair.value)+"</em></span></li>";
if(refresh){
- clickPath += "<li><i class='ajxp-goto' data-goTo='"+pair.key+"'>"+refresh+"</i></li>";
+ clickPath += "<li><i class='ajxp-goto' data-goTo='"+He.escape(pair.key)+"'>"+refresh+"</i></li>";
}
}else{
if(pos == length-1){
refresh = '<span class="icon-refresh ajxp-goto-refresh" title="'+MessageHash[149]+'"></span>';
}
- clickPath += (pair.value != pos == 0 || !this.options['hide_home_icon'] ? chevron : "") + "<span class='ajxp-goto' data-goTo='"+pair.key+"'>"+pair.value+refresh+"</span>";
+ clickPath += (pair.value != pos == 0 || !this.options['hide_home_icon'] ? chevron : "") + "<span class='ajxp-goto' data-goTo='"+He.escape(pair.key)+"'>"+He.escape(pair.value)+refresh+"</span>";
}
pos ++;
}.bind(this));
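Review bot: The rewritten line `clickPath += (pair.value != pos == 0 || !this.options['hide_home_icon'] ? chevron : "") + ...` keeps an expression that parses as `((pair.value != pos) == 0)`, which is almost certainly not the intended test; since the line is being touched anyway, spell out the intent (presumably a check on `pos == 0` for the home entry) with explicit parentheses. The escaping itself is sound: He.escape encodes the single quote, so the `data-goTo='…'` attributes are safe. The enclosing callback and function extend outside the hunk.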
@@ -42,7 +42,7 @@ Class.create("DataModelProperty", {
element.update(l?l:'');
break;
case "root_label":
- element.update(dm.getRootNode().getLabel());
+ element.update(He.escape(dm.getRootNode().getLabel()));
break;
case "metadata":
if(options.metadata_sum){
@@ -349,12 +349,12 @@ Class.create("FilesList", SelectableElements, {
*/
contextObserver : function(e){
if(!this.crtContext || !this.htmlElement) return;
- //console.log('FILES LIST : FILL');
- var base = getBaseName(this.crtContext.getLabel());
- if(!base){
- try{base = ajaxplorer.user.repositories.get(ajaxplorer.repositoryId).getLabel();}catch(e){}
- }
if(!this.options.muteUpdateTitleEvent){
+ //console.log('FILES LIST : FILL');
+ var base = getBaseName(this.crtContext.getLabel());
+ if(!base){
+ try{base = ajaxplorer.user.repositories.get(ajaxplorer.repositoryId).getLabel();}catch(e){}
+ }
this.htmlElement.fire("editor:updateTitle", base);
}
this.empty();
@@ -1792,7 +1792,7 @@ Class.create("FilesList", SelectableElements, {
var textLabel = new Element("span", {
id :'ajxp_label',
className :'text_label'+fullview
- }).update(metaData.get('text'));
+ }).update(He.escape(metaData.get('text')));
if(metaData.get('fonticon') && pydio.currentThemeUsesIconFonts){
textLabel.insert({top: new Element('span', {className: 'mimefont mdi mdi-' + metaData.get('fonticon')})});
@@ -1939,7 +1939,7 @@ Class.create("FilesList", SelectableElements, {
var label = new Element('div', {
className:"thumbLabel",
title:textNode.stripTags()
- }).update(textNode);
+ }).update(He.escape(textNode));
innerSpan.insert({"bottom":img});
innerSpan.insert({"bottom":label});
@@ -2035,7 +2035,7 @@ Class.create("FilesList", SelectableElements, {
var label = new Element('div', {
className:"thumbLabel",
title:textNode.stripTags()
- }).update(textNode);
+ }).update(He.escape(textNode));
innerSpan.insert({"bottom":img});
//newRow.insert({"bottom":label});
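Review bot: `He.escape(metaData.get('text'))` in the 1792 hunk throws if the `text` metadata is missing, because he's escape calls `String#replace` on its argument without coercion (as of he 1.1.0 — confirm the bundled build), whereas `update(undefined)` used to render an empty label; `He.escape(metaData.get('text') || '')` keeps the old tolerance. In the two thumbnail hunks the `title` attribute still uses `textNode.stripTags()` while the content now shows any markup escaped, so a label containing tags would display differently in the two places — if `textNode` can carry markup, escape `textNode.stripTags()` for consistency, otherwise a short comment stating that the label is plain text would help. The enclosing functions extend outside the hunks.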
@@ -286,7 +286,7 @@ Class.create("FoldersTree", AjxpPane, {
* @param newIcon String
*/
changeNodeLabel: function(nodeId, newLabel, newIcon){
- $(nodeId+'-label').update(newLabel);
+ $(nodeId+'-label').update(He.escape(newLabel));
if(newIcon){
var realNode = webFXTreeHandler.all[nodeId];
realNode.icon = newIcon;
@@ -250,7 +250,7 @@ Class.create("FormManager", {
}else{
selectedString = (defaultValue == cValue ? ' selected' : '');
}
- element += '<option value="'+cValue+'"'+selectedString+'>'+cLabel+'</option>';
+ element += '<option value="'+cValue+'"'+selectedString+'>'+He.escape(cLabel)+'</option>';
}
element += '</select><span class="select-styler"></span>';
}else if(type == "image" && param.get("uploadAction")){
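Review bot: Only `cLabel` is escaped; `cValue` is still interpolated raw into `value="…"` in the same `<option>` string, and an option value containing `"` or `>` breaks out of the attribute. He.escape encodes double quotes, so `element += '<option value="'+He.escape(cValue)+'"'+selectedString+'>'+He.escape(cLabel)+'</option>';` closes the gap. The enclosing function starts and ends outside the hunk.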
@@ -251,7 +251,7 @@ Class.create("InfoPanel", AjxpPane, {
this._currentObservedNode = uniqNode;
this._currentObservedNode.observeOnce("node_replaced", this.updateHandler);
- this.updateTitle(uniqNode.getLabel());
+ this.updateTitle(He.escape(uniqNode.getLabel()));
var isFile = false;
if(uniqNode) isFile = uniqNode.isLeaf();
if(!isFile && uniqNode && uniqNode.isRoot()){
@@ -438,9 +438,9 @@ Class.create("InfoPanel", AjxpPane, {
}
tAttributes.each(function(attName){
if(attName == 'basename' && metadata.get('filename')){
- this[attName] = getBaseName(metadata.get('filename'));
+ this[attName] = He.escape(getBaseName(metadata.get('filename')));
if(metadata.get('text')){
- this[attName] = metadata.get('text');
+ this[attName] = He.escape(metadata.get('text'));
}
} else if(attName == 'compute_image_dimensions'){
if(metadata.get('image_width') && metadata.get('image_height')){
@@ -463,7 +463,7 @@ Class.create("InfoPanel", AjxpPane, {
var simpleTpl = new Template('<div class="info_panel_multiple_tile"><div class="tile_preview_container"><div class="tile_preview">#{preview}</div></div><div class="tile_label">#{label}</div></div>');
multipleNodes.each(function(n){
var p = oThis.getPreviewElement(n, false, false);
- var args = {label:getBaseName(n.getMetadata().get('filename'))};
+ var args = {label:He.escape(PathUtils.getBasename(n.getMetadata().get('filename')))};
if(Object.isString(p)) args['preview']=p;
else if(Object.isElement(p) && p.outerHTML) args['preview']= p.outerHTML;
s += simpleTpl.evaluate(args);
@@ -494,7 +494,7 @@ Class.create("InfoPanel", AjxpPane, {
}
this[attName] = url;
} else if(metadata.get(attName)){
- this[attName] = metadata.get(attName);
+ this[attName] = He.escape(metadata.get(attName));
} else{
this[attName] = '';
}
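Review bot: `this[attName] = He.escape(metadata.get(attName))` in the 494 hunk runs for every truthy metadata value, and he's escape calls `String#replace` without coercing, so a numeric or other non-string value (as of he 1.1.0 — confirm the bundled build) throws where a plain assignment used to work; `He.escape(String(metadata.get(attName)))` is the safe form. The 463 hunk switches to `PathUtils.getBasename` while the 438 hunk still calls `getBaseName` for the same purpose — worth making consistent in one commit. In the 251 hunk the label is escaped before `this.updateTitle`, which is correct only if that method inserts markup; if it assigns text, the title double-encodes — confirm. All enclosing functions extend outside the hunks.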
@@ -235,7 +235,7 @@ Class.create("LocationBar", {
this.realPath = newPath;
this.currentLabel = this.realPath;
if(getBaseName(newPath) != newNode.getLabel()){
- this.currentLabel = getRepName(newPath) + '/' + newNode.getLabel();
+ this.currentLabel = getRepName(newPath) + '/' + He.escape(newNode.getLabel());
}
this.label.update(this.currentLabel);
this.currentPath.value = this.realPath;
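Review bot: Only the `newNode.getLabel()` half of `this.currentLabel` is escaped; `getRepName(newPath)` on the same line and `this.realPath` on the other branch are still passed raw to `this.label.update(...)`, so a path segment containing `<` or `&` is still inserted as markup. Escape once at the sink, `this.label.update(He.escape(this.currentLabel));`, and keep `this.currentLabel` as plain text — provided nothing else reads `currentLabel` as pre-escaped HTML, which is not visible here. The enclosing function extends outside the hunk.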
@@ -710,7 +710,7 @@ Class.create("Modal", {
this.messageBox.update(this.messageContent);
this.messageBox.observe("click", this.closeMessageDiv.bind(this));
}
- message = message.stripScripts();
+ message = He.escape(message);
message = message.replace(new RegExp("(\\n)", "g"), "<br>");
if(messageType == "ERROR"){ this.messageBox.removeClassName('logMessage'); this.messageBox.addClassName('errorMessage');}
else { this.messageBox.removeClassName('errorMessage'); this.messageBox.addClassName('logMessage');}
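Review bot: Replacing `stripScripts` with `He.escape` changes the contract of this message box — any caller that passed formatted messages (`<b>`, links) will now see the tags literally, and only `\n` survives as `<br>`. If that is intended, record it next to the escape, `// messages are rendered as plain text; only "\n" becomes <br>`, and audit callers that build HTML messages. The enclosing function extends outside the hunk.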
@@ -56,8 +56,9 @@
var new_row = new Element( 'div' );
var new_row_button = new Element('a');
- new_row_button.href= this.downloadUrl + fileName;
- new_row_button.insert('<img src="'+ajxpResourcesFolder+'/images/actions/16/download_manager.png" height="16" width="16" align="absmiddle" border="0"> '+(label?label:getBaseName(fileName)));
+ new_row_button.href= this.downloadUrl + fileName;
+ var display = He.escape(label?label:getBaseName(fileName));
+ new_row_button.insert('<img src="'+ajxpResourcesFolder+'/images/actions/16/download_manager.png" height="16" width="16" align="absmiddle" border="0"> '+ display);
new_row_button.multidownloader = this;
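Review bot: `new_row_button.href= this.downloadUrl + fileName;` reappears as an added line (it looks like a whitespace-only change) with `fileName` concatenated into the URL unencoded, so a name containing `#`, `?` or `&` yields a broken or altered download link; `encodeURIComponent(fileName)` is the usual fix, but whether `downloadUrl` expects an encoded path component is not visible here — confirm before changing. The escaping of the visible label is fine. The enclosing function extends outside the hunk.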
@@ -135,11 +135,11 @@ Class.create("RepositorySelect", {
return;
}
- var label = repoObject.getHtmlBadge() + '<span class="menu_label">' + repoObject.getLabel() + '</span>';
- var alt = repoObject.getLabel();
+ var label = repoObject.getHtmlBadge() + '<span class="menu_label">' + He.escape(repoObject.getLabel()) + '</span>';
+ var alt = He.escape(repoObject.getLabel());
if(repoObject.getDescription()){
- label += '<span class="menu_description">' + repoObject.getDescription() + '</span>';
- alt += '-' + repoObject.getDescription();
+ label += '<span class="menu_description">' + He.escape(repoObject.getDescription()) + '</span>';
+ alt += '-' + He.escape(repoObject.getDescription());
}else{
alt += (repoObject.getOwner() ? " ("+MessageHash[413]+" " + repoObject.getOwner()+ ")":"");
}
@@ -166,7 +166,7 @@ Class.create("RepositorySelect", {
actions.push(actionData);
}
if(key == repositoryId){
- if(this.label) this.label.setValue(repoObject.getLabel());
+ if(this.label) this.label.setValue(He.escape(repoObject.getLabel()));
if(this.icon) this.icon.src = repoObject.getIcon();
}
}.bind(this));
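Review bot: `this.label.setValue(He.escape(repoObject.getLabel()))` in the 166 hunk looks like a double-encoding: Prototype's `setValue` writes a form field's `value` property, where entities are not decoded, so a workspace named `A & B` would display as `A &amp; B`; if `this.label` is a form element, pass the raw label there. In the 135 hunk `alt` is built from the escaped label and description, but the `getOwner()` fragment on the else-branch is still raw — either `alt` is markup and the owner needs `He.escape` too, or `alt` is plain text and none of its parts should be escaped; the use of `alt` is outside the hunk so I cannot tell which. The enclosing function extends outside the hunks.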
@@ -69,9 +69,9 @@ Class.create("RepositorySimpleLabel", AjxpPane, {
if(repositoryList && repositoryList.size()){
var repoObject = repositoryList.get(repositoryId);
if(repoObject){
- this.htmlElement.down("div.repository_title").update(repoObject.getLabel());
+ this.htmlElement.down("div.repository_title").update(He.escape(repoObject.getLabel()));
if(this.options.displayWorkspaceDescription){
- this.htmlElement.down("div.repository_description").update(repoObject.getDescription());
+ this.htmlElement.down("div.repository_description").update(He.escape(repoObject.getDescription()));
}
}
}
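Review bot: `He.escape(repoObject.getDescription())` has no guard, unlike the matching RepositorySelect change which tests `repoObject.getDescription()` first; since he's escape calls `String#replace` on its argument (he 1.1.0 — confirm the bundled build), a workspace without a description now throws inside the update. `He.escape(repoObject.getDescription() || '')` keeps the previous behaviour for empty descriptions. The enclosing function extends outside the hunk.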
@@ -16,4 +16,5 @@ window.ReactAutoSuggest = require('react-autosuggest');
window.Clipboard = require('clipboard');
window.ReactQRCode = require('qrcode.react');
window.Cronstrue = require("cronstrue");
+window.He = require("he");
window.injectTapEventPlugin();
@@ -290,7 +290,7 @@ WebFXTreeAbstractNode.prototype.add = function (node, bNoIdent) {
WebFXTreeAbstractNode.prototype.updateLabel = function(label){
- if($(this.id+'-label')) $(this.id+'-label').update(label);
+ if($(this.id+'-label')) $(this.id+'-label').update(He.escape(label));
};
WebFXTreeAbstractNode.prototype.updateIcon = function(icon, openIcon, overlayIcon, overlayClasses){
