Fix escaping and add verification to feature sort page attachmentsinline xwiki1344 #54

Merged
merged 3 commits into from

3 participants

@jamiemaher

Escape attachment sorting parameter, verify valid attachment property for sorting and default to 'filename' if invalid.
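The two defences this pull request introduces, modelled in Python as an added example that is not XWiki's own code: the allow-list check from attachmentsinline.vm (a requested property is accepted only if it appears in the list, otherwise sorting falls back to 'filename') and the URL-encoding from docextra.vm (the raw request value is encoded before it is appended to the attachments tab link). The `before`/`after` pair and the `date&showactions=1` input are constructed for illustration; the assumption is that `$escapetool.url` behaves like Java's `URLEncoder` with UTF-8, which Python's `quote_plus` mirrors.

```python
# Added example (not XWiki's code): the two checks the pull request adds, modelled in Python.
# - docextra.vm: URL-encode the raw request value before appending it to the tab link
#   (assumed to behave like Velocity's $escapetool.url, i.e. Java URLEncoder, UTF-8).
# - attachmentsinline.vm: accept only a known attachment property, else fall back to 'filename'.
from urllib.parse import parse_qs, quote_plus

# Allow-list copied from the attachmentsinline.vm hunk; the match is case-sensitive.
VALID_ATTACHMENT_PROPERTIES = ('filename', 'date', 'filesize', 'author', 'version', 'mimeType')
DEFAULT_SORT = 'filename'


def resolve_sort_key(requested: str) -> str:
    """attachmentsinline.vm: return the requested property if allow-listed, else 'filename'."""
    if requested in VALID_ATTACHMENT_PROPERTIES:
        return requested
    return DEFAULT_SORT


def docextra_link_before_fix(requested: str) -> str:
    """docextra.vm before the patch: raw value appended, so '&' or '=' in it inject parameters."""
    if requested == '':
        return 'attachmentsinline.vm'
    return 'attachmentsinline.vm&sortAttachmentsBy=' + requested


def docextra_link_after_fix(requested: str) -> str:
    """docextra.vm after the patch: value is URL-encoded, so it stays one opaque parameter value."""
    if requested == '':
        return 'attachmentsinline.vm'
    return 'attachmentsinline.vm&sortAttachmentsBy=' + quote_plus(requested)


def query_params(link: str) -> dict:
    """Split the generated link's query part the way a server would, to see what it carries."""
    _, _, query = link.partition('&')
    return parse_qs(query, keep_blank_values=True)


if __name__ == '__main__':
    hostile = 'date&showactions=1'   # constructed input, not taken from the page
    print(query_params(docextra_link_before_fix(hostile)))
    # {'sortAttachmentsBy': ['date'], 'showactions': ['1']}  <- a second parameter smuggled in
    print(query_params(docextra_link_after_fix(hostile)))
    # {'sortAttachmentsBy': ['date&showactions=1']}          <- one value, encoded
    print(resolve_sort_key(hostile), resolve_sort_key('mimeType'), resolve_sort_key('MIMETYPE'))
    # filename mimeType filename
```

The encoding alone only keeps the value inside its own parameter; it is the allow-list in attachmentsinline.vm that guarantees the string finally used as a sort key is one of six known property names, so the two checks complement each other rather than duplicate.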

@mflorea mflorea commented on the diff
...ki-platform-web/src/main/webapp/templates/docextra.vm
@@ -48,7 +48,7 @@
#set($sortAttachmentsBy = "$!{request.sortAttachmentsBy}")
#if($sortAttachmentsBy != '')
### Prepend request parameter
- #set($sortAttachmentsBy = "&sortAttachmentsBy=${sortAttachmentsBy}")
+ #set($sortAttachmentsBy = "&sortAttachmentsBy=$escapetool.url(${sortAttachmentsBy})")
@mflorea Owner
mflorea added a note

The curly braces around sortAttachmentsBy are not needed here.

sdumitriu was fast on the commit button, I've removed them in commit jamiemaher@417106d

@sdumitriu Owner

But they don't hurt either...

@sdumitriu sdumitriu merged commit 87177cc into xwiki:master
3  xwiki-platform-core/xwiki-platform-web/src/main/webapp/templates/attachmentsinline.vm
@@ -12,7 +12,8 @@ $xwiki.ssfx.use('js/xwiki/viewers/attachments.css', true)
#set($showactions = 0)
### Determine attachment sorting
#set($sortAttachmentsBy = "$!{request.sortAttachmentsBy}")
-#if($sortAttachmentsBy == '')
+#set ($validAttachmentProperties = ['filename', 'date', 'filesize', 'author', 'version', 'mimeType'])
+#if($sortAttachmentsBy == '' || $validAttachmentProperties.indexOf($sortAttachmentsBy) == -1)
### Default to sorting by filename, sort not requested.
#set($sortAttachmentsBy = "filename")
#end
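Review bot: the `$sortAttachmentsBy == ''` half of the new `#if` condition is now redundant, because the empty string is not in `$validAttachmentProperties` and already lands in the default branch; `#if (!$validAttachmentProperties.contains($sortAttachmentsBy))` expresses the same rule more directly than `indexOf(...) == -1`. The comment on the following line ("Default to sorting by filename, sort not requested.") should also cover the rejected-value case, since the branch now handles an unrecognised property as well as a missing one. The match is case-sensitive (only 'mimeType' is accepted, not 'mimetype'), which is the right behaviour for an allow-list but worth stating next to the list.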
2  xwiki-platform-core/xwiki-platform-web/src/main/webapp/templates/docextra.vm
@@ -48,7 +48,7 @@
#set($sortAttachmentsBy = "$!{request.sortAttachmentsBy}")
#if($sortAttachmentsBy != '')
### Prepend request parameter
- #set($sortAttachmentsBy = "&sortAttachmentsBy=${sortAttachmentsBy}")
+ #set($sortAttachmentsBy = "&sortAttachmentsBy=$escapetool.url(${sortAttachmentsBy})")
#end
#set ($discard = $docextras.add(['Attachments', 'attachments', $msg.get('docextra.attachments'), $doc.getAttachmentList().size(), "attachmentsinline.vm$!{sortAttachmentsBy}", $msg.get('core.shortcuts.view.attachments')]))
#end
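Review bot: the allow-list check is missing from this template; `$escapetool.url()` on the `+` line keeps a value such as `date&foo=bar` from injecting extra parameters into the `attachmentsinline.vm$!{sortAttachmentsBy}` link built below, but any bogus `sortAttachmentsBy` is still encoded into the tab URL here and only discarded later when attachmentsinline.vm applies its `$validAttachmentProperties` check. Either validate against the same list here so the link never carries a value that will be ignored, or factor the list into one shared place so the two templates cannot drift apart. As mflorea notes, `${sortAttachmentsBy}` inside the method call can simply be `$sortAttachmentsBy`.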