From: Jiten Bhagat
Subject: Re: [myexperiment-hackers] [2394] trunk/app: Fix for case 98981 - javascript injection in Pack name, reported by Jits.
Date: Wed, 28 Apr 2010 09:49:08 +0100
User-agent: Thunderbird 2.0.0.24 (Windows/20100228)
Danius Michaelides wrote:
> On Tue, 27 Apr 2010, Jiten Bhagat wrote:
>
>> Hi Dan,
>>
>> Just a note that with the tooltips, the idea is to sometimes allow HTML,
>> so that richer tooltips can be shown (i.e. with lists, bold text, italic
>> text, etc). By changing it in the core method this might "break"
>> existing tooltips?
>
> No, I specifically checked for this - I believe I found all the cases.
OK.
Though I am using HTML in the tooltips I generate for the service
monitoring status (to match the same way we do it in BioCatalogue). So
this will be affected when the branch is merged back in.
Jits
> Danius
>
>>
>> Cheers,
>> Jits
>>
>>
>> address@hidden wrote:
>>>
>>> Revision
>>> 2394
>>> Author
>>> dtm
>>> Date
>>> 2010-04-27 12:18:07 -0400 (Tue, 27 Apr 2010)
>>>
>>>
>>> Log Message
>>>
>>> Fix for case 98981 - javascript injection in Pack name, reported by
>>> Jits.
>>> Fix for javascript injection in tooltips.
>>>
>>>
>>> Modified Paths
>>>
>>> * trunk/app/helpers/application_helper.rb
>>> <#trunkapphelpersapplication_helperrb>
>>> * trunk/app/views/group_announcements/index.rhtml
>>> <#trunkappviewsgroup_announcementsindexrhtml>
>>> * trunk/app/views/networks/_announcements.rhtml
>>> <#trunkappviewsnetworks_announcementsrhtml>
>>>
>>>
>>> Diff
>>>
>>>
>>> Modified: trunk/app/helpers/application_helper.rb (2393 =>
>>> 2394)
>>>
>>>
>>> --- trunk/app/helpers/application_helper.rb 2010-04-27 15:41:01
>>> UTC (rev 2393)
>>> +++ trunk/app/helpers/application_helper.rb 2010-04-27 16:18:07
>>> UTC (rev 2394)
>>> @@ -390,7 +390,7 @@
>>> end
>>> when "Pack"
>>> if p = Pack.find(:first, :conditions => ["id = ?",
>>> contributableid])
>>> - return link ? link_to(p.title, pack_url(p)) : h(p.title)
>>> + return link ? link_to(h(p.title), pack_url(p)) : h(p.title)
>>> else
>>> return nil
>>> end
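Review bot: the `-`/`+` pair on `return link ? link_to(...)` now escapes the link text, which brings the linked branch in line with the unlinked branch `h(p.title)` on the same line; `link_to` in this Rails generation does not escape its name argument, so wrapping the title in `h()` here is the right place. `pack_url(p)` only consumes the record id, so nothing else on the line needs escaping. The hunk shows this is one `when "Pack"` arm of a larger `case` (note the preceding `end`); the sibling arms are outside the hunk and presumably build links from contributable titles the same way, so they are worth checking for the same omission.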
>>> @@ -990,7 +990,7 @@
>>> end
>>>
>>> def tooltip_title_attrib(text, delay=200)
>>> - return "header=[] body=[#{text}]
>>> cssheader=[boxoverTooltipHeader] cssbody=[boxoverTooltipBody]
>>> delay=[#{delay}]"
>>> + return "header=[] body=[#{h(text)}]
>>> cssheader=[boxoverTooltipHeader] cssbody=[boxoverTooltipBody]
>>> delay=[#{delay}]"
>>> end
>>>
>>> # This method checks to see if the current user is allowed to
>>> approve a membership that is still pending approval
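Review bot: `body=[#{h(text)}]` escapes every tooltip body unconditionally, including the callers that deliberately pass markup for rich tooltips (the discussion above raises exactly this). If rich tooltips remain a requirement, keep escaping as the default and add an explicit opt-in (a flag for callers that build their body from already-escaped parts, or a sanitize allowlist) rather than leaving escaping to each caller. Two smaller points on the same line: `h` does not touch square brackets while boxover delimits its fields with `[`/`]`, so a `]` in the title can still terminate the `body=[...]` field early and would be better encoded numerically; and `delay=[#{delay}]` is interpolated unescaped, fine for the integer default but worth enforcing with `Integer(delay)` so a caller cannot pass anything else through.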
>>>
>>>
>>> Modified: trunk/app/views/group_announcements/index.rhtml
>>> (2393 => 2394)
>>>
>>>
>>> --- trunk/app/views/group_announcements/index.rhtml 2010-04-27
>>> 15:41:01 UTC (rev 2393)
>>> +++ trunk/app/views/group_announcements/index.rhtml 2010-04-27
>>> 16:18:07 UTC (rev 2394)
>>> @@ -5,7 +5,7 @@
>>> <% end %>
>>>
>>> <h1>
>>> - <%= feed_icon_tag "Group address@hidden Announcements",
>>> formatted_group_announcements_path(@group, :rss) %>
>>> + <%= feed_icon_tag "Group #{h(@group.title)} Announcements",
>>> formatted_group_announcements_path(@group, :rss) %>
>>> <%= @group.announcements_in_public_mode_for_user(current_user)
>>> ? "Public " : "All " -%> Group Announcements (<%=
>>> @announcements.length %>)
>>> <br/>
>>> <span style="font-size: 77%;">for group: <%= link_to_function
>>> h(@group.title) + expand_image, visual_effect(:toggle_blind,
>>> "group_box", :duration => 0.3) -%></span>
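Review bot: the `-` line reads `"Group address@hidden Announcements"` only because the list archive's address obfuscation swallowed the `#{@group.title}` interpolation; the `+` line shows the intended change. Escaping is needed at this point since `feed_icon_tag` places the title in a tag attribute, and the `link_to_function h(@group.title) + expand_image` line further down in the same context already treats the group title that way. Consider having `feed_icon_tag` escape its title argument itself, so a new call site cannot forget the `h()`.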
>>>
>>>
>>> Modified: trunk/app/views/networks/_announcements.rhtml (2393
>>> => 2394)
>>>
>>>
>>> --- trunk/app/views/networks/_announcements.rhtml 2010-04-27
>>> 15:41:01 UTC (rev 2393)
>>> +++ trunk/app/views/networks/_announcements.rhtml 2010-04-27
>>> 16:18:07 UTC (rev 2394)
>>> @@ -6,7 +6,7 @@
>>>
>>> <p class="heading" style="margin: 0;">
>>> <span style="position: relative; z-index: 1000; float: left;">
>>> - <%= feed_icon_tag "#{group.title} Group Announcements",
>>> formatted_group_announcements_path(group, :rss) -%>
>>> + <%= feed_icon_tag "#{h(group.title)} Group
>>> Announcements", formatted_group_announcements_path(group, :rss) -%>
>>> </span>
>>> <a name="group_announcements"></a>
>>> <%= link_to "Announcements", group_announcements_url(group)
>>> -%>
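Review bot: same per-call-site fix as in group_announcements/index.rhtml. With two views now wrapping the `feed_icon_tag` title in `h()`, moving the escape into the helper and dropping it from the callers would remove the duplication and cover any remaining `feed_icon_tag` callers in one place.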
>>> ------------------------------------------------------------------------
>>>
>>>
>>> _______________________________________________
>>> myexperiment-hackers mailing list
>>> address@hidden
>>> http://lists.nongnu.org/mailman/listinfo/myexperiment-hackers
>>>
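The disagreement in the thread is between escaping every tooltip body (the committed fix) and letting some tooltips carry intentional markup. The following is an added example, not code from the myExperiment repository or from either author: a plain-Ruby sketch of `tooltip_title_attrib` that escapes by default, takes an explicit `:html => true` opt-in for callers that build their body from already-escaped parts, and encodes square brackets so a title cannot close the boxover `body=[...]` field early. `h` is reimplemented with `CGI.escapeHTML` to stand in for the Rails helper; `status_tooltip` and its service/status arguments are hypothetical callers constructed for the example.

```ruby
# Added example, not myExperiment code: tooltip helper that escapes by
# default and only passes markup through when the caller opts in.
require 'cgi'

# Stand-in for the Rails h() helper (escapes &, <, >, " and ').
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Boxover encodes fields as name=[value]; h() leaves brackets alone, so a
# ']' in the value would end the field early. Encode both brackets numerically.
def escape_boxover_field(value)
  value.gsub(']', '&#93;').gsub('[', '&#91;')
end

# text is escaped unless options[:html] is true, in which case the caller
# vouches that text is markup whose data parts already went through h().
# delay is forced to an Integer so nothing else can be interpolated.
def tooltip_title_attrib(text, delay = 200, options = {})
  body  = options[:html] ? text.to_s : h(text)
  body  = escape_boxover_field(body)
  delay = Integer(delay)
  "header=[] body=[#{body}] cssheader=[boxoverTooltipHeader] " \
    "cssbody=[boxoverTooltipBody] delay=[#{delay}]"
end

# Hypothetical rich-tooltip caller (constructed for the example): the
# markup is literal, the variable data goes through h() before opting in.
def status_tooltip(service_name, status)
  markup = "<b>#{h(service_name)}</b><br/>Status: #{h(status)}"
  tooltip_title_attrib(markup, 200, :html => true)
end
```

With this shape the default call `tooltip_title_attrib(pack.title)` behaves like the committed fix, while a rich tooltip has to name its intent at the call site, which is the place a reviewer can audit.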