Added the sanitize method to all of the fields which get displayed on the page (context.name, project.name, project.description, todo.description, todo.notes, note.body). This stops harmful HTML code from being embedded in the page. Sanitize strips out javascript and on* attributes. The HTML gets rendered with the HTML entities escaped.

Incidentally, #79 does seem to be fixed now: if you enter a project or context name with a slash, the slash is escaped in the URL as %2F, so links don't break.


git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@142 a4c988fc-2ded-0310-b66e-134b36920a42
bsag 2005-08-28 14:20:42 +00:00
parent 979ae7dc27
commit 9f5fff1225
15 changed files with 31 additions and 31 deletions


@ -18,7 +18,7 @@
{:action => "move_bottom", :id => context.id}, :title => "Move to bottom", :class=>"to_bottom") %>
</div>
<div class="data">
<%= link_to( "#{context.name}", :action => "show", :name => urlize(context.name) ) %>
<%= link_to( sanitize("#{context.name}"), :action => "show", :name => urlize(context.name) ) %>
<%= " (" + context.count_undone_todos("actions") + ")" %>
</div>
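Review bot: `sanitize("#{context.name}")` on the new line applies a filter that, per the commit message, strips javascript and on* attributes but lets other markup through, to a value that is meant to be plain text, so any tag the filter does not catch still renders; for a name that should never contain HTML, escaping the whole value is the stricter choice, and the interpolation around the name is redundant. Whether the `h` escape helper is exposed to views in this Rails version is not visible here; if it is, `<%= link_to( h(context.name), :action => "show", :name => urlize(context.name) ) %>` is the line I would use. The same pattern appears on the new lines for `project.name` (the hunk with `project.count_undone_todos`), for `@context.name` and `@project.name` in the `<h2>` headings, for `@project.description`, and on the four `link_to` lines in the active/completed projects and active/hidden contexts lists.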


@ -31,13 +31,13 @@
<%= staleness( item ) %>
<% end %>
<%= due_date( item.due ) %>
<%= item.description %>
<%= sanitize(item.description) %>
<% if item.project_id %>
<%= link_to( "[P]", { :controller => "project", :action => "show", :name => urlize(item.project.name) }, :title => "View project: #{item.project.name}" ) %>
<% end %>
<% if item.notes? %>
<%= "<a href=\"javascript:Element.toggle('" + item.id.to_s + "')\" class=\"show_notes\" title=\"Show notes\">" + image_tag( "blank", :width=>"16", :height=>"16", :border=>"0" ) + "</a>" %>
<% m_notes = markdown( item.notes ) %>
<% m_notes = sanitize(markdown( item.notes )) %>
<%= "<div class=\"notes\" id=\"" + item.id.to_s + "\" style=\"display:none\">" + m_notes + "</div>" %>
<% end %>
</div>
@ -81,13 +81,13 @@
<!-- end div.checkbox -->
<div class="description">
<span class="grey"><%= format_date( item.completed ) %></span>
<%= item.description %>
<%= sanitize(item.description) %>
<% if item.project_id %>
<%= link_to( "[P]", { :controller => "project", :action => "show", :name => urlize(item.project.name) }, :title => "View project: #{item.project.name}" ) %>
<% end %>
<% if item.notes? %>
<%= "<a href=\"javascript:Element.toggle('" + item.id.to_s + "')\" class=\"show_notes\" title=\"Show notes\">" + image_tag( "blank", :width=>"16", :height=>"16", :border=>"0" ) + "</a>" %>
<% m_notes = markdown( item.notes ) %>
<% m_notes = sanitize(markdown( item.notes )) %>
<%= "<div class=\"notes\" id=\"" + item.id.to_s + "\" style=\"display:none\">" + m_notes + "</div>" %>
<% end %>
</div><!-- [end:description] -->
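Review bot: The `:title => "View project: #{item.project.name}"` argument on the line after each new `sanitize(item.description)` still interpolates the project name into an HTML attribute with no sanitizing, so a field this commit treats as untrusted in the body is emitted raw in the title one line later. Whether that is safe depends on `link_to`'s attribute rendering HTML-escaping option values in this Rails version, which cannot be confirmed from the hunk; if it does not, `:title => "View project: #{h(item.project.name)}"` closes the gap (an escape, not `sanitize`, because a quote inside an attribute value is the concern there). The same lines appear in both hunks of the context partial (the `[C]` links with `item.context.name`) and in the later item partial with `[P]` links.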


@ -33,4 +33,4 @@
<div class="warning"><%= @flash["warning"] %></div>
<% end %>
</div><!- End of display_box -->
</div><!-- End of display_box -->


@ -1,7 +1,7 @@
<div id="display_box">
<div class="contexts">
<h2><%= @context.name %></h2>
<h2><%= sanitize(@context.name) %></h2>
<div id="next_actions">
<% if @not_done.empty? %>
@ -44,9 +44,9 @@
:html=> { :id=>'context-form-new-action', :name=>'context', :class => 'inline-form' } %>
<%= hidden_field( "new_item", "context_id", "value" => "#{@context.id}") %>
<label for="new_item_description">Description</label><br />
<%= text_field( "new_item", "description", "size" => 25, "tabindex" => 1 ) %><br />
<%= text_field( "new_item", "description", "size" => 25, "tabindex" => 1) %><br />
<label for="new_item_notes">Notes</label><br />
<%= text_area( "new_item", "notes", "cols" => 25, "rows" => 10, "tabindex" => 2 ) %><br />
<%= text_area( "new_item", "notes", "cols" => 25, "rows" => 10, "tabindex" => 2) %><br />
<label for="new_item_project_id">Project</label><br />
<select name="item[project_id]" id="item_project_id" tabindex="3">
<option selected="selected"></option>


@ -3,7 +3,7 @@
<h2><%= link_to("Note #{note.id.to_s}", {:action => "show", :id => note.id}, :title => "Show note #{note.id.to_s}" ) %></h2>
<div id="note-<%= note.id.to_s %>">
<%= textilize(note.body) %>
<%= sanitize(textilize(note.body)) %>
<div class="note_footer">
<%= link_to_remote( image_tag("blank", :title =>"Delete this note", :class=>"delete_item"),
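Review bot: The new `sanitize(textilize(note.body))` line has the ordering that matters — the sanitizer runs on the rendered markup, not on the raw body — but nothing in the template records that, and a later edit that moves `sanitize` inside `textilize` would silently reopen the hole if the markup processor passes HTML in the body straight through. I would add an ERB comment above the line: `<%# sanitize must wrap the rendered markup, not the raw body, so any HTML emitted by textilize is filtered as well %>`. The same comment belongs on the truncated note in the next section and on each `m_notes = sanitize(markdown( ... ))` line in the item and done partials.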


@ -2,6 +2,6 @@
<div class="note_wrapper">
<%= link_to( image_tag("blank"), { :controller => "note", :action => "show",
:id => note.id}, :title => "Show note", :class => "show_notes" ) %>&nbsp;
<%= textilize(truncate(note.body, 50, "...")) %>
<%= sanitize(textilize(truncate(note.body, 50, "..."))) %>
</div>
<% note = nil -%>


@ -18,7 +18,7 @@
{:action => "move_bottom", :id => project.id}, :title => "Move to bottom", :class=>"to_bottom") %>
</div>
<div class="data">
<%= link_to( "#{project.name}", :action => "show", :name => urlize(project.name) ) %><%= " (" + project.count_undone_todos("actions") + ")" %>
<%= link_to( sanitize("#{project.name}"), :action => "show", :name => urlize(project.name) ) %><%= " (" + project.count_undone_todos("actions") + ")" %>
</div>
<div class="buttons">
<% if project.done == 1 -%>


@ -32,13 +32,13 @@
<% end %>
<%= due_date( item.due ) %>
<%= item.description %>
<%= sanitize(item.description) %>
<% if item.context_id %>
<%= link_to( "[C]", { :controller => "context", :action => "show", :name => urlize(item.context.name) }, :title => "View context: #{item.context.name}" ) %>
<% end %>
<% if item.notes? %>
<%= "<a href=\"javascript:Element.toggle('" + item.id.to_s + "')\" class=\"show_notes\" title=\"Show notes\">" + image_tag( "blank", :width=>"16", :height=>"16", :border=>"0" ) + "</a>" %>
<% m_notes = markdown( item.notes ) %>
<% m_notes = sanitize(markdown( item.notes )) %>
<%= "<div class=\"notes\" id=\"" + item.id.to_s + "\" style=\"display:none\">" + m_notes + "</div>" %>
<% end %>
</div>
@ -81,13 +81,13 @@
<!-- end div.checkbox -->
<div class="description">
<span class="grey"><%= format_date( item.completed ) %></span>
<%= item.description %>
<%= sanitize(item.description) %>
<% if item.project_id %>
<%= link_to( "[C]", { :controller => "context", :action => "show", :name => urlize(item.context.name) }, :title => "View context: #{item.context.name}" ) %>
<% end %>
<% if item.notes? %>
<%= "<a href=\"javascript:Element.toggle('" + item.id.to_s + "')\" class=\"show_notes\" title=\"Show notes\">" + image_tag( "blank", :width=>"16", :height=>"16", :border=>"0" ) + "</a>" %>
<% m_notes = markdown( item.notes ) %>
<% m_notes = sanitize(markdown( item.notes )) %>
<%= "<div class=\"notes\" id=\"" + item.id.to_s + "\" style=\"display:none\">" + m_notes + "</div>" %>
<% end %>
</div><!-- [end:description] -->


@ -1,9 +1,9 @@
<div id="display_box">
<div class="contexts">
<h2><%= @project.name %></h2>
<h2><%= sanitize(@project.name) %></h2>
<% if @project.description -%>
<div class="project_description"><%= @project.description %></div>
<div class="project_description"><%= sanitize(@project.description) %></div>
<% end -%>
<div id="next_actions">


@ -24,10 +24,10 @@
:html=> { :id=>'todo-form-new-action', :name=>'todo', :class => 'inline-form' }) %>
<label for="new_item_description">Description</label><br />
<%= text_field( "new_item", "description", "size" => 25, "tabindex" => 1 ) %><br />
<%= text_field( "new_item", "description", "size" => 25, "tabindex" => 1) %><br />
<label for="new_item_notes">Notes</label><br />
<%= text_area( "new_item", "notes", "cols" => 25, "rows" => 10, "tabindex" => 2 ) %><br />
<%= text_area( "new_item", "notes", "cols" => 25, "rows" => 10, "tabindex" => 2) %><br />
<label for="new_item_context_id">Context</label><br />
<%= collection_select( "new_item", "context_id", @contexts, "id", "name",


@ -1,7 +1,7 @@
<h3>Active Projects:</h3>
<ul>
<% for project in @projects.collect { |x| x.done? ? nil:x }.compact -%>
<li><%= link_to( project.name, { :controller => "project", :action => "show",
<li><%= link_to( sanitize(project.name), { :controller => "project", :action => "show",
:name => urlize(project.name) } ) + " (" + project.count_undone_todos("actions") + ")" %></li>
<% end -%>
</ul>
@ -9,7 +9,7 @@
<h3>Completed Projects:</h3>
<ul>
<% for project in @projects.collect { |x| x.done? ? x:nil }.compact -%>
<li><%= link_to( project.name, { :controller => "project", :action => "show",
<li><%= link_to( sanitize(project.name), { :controller => "project", :action => "show",
:name => urlize(project.name) } ) + " (" + project.count_undone_todos("actions") + ")" %></li>
<% end -%>
</ul>
@ -17,7 +17,7 @@
<h3>Active Contexts:</h3>
<ul>
<% for context in @contexts.collect { |x| x.hidden? ? nil:x }.compact -%>
<li><%= link_to( context.name, { :controller => "context", :action => "show",
<li><%= link_to( sanitize(context.name), { :controller => "context", :action => "show",
:name => urlize(context.name) } ) + " (" + context.count_undone_todos("actions") + ")" %></li>
<% end -%>
</ul>
@ -25,7 +25,7 @@
<h3>Hidden Contexts:</h3>
<ul>
<% for context in @contexts.collect { |x| x.hidden? ? x:nil }.compact -%>
<li><%= link_to( context.name, { :controller => "context", :action => "show",
<li><%= link_to( sanitize(context.name), { :controller => "context", :action => "show",
:name => urlize(context.name) } ) + " (" + context.count_undone_todos("actions") + ")" %></li>
<% end -%>
</ul>


@ -7,11 +7,11 @@
<table>
<tr>
<td class="label"><label for="item_description">Next action</label></td>
<td><%= text_field( "item", "description", "tabindex" => 1 ) %></td>
<td><%= text_field( "item", "description", "tabindex" => 1) %></td>
</tr>
<tr>
<td class="label"><label for="item_notes">Notes</label></td>
<td><%= text_area( "item", "notes", "cols" => 20, "rows" => 5, "tabindex" => 2 ) %></td>
<td><%= text_area( "item", "notes", "cols" => 20, "rows" => 5, "tabindex" => 2) %></td>
</tr>
<tr>
<td class="label"><label for="item_context_id">Context</label></td>


@ -2,7 +2,7 @@
<% if done.completed %>
<td valign="top"><%= image_tag( "done", :width=>"16", :height=>"16", :border=>"0") %></td>
<td valign="top"><span class="grey"><%= format_date( done.completed ) %></span></td>
<td valign="top"><%= " " + done.description + " "%>
<td valign="top"><%= " " + sanitize(done.description) + " "%>
<% if done.project_id %>
<%= "(" + done.context['name'] + ", " + done.project['name'] + ")" %>
@ -17,7 +17,7 @@
<% if done.notes? %>
<%= "<a href=\"javascript:Element.toggle('" + done.id.to_s + "')\" title=\"Show notes\">" +
image_tag( "notes", :width=>"10", :height=>"10", :border=>"0") + "</a>" %>
<% m_notes = markdown( done.notes ) %>
<% m_notes = sanitize(markdown( done.notes )) %>
<%= "<div class=\"notes\" id=\"" + done.id.to_s + "\" style=\"display:none\">" + m_notes + "</div>" %>
<% end %>
</td>
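Review bot: In the first hunk of this partial `done.description` is now wrapped in `sanitize`, but `done.context['name']` and `done.project['name']`, concatenated on the very next line, are still emitted raw, even though the same context and project names are sanitized everywhere else in this commit. Wrapping both in the same call keeps the partial consistent with the rest of the change: `<%= "(" + sanitize(done.context['name']) + ", " + sanitize(done.project['name']) + ")" %>`. The `<% if done.project_id %>` block that contains that line continues past the end of the hunk.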


@ -15,7 +15,7 @@
<%= staleness( item ) %>
<% end %>
<%= due_date( item.due ) %>
<%= item.description %>
<%= sanitize(item.description) %>
<% if item.project_id %>
<%= link_to( "[P]", { :controller => "project", :action => "show", :name => urlize(item.project.name) }, :title => "View project: #{item.project.name}" ) %>
<% end %>
@ -45,7 +45,7 @@
<!-- end div.checkbox -->
<div class="description">
<span class="grey"><%= format_date( item.completed ) %></span>
<%= item.description %>
<%= sanitize(item.description) %>
<% if item.project_id %>
<%= link_to( "[P]", { :controller => "project", :action => "show", :name => urlize(item.project.name) }, :title => "View project: #{item.project.name}" ) %>
<% end %>


@ -12,7 +12,7 @@
-%>
<div class="contexts">
<h2><a href="javascript:toggleSingle('c<%=@context.id%>');javascript:toggleImage('toggle_context_<%=@context.id%>')" class="refresh"><%= image_tag("collapse.png", :name=>"toggle_context_#{@context.id}", :border=>"0") %></a>
<%= link_to( "#{@context.name}", :controller => "context", :action => "show", :name => urlize(@context.name) ) %></h2>
<%= link_to( sanitize("#{@context.name}"), :controller => "context", :action => "show", :name => urlize(@context.name) ) %></h2>
<div id="c<%= @context.id %>" class="next_actions">
<%= render :partial => "item", :collection => @not_done %>