Re: [myexperiment-hackers] [2394] trunk/app: Fix for case 98981 - javascript injection in Pack name, reported by Jits.

From: Jiten Bhagat
Subject: Re: [myexperiment-hackers] [2394] trunk/app: Fix for case 98981 - javascript injection in Pack name, reported by Jits.
Date: Tue, 27 Apr 2010 17:35:03 +0100
User-agent: Thunderbird 2.0.0.24 (Windows/20100228)
Hi Dan,
Just a note that with the tooltips, the idea is to sometimes allow HTML,
so that richer tooltips can be shown (i.e. with lists, bold text, italic
text, etc.). By changing it in the core method this might "break"
existing tooltips?
Cheers,
Jits
address@hidden wrote:
>
> Revision
> 2394
> Author
> dtm
> Date
> 2010-04-27 12:18:07 -0400 (Tue, 27 Apr 2010)
>
>
> Log Message
>
> Fix for case 98981 - javascript injection in Pack name, reported by Jits.
> Fix for javascript injection in tooltips.
>
>
> Modified Paths
>
> * trunk/app/helpers/application_helper.rb
> * trunk/app/views/group_announcements/index.rhtml
> * trunk/app/views/networks/_announcements.rhtml
>
>
> Diff
>
>
> Modified: trunk/app/helpers/application_helper.rb (2393 => 2394)
>
>
> --- trunk/app/helpers/application_helper.rb 2010-04-27 15:41:01 UTC (rev
> 2393)
> +++ trunk/app/helpers/application_helper.rb 2010-04-27 16:18:07 UTC (rev
> 2394)
> @@ -390,7 +390,7 @@
> end
> when "Pack"
> if p = Pack.find(:first, :conditions => ["id = ?", contributableid])
> - return link ? link_to(p.title, pack_url(p)) : h(p.title)
> + return link ? link_to(h(p.title), pack_url(p)) : h(p.title)
> else
> return nil
> end
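Review bot: escaping the title before handing it to `link_to` is the right fix here, because `link_to` emits its name argument verbatim, and it brings the linked branch into line with the unlinked `h(p.title)` branch on the same line. The change is scoped to the `when "Pack"` arm only; the sibling arms of this `case` (outside the hunk) presumably have the same `link ? link_to(x.title, ...) : h(x.title)` shape and should be checked for the same unescaped first argument.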
> @@ -990,7 +990,7 @@
> end
>
> def tooltip_title_attrib(text, delay=200)
> - return "header=[] body=[#{text}] cssheader=[boxoverTooltipHeader]
> cssbody=[boxoverTooltipBody] delay=[#{delay}]"
> + return "header=[] body=[#{h(text)}] cssheader=[boxoverTooltipHeader]
> cssbody=[boxoverTooltipBody] delay=[#{delay}]"
> end
>
> # This method checks to see if the current user is allowed to approve a
> membership that is still pending approval
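Review bot: wrapping `text` in `h` inside `body=[...]` closes the injection but also escapes the markup that some callers pass on purpose for rich tooltips (the point raised in the reply above). Rather than escaping unconditionally in the core method, consider an explicit opt-in, e.g. a second argument that defaults to escaping, or escaping at the call sites that take user-supplied text, so that trusted markup keeps rendering. Separately, `h` leaves `]` untouched, so a value containing `]` can still close the `body=[...]` field early for the boxover parser; with the quotes escaped that is a rendering glitch rather than an injection, but it deserves a test. The return string is folded over two lines here by the mail archiver, not by the source change.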
>
>
> Modified: trunk/app/views/group_announcements/index.rhtml
> (2393 => 2394)
>
>
> --- trunk/app/views/group_announcements/index.rhtml 2010-04-27 15:41:01 UTC
> (rev 2393)
> +++ trunk/app/views/group_announcements/index.rhtml 2010-04-27 16:18:07 UTC
> (rev 2394)
> @@ -5,7 +5,7 @@
> <% end %>
>
> <h1>
> - <%= feed_icon_tag "Group address@hidden Announcements",
> formatted_group_announcements_path(@group, :rss) %>
> + <%= feed_icon_tag "Group #{h(@group.title)} Announcements",
> formatted_group_announcements_path(@group, :rss) %>
> <%= @group.announcements_in_public_mode_for_user(current_user) ?
> "Public " : "All " -%> Group Announcements (<%= @announcements.length %>)
> <br/>
> <span style="font-size: 77%;">for group: <%= link_to_function
> h(@group.title) + expand_image, visual_effect(:toggle_blind, "group_box",
> :duration => 0.3) -%></span>
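Review bot: the `-` line reads `Group address@hidden Announcements` only because the list archive replaced the original `#{@group.title}` interpolation with its address-hiding placeholder; the `+` line shows the intended form. The fix escapes the interpolated title with `h` before the string reaches `feed_icon_tag`; confirm that `feed_icon_tag` does not escape its title argument itself, otherwise an `&` in a group title is double-encoded as `&amp;amp;` in the feed link. The `link_to_function h(@group.title) + expand_image` context line further down already follows this escape-at-call-site pattern.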
>
>
> Modified: trunk/app/views/networks/_announcements.rhtml (2393
> => 2394)
>
>
> --- trunk/app/views/networks/_announcements.rhtml 2010-04-27 15:41:01 UTC
> (rev 2393)
> +++ trunk/app/views/networks/_announcements.rhtml 2010-04-27 16:18:07 UTC
> (rev 2394)
> @@ -6,7 +6,7 @@
>
> <p class="heading" style="margin: 0;">
> <span style="position: relative; z-index: 1000; float: left;">
> - <%= feed_icon_tag "#{group.title} Group Announcements",
> formatted_group_announcements_path(group, :rss) -%>
> + <%= feed_icon_tag "#{h(group.title)} Group
> Announcements", formatted_group_announcements_path(group, :rss) -%>
> </span>
> <a name="group_announcements"></a>
> <%= link_to "Announcements", group_announcements_url(group) -%>
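Review bot: this is the second `feed_icon_tag` call site in the patch where the interpolated title is escaped by hand in the view. Escaping once inside `feed_icon_tag` (or changing it to take the raw title and escape it) would cover every caller, including any the patch did not touch, instead of relying on each view to remember `h`; if that is done, these two call sites should drop their own `h` to avoid double-encoding.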
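The two design options under discussion, escape-everything in the core helper versus allowing rich markup, can coexist if the helper escapes by default and lets a caller opt in with a value it has explicitly marked as trusted, with the user-supplied parts of that markup still escaped. The following is an added example written for this page, not myExperiment code: `h` and `link_to` are stand-ins for the Rails 2 helpers of the same name (Rails 2 `link_to` emits its name argument verbatim, which is why the commit escapes `p.title` first); `TrustedHtml`, `pack_link`, `list_tooltip` and the sample title are hypothetical constructions for the demonstration. The pattern mirrors what later Rails versions do with `html_safe`, which Rails 2.3 lacks.

```ruby
require 'erb'

# Stand-in for the Rails `h` helper used in the patch. Rails 2 delegates to
# ERB::Util.html_escape, which turns & < > " (and, in modern Ruby, ') into
# entities so the text can no longer open or close a tag or an attribute.
def h(text)
  ERB::Util.html_escape(text.to_s)
end

# Stand-in for Rails 2's link_to: the name argument is emitted verbatim,
# which is exactly why the patch has to escape p.title before passing it in.
def link_to(name, url)
  %(<a href="#{h(url)}">#{name}</a>)
end

# Link for a Pack with the user-controlled title escaped (the fixed form of
# the `when "Pack"` branch). `pack_link` is a hypothetical name.
def pack_link(title, url)
  link_to(h(title), url)
end

# Hypothetical marker for markup a caller has already made safe. Rails 2.3
# has no html_safe, so this example carries its own tiny wrapper.
class TrustedHtml
  attr_reader :markup

  def initialize(markup)
    @markup = markup
  end
end

# The patched tooltip helper with one addition: a TrustedHtml body passes
# through unescaped, anything else is escaped. Plain strings are therefore
# safe by default while rich tooltips remain possible.
def tooltip_title_attrib(text, delay = 200)
  body = text.is_a?(TrustedHtml) ? text.markup : h(text)
  "header=[] body=[#{body}] cssheader=[boxoverTooltipHeader] " \
    "cssbody=[boxoverTooltipBody] delay=[#{delay}]"
end

# Builds a rich (bulleted) tooltip from user-supplied items: the list markup
# is trusted because this helper wrote it, every item is escaped. Hypothetical.
def list_tooltip(items)
  lis = items.map { |item| "<li>#{h(item)}</li>" }.join
  TrustedHtml.new("<ul>#{lis}</ul>")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample title containing the characters that matter.
  title = '"Fancy" <b>Pack</b> & co'
  puts pack_link(title, '/packs/1')
  puts tooltip_title_attrib(title)
  puts tooltip_title_attrib(list_tooltip(['plain item', '<i>not italic</i>']), 500)
end
```

A plain string can never become markup in the tooltip, and the only way to get markup in is to hand the helper a `TrustedHtml` that a helper such as `list_tooltip` built from escaped pieces, so the escaping decision is made once at the trust boundary rather than at every view.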