myexperiment-hackers
From: Jiten Bhagat
Subject: Re: [myexperiment-hackers] [2394] trunk/app: Fix for case 98981 - javascript injection in Pack name, reported by Jits.
Date: Wed, 28 Apr 2010 09:49:08 +0100
User-agent: Thunderbird 2.0.0.24 (Windows/20100228)

Danius Michaelides wrote:
> On Tue, 27 Apr 2010, Jiten Bhagat wrote:
>
>> Hi Dan,
>>
>> Just a note that with the tooltips, the idea is to sometimes allow HTML,
>> so that richer tooltips can be shown (i.e. with lists, bold text, italic
>> text, etc). By changing it in the core method this might "break"
>> existing tooltips?
>
> No, I specifically checked for this - I believe I found all the cases.

OK.

Though I am using HTML in the tooltips I generate for the service
monitoring status (to match the same way we do it in BioCatalogue). So
this will be affected when the branch is merged back in.

Jits

> Danius
>
>>
>> Cheers,
>> Jits
>>
>>
>> address@hidden wrote:
>>>
>>> Revision
>>>     2394
>>> Author
>>>     dtm
>>> Date
>>>     2010-04-27 12:18:07 -0400 (Tue, 27 Apr 2010)
>>>
>>>
>>>       Log Message
>>>
>>> Fix for case 98981 - javascript injection in Pack name, reported by
>>> Jits.
>>> Fix for javascript injection in tooltips.
>>>
>>>
>>>       Modified Paths
>>>
>>>     * trunk/app/helpers/application_helper.rb
>>>     * trunk/app/views/group_announcements/index.rhtml
>>>     * trunk/app/views/networks/_announcements.rhtml
>>>
>>>
>>>       Diff
>>>
>>>
>>>         Modified: trunk/app/helpers/application_helper.rb (2393 =>
>>> 2394)
>>>
>>>
>>> --- trunk/app/helpers/application_helper.rb    2010-04-27 15:41:01
>>> UTC (rev 2393)
>>> +++ trunk/app/helpers/application_helper.rb    2010-04-27 16:18:07
>>> UTC (rev 2394)
>>> @@ -390,7 +390,7 @@
>>>        end
>>>      when "Pack"
>>>        if p = Pack.find(:first, :conditions => ["id = ?",
>>> contributableid])
>>> -        return link ? link_to(p.title, pack_url(p)) : h(p.title)
>>> +        return link ? link_to(h(p.title), pack_url(p)) : h(p.title)
>>>        else
>>>          return nil
>>>        end
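Review bot: wrapping the link text in `h` is the right fix here, since `link_to` does not escape its first argument, but the `link ? link_to(title, url) : h(title)` pattern is not specific to packs: the `end` at the top of this hunk closes a preceding branch of the same case statement, so every other `when` branch should be checked for the same unescaped link-text path rather than patching only "Pack". Minor style point: `Pack.find(:first, :conditions => ["id = ?", contributableid])` is simply `Pack.find_by_id(contributableid)`.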
>>> @@ -990,7 +990,7 @@
>>>    end
>>>
>>>    def tooltip_title_attrib(text, delay=200)
>>> -    return "header=[] body=[#{text}]
>>> cssheader=[boxoverTooltipHeader] cssbody=[boxoverTooltipBody]
>>> delay=[#{delay}]"
>>> +    return "header=[] body=[#{h(text)}]
>>> cssheader=[boxoverTooltipHeader] cssbody=[boxoverTooltipBody]
>>> delay=[#{delay}]"
>>>    end
>>>
>>>    # This method checks to see if the current user is allowed to
>>> approve a membership that is still pending approval
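Review bot: `h(text)` closes the HTML injection, but the boxover attribute format is itself delimited by square brackets, which `h` leaves untouched, so a `text` containing `]` can still terminate the `body=[...]` field early; strip `[` and `]` from `text` as well, or treat this as a reason to move away from a bracket-delimited tooltip format. `delay` is also interpolated raw; `delay.to_i` keeps it numeric regardless of what a caller passes. Finally, since some callers deliberately pass markup (see the tooltip discussion above), this is a silent change of contract: an explicit raw variant that those few callers opt into, with this helper escaping by default, would make the intent visible at each call site.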
>>>
>>>
>>>         Modified: trunk/app/views/group_announcements/index.rhtml
>>>         (2393 => 2394)
>>>
>>>
>>> --- trunk/app/views/group_announcements/index.rhtml    2010-04-27
>>> 15:41:01 UTC (rev 2393)
>>> +++ trunk/app/views/group_announcements/index.rhtml    2010-04-27
>>> 16:18:07 UTC (rev 2394)
>>> @@ -5,7 +5,7 @@
>>>  <% end %>
>>>
>>>  <h1>
>>> -    <%= feed_icon_tag "Group address@hidden Announcements",
>>> formatted_group_announcements_path(@group, :rss) %>
>>> +    <%= feed_icon_tag "Group #{h(@group.title)} Announcements",
>>> formatted_group_announcements_path(@group, :rss) %>
>>>      <%= @group.announcements_in_public_mode_for_user(current_user)
>>> ? "Public " : "All " -%> Group Announcements (<%=
>>> @announcements.length %>)
>>>      <br/>
>>>      <span style="font-size: 77%;">for group: <%= link_to_function
>>> h(@group.title) + expand_image, visual_effect(:toggle_blind,
>>> "group_box", :duration => 0.3) -%></span>
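Review bot: escaping at the call site only holds as long as `feed_icon_tag` inserts its title argument verbatim; doing the `h` inside `feed_icon_tag`, where the attribute is emitted, would cover this and every other caller in one place and avoids a double-escape if the helper is later made safe on its own. Note that the same view already uses `h(@group.title)` in the `link_to_function` line below, so the title was escaped in one spot and raw in the other, which is the kind of inconsistency escaping inside the helper removes.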
>>>
>>>
>>>         Modified: trunk/app/views/networks/_announcements.rhtml (2393
>>>         => 2394)
>>>
>>>
>>> --- trunk/app/views/networks/_announcements.rhtml    2010-04-27
>>> 15:41:01 UTC (rev 2393)
>>> +++ trunk/app/views/networks/_announcements.rhtml    2010-04-27
>>> 16:18:07 UTC (rev 2394)
>>> @@ -6,7 +6,7 @@
>>>
>>>      <p class="heading" style="margin: 0;">
>>>          <span style="position: relative; z-index: 1000; float: left;">
>>> -            <%= feed_icon_tag "#{group.title} Group Announcements",
>>> formatted_group_announcements_path(group, :rss) -%>
>>> +            <%= feed_icon_tag "#{h(group.title)} Group
>>> Announcements", formatted_group_announcements_path(group, :rss) -%>
>>>          </span>
>>>          <a name="group_announcements"></a>
>>>          <%= link_to "Announcements", group_announcements_url(group)
>>> -%>
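Review bot: same point as for `group_announcements/index.rhtml`: this is the second `feed_icon_tag` call site patched by hand, which is the argument for escaping once inside the helper rather than at each caller; if that is done, this `h` becomes a double-escape and should be dropped again at the same time.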
>>> ------------------------------------------------------------------------
>>>
>>>
>>> _______________________________________________
>>> myexperiment-hackers mailing list
>>> address@hidden
>>> http://lists.nongnu.org/mailman/listinfo/myexperiment-hackers
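As an added illustration (not code from r2394 or the myExperiment codebase): the tooltip helper as it was before the fix beside the escaped form the patch introduces, plus a separate opt-in variant for the rich-HTML tooltips discussed above. The `_html` variant and the `delay.to_i` coercion are my additions, not part of the patch; `h` is the standard `ERB::Util` escaper that Rails exposes in views.

```ruby
require "erb"
include ERB::Util # provides h(), the HTML-escaping helper the patch relies on

# Pre-fix helper (r2393): caller-supplied text goes into the boxover title
# attribute verbatim, so markup in a pack name lands in the page unescaped.
def tooltip_title_attrib_unescaped(text, delay = 200)
  "header=[] body=[#{text}] cssheader=[boxoverTooltipHeader] " \
    "cssbody=[boxoverTooltipBody] delay=[#{delay}]"
end

# Post-fix helper (r2394): text is HTML-escaped. The delay.to_i coercion is an
# addition here (assumption), so the second field cannot carry markup either.
def tooltip_title_attrib(text, delay = 200)
  "header=[] body=[#{h(text)}] cssheader=[boxoverTooltipHeader] " \
    "cssbody=[boxoverTooltipBody] delay=[#{delay.to_i}]"
end

# Hypothetical opt-in variant for the few call sites that build rich tooltips
# (lists, bold text). The caller owns the markup and must h()-escape any
# user-controlled fragment it embeds; the default helper stays escaping.
def tooltip_title_attrib_html(markup, delay = 200)
  tooltip_title_attrib_unescaped(markup, delay.to_i)
end

# Quick self-check on a constructed title: the escaped form must contain no
# raw angle brackets or double quotes, which would otherwise break out of the
# title="..." attribute the helper's return value is placed in.
def safe_for_title_attribute?(attrib)
  !attrib.match?(/[<>"]/)
end

if __FILE__ == $0
  title = '<b>Pack</b> & "x"' # constructed sample pack name
  puts tooltip_title_attrib_unescaped(title)
  puts tooltip_title_attrib(title)
  rich = "Status: <b>#{h('up & running')}</b>" # markup built by the caller
  puts tooltip_title_attrib_html(rich)
end
```

Running the file prints the raw, escaped and opt-in forms side by side; only the escaped default is safe to drop into a `title="..."` attribute unchanged.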