From brond...@apache.org
Subject [19/38] git commit: [#4019] ticket:516 Escape JSON
Date Wed, 30 Apr 2014 18:15:51 GMT
[#4019] ticket:516 Escape JSON


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/ab8e1e13
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/ab8e1e13
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/ab8e1e13

Branch: refs/heads/master
Commit: ab8e1e13039f7a8481da4291ce5e48838685c966
Parents: b18f864
Author: Sergey Gromovoy <sgromovoy@gmail.com>
Authored: Thu Jan 30 17:37:53 2014 +0200
Committer: Dave Brondsema <dbrondsema@slashdotmedia.com>
Committed: Wed Apr 30 15:55:12 2014 +0000

----------------------------------------------------------------------
 Allura/allura/lib/helpers.py                                | 2 ++
 Allura/allura/tests/test_helpers.py                         | 9 +++++++++
 ForgeTracker/forgetracker/model/ticket.py                   | 2 +-
 .../templates/tracker_widgets/ticket_search_results.html    | 2 +-
 4 files changed, 13 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/ab8e1e13/Allura/allura/lib/helpers.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py
index d109917..ce132ba 100644
--- a/Allura/allura/lib/helpers.py
+++ b/Allura/allura/lib/helpers.py
@@ -128,6 +128,8 @@ def make_safe_path_portion(ustr, relaxed=True):
     s = s.replace('--', '-')
     return s
 
+def escape_json(data):
+    return json.dumps(data).replace('<', '\u003C')
 
 def monkeypatch(*objs):
     def patchem(func):
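Review bot: The replacement string on the `return` line, `'\u003C'`, is a literal backslash-u sequence only because this is a Python 2 byte-string literal; under `from __future__ import unicode_literals` or Python 3 it evaluates to `<` itself, the `.replace()` silently becomes a no-op, and the `</script>` breakout this commit is closing reopens. Spell the escape out so the intent survives either way: `return json.dumps(data).replace('<', '\\u003C')`. A one-line docstring would also help, e.g. `"""JSON-encode data for inline <script> use; '<' is emitted as \\u003C so a value cannot close the surrounding script element."""`. Whether `json` is imported at the top of helpers.py is not visible in this hunk; the new function assumes it is.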

http://git-wip-us.apache.org/repos/asf/allura/blob/ab8e1e13/Allura/allura/tests/test_helpers.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_helpers.py b/Allura/allura/tests/test_helpers.py
index 69f5a09..182144a 100644
--- a/Allura/allura/tests/test_helpers.py
+++ b/Allura/allura/tests/test_helpers.py
@@ -75,6 +75,15 @@ class TestMakeSafePathPortion(TestCase):
         self.assertEqual(s, 'THIS-IS-Illegal')
 
 
+def test_escape_json():
+    inputdata = {"foo": "bar</script><img src=foobar onerror=alert(1)>"}
+    outputsample = '{"foo": "bar\u003C/script>\u003Cimg src=foobar onerror=alert(1)>"}'
+
+    outputdata = h.escape_json(inputdata)
+
+    print outputdata
+    assert_equals(outputdata, outputsample)
+
 def test_really_unicode():
     here_dir = path.dirname(__file__)
     s = h.really_unicode('\xef\xbb\xbf<?xml version="1.0" encoding="utf-8" ?>')
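Review bot: The `print outputdata` line is leftover debugging output and should be dropped before the assertion. `outputsample` depends on the same Python 2 quirk as the helper — `'\u003C'` is only a backslash sequence in a byte-string literal — so writing the expectation as `'{"foo": "bar\\u003C/script>\\u003Cimg src=foobar onerror=alert(1)>"}'` pins the escape explicitly rather than by accident of string type. A second assertion that the output still decodes to the input, `assert_equals(json.loads(outputdata), inputdata)`, would show the escaping is lossless; whether `json` is already imported in this test module is not visible here.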

http://git-wip-us.apache.org/repos/asf/allura/blob/ab8e1e13/ForgeTracker/forgetracker/model/ticket.py
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/model/ticket.py b/ForgeTracker/forgetracker/model/ticket.py
index 520da7a..439691c 100644
--- a/ForgeTracker/forgetracker/model/ticket.py
+++ b/ForgeTracker/forgetracker/model/ticket.py
@@ -1192,7 +1192,7 @@ class Ticket(VersionedArtifact, ActivityObject, VotableArtifact):
                         count = count - 1
         return dict(tickets=tickets,
                     count=count, q=q, limit=limit, page=page, sort=sort,
-                    filter=json.dumps(filter),
+                    filter=filter,
                     filter_choices=tsearch.get_facets(matches),
                     solr_error=solr_error, **kw)
 
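Review bot: `filter=filter` now hands the raw value to every consumer of this result dict, so any template or API route that still renders `filter` as a pre-serialised JSON string would get a Python repr instead. The diffstat shows only ticket_search_results.html being updated alongside this change; it is worth confirming no other reader of this key exists. The enclosing method starts outside the hunk, so whether `filter` is a dict or already a string at this point cannot be checked from here.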

http://git-wip-us.apache.org/repos/asf/allura/blob/ab8e1e13/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
b/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
index b7552cd..e3d6f7e 100644
--- a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
+++ b/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
@@ -127,7 +127,7 @@
   {{widget.fields['page_list'].display(limit=limit, page=page, count=count)}}
   <script type="text/javascript">
     var q="{{query and h.urlquoteplus(query) or ''}}", count={{count}}, limit={{limit}},
page={{page}}, sort="{{sort}}";
-    var filter = {{ filter|safe or {} }};
+    var filter = {{h.escape_json(filter or {})|safe}};
   </script>
 </div>
 {% block wiki_extra_css %}
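Review bot: The new `var filter = ...` line is safe only because `escape_json()` neutralises `<` before `|safe` disables autoescaping, and that pairing is easy to break in a later edit (for instance by switching back to `filter|safe` or to a plain JSON filter), so the template should record why: `{# escape_json emits '<' as \u003C so a filter value cannot close this <script>; |safe is required because HTML-entity encoding would corrupt the JSON #}`. The other values interpolated into this script block on the preceding lines are untouched by this commit and are outside its scope.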

