From j..@apache.org
Subject svn commit: r1030261 - in /couchdb/trunk/share/www: database.html document.html index.html script/couch_test_runner.js script/futon.browse.js script/futon.format.js script/futon.js session.html
Date Tue, 02 Nov 2010 22:16:19 GMT
Author: jan
Date: Tue Nov  2 22:16:18 2010
New Revision: 1030261

URL: http://svn.apache.org/viewvc?rev=1030261&view=rev
Log:
Escape URL and cookie input.

Modified:
    couchdb/trunk/share/www/database.html
    couchdb/trunk/share/www/document.html
    couchdb/trunk/share/www/index.html
    couchdb/trunk/share/www/script/couch_test_runner.js
    couchdb/trunk/share/www/script/futon.browse.js
    couchdb/trunk/share/www/script/futon.format.js
    couchdb/trunk/share/www/script/futon.js
    couchdb/trunk/share/www/session.html

Modified: couchdb/trunk/share/www/database.html
URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/database.html?rev=1030261&r1=1030260&r2=1030261&view=diff
==============================================================================
--- couchdb/trunk/share/www/database.html [utf-8] (original)
+++ couchdb/trunk/share/www/database.html [utf-8] Tue Nov  2 22:16:18 2010
@@ -71,17 +71,17 @@ specific language governing permissions 
         });
 
         // Restore preferences/state
-        $("#documents thead th.key").toggleClass("desc", $.futon.storage.get("desc"));
-        var reduce = $.futon.storage.get("reduce");
+        $("#documents thead th.key").toggleClass("desc", !!$.futon.storage.get("desc"));
+        var reduce = !!$.futon.storage.get("reduce");
         $("#reduce :checkbox")[0].checked = reduce;
-        $("#grouplevel select").val($.futon.storage.get("group_level"));
+        $("#grouplevel select").val(parseInt($.futon.storage.get("group_level")));
         $("#grouplevel").toggleClass("disabled", !reduce).find("select").each(function()
{
           this.disabled = !reduce;
         });
 
-        $("#perpage").val($.futon.storage.get("per_page"));
+        $("#perpage").val(parseInt($.futon.storage.get("per_page")));
 
-        var staleViews = $.futon.storage.get("stale");
+        var staleViews = !!$.futon.storage.get("stale");
         $("#staleviews :checkbox")[0].checked = staleViews;
 
         page.populateViewsMenu();
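Review bot: `parseInt($.futon.storage.get("group_level"))` has no radix and evaluates to `NaN` when nothing is stored, and that `NaN` is then handed straight to `.val()`; the `per_page` line a few lines below has the same shape, as does the `dbsPerPage` line in index.html (which at least guards with `if (dbsPerPage)`). Pass the radix and fall back explicitly, e.g. `var groupLevel = parseInt($.futon.storage.get("group_level"), 10); if (!isNaN(groupLevel)) $("#grouplevel select").val(groupLevel);`, and the same for `per_page`. The enclosing handler starts before this hunk and ends after it.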

Modified: couchdb/trunk/share/www/document.html
URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/document.html?rev=1030261&r1=1030260&r2=1030261&view=diff
==============================================================================
--- couchdb/trunk/share/www/document.html [utf-8] (original)
+++ couchdb/trunk/share/www/document.html [utf-8] Tue Nov  2 22:16:18 2010
@@ -42,9 +42,9 @@ specific language governing permissions 
       });
 
       $(function() {
-        $("h1 a.dbname").text(page.dbName)
+        $("h1 a.dbname").text(encodeURIComponent(page.dbName))
           .attr("href", "database.html?" + encodeURIComponent(page.db.name));
-        $("h1 strong").text(page.docId);
+        $("h1 strong").text(encodeURIComponent(page.docId));
         $("h1 a.raw").attr("href", "/" + encodeURIComponent(page.db.name) +
           "/" + encodeURIComponent(page.docId));
         page.updateFieldListing();
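Review bot: `.text(encodeURIComponent(page.dbName))` and `.text(encodeURIComponent(page.docId))` percent-encode values that jQuery's `.text()` already inserts as text nodes, so the encoding adds no escaping but changes what the user sees — a database named `a/b` or a doc id with a space is now displayed as `a%2Fb` / `%20`. The `href` on the following line is where `encodeURIComponent` belongs; the visible text should stay `.text(page.dbName)` and `.text(page.docId)`. The same pattern appears in futon.browse.js in the option `.text(encodeURIComponent(viewNames[j]))` and in both `$("#language").val(encodeURIComponent(page.viewLanguage))` hunks, where `.val()` on a select has to match an option value exactly, so an encoded value that differs from the unencoded option would leave nothing selected (only matters if a language value ever contains characters encodeURIComponent changes). The enclosing `$(function() {` handler closes outside this hunk.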

Modified: couchdb/trunk/share/www/index.html
URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/index.html?rev=1030261&r1=1030260&r2=1030261&view=diff
==============================================================================
--- couchdb/trunk/share/www/index.html [utf-8] (original)
+++ couchdb/trunk/share/www/index.html [utf-8] Tue Nov  2 22:16:18 2010
@@ -34,7 +34,7 @@ specific language governing permissions 
             this.updateSelection(location.pathname + "index.html");
           });
         }
-        var dbsPerPage = $.futon.storage.get("per_page");
+        var dbsPerPage = parseInt($.futon.storage.get("per_page"));
         if (dbsPerPage) $("#perpage").val(dbsPerPage);
         $("#perpage").change(function() {
           page.updateDatabaseListing();

Modified: couchdb/trunk/share/www/script/couch_test_runner.js
URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/script/couch_test_runner.js?rev=1030261&r1=1030260&r2=1030261&view=diff
==============================================================================
--- couchdb/trunk/share/www/script/couch_test_runner.js (original)
+++ couchdb/trunk/share/www/script/couch_test_runner.js Tue Nov  2 22:16:18 2010
@@ -14,6 +14,13 @@
 
 
 function loadScript(url) {
+  // disallow loading remote URLs
+  if((url.substr(0, 7) == "http://")
+    || (url.substr(0, 2) == "//")
+    || (url.substr(0, 5) == "data:")
+    || (url.substr(0, 11) == "javsacript:")) {
+        throw "Not loading remote test scripts";
+  }
   if (typeof document != "undefined") document.write('<script src="'+url+'"></script>');
 };
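Review bot: The `javascript:` branch of the new deny-list never matches because the literal in the fourth condition is misspelled `"javsacript:"`; the comparisons are also case-sensitive and `https://` is not in the list at all, while the `document.write` on the next line still interpolates `url` into an attribute unescaped. If, as the comment says, only local test scripts are expected, an allow-list is shorter and closed: `if (!/^(?!\/\/)[A-Za-z0-9_.\/-]+$/.test(url)) { throw new Error("Not loading remote test scripts"); }`, which rejects any scheme or protocol-relative prefix and any quote that could break out of the `src` attribute. Throwing an `Error` rather than a bare string is the idiomatic form, and the `;` after the function body is a stray empty statement.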
 

Modified: couchdb/trunk/share/www/script/futon.browse.js
URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/script/futon.browse.js?rev=1030261&r1=1030260&r2=1030261&view=diff
==============================================================================
--- couchdb/trunk/share/www/script/futon.browse.js [utf-8] (original)
+++ couchdb/trunk/share/www/script/futon.browse.js [utf-8] Tue Nov  2 22:16:18 2010
@@ -97,7 +97,10 @@
     // Page class for browse/database.html
     CouchDatabasePage: function() {
       var urlParts = location.search.substr(1).split("/");
-      var dbName = decodeURIComponent(urlParts.shift());
+      var dbName = decodeURIComponent(urlParts.shift())
+
+      var dbNameRegExp = new RegExp("[^a-z0-9\_\$\(\)\+\/\-]", "g");
+      dbName = dbName.replace(dbNameRegExp, "");
 
       $.futon.storage.declareWithPrefix(dbName + ".", {
         desc: {},
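Review bot: `dbName.replace(dbNameRegExp, "")` silently rewrites a name containing a disallowed character instead of rejecting it, so the page then declares storage for, redirects to and opens (`$.couch.db(dbName)`) a different database than the one named in the URL. Test and bail out instead: `if (/[^a-z0-9_$()+\/-]/.test(dbName)) { throw new Error("Invalid database name"); }` — or surface the error in the page. The backslashes inside the RegExp string (`"\_\$\(\)\+\/\-"`) are no-ops in a string literal, so the class is really `[^a-z0-9_$()+/-]`; a regex literal states that directly. The `var dbName = decodeURIComponent(urlParts.shift())` line also lost its trailing semicolon. `CouchDatabasePage` continues past this hunk.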
@@ -119,7 +122,7 @@
         if (viewName) {
           this.redirecting = true;
           location.href = "database.html?" + encodeURIComponent(dbName) +
-            "/" + viewName;
+            "/" + encodeURIComponent(viewName);
         }
       }
       var db = $.couch.db(dbName);
@@ -372,7 +375,8 @@
                 var path = $.couch.encodeDocId(doc._id) + "/_view/" +
                   encodeURIComponent(viewNames[j]);
                 var option = $(document.createElement("option"))
-                  .attr("value", path).text(viewNames[j]).appendTo(optGroup);
+                  .attr("value", path).text(encodeURIComponent(viewNames[j]))
+                  .appendTo(optGroup);
                 if (path == viewName) {
                   option[0].selected = true;
                 }
@@ -408,7 +412,7 @@
               }
               var viewCode = resp.views[localViewName];
               page.viewLanguage = resp.language || "javascript";
-              $("#language").val(page.viewLanguage);
+              $("#language").val(encodeURIComponent(page.viewLanguage));
               page.updateViewEditor(viewCode.map, viewCode.reduce || "");
               $("#viewcode button.revert, #viewcode button.save").attr("disabled", "disabled");
               page.storedViewCode = viewCode;
@@ -420,7 +424,7 @@
           page.updateViewEditor(page.storedViewCode.map,
             page.storedViewCode.reduce || "");
           page.viewLanguage = page.storedViewLanguage;
-          $("#language").val(page.viewLanguage);
+          $("#language").val(encodeURIComponent(page.viewLanguage));
           $("#viewcode button.revert, #viewcode button.save").attr("disabled", "disabled");
           page.isDirty = false;
           if (callback) callback();
@@ -504,7 +508,8 @@
                     callback({
                       docid: "Cannot save to " + data.docid +
                              " because its language is \"" + doc.language +
-                             "\", not \"" + page.viewLanguage + "\"."
+                             "\", not \"" +
+                             encodeURIComponent(page.viewLanguage) + "\"."
                     });
                     return;
                   }
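Review bot: The message now percent-encodes `page.viewLanguage` but leaves `doc.language`, concatenated into the same string two lines above, untouched, so the two halves of one message are treated differently. If the callback renders `docid` as HTML (not visible in this hunk), the right treatment is `$.futon.escape` applied to both values where the message is inserted; percent-encoding turns a language name containing `+` or spaces into `%2B`/`%20` in a user-facing message without protecting a text sink. Suggest reverting this line to `"\", not \"" + page.viewLanguage + "\"."` and escaping at the rendering site. The enclosing save handler starts and ends outside the hunk.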

Modified: couchdb/trunk/share/www/script/futon.format.js
URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/script/futon.format.js?rev=1030261&r1=1030260&r2=1030261&view=diff
==============================================================================
--- couchdb/trunk/share/www/script/futon.format.js [utf-8] (original)
+++ couchdb/trunk/share/www/script/futon.format.js [utf-8] Tue Nov  2 22:16:18 2010
@@ -16,7 +16,10 @@
     escape: function(string) {
       return string.replace(/&/g, "&amp;")
                    .replace(/</g, "&lt;")
-                   .replace(/>/g, "&gt;");
+                   .replace(/>/g, "&gt;")
+                   .replace(/"/, "&quot;")
+                   .replace(/'/, "&#39;;")
+                   ;
     },
 
     // JSON pretty printing
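Review bot: The two new `.replace` calls lack the `g` flag, so only the first `"` and the first `'` in the input are escaped while every later quote passes through unchanged — the existing `&`, `<`, `>` replacements above them all use `/…/g`. The apostrophe replacement also emits `&#39;;`, i.e. the entity followed by a stray literal semicolon. Both lines should read `.replace(/"/g, "&quot;")` and `.replace(/'/g, "&#39;")`, and the dangling `;` on its own line can be folded onto the last call.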

Modified: couchdb/trunk/share/www/script/futon.js
URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/script/futon.js?rev=1030261&r1=1030260&r2=1030261&view=diff
==============================================================================
--- couchdb/trunk/share/www/script/futon.js (original)
+++ couchdb/trunk/share/www/script/futon.js Tue Nov  2 22:16:18 2010
@@ -215,9 +215,10 @@ function $$(node) {
       recentDbs.sort();
       $.each(recentDbs, function(idx, name) {
         if (name) {
+          name = encodeURIComponent(name);
           $("#dbs").append("<li>" +
             "<button class='remove' title='Remove from list' value='" + name + "'></button>"
+
-            "<a href='database.html?" + encodeURIComponent(name) + "' title='" + name
+ "'>" + name +
+            "<a href='database.html?" + name + "' title='" + name + "'>" + name +
             "</a></li>");
         }
       });
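Review bot: `name = encodeURIComponent(name)` is being used as the escaping for the single-quoted `value='…'` and `title='…'` attributes and for the link text, but encodeURIComponent leaves `'` (along with `( ) ! * ~`) unencoded, so a stored name containing an apostrophe still terminates the attribute; URL-encoding is the right transform for the `href` query only. Use `$.futon.escape(name)` for the attribute and text positions and keep `encodeURIComponent(name)` just inside `database.html?`. The `remove` button's `value` now also carries the encoded form, so whatever handler reads it to drop the entry from `recentDbs` (outside this hunk) receives `my%2Fdb` instead of `my/db` unless it decodes. The `$.each` callback is complete here, but the enclosing function is not; the hunk lines are also wrapped by the mail archive, so the exact line breaks above are not reliable.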

Modified: couchdb/trunk/share/www/session.html
URL: http://svn.apache.org/viewvc/couchdb/trunk/share/www/session.html?rev=1030261&r1=1030260&r2=1030261&view=diff
==============================================================================
--- couchdb/trunk/share/www/session.html (original)
+++ couchdb/trunk/share/www/session.html Tue Nov  2 22:16:18 2010
@@ -36,7 +36,7 @@ specific language governing permissions 
           }
           m = qp.match(/reason=(.*)/);
           if (m) {
-            reason = decodeURIComponent(m[1]);
+            reason = $.futon.escape(decodeURIComponent(m[1]));
           }
         });
         if (reason) {
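Review bot: `decodeURIComponent(m[1])` throws a `URIError` on a malformed percent sequence in the `reason` query parameter, and nothing here catches it, so one bad value aborts the whole `$.each` over the query parts and the failure-message logic that follows is skipped. Wrap it: `try { reason = $.futon.escape(decodeURIComponent(m[1])); } catch (e) { reason = "Malformed reason parameter"; }`. Whether `$.futon.escape` is the right step also depends on how `reason` is inserted below `if (reason) {` — through `.text()` the entities would display literally, through `.html()` or string concatenation the escape is correct; that code is outside the hunk, as is the start of the enclosing function.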


