From gar...@apache.org
Subject [23/47] couchdb commit: updated refs/heads/Update-Sidebar-Ui to c173e52
Date Mon, 19 May 2014 16:17:41 GMT
Use <%- when interpolating XSS targets

  - I tried not to be heavy-handed: <%- is used only for values that
    could carry an XSS payload or otherwise come from a user or stored data.


Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/5e638923
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/5e638923
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/5e638923

Branch: refs/heads/Update-Sidebar-Ui
Commit: 5e63892323139c62fbb9194d3f287fb8e829f1cb
Parents: 519a488
Author: Kyle Snavely <ksnavely@cloudant.com>
Authored: Thu May 1 11:57:42 2014 -0400
Committer: Kyle Snavely <ksnavely@cloudant.com>
Committed: Thu May 1 14:08:47 2014 -0400

----------------------------------------------------------------------
 src/fauxton/app/addons/auth/templates/nav_dropdown.html        | 2 +-
 src/fauxton/app/addons/auth/templates/nav_link_title.html      | 2 +-
 src/fauxton/app/addons/config/templates/item.html              | 6 +++---
 src/fauxton/app/addons/documents/templates/changes.html        | 2 +-
 src/fauxton/app/addons/documents/templates/ddoc_info.html      | 2 +-
 .../app/addons/documents/templates/delete_database_modal.html  | 2 +-
 .../app/addons/documents/templates/design_doc_selector.html    | 6 +++---
 src/fauxton/app/addons/documents/templates/doc.html            | 4 ++--
 src/fauxton/app/addons/permissions/templates/section.html      | 2 +-
 src/fauxton/app/addons/replication/templates/form.html         | 2 +-
 src/fauxton/app/addons/replication/templates/progress.html     | 4 ++--
 11 files changed, 17 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/auth/templates/nav_dropdown.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/auth/templates/nav_dropdown.html b/src/fauxton/app/addons/auth/templates/nav_dropdown.html
index d61c24a..983b5f7 100644
--- a/src/fauxton/app/addons/auth/templates/nav_dropdown.html
+++ b/src/fauxton/app/addons/auth/templates/nav_dropdown.html
@@ -14,7 +14,7 @@ the License.
 
 <div id="sidenav">
 <header class="row-fluid">
-  <h3> <%= user.name %> </h3>
+  <h3> <%- user.name %> </h3>
 </header>
 <nav>
 <ul class="nav nav-list">

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/auth/templates/nav_link_title.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/auth/templates/nav_link_title.html b/src/fauxton/app/addons/auth/templates/nav_link_title.html
index 1ec9bf4..db3587d 100644
--- a/src/fauxton/app/addons/auth/templates/nav_link_title.html
+++ b/src/fauxton/app/addons/auth/templates/nav_link_title.html
@@ -20,7 +20,7 @@ the License.
 <% } else if (user) { %>
   <a  href="#changePassword" >
   	<span class="fonticon-user fonticon"></span>
-  	<%= user.name %>
+  	<%- user.name %>
 	</a>
 <% } else { %>
   <a  href="#login" >

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/config/templates/item.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/config/templates/item.html b/src/fauxton/app/addons/config/templates/item.html
index 8af9a50..f5fd73e 100644
--- a/src/fauxton/app/addons/config/templates/item.html
+++ b/src/fauxton/app/addons/config/templates/item.html
@@ -13,13 +13,13 @@ the License.
 -->
 
 <% if (option.index === 0) {%>
-<th> <%= option.section %> </th>
+<th> <%- option.section %> </th>
 <% } else { %>
 <td></td>
 <% } %>
 <td class="js-edit-value"> 
   <div class="js-show-value">
-    <%= option.name %>
+    <%- option.name %>
   </div>
   <div class="js-edit-value-form js-hidden">
     <input class="js-value-input" type="text" name="name" value="<%- option.name %>"
/>
@@ -29,7 +29,7 @@ the License.
 </td>
 <td class="js-edit-value">
   <div class="js-show-value">
-    <%= option.value %>
+    <%- option.value %>
   </div>
   <div class="js-edit-value-form js-hidden">
     <input class="js-value-input" type="text" name="value" value="<%- option.value
%>" />

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/documents/templates/changes.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/documents/templates/changes.html b/src/fauxton/app/addons/documents/templates/changes.html
index 5978e83..d038361 100644
--- a/src/fauxton/app/addons/documents/templates/changes.html
+++ b/src/fauxton/app/addons/documents/templates/changes.html
@@ -36,7 +36,7 @@ the License.
           <% if (change.deleted) { %>
             <%= change.id %>
           <% } else { %>
-            <a href="#<%= database.url('app') %>/<%= safeURL(change.id) %>"><%=
change.id %></a>
+            <a href="#<%- database.url('app') %>/<%- safeURL(change.id) %>"><%=
change.id %></a>
           <% } %>    </div>
         <div class="span2 text-right">
           <a class="js-copy" data-clipboard-text="<%= change.id %>" data-bypass="true"
href="#">
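Review bot: Only the href was escaped here; the same `change.id` is still written raw with `<%=` in the link text on the new side, in the deleted-document branch just above it, and in the `data-clipboard-text` attribute below. A document id is chosen by whoever writes the document, which is exactly the class of value this commit is meant to cover, so an id containing markup would still land in the page unescaped through those three spots. They should read `<%- change.id %>` in the deleted branch, `...<%- safeURL(change.id) %>"><%- change.id %></a>` for the link, and `data-clipboard-text="<%- change.id %>"` for the copy button. The surrounding markup of this block starts and ends outside the hunk.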

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/documents/templates/ddoc_info.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/documents/templates/ddoc_info.html b/src/fauxton/app/addons/documents/templates/ddoc_info.html
index ed0aed6..b33e49b 100644
--- a/src/fauxton/app/addons/documents/templates/ddoc_info.html
+++ b/src/fauxton/app/addons/documents/templates/ddoc_info.html
@@ -18,7 +18,7 @@ the License.
 		<% if(i%2==0){%>
 			<div class="row-fluid">
 		<% }; %>
-	    <div class="span6 well-item"><strong> <%= key %></strong> :
<%= val %>  </div>
+	    <div class="span6 well-item"><strong> <%- key %></strong> :
<%- val %>  </div>
 	    <% if(i%2==1){%>
 			</div>
 		<% }; %>

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/documents/templates/delete_database_modal.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/documents/templates/delete_database_modal.html b/src/fauxton/app/addons/documents/templates/delete_database_modal.html
index 7ea3bc4..2b5448c 100644
--- a/src/fauxton/app/addons/documents/templates/delete_database_modal.html
+++ b/src/fauxton/app/addons/documents/templates/delete_database_modal.html
@@ -20,7 +20,7 @@ the License.
   <div class="modal-body">
     <form id="delete-db-check" class="form" method="post">
       <p>
-      You've asked to <b>permanently delete</b> <code><%= database.id
%></code>.
+      You've asked to <b>permanently delete</b> <code><%- database.id
%></code>.
       Please enter the database name below to confirm the deletion of the
       database and all documents and attachments within.
       </p>

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/documents/templates/design_doc_selector.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/documents/templates/design_doc_selector.html b/src/fauxton/app/addons/documents/templates/design_doc_selector.html
index 7bbe310..b8f8b3f 100644
--- a/src/fauxton/app/addons/documents/templates/design_doc_selector.html
+++ b/src/fauxton/app/addons/documents/templates/design_doc_selector.html
@@ -12,15 +12,15 @@ License for the specific language governing permissions and limitations
under
 the License.
 -->
 <div class="span3">
-  <label for="ddoc">Save to Design Document <a href="<%=getDocUrl('design_doc')%>"
target="_blank"><i class="icon-question-sign"></i></a></label>
+  <label for="ddoc">Save to Design Document <a href="<%-getDocUrl('design_doc')%>"
target="_blank"><i class="icon-question-sign"></i></a></label>
   <select id="ddoc">
     <optgroup label="Select a document">
       <option value="new-doc">New document</option>
       <% ddocs.each(function(ddoc) { %>
       <% if (ddoc.id === ddocName) { %>
-      <option selected="selected" value="<%= ddoc.id %>"><%= ddoc.id %></option>
+      <option selected="selected" value="<%- ddoc.id %>"><%- ddoc.id %></option>
       <% } else { %>
-      <option value="<%= ddoc.id %>"><%= ddoc.id %></option>
+      <option value="<%- ddoc.id %>"><%- ddoc.id %></option>
       <% } %>
       <% }); %>
     </optgroup>

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/documents/templates/doc.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/documents/templates/doc.html b/src/fauxton/app/addons/documents/templates/doc.html
index 9433868..e9a46cf 100644
--- a/src/fauxton/app/addons/documents/templates/doc.html
+++ b/src/fauxton/app/addons/documents/templates/doc.html
@@ -31,8 +31,8 @@ the License.
       <ul class="dropdown-menu">
         <%_.each(attachments, function (att) { %>
         <li>
-        <a href="<%= att.url %>" target="_blank"> <strong> <%= att.fileName
%> </strong> -
-          <span> <%= att.contentType %>, <%= formatSize(att.size)%> </span>
+        <a href="<%- att.url %>" target="_blank"> <strong> <%- att.fileName
%> </strong> -
+          <span> <%- att.contentType %>, <%- formatSize(att.size)%> </span>
         </a>
         </li>
         <% }) %>
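Review bot: Escaping `att.url` with `<%-` stops the value from breaking out of the quoted href, but it does not constrain what URL ends up there; HTML escaping is not URL validation. I cannot see where `att.url` is built, but if it is assembled from the attachment name (which is user-supplied, like `fileName` on the same line), that name should be percent-encoded at the point of assembly, the way `safeURL()` is applied to `change.id` in changes.html, so a name containing `/`, `?` or `#` cannot alter the path. The `_.each` loop is closed inside the hunk but the enclosing dropdown markup continues outside it.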

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/permissions/templates/section.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/permissions/templates/section.html b/src/fauxton/app/addons/permissions/templates/section.html
index 0459562..fe228f5 100644
--- a/src/fauxton/app/addons/permissions/templates/section.html
+++ b/src/fauxton/app/addons/permissions/templates/section.html
@@ -13,7 +13,7 @@ the License.
 -->
 <header class="page-header">
 <h3> <%= (section) %> </h3>
-<p class="help"> <%= help %> <a href="<%=getDocUrl('database_permission')%>"
target="_blank"><i class="icon-question-sign"> </i> </a></p>
+<p class="help"> <%= help %> <a href="<%-getDocUrl('database_permission')%>"
target="_blank"><i class="icon-question-sign"> </i> </a></p>
 </header>
 
 <div class="row-fluid">

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/replication/templates/form.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/replication/templates/form.html b/src/fauxton/app/addons/replication/templates/form.html
index 32a87dc..342a4fd 100644
--- a/src/fauxton/app/addons/replication/templates/form.html
+++ b/src/fauxton/app/addons/replication/templates/form.html
@@ -63,7 +63,7 @@ the License.
 
 			<label for="createTarget">
 				<input type="checkbox" name="create_target" value="true" id="createTarget">
-				Create Target <a href="<%=getDocUrl('replication_doc')%>" target="_blank"><i
class="icon-question-sign" rel="tooltip" title="Create the target database"></i></a>
+				Create Target <a href="<%-getDocUrl('replication_doc')%>" target="_blank"><i
class="icon-question-sign" rel="tooltip" title="Create the target database"></i></a>
 			</label>
 		</div>
 

http://git-wip-us.apache.org/repos/asf/couchdb/blob/5e638923/src/fauxton/app/addons/replication/templates/progress.html
----------------------------------------------------------------------
diff --git a/src/fauxton/app/addons/replication/templates/progress.html b/src/fauxton/app/addons/replication/templates/progress.html
index 1e6ef90..ea9d6c3 100644
--- a/src/fauxton/app/addons/replication/templates/progress.html
+++ b/src/fauxton/app/addons/replication/templates/progress.html
@@ -11,12 +11,12 @@ WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 License for the specific language governing permissions and limitations under
 the License.
 -->
-<p class="span6 break">Replicating <strong><%=source%></strong> to
<strong><%=target%></strong></p>
+<p class="span6 break">Replicating <strong><%-source%></strong> to
<strong><%-target%></strong></p>
 
 <div class="span4 progress progress-striped active">
   <div class="bar" style="width: <%=progress || 0%>%;"><%=progress || "0"%>%</div>
 </div>
 
 <span class="span1">
-	<button class="cancel btn btn-danger btn-large delete" data-source="<%=source%>"
 data-rep-id="<%=repid%>" data-continuous="<%=continuous%>" data-target="<%=target%>">Cancel</a>
+	<button class="cancel btn btn-danger btn-large delete" data-source="<%-source%>"
 data-rep-id="<%-repid%>" data-continuous="<%-continuous%>" data-target="<%-target%>">Cancel</a>
 </span>
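Review bot: The Cancel control on the new side opens as `<button ...>` but is closed with `</a>`, so the button element is never terminated and the browser has to recover from a mismatched end tag; the line should end with `>Cancel</button>`. The `progress` value is still interpolated with `<%=` both inside the inline `style` attribute and as the bar's text; it is presumably a number from the replication task, but if it can ever arrive as a string it needs `<%-` as well, since an unescaped value inside a `style` attribute is a style-injection vector.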

