From brond...@apache.org
Subject [3/5] git commit: [#5596] Removed remaining references to HTMLField and LinkField
Date Wed, 16 Jan 2013 20:35:08 GMT
[#5596] Removed remaining references to HTMLField and LinkField

Signed-off-by: Cory Johns <johnsca@geek.net>


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/faad5fd8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/faad5fd8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/faad5fd8

Branch: refs/heads/master
Commit: faad5fd8afb6919cf8755e8add02506c6b11693d
Parents: 3cc75d1
Author: Cory Johns <johnsca@geek.net>
Authored: Wed Jan 16 16:43:16 2013 +0000
Committer: Cory Johns <johnsca@geek.net>
Committed: Wed Jan 16 16:43:16 2013 +0000

----------------------------------------------------------------------
 Allura/allura/controllers/auth.py                  |    4 +--
 Allura/allura/lib/widgets/discuss.py               |   14 ++++-----
 Allura/allura/lib/widgets/forms.py                 |    2 +-
 .../forgediscussion/widgets/forum_widgets.py       |   24 ++++----------
 4 files changed, 15 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/faad5fd8/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index fa7a254..877ea4d 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -6,8 +6,6 @@ from tg import expose, session, flash, redirect, validate, config
 from tg.decorators import with_trailing_slash
 from pylons import c, g, request, response
 from webob import exc as wexc
-from ew import jinja2_ew as ew
-from jinja2.filters import escape as j2_escape
 
 import allura.tasks.repo_tasks
 from allura import model as M
@@ -328,7 +326,7 @@ class UserSkillsController(BaseController):
         return dict(
             skills_list = l,
             selected_skill = selected_skill,
-            parents = parents, 
+            parents = parents,
             add_details_fields=(len(l)==0))
 
     @expose()

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/faad5fd8/Allura/allura/lib/widgets/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/widgets/discuss.py b/Allura/allura/lib/widgets/discuss.py
index ff38529..6b9b85b 100644
--- a/Allura/allura/lib/widgets/discuss.py
+++ b/Allura/allura/lib/widgets/discuss.py
@@ -166,14 +166,12 @@ class _ThreadsTable(ew.TableField):
     class hidden_fields(ew_core.NameList):
         _id=ew.HiddenField(validator=V.Ming(M.Thread))
     class fields(ew_core.NameList):
-        num_replies=ffw.DisplayOnlyField(show_label=True, label='Num Posts')
-        num_views=ffw.DisplayOnlyField(show_label=True)
-        # XXX XSS this use of HTMLField is potentially insecure, as value.summary() doesn't
properly escape its data
-        last_post=ew.HTMLField(text="${value and value.summary()}", show_label=True)
-        subscription=ew.Checkbox(suppress_label=True, show_label=True)
-    fields.insert(0, ew.LinkField(
-            label='Subject', text="${value['subject']}",
-            href="${value['url']()}", show_label=True))
+        subscription=ew.Checkbox(suppress_label=True)
+        subject=ffw.DisplayOnlyField(label='Topic')
+        url=ffw.DisplayOnlyField()
+        num_replies=ffw.DisplayOnlyField(label='Posts')
+        num_views=ffw.DisplayOnlyField(label='Views')
+        last_post=ffw.DisplayOnlyField(label='Last Post')
 
 class SubscriptionForm(ew.SimpleForm):
     template='jinja:allura:templates/widgets/subscription_form.html'
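Review bot: The deleted `XXX XSS` comments recorded that `value.summary()` does not escape its data, and the replacement `last_post=ffw.DisplayOnlyField(label='Last Post')` leaves no indication of where that escaping now happens. Neither `DisplayOnlyField` nor the table template is visible in this diff, so it cannot be confirmed from here that `subject`, `last_post` and (in the `forum_widgets.py` hunks for `_ForumsTable`, `_ThreadsTable` and `AnnouncementsTable`) `flags` are HTML-escaped on output. The link target was previously produced by calling `value['url']()`, whereas `url=ffw.DisplayOnlyField()` hands the raw value to whatever renders the row, so that renderer must both call it and attribute-escape the result. I would keep a short comment above the fields, for example `# rendered by the threads-table template; values are user-controlled and must stay autoescaped (no |safe)`, so the constraint survives the removal of the XXX notes.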

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/faad5fd8/Allura/allura/lib/widgets/forms.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py
index ee4311c..0eeeeef 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -462,7 +462,7 @@ class RemoveTroveCategoryForm(ForgeForm):
                 show_errors=False,
                 show_label=False,
                 fields=[
-                    ew.LinkField(
+                    ffw.LinkField(
                         text=cat.fullname,
                         href="/categories/%s" % cat.shortname),
                     ew.SubmitButton(
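Review bot: `text=cat.fullname` and `href="/categories/%s" % cat.shortname` are passed unmodified to `ffw.LinkField`, whose rendering is not shown in this diff, so the swap from `ew.LinkField` moves the escaping guarantee to a class the reviewer cannot see. If `ffw.LinkField` does not HTML-escape `text` and attribute-escape `href` itself, that needs to happen at this call site, and `cat.shortname` is interpolated into the path without URL-quoting. A one-line comment once verified, such as `# ffw.LinkField escapes text and href`, would document the assumption. The `fields=[...]` list starts and ends outside the hunk, and the `ffw` import for `forms.py` is not visible either.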

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/faad5fd8/ForgeDiscussion/forgediscussion/widgets/forum_widgets.py
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/widgets/forum_widgets.py b/ForgeDiscussion/forgediscussion/widgets/forum_widgets.py
index 8a2f778..40be5e5 100644
--- a/ForgeDiscussion/forgediscussion/widgets/forum_widgets.py
+++ b/ForgeDiscussion/forgediscussion/widgets/forum_widgets.py
@@ -26,9 +26,7 @@ class _ForumsTable(ew.TableField):
     class fields(ew_core.NameList):
         num_topics=ffw.DisplayOnlyField(show_label=True, label='Topics')
         num_posts=ffw.DisplayOnlyField(show_label=True, label='Posts')
-        # XXX XSS this use of HTMLField is potentially insecure, as value.summary() doesn't
properly escape its data
-        last_post=ew.HTMLField(text="${value and value.summary()}",
-                               show_label=True)
+        last_post=ffw.DisplayOnlyField(show_label=True)
         subscribed=ew.Checkbox(suppress_label=True, show_label=True)
     fields.insert(0, _ForumSummary())
 
@@ -40,16 +38,12 @@ class ForumSubscriptionForm(ew.SimpleForm):
 
 class _ThreadsTable(DW._ThreadsTable):
     class fields(ew_core.NameList):
+        subject=ffw.DisplayOnlyField(show_label=True, label='Subject')
         num_replies=ffw.DisplayOnlyField(show_label=True, label='Num Replies')
         num_views=ffw.DisplayOnlyField(show_label=True)
-        # XXX XSS this use of HTMLField is potentially insecure, but I'm not sure what values
flags can take
-        flags=ew.HTMLField(show_label=True, text="${unicode(', '.join(value))}")
-        # XXX XSS this use of HTMLField is potentially insecure, as value.summary() doesn't
properly escape its data
-        last_post=ew.HTMLField(text="${value and value.summary()}", show_label=True)
+        flags=ffw.DisplayOnlyField(show_label=True)
+        last_post=ffw.DisplayOnlyField(show_label=True)
         subscription=ew.Checkbox(suppress_label=True, show_label=True)
-    fields.insert(0, ew.LinkField(
-            label='Subject', text="${value['subject']}",
-            href="${value['url']()}", show_label=True))
     defaults=dict(DW._ThreadsTable.defaults, div_id='forum_threads')
 
 class ThreadSubscriptionForm(DW.SubscriptionForm):
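Review bot: The overriding `fields` list in this `_ThreadsTable` gains `subject=ffw.DisplayOnlyField(...)` but no `url` field, while the base `_ThreadsTable.fields` in `discuss.py` receives both `subject` and `url` in the same commit. Because the subclass appears to replace `fields` wholesale, a template that builds the subject link from a `url` field would presumably find none here; adding `url=ffw.DisplayOnlyField()` after `subject` would keep the two tables consistent, and the same applies to the `AnnouncementsTable` hunk below. Separately, `flags` was rendered as `', '.join(value)` and is now passed to `DisplayOnlyField` as the raw value, so its displayed form may change unless the template joins it. The labels also diverge from the base class (`'Subject'`/`'Num Replies'` here versus `'Topic'`/`'Posts'` there), which is worth a comment if intentional.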
@@ -60,15 +54,11 @@ class ThreadSubscriptionForm(DW.SubscriptionForm):
 
 class AnnouncementsTable(DW._ThreadsTable):
     class fields(ew_core.NameList):
+        subject=ffw.DisplayOnlyField(show_label=True, label='Subject')
         num_replies=ffw.DisplayOnlyField(show_label=True, label='Num Replies')
         num_views=ffw.DisplayOnlyField(show_label=True)
-        # XXX XSS this use of HTMLField is potentially insecure, but I'm not sure what values
flags can take
-        flags=ew.HTMLField(show_label=True, text="${unicode(', '.join(value))}")
-        # XXX XSS this use of HTMLField is potentially insecure, as value.summary() doesn't
properly escape its data
-        last_post=ew.HTMLField(text="${value and value.summary()}", show_label=True)
-    fields.insert(0, ew.LinkField(
-            label='Subject', text="${value['subject']}",
-            href="${value['url']()}", show_label=True))
+        flags=ffw.DisplayOnlyField(show_label=True)
+        last_post=ffw.DisplayOnlyField(show_label=True)
     defaults=dict(DW._ThreadsTable.defaults, div_id='announcements')
     name='announcements'
 

