
From prabhjyotsi...@apache.org
Subject zeppelin git commit: [minor] Escape string before insertion it into HTML
Date Sat, 24 Mar 2018 05:20:35 GMT
Repository: zeppelin
Updated Branches:
  refs/heads/branch-0.8 f5e56f1ee -> f058f2a41


[minor] Escape string before insertion it into HTML

In the current implementation some unescaped strings are passed to the frontend's BootstrapDialog, which renders its title and message as HTML; this PR escapes those strings (and so sanitizes the rendered output).

[Improvement]

* Does the licenses files need update?
* Is there breaking changes for older versions?
* Does this needs documentation?

Author: Prabhjyot Singh <prabhjyotsingh@gmail.com>

Closes #2888 from prabhjyotsingh/applyEscapeBootstrapDialog and squashes the following commits:

757cfff91 [Prabhjyot Singh] apply _.Escape to BootstrapDialog

Change-Id: Icabd5e5713591929cb4ff9a41036f06ca99b6db8
(cherry picked from commit 645037b367fd3249ea000392a3237313a83f3506)
Signed-off-by: Prabhjyot Singh <prabhjyotsingh@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/f058f2a4
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/f058f2a4
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/f058f2a4

Branch: refs/heads/branch-0.8
Commit: f058f2a419995ee4b8f364ab366ff4b7dc92850d
Parents: f5e56f1
Author: Prabhjyot Singh <prabhjyotsingh@gmail.com>
Authored: Thu Mar 22 14:45:09 2018 +0530
Committer: Prabhjyot Singh <prabhjyotsingh@gmail.com>
Committed: Sat Mar 24 10:50:24 2018 +0530

----------------------------------------------------------------------
 zeppelin-web/src/app/helium/helium.controller.js  | 12 ++++++------
 .../src/app/interpreter/interpreter.controller.js |  6 +++---
 .../src/app/jobmanager/job/job.component.js       |  2 +-
 .../src/app/notebook/notebook.controller.js       | 18 +++++++++++-------
 .../components/note-action/note-action.service.js |  2 +-
 .../websocket/websocket-event.factory.js          |  2 +-
 6 files changed, 23 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/f058f2a4/zeppelin-web/src/app/helium/helium.controller.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/app/helium/helium.controller.js b/zeppelin-web/src/app/helium/helium.controller.js
index 4728e08..043a9ad 100644
--- a/zeppelin-web/src/app/helium/helium.controller.js
+++ b/zeppelin-web/src/app/helium/helium.controller.js
@@ -150,7 +150,7 @@ export default function HeliumCtrl($scope, $rootScope, $sce,
               console.log('Failed to save order');
               BootstrapDialog.show({
                 title: 'Error on saving order ',
-                message: data.message,
+                message: _.escape(data.message),
               });
             });
           return false;
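Review bot: The new `_.escape(data.message)` on the added line relies on lodash's `_` being in scope, and this hunk adds no import; if `_` is a build-time global in zeppelin-web (the other files in this commit use it the same way, so that seems likely) nothing is needed, otherwise add `import _ from 'lodash';` at the top of helium.controller.js. Note also that `_.escape` coerces `null`/`undefined` to `''`, so a failed request whose response carries no `message` now yields an empty dialog body; if that is undesirable, use `message: _.escape(data.message || 'Unknown error'),`. The enclosing HeliumCtrl function starts and ends outside the hunk.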
@@ -244,8 +244,8 @@ export default function HeliumCtrl($scope, $rootScope, $sce,
               confirm.close();
               console.log('Failed to enable package %o %o. %o', name, artifact, data);
               BootstrapDialog.show({
-                title: 'Error on enabling ' + name,
-                message: data.message,
+                title: 'Error on enabling ' + _.escape(name),
+                message: _.escape(data.message),
               });
             });
             return false;
@@ -261,7 +261,7 @@ export default function HeliumCtrl($scope, $rootScope, $sce,
       closeByBackdrop: false,
       closeByKeyboard: false,
       title: '<div style="font-weight: 300;">Do you want to disable Helium Package?</div>',
-      message: artifact,
+      message: _.escape(artifact),
       callback: function(result) {
         if (result) {
           confirm.$modalFooter.find('button').addClass('disabled');
@@ -276,8 +276,8 @@ export default function HeliumCtrl($scope, $rootScope, $sce,
             confirm.close();
             console.log('Failed to disable package %o. %o', name, data);
             BootstrapDialog.show({
-              title: 'Error on disabling ' + name,
-              message: data.message,
+              title: 'Error on disabling ' + _.escape(name),
+              message: _.escape(data.message),
             });
           });
           return false;

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/f058f2a4/zeppelin-web/src/app/interpreter/interpreter.controller.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/app/interpreter/interpreter.controller.js b/zeppelin-web/src/app/interpreter/interpreter.controller.js
index d220dba..ef6b8a5 100644
--- a/zeppelin-web/src/app/interpreter/interpreter.controller.js
+++ b/zeppelin-web/src/app/interpreter/interpreter.controller.js
@@ -508,7 +508,7 @@ function InterpreterCtrl($rootScope, $scope, $http, baseUrlSrv, ngToast,
$timeou
       BootstrapDialog.alert({
         closable: true,
         title: 'Add interpreter',
-        message: 'Name ' + $scope.newInterpreterSetting.name + ' already exists',
+        message: 'Name ' + _.escape($scope.newInterpreterSetting.name) + ' already exists',
       });
       return;
     }
@@ -747,7 +747,7 @@ function InterpreterCtrl($rootScope, $scope, $http, baseUrlSrv, ngToast,
$timeou
   $scope.showErrorMessage = function(setting) {
     BootstrapDialog.show({
       title: 'Error downloading dependencies',
-      message: setting.errorReason,
+      message: _.escape(setting.errorReason),
     });
   };
 
@@ -775,7 +775,7 @@ function InterpreterCtrl($rootScope, $scope, $http, baseUrlSrv, ngToast,
$timeou
           window.open(res.data.body.url, '_blank');
         } else {
           BootstrapDialog.alert({
-            message: res.data.body.message,
+            message: _.escape(res.data.body.message),
           });
         }
       }).catch(function(res) {
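Review bot: The `window.open(res.data.body.url, '_blank')` in the `if` branch just above the changed line opens a server-supplied URL with no scheme check and without `noopener`, so the opened page receives a `window.opener` reference back to the Zeppelin window; only the `else` branch's message gets the escaping this commit adds. Where `body.url` comes from is outside the hunk, so this is inferred, but if it can carry user-influenced content, restrict it to `http:`/`https:` before opening and pass the third argument: `window.open(res.data.body.url, '_blank', 'noopener');`. The enclosing function continues outside the hunk.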

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/f058f2a4/zeppelin-web/src/app/jobmanager/job/job.component.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/app/jobmanager/job/job.component.js b/zeppelin-web/src/app/jobmanager/job/job.component.js
index e6f102f..982fa28 100644
--- a/zeppelin-web/src/app/jobmanager/job/job.component.js
+++ b/zeppelin-web/src/app/jobmanager/job/job.component.js
@@ -94,7 +94,7 @@ class JobController {
     BootstrapDialog.alert({
       closable: true,
       title: title,
-      message: errorMessage,
+      message: _.escape(errorMessage),
     });
   }
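Review bot: Only `errorMessage` is escaped on the added line; `title` is still passed to `BootstrapDialog.alert` unescaped on the line above, and BootstrapDialog renders the title as HTML as well — the helium hunks in this same commit escape `name` inside titles for exactly that reason. `title` is built above the hunk, so this is inferred, but if it is derived from a job or note name it needs the same treatment: `title: _.escape(title),`. The enclosing method starts outside the hunk.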
 

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/f058f2a4/zeppelin-web/src/app/notebook/notebook.controller.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/app/notebook/notebook.controller.js b/zeppelin-web/src/app/notebook/notebook.controller.js
index 4c9de9c..ba88e3f 100644
--- a/zeppelin-web/src/app/notebook/notebook.controller.js
+++ b/zeppelin-web/src/app/notebook/notebook.controller.js
@@ -1010,7 +1010,7 @@ function NotebookCtrl($scope, $route, $routeParams, $location, $rootScope,
       closeByBackdrop: false,
       closeByKeyboard: false,
       title: '',
-      message: 'Do you want to restart ' + interpreter.name + ' interpreter?',
+      message: 'Do you want to restart ' + _.escape(interpreter.name) + ' interpreter?',
       callback: function(result) {
         if (result) {
           let payload = {
@@ -1031,7 +1031,7 @@ function NotebookCtrl($scope, $route, $routeParams, $location, $rootScope,
               console.log('Error %o %o', status, data.message);
               BootstrapDialog.show({
                 title: 'Error restart interpreter.',
-                message: data.message,
+                message: _.escape(data.message),
               });
             });
           return false;
@@ -1050,7 +1050,7 @@ function NotebookCtrl($scope, $route, $routeParams, $location, $rootScope,
         closable: false,
         title: 'Setting Owners Permissions',
         message: 'Please fill the [Owners] field. If not, it will set as current user.\n\n'
+
-          'Current user : [ ' + $rootScope.ticket.principal + ']',
+          'Current user : [ ' + _.escape($rootScope.ticket.principal) + ']',
         buttons: [
           {
             label: 'Set',
@@ -1083,9 +1083,13 @@ function NotebookCtrl($scope, $route, $routeParams, $location, $rootScope,
         BootstrapDialog.alert({
           closable: true,
           title: 'Permissions Saved Successfully',
-          message: 'Owners : ' + $scope.permissions.owners + '\n\n' + 'Readers : ' +
-           $scope.permissions.readers + '\n\n' + 'Runners : ' + $scope.permissions.runners
+
-           '\n\n' + 'Writers  : ' + $scope.permissions.writers,
+          message: 'Owners : ' + _.escape($scope.permissions.owners)
+          + '\n\n' +
+          'Readers : ' + _.escape($scope.permissions.readers) +
+          '\n\n' +
+          'Runners : ' + _.escape($scope.permissions.runners) +
+          '\n\n' +
+          'Writers  : ' + _.escape($scope.permissions.writers),
         });
         $scope.showPermissions = false;
       });
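Review bot: The `'\n\n'` separators between the newly escaped permission fields still land inside HTML, where a newline collapses to a single space, so the dialog shows one run-on line; now that every dynamic part is escaped, the trusted literal parts can safely carry markup, e.g. replace each `'\n\n'` with `'<br><br>'`. Also, if `$scope.permissions.owners` and the other three are arrays (the plural names suggest so; their shape is set outside the hunk), `_.escape` stringifies them via lodash's `toString`, producing `a,b` with no space — `_.escape(($scope.permissions.owners || []).join(', '))` reads better and behaves the same for strings. The enclosing callback starts and ends outside the hunk.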
@@ -1097,7 +1101,7 @@ function NotebookCtrl($scope, $route, $routeParams, $location, $rootScope,
         closeByBackdrop: false,
         closeByKeyboard: false,
         title: 'Insufficient privileges',
-        message: data.message,
+        message: _.escape(data.message),
         buttons: [
           {
             label: 'Login',

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/f058f2a4/zeppelin-web/src/components/note-action/note-action.service.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/components/note-action/note-action.service.js b/zeppelin-web/src/components/note-action/note-action.service.js
index d4bf6f0..83cb6df 100644
--- a/zeppelin-web/src/components/note-action/note-action.service.js
+++ b/zeppelin-web/src/components/note-action/note-action.service.js
@@ -139,7 +139,7 @@ function noteActionService(websocketMsgSrv, $location, noteRenameService,
noteLi
             type: BootstrapDialog.TYPE_WARNING,
             closable: true,
             title: 'WARNING! The folder will be MERGED',
-            message: 'The folder will be merged into <strong>' + newFolderId + '</strong>.
Are you sure?',
+            message: 'The folder will be merged into <strong>' + _.escape(newFolderId)
+ '</strong>. Are you sure?',
             callback: function(result) {
               if (result) {
                 websocketMsgSrv.renameFolder(folderId, newFolderId);

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/f058f2a4/zeppelin-web/src/components/websocket/websocket-event.factory.js
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/components/websocket/websocket-event.factory.js b/zeppelin-web/src/components/websocket/websocket-event.factory.js
index 18c704d..ca33263 100644
--- a/zeppelin-web/src/components/websocket/websocket-event.factory.js
+++ b/zeppelin-web/src/components/websocket/websocket-event.factory.js
@@ -150,7 +150,7 @@ function WebsocketEventFactory($rootScope, $websocket, $location, baseUrlSrv)
{
         closeByBackdrop: false,
         closeByKeyboard: false,
         title: 'Details',
-        message: data.info.toString(),
+        message: _.escape(data.info.toString()),
         buttons: [{
           // close all the dialogs when there are error on running all paragraphs
           label: 'Close',
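Review bot: The explicit `data.info.toString()` on the added line is now redundant and is the only thing in the expression that can throw: `_.escape` already coerces its argument with lodash's `toString`, which maps `null`/`undefined` to `''`, whereas `.toString()` on a missing `info` raises a TypeError before the dialog is built. Simplifying to `message: _.escape(data.info),` yields the same string for every non-null value and handles an absent `info` gracefully. The enclosing WebsocketEventFactory function starts and ends outside the hunk.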

