| author | Ivan Kohler <ivan@freeside.biz> | 2012-06-01 17:15:27 -0700 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2012-06-01 17:15:27 -0700 |
| commit | cbb4c260c40779ba84c794dd68147c54f3de2f52 (patch) | |
| tree | 2be7909d11386d157240b48ac4ce5ff878adfa1f /rt/share/html/Elements | |
| parent | d4617c6565d5fc6bafe14d11c19646b0674ae73d (diff) | |
RT 3.8.13
Diffstat (limited to 'rt/share/html/Elements')
| -rw-r--r-- | rt/share/html/Elements/CollectionAsTable/Header | 4 | ||||
| -rw-r--r-- | rt/share/html/Elements/CollectionListPaging | 12 | ||||
| -rw-r--r-- | rt/share/html/Elements/ColumnMap | 10 | ||||
| -rwxr-xr-x | rt/share/html/Elements/CreateTicket | 2 | ||||
| -rw-r--r-- | rt/share/html/Elements/EditCustomField | 2 | ||||
| -rw-r--r-- | rt/share/html/Elements/EditCustomFieldAutocomplete | 21 | ||||
| -rw-r--r-- | rt/share/html/Elements/EditCustomFieldSelect | 6 | ||||
| -rwxr-xr-x | rt/share/html/Elements/Error | 2 | ||||
| -rwxr-xr-x | rt/share/html/Elements/Header | 3 | ||||
| -rw-r--r-- | rt/share/html/Elements/HeaderJavascript | 6 | ||||
| -rwxr-xr-x | rt/share/html/Elements/MessageBox | 2 | ||||
| -rw-r--r-- | rt/share/html/Elements/PersonalQuickbar | 2 | ||||
| -rw-r--r-- | rt/share/html/Elements/RT__CustomField/ColumnMap | 8 | ||||
| -rw-r--r-- | rt/share/html/Elements/ScrubHTML | 26 | ||||
| -rw-r--r-- | rt/share/html/Elements/ShowCustomFields | 12 | ||||
| -rw-r--r-- | rt/share/html/Elements/ShowUser | 2 | ||||
| -rwxr-xr-x | rt/share/html/Elements/Submit | 4 |
17 files changed, 56 insertions, 68 deletions
diff --git a/rt/share/html/Elements/CollectionAsTable/Header b/rt/share/html/Elements/CollectionAsTable/Header
index 878a77e70..75aaa3cff 100644
--- a/rt/share/html/Elements/CollectionAsTable/Header
+++ b/rt/share/html/Elements/CollectionAsTable/Header
@@ -129,11 +129,11 @@ foreach my $col ( @Format ) { if $OrderBy[0] && $OrderBy[0] eq $attr; $m->out( - '<a href="' . $BaseURL + '<a href="' . $m->interp->apply_escapes($BaseURL . $m->comp( '/Elements/QueryString', %$generic_query_args, OrderBy => $attr, Order => $new_order - ) + ), 'h') . '">'. loc($title) .'</a>' ); }
diff --git a/rt/share/html/Elements/CollectionListPaging b/rt/share/html/Elements/CollectionListPaging
index 7be9ea62c..89cf0fa94 100644
--- a/rt/share/html/Elements/CollectionListPaging
+++ b/rt/share/html/Elements/CollectionListPaging
@@ -55,22 +55,24 @@ $URLParams => undef </%ARGS> <%INIT> +$BaseURL = $m->interp->apply_escapes($BaseURL, 'h'); + $m->out(qq{<div class="paging">}); if ($Pages == 1) { $m->out(loc('Page 1 of 1')); } else{ $m->out(loc('Page') . ' '); -my $prev = $m->comp( +my $prev = $m->interp->apply_escapes($m->comp( '/Elements/QueryString', %$URLParams, Page => ( $CurrentPage - 1 ) - ); -my $next = $m->comp( + ), 'h'); +my $next = $m->interp->apply_escapes($m->comp( '/Elements/QueryString', %$URLParams, Page => ( $CurrentPage + 1 ) - ); + ), 'h'); my %show; $show{1} = 1; $show{$_} = 1 for (($CurrentPage - 2)..($CurrentPage + 2));
@@ -81,7 +83,7 @@ for my $number ( 1 .. $Pages ) { if ( $show{$number} ) { $dots = undef; my $qs = - $m->comp( '/Elements/QueryString', %$URLParams, Page => $number ); + $m->interp->apply_escapes($m->comp( '/Elements/QueryString', %$URLParams, Page => $number ), 'h'); $m->out(qq{<span class="pagenum">}); if ( $number == $CurrentPage ) { $m->out(qq{<span class="currentpage">$number</span> });
diff --git a/rt/share/html/Elements/ColumnMap b/rt/share/html/Elements/ColumnMap
index 5e5354ade..2d226dafc 100644
--- a/rt/share/html/Elements/ColumnMap 
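Review bot: In CollectionAsTable/Header, the new `apply_escapes(..., 'h')` wraps a multi-line concatenation of `$BaseURL` and the `/Elements/QueryString` output, which makes the href hard to read and easy to break on the next edit. Hoisting it into a local, `my $href = $m->interp->apply_escapes($BaseURL . $m->comp('/Elements/QueryString', %$generic_query_args, OrderBy => $attr, Order => $new_order), 'h');` followed by `$m->out('<a href="' . $href . '">' . loc($title) . '</a>');`, keeps the escaping visible at one point. The link text `loc($title)` is still emitted on the same lines without an escape; if `$title` can come from a user-saved Format rather than only from the column map it needs the same treatment, but its origin is not visible in this hunk. The enclosing `foreach` begins before the hunk.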
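Review bot: In CollectionListPaging, `$BaseURL` is overwritten in place with its HTML-escaped form at the top of `<%INIT>`, so every later use of the variable in this component silently receives an escaped value; that is right for the `href` attributes built below, but it deserves a comment such as `# $BaseURL is only ever interpolated into HTML attributes from here on, so escape it once.` The three `$m->interp->apply_escapes($m->comp('/Elements/QueryString', %$URLParams, Page => ...), 'h')` calls for `$prev`, `$next` and `$qs` repeat the same expression; a small closure `my $page_qs = sub { $m->interp->apply_escapes($m->comp('/Elements/QueryString', %$URLParams, Page => shift), 'h') };` would leave one place to get the escaping right. The second hunk of this file repeats the same pattern.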
+++ b/rt/share/html/Elements/ColumnMap
@@ -120,14 +120,16 @@ my $COLUMN_MAP = { my $name = $_[1] || 'SelectedTickets'; my $checked = $m->request_args->{ $name .'All' }? 'checked="checked"': ''; - return \qq{<input type="checkbox" name="${name}All" value="1" $checked - onclick="setCheckbox(this.form, '$name', this.checked)" />}; + return \qq{<input type="checkbox" name="}, $name, \qq{All" value="1" $checked + onclick="setCheckbox(this.form, }, + $m->interp->apply_escapes($name,'j'), + \qq{, this.checked)" />}; }, value => sub { my $id = $_[0]->id; my $name = $_[2] || 'SelectedTickets'; - return \qq{<input type="checkbox" name="$name" value="$id" checked="checked" />} + return \qq{<input type="checkbox" name="}, $name, \qq{" value="$id" checked="checked" />} if $m->request_args->{ $name . 'All'}; my $arg = $m->request_args->{ $name };
@@ -138,7 +140,7 @@ my $COLUMN_MAP = { elsif ( $arg ) { $checked = 'checked="checked"' if $arg == $id; } - return \qq{<input type="checkbox" name="$name" value="$id" $checked />} + return \qq{<input type="checkbox" name="}, $name, \qq{" value="$id" $checked />} }, }, RadioButton => {
diff --git a/rt/share/html/Elements/CreateTicket b/rt/share/html/Elements/CreateTicket
index 02275ef34..c8287e08e 100755
--- a/rt/share/html/Elements/CreateTicket
+++ b/rt/share/html/Elements/CreateTicket
@@ -46,7 +46,7 @@ %# %# END BPS TAGGED BLOCK }}} <form action="<% RT->Config->Get('WebPath') %><% $SendTo %>" name="CreateTicketInQueue" id="CreateTicketInQueue"> -<&|/l, $m->scomp('/Elements/SelectNewTicketQueue', OnChange => 'document.CreateTicketInQueue.submit()', SendTo => $SendTo ) &><input type="submit" class="button" value="New ticket in" /> [_1]</&> +<&|/l_unsafe, $m->scomp('/Elements/SelectNewTicketQueue', OnChange => 'document.CreateTicketInQueue.submit()', SendTo => $SendTo ) &><input type="submit" class="button" value="New ticket in" /> [_1]</&> </form> <%ARGS> $SendTo => '/Ticket/Create.html', 
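Review bot: In ColumnMap, the `checkbox` callbacks now return a list that mixes scalar refs (`\qq{...}`) with plain strings (`$name` and the `'j'`-escaped `$name`), and nothing in the hunk says what that convention means; presumably the consumer emits refs verbatim and HTML-escapes plain strings, which is what would make the JS-escaped value safe inside the `onclick` attribute, but that contract lives outside this file. A one-line comment at the first return, `# scalar refs are trusted markup; plain strings are escaped by the caller before output`, would stop the next edit from wrapping `$name` in a ref. `$id` is still interpolated raw inside `\qq{" value="$id" ...}`, which is fine only because it comes from `$_[0]->id`, and that is worth stating in the same comment. RT__CustomField/ColumnMap makes the identical change and would benefit from the same note.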
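Review bot: In CreateTicket, switching the `/l` call to `/l_unsafe` means the `[_1]` argument is no longer escaped by the localizer, which is needed here because the argument is rendered markup from `$m->scomp('/Elements/SelectNewTicketQueue', ...)`, but that reasoning is not stated anywhere in the hunk. A short comment above the line, `%# l_unsafe: [_1] is already-rendered markup from SelectNewTicketQueue, not user text`, would prevent a future "fix" back to `/l` or a raw argument being added to the same call later.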
diff --git a/rt/share/html/Elements/EditCustomField b/rt/share/html/Elements/EditCustomField
index 6c5d7f5cf..32ea59deb 100644
--- a/rt/share/html/Elements/EditCustomField
+++ b/rt/share/html/Elements/EditCustomField
@@ -85,7 +85,7 @@ if ($MaxValues == 1 && $Values) { } # The "Magic" hidden input causes RT to know that we were trying to edit the field, even if # we don't see a value later, since browsers aren't compelled to submit empty form fields -$m->out("\n".'<input type="hidden" class="hidden" name="'.$NamePrefix.$CustomField->Id.'-Values-Magic" value="1" />'."\n"); +$m->out("\n".'<input type="hidden" class="hidden" name="'.$m->interp->apply_escapes($NamePrefix, 'h').$CustomField->Id.'-Values-Magic" value="1" />'."\n"); my $EditComponent = "EditCustomField$Type"; $m->callback( %ARGS, CallbackName => 'EditComponentName', Name => \$EditComponent, CustomField => $CustomField, Object => $Object );
diff --git a/rt/share/html/Elements/EditCustomFieldAutocomplete b/rt/share/html/Elements/EditCustomFieldAutocomplete
index 13a43ed67..70ff3968b 100644
--- a/rt/share/html/Elements/EditCustomFieldAutocomplete
+++ b/rt/share/html/Elements/EditCustomFieldAutocomplete 
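Review bot: In EditCustomField, the hidden-input line now chains six string concatenations with the escape call buried in the middle, which hides which part is escaped and which is not. Building the name first, `my $magic_name = $m->interp->apply_escapes($NamePrefix, 'h') . $CustomField->Id . '-Values-Magic';` and then `$m->out(qq{\n<input type="hidden" class="hidden" name="$magic_name" value="1" />\n});`, keeps the `'h'` escape next to the one untrusted piece. `$CustomField->Id` is left unescaped as a database id, which is reasonable but worth a clause in the existing comment above the line. The raw `$NamePrefix` is still forwarded via `%ARGS` to `$EditComponent` on the following lines, so each EditCustomField* component has to escape it itself.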
@@ -49,19 +49,19 @@ <textarea cols="<% $Cols %>" rows="<% $Rows %>" name="<% $name %>-Values" id="<% $name %>-Values" class="CF-<%$CustomField->id%>-Edit"><% $Default %></textarea><div id="<% $name %>-Choices" class="autocomplete"></div> <script type="text/javascript"> new Ajax.Autocompleter( - "<% $name %>-Values", - "<% $name %>-Choices", - "<% RT->Config->Get('WebPath')%>/Helpers/Autocomplete/CustomFieldValues", - { tokens: [ '\n' ] } + <% $name |n,j%>+"-Values", + <% $name |n,j%>+"-Choices", + <% RT->Config->Get('WebPath') |n,j%>+"/Helpers/Autocomplete/CustomFieldValues", + { tokens: [ '\n' ], parameters: <% $Context |n,j %> } ); % } else { <input type="text" id="<% $name %>-Value" name="<% $name %>-Value" class="CF-<%$CustomField->id%>-Edit" value="<% $Default %>"/><div id="<% $name %>-Choices" class="autocomplete"></div> <script type="text/javascript"> new Ajax.Autocompleter( - "<% $name %>-Value", - "<% $name %>-Choices", - "<% RT->Config->Get('WebPath')%>/Helpers/Autocomplete/CustomFieldValues", - {} + <% $name |n,j%>+"-Value", + <% $name |n,j%>+"-Choices", + <% RT->Config->Get('WebPath') |n,j%>+"/Helpers/Autocomplete/CustomFieldValues", + { parameters: <% $Context |n,j %> } ); % } </script>
@@ -76,6 +76,11 @@ if ( $Multiple and $Values ) { $Default .= $value->Content ."\n"; } } +my $Context = ""; +if ($CustomField->ContextObject) { + $Context .= "ContextId=" . $CustomField->ContextObject->Id . "&"; + $Context .= "ContextType=". ref($CustomField->ContextObject); +} </%INIT> <%ARGS> $CustomField => undef
diff --git a/rt/share/html/Elements/EditCustomFieldSelect b/rt/share/html/Elements/EditCustomFieldSelect
index bf2a8289d..f106a7038 100644
--- a/rt/share/html/Elements/EditCustomFieldSelect
+++ b/rt/share/html/Elements/EditCustomFieldSelect 
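Review bot: In EditCustomFieldAutocomplete, the `<% $name |n,j%>` and `<% $Context |n,j %>` expressions are emitted inside a `<script>` block with HTML escaping turned off by `n`, so the `j` filter alone decides whether a value containing `</script>` or `<!--` can terminate the script; that is only safe if `j` encodes `<`, `>` and `&` (for example as `\x3c`) rather than just quotes and backslashes. The definition of the `j` escape is not part of this diff, so it is worth verifying and recording at the first use, `%# |n,j: the j escape must also encode < > & because this is inside <script>`. The same `|n,j`-inside-`<script>` construction appears in HeaderJavascript.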
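Review bot: In the `<%INIT>` hunk of EditCustomFieldAutocomplete, `$Context` is hand-assembled as a query string from `ContextObject->Id` and `ref($CustomField->ContextObject)` with no URI encoding, and the trailing `&` after `ContextId=` is only balanced because `ContextType` always follows. The values are a numeric id and a Perl class name, so this works today, but building it as `join '&', map { "$_->[0]=$_->[1]" } @pairs` over an explicit key/value list would not break the first time a non-trivial value is added. Because `ContextType` round-trips through the browser, the `/Helpers/Autocomplete/CustomFieldValues` handler that reads it, which is outside this diff, should map it through an allow-list of known classes rather than use the string to load an object directly.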
@@ -55,7 +55,7 @@ % if (!$HideCategory and @category and not $CustomField->BasedOnObj->id) { <script type="text/javascript" src="<%RT->Config->Get('WebPath')%>/NoAuth/js/cascaded.js"></script> %# XXX - Hide this select from w3m? - <select onchange="filter_cascade('<% $id %>-Values', this.value)" name="<% $id %>-Category" class="CF-<%$CustomField->id%>-Edit"> + <select onchange="filter_cascade(<% "$id-Values" |n,j%>, this.value)" name="<% $id %>-Category" class="CF-<%$CustomField->id%>-Edit"> <option value=""<% !$selected && qq[ selected="selected"] |n %>><&|/l&>-</&></option> % foreach my $cat (@category) { % my ($depth, $name) = @$cat;
@@ -66,12 +66,12 @@ <script type="text/javascript" src="<%RT->Config->Get('WebPath')%>/NoAuth/js/cascaded.js"></script> <script type="text/javascript"><!-- doOnLoad( function () { - var basedon = document.getElementById('<% $NamePrefix . $CustomField->BasedOnObj->id %>-Values'); + var basedon = document.getElementById(<% $NamePrefix . $CustomField->BasedOnObj->id . "-Values" |n,j%>); if (basedon != null) { var oldchange = basedon.onchange; basedon.onchange = function () { filter_cascade( - '<% $id %>-Values', + <% "$id-Values" |n,j%>, basedon.value, 1 );
diff --git a/rt/share/html/Elements/Error b/rt/share/html/Elements/Error
index 84593735c..14eb2c4f4 100755
--- a/rt/share/html/Elements/Error
+++ b/rt/share/html/Elements/Error
@@ -81,7 +81,7 @@ Encode::_utf8_off($error); $RT::Logger->error($error); -if ( defined $session{'SessionType'} && $session{'SessionType'} eq 'REST' ) { +if ( $session{'REST'} ) { $r->content_type('text/plain'); $m->out( "Error: " . $Why . "\n" ); $m->out( $Details . "\n" ) if defined $Details && length $Details;
diff --git a/rt/share/html/Elements/Header b/rt/share/html/Elements/Header
index 64d548dc3..5f11abf8e 100755
--- a/rt/share/html/Elements/Header
+++ b/rt/share/html/Elements/Header 
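Review bot: In EditCustomFieldSelect, `<% "$id-Values" |n,j%>` is placed inside the `onchange="..."` attribute with HTML escaping disabled by `n`, so the attribute stays well-formed only if the `j` escape also neutralises `"` and `&` (for example as `\x22` and `\x26`); a `j` filter that merely backslash-escapes quotes would leave `\"`, which the HTML parser still treats as the end of the attribute. The `j` escape is defined outside this diff, so please confirm that property and note it once, `%# |n,j inside an HTML attribute relies on j encoding quotes as \x22`. This hunk also spells the expression as `<% "$id-Values" |n,j%>` while EditCustomFieldAutocomplete uses `<% $name |n,j%>+"-Values"`; either works, but one form across the commit would be easier to audit. The two `onclick` attributes in Elements/Submit use the same `|n,j`-in-attribute construction and share this point.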
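Review bot: In Elements/Error, the plain-text branch now keys on `$session{'REST'}` instead of `$session{'SessionType'} eq 'REST'`, and nothing in the hunk shows where the new key is set or that the old one is no longer written anywhere; if any caller still sets only `SessionType`, REST clients would start receiving HTML error pages. Since this is a behaviour change rather than an escaping fix, it would help to name the producer in a comment, `# $session{'REST'} is set by the REST entry point (see <PLACEHOLDER: handler path>)`, with the real location filled in. The rest of the branch is unchanged and already emits plain text, so no escaping is needed there.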
@@ -68,7 +68,8 @@ $id =~ s|-$||g; my $head = ''; if ($Refresh && $Refresh =~ /^(\d+)/ && $1 > 0) { - $head .= qq( <meta http-equiv="refresh" content="$Refresh" /> ); + my $URL = $m->notes->{RefreshURL}; $URL = $URL ? ";URL=$URL" : ""; + $head .= qq( <meta http-equiv="refresh" content="$1$URL" /> ); } my $WebPath = RT->Config->Get('WebPath');
diff --git a/rt/share/html/Elements/HeaderJavascript b/rt/share/html/Elements/HeaderJavascript
index ce0b97621..95be98986 100644
--- a/rt/share/html/Elements/HeaderJavascript
+++ b/rt/share/html/Elements/HeaderJavascript
@@ -60,7 +60,7 @@ $onload => undef <script type="text/javascript"><!-- doOnLoad(loadTitleBoxStates); % if ( $focus ) { - doOnLoad(function () { focusElementById('<% $focus %>') }); + doOnLoad(function () { focusElementById(<% $focus |n,j%>) }); % } % if ( $onload ) {
@@ -112,8 +112,8 @@ $onload => undef typeField.setAttribute('value', 'text/html'); textArea.parentNode.appendChild(typeField); - var oFCKeditor = new FCKeditor( textArea.name, '100%', <% RT->Config->Get('MessageBoxRichTextHeight', $session{CurrentUser} ) %> ); - oFCKeditor.BasePath = "<%RT->Config->Get('WebPath')%>/NoAuth/RichText/"; + var oFCKeditor = new FCKeditor( textArea.name, '100%', <% RT->Config->Get('MessageBoxRichTextHeight', $session{CurrentUser} ) |n,j%> ); + oFCKeditor.BasePath = <%RT->Config->Get('WebPath') |n,j%>+"/NoAuth/RichText/"; oFCKeditor.ReplaceTextarea(); } }
diff --git a/rt/share/html/Elements/MessageBox b/rt/share/html/Elements/MessageBox
index 3bc73eb5a..3ca8dc899 100755
--- a/rt/share/html/Elements/MessageBox
+++ b/rt/share/html/Elements/MessageBox
@@ -67,7 +67,7 @@ if ( $IncludeSignature and my $text = $session{'CurrentUser'}->UserObj->Signatur # wrap="something" seems to really break IE + richtext my $wrap_type = ''; if ( not RT->Config->Get('MessageBoxRichText', $session{'CurrentUser'}) ) { - $wrap_type = qq(wrap="$Wrap"); + $wrap_type = 'wrap="' . $m->interp->apply_escapes($Wrap, 'h') . '"'; } </%INIT> 
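Review bot: In Elements/Header, the added line packs two statements onto one line, `my $URL = $m->notes->{RefreshURL}; $URL = $URL ? ";URL=$URL" : "";`, and then interpolates `$URL` into the `content` attribute of the meta tag with no `'h'` escape, which is the one place in this commit where a value reaches an attribute unescaped. `$m->notes` is server-side state, so this is fine as long as no component ever stores request-derived data in `RefreshURL`; that cannot be checked from this hunk, and escaping defensively costs nothing: `my $refresh_url = $m->notes->{RefreshURL};` then `my $url_part = $refresh_url ? ';URL=' . $m->interp->apply_escapes($refresh_url, 'h') : '';` then `$head .= qq( <meta http-equiv="refresh" content="$1$url_part" /> );`. Reading `$1` here is correct because it comes straight after the `=~ /^(\d+)/` test in the `if` with no other match in between, but `my ($seconds) = $Refresh =~ /^(\d+)/;` would make that dependency explicit instead of implicit.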
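Review bot: In HeaderJavascript's second hunk, `MessageBoxRichTextHeight` is now emitted through `|n,j`, which, if `j` produces a quoted JavaScript string literal, changes the third `FCKeditor` argument from a bare number to a string; the editor probably accepts both, but it is a silent type change that deserves either a comment or an explicit numeric form such as `<% int(RT->Config->Get('MessageBoxRichTextHeight', $session{CurrentUser}) || 0) |n %>` if a number is what the API expects. The `focusElementById(<% $focus |n,j%>)` change in the first hunk sits inside a `<script>` block and carries the same `</script>`-termination consideration as the `|n,j` uses in EditCustomFieldAutocomplete. The enclosing JavaScript function in the second hunk begins before the hunk.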
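Review bot: In MessageBox, `$Wrap` is now HTML-escaped before being placed in the `wrap` attribute, which keeps the attribute well-formed, but `wrap` has only a handful of valid values, so an allow-list is a tighter check than an escape: `$wrap_type = 'wrap="' . ($Wrap =~ /\A(?:soft|hard|off)\z/i ? lc $Wrap : 'soft') . '"';` with the fallback set to whatever the component's default is. Whether `$Wrap` can carry anything other than that default is not visible in this hunk; if it is always config-provided, a comment saying so would justify keeping the simpler escape.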
diff --git a/rt/share/html/Elements/PersonalQuickbar b/rt/share/html/Elements/PersonalQuickbar
index 993c4578f..baac70401 100644
--- a/rt/share/html/Elements/PersonalQuickbar
+++ b/rt/share/html/Elements/PersonalQuickbar
@@ -51,7 +51,7 @@ $Prefs => '/Prefs/Other.html' <div id="quick-personal"> <span class="hide"><a href="#skipnav"><&|/l&>Skip Menu</&></a> | </span> % if ($session{'CurrentUser'}->Name) { - <&|/l, "<span>".$session{'CurrentUser'}->Name."</span>" &>Logged in as [_1]</&> + <&|/l_unsafe, "<span>".$m->interp->apply_escapes($session{'CurrentUser'}->Name, 'h')."</span>" &>Logged in as [_1]</&> % if ( $session{'CurrentUser'}->HasRight( Right => 'ModifySelf', Object => $RT::System ) ) { | <a href="<%RT->Config->Get('WebPath')%><%$Prefs%>"><&|/l&>Preferences</&></a> % }
diff --git a/rt/share/html/Elements/RT__CustomField/ColumnMap b/rt/share/html/Elements/RT__CustomField/ColumnMap
index c0e17f264..ecaa3b7fd 100644
--- a/rt/share/html/Elements/RT__CustomField/ColumnMap
+++ b/rt/share/html/Elements/RT__CustomField/ColumnMap
@@ -120,8 +120,10 @@ my $COLUMN_MAP = { my $name = 'RemoveCustomField'; my $checked = $m->request_args->{ $name .'All' }? 'checked="checked"': ''; - return \qq{<input type="checkbox" name="${name}All" value="1" $checked - onclick="setCheckbox(this.form, '$name', this.checked)" />}; + return \qq{<input type="checkbox" name="}, $name, \qq{All" value="1" $checked + onclick="setCheckbox(this.form, }, + $m->interp->apply_escapes($name,'j'), + \qq{, this.checked)" />}; }, value => sub { my $id = $_[0]->id;
@@ -137,7 +139,7 @@ my $COLUMN_MAP = { elsif ( $arg ) { $checked = 'checked="checked"' if $arg == $id; } - return \qq{<input type="checkbox" name="$name" value="$id" $checked />} + return \qq{<input type="checkbox" name="}, $name, \qq{" value="$id" $checked />} }, }, MoveCF => {
diff --git a/rt/share/html/Elements/ScrubHTML b/rt/share/html/Elements/ScrubHTML
index 87aaaf387..5f72d24de 100644
--- a/rt/share/html/Elements/ScrubHTML 
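Review bot: In PersonalQuickbar, `$session{'CurrentUser'}->Name` is evaluated twice on adjacent lines, once in the `% if` and once inside the `/l_unsafe` argument, and the inline `apply_escapes` call makes the template line long and hard to scan; a `% my $name_h = $m->interp->apply_escapes($session{'CurrentUser'}->Name, 'h');` line inside the `if` and then passing `"<span>$name_h</span>"` keeps the escape and the markup apart. The move to `/l_unsafe` is correct here because the argument is markup the component itself built, and a `%#` comment saying so would help, since the same switch in CreateTicket is also undocumented.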
+++ b/rt/share/html/Elements/ScrubHTML
@@ -45,32 +45,8 @@ %# those contributions and any derivatives thereof. %# %# END BPS TAGGED BLOCK }}} -<%ONCE> -my $scrubber = new HTML::Scrubber; -$scrubber->default( - 0, - { - '*' => 0, - id => 1, - class => 1, - # Match http, ftp and relative urls - # XXX: we also scrub format strings with this module then allow simple config options - href => qr{^(?:http:|ftp:|https:|/|__Web(?:Path|BaseURL|URL)__)}i, - face => 1, - size => 1, - target => 1, - style => qr{^(?:(?:color:\s*rgb\(\d+,\s*\d+,\s*\d+\))| - (?:text-align:\s*))}ix, - } -); -$scrubber->deny(qw[*]); -$scrubber->allow( - qw[A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1 H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE] -); -$scrubber->comment(0); -</%ONCE> <%init> -return $scrubber->scrub($Content); +return ScrubHTML($Content); </%init> <%args> $Content => undef
diff --git a/rt/share/html/Elements/ShowCustomFields b/rt/share/html/Elements/ShowCustomFields
index 1bb61435f..efbbfa8fb 100644
--- a/rt/share/html/Elements/ShowCustomFields
+++ b/rt/share/html/Elements/ShowCustomFields
@@ -108,13 +108,13 @@ my $print_value = sub { if ( $cf->IncludeContentForValue ) { my $vid = $value->id; $m->out( '<div class="object_cf_value_include" id="object_cf_value_'. $vid .'">' ); - $m->print( loc("See also:") ); - $m->out( '<a href="'. $value->IncludeContentForValue .'">' ); - $m->print( $value->IncludeContentForValue ); + $m->out( loc("See also:") ); + $m->out( '<a href="'. $m->interp->apply_escapes($value->IncludeContentForValue, 'h') .'">' ); + $m->out( $m->interp->apply_escapes($value->IncludeContentForValue, 'h') ); $m->out( qq{</a></div>\n} ); - $m->out( qq{<script><!--\nahah('} ); - $m->print( $value->IncludeContentForValue ); - $m->out( qq{', 'object_cf_value_$vid');\n--></script>\n} ); + $m->out( qq{<script><!--\nahah(} ); + $m->out( $m->interp->apply_escapes($value->IncludeContentForValue, 'j') ); + $m->out( qq{, 'object_cf_value_$vid');\n--></script>\n} ); } }; 
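Review bot: In ScrubHTML, the whole `<%ONCE>` block with the `HTML::Scrubber` configuration is deleted and the component now delegates to `ScrubHTML($Content)`, whose definition is not in this diff; the tag allow-list, the `href` scheme restriction (`http:`, `ftp:`, `https:`, relative paths and the `__Web*__` placeholders) and the narrow `style` regex were this component's entire security property, so the shared function should be confirmed to be at least as restrictive before this is merged. A comment naming where the rules now live, `%# Scrubbing policy lives in the shared ScrubHTML function; change the allow-lists there, not here`, would help the next reader who comes to this file looking for them. The removed `new HTML::Scrubber` indirect-object call disappears with the block, which is a welcome side effect.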
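Review bot: In ShowCustomFields, `$value->IncludeContentForValue` is fetched and escaped three times in as many lines; `my $url = $value->IncludeContentForValue;` and `my $url_h = $m->interp->apply_escapes($url, 'h');` at the top of the `if` would shorten each output line and guarantee the `href`, the link text and the `ahah(...)` argument all see the same value. HTML-escaping the `href` keeps the attribute well-formed but does not constrain the URL scheme; whether that matters depends on who can set `IncludeContentForValue`, which is not shown here, so a comment stating that trust assumption is warranted. `$vid` stays interpolated raw into the `'object_cf_value_$vid'` JavaScript literal, which is fine only because it is `$value->id`, and the same comment can say so.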
diff --git a/rt/share/html/Elements/ShowUser b/rt/share/html/Elements/ShowUser
index 6381594d9..27f2358d9 100644
--- a/rt/share/html/Elements/ShowUser
+++ b/rt/share/html/Elements/ShowUser
@@ -51,7 +51,7 @@ # $Address is Email::Address object my $comp = '/Elements/ShowUser'. ucfirst lc $style; -unless ( $m->comp_exists( $comp ) ) { +unless ( RT::Interface::Web->ComponentPathIsSafe($comp) and $m->comp_exists( $comp ) ) { $RT::Logger->error( 'Either system config or user #' . $session{'CurrentUser'}->id
diff --git a/rt/share/html/Elements/Submit b/rt/share/html/Elements/Submit
index fd2ecde41..a1970d9f2 100755
--- a/rt/share/html/Elements/Submit
+++ b/rt/share/html/Elements/Submit
@@ -52,10 +52,10 @@ id="<%$id%>" > <div class="extra-buttons"> % if ($CheckAll) { - <input type="button" value="<%$CheckAllLabel%>" onclick="setCheckbox(this.form, '<% $CheckboxName %>', true);return false;" class="button" /> + <input type="button" value="<%$CheckAllLabel%>" onclick="setCheckbox(this.form, <% $CheckboxName |n,j%>, true);return false;" class="button" /> % } % if ($ClearAll) { - <input type="button" value="<%$ClearAllLabel%>" onclick="setCheckbox(this.form, '<% $CheckboxName %>', false);return false;" class="button" /> + <input type="button" value="<%$ClearAllLabel%>" onclick="setCheckbox(this.form, <% $CheckboxName |n,j%>, false);return false;" class="button" /> % } % if ($Reset) { <input type="reset" value="<%$ResetLabel%>" class="button" /> |
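Review bot: In ShowUser, the new `RT::Interface::Web->ComponentPathIsSafe($comp)` guard checks the assembled path, but the root cause is that `$style` (from system config or a user preference, per the error text on the next line) is turned into a component name with only `ucfirst lc`, which restricts nothing about the characters it contains. Validating the input before building the path, `unless ( $style =~ /\A\w+\z/ and RT::Interface::Web->ComponentPathIsSafe($comp) and $m->comp_exists($comp) ) {`, expresses the intent directly and leaves `ComponentPathIsSafe` as defence in depth rather than the sole check. `ComponentPathIsSafe` is defined outside this diff, so its exact rules cannot be reviewed here; the `unless` block continues past the hunk.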
