Merge lp:~wallyworld/launchpad/confirmation-dialog-xss-1057901 into lp:launchpad

Proposed by Ian Booth
Status: Merged
Approved by: William Grant
Approved revision: no longer in the source branch.
Merged at revision: 16048
Proposed branch: lp:~wallyworld/launchpad/confirmation-dialog-xss-1057901
Merge into: lp:launchpad
Diff against target: 67 lines (+12/-13)
2 files modified
lib/lp/app/javascript/information_type.js (+6/-6)
lib/lp/bugs/javascript/bugtask_index.js (+6/-7)
To merge this branch: bzr merge lp:~wallyworld/launchpad/confirmation-dialog-xss-1057901
Reviewer Review Type Date Requested Status
William Grant code Approve
Review via email: mp+126855@code.launchpad.net

Commit message

Remove some XSS from confirmation dialogs.

Description of the change

Tweak the bugtask delete and information type change confirmation dialogs to remove some XSS holes.

Revision history for this message
William Grant (wgrant) :
review: Approve (code)

Preview Diff

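--- a/lib/lp/app/javascript/information_type.js
+++ b/lib/lp/app/javascript/information_type.js
@@ -208,15 +208,15 @@
 var confirm_text_template = [
 '<p class="block-sprite large-warning">',
 ' You are about to mark this bug as ',
-' <strong>{information_type}</strong>.<br/>',
+' <strong>{{information_type}}</strong>.<br/>',
 ' The bug will become invisible because there is no-one with',
-' permissions to see {information_type} bugs.',
+' permissions to see {{information_type}} bugs.',
 '</p><p>',
 ' <strong>Please confirm you really want to do this.</strong>',
 '</p>'
 ].join('');
 var title = ns.get_cache_data_from_key(value, 'value', 'name');
-var confirm_text = Y.Lang.sub(confirm_text_template,
+var confirm_text = Y.lp.mustache.to_html(confirm_text_template,
 {information_type: title});
 var co = new Y.lp.app.confirmationoverlay.ConfirmationOverlay({
 submit_fn: function() {
@@ -351,6 +351,6 @@
 }
 };
 
-}, "0.1", {"requires": ["base", "oop", "node", "event", "io-base",
-"lp.ui.choiceedit", "lp.bugs.bugtask_index",
-"lp.app.banner.privacy", "lp.app.choice"]});
+}, "0.1", {"requires": [
+"base", "oop", "node", "event", "io-base", "lp.mustache", "lp.app.choice",
+"lp.bugs.bugtask_index", "lp.app.banner.privacy", "lp.ui.choiceedit"]});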
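Review bot: The double braces in `{{information_type}}` are the whole fix — mustache escapes double-brace placeholders on output, whereas `Y.Lang.sub` interpolated the raw value into markup — yet nothing in the template marks them as load-bearing, so a later edit that switches to triple braces or back to `Y.Lang.sub` would silently reopen the hole. I would add a comment above `var confirm_text_template = [`: `// {{...}} (never {{{...}}}) so lp.mustache HTML-escapes the interpolated name.` The same comment belongs on the `{{bug}}` / `{{target}}` template in bugtask_index.js. The enclosing function starts and ends outside the first hunk.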
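--- a/lib/lp/bugs/javascript/bugtask_index.js
+++ b/lib/lp/bugs/javascript/bugtask_index.js
@@ -353,16 +353,15 @@
 * @method _confirm_bugtask_delete
 */
 namespace._confirm_bugtask_delete = function(delete_link, conf) {
-var delete_text_template = [
+var delete_text = Y.lp.mustache.to_html([
 '<p class="block-sprite large-warning">',
-' You are about to mark bug "{bug}"<br/>as no longer affecting',
-' {target}.',
+' You are about to mark bug "{{bug}}"<br/>as no longer affecting',
+' {{target}}.',
 '</p><p>',
 ' <strong>Please confirm you really want to do this.</strong>',
 '</p>'
-].join('');
-var delete_text = Y.Lang.sub(delete_text_template,
-{bug: conf.bug_title, target: conf.targetname});
+].join(''),
+{bug: conf.bug_title, target: conf.targetname});
 var co = new Y.lp.app.confirmationoverlay.ConfirmationOverlay({
 submit_fn: function() {
 namespace.delete_bugtask(delete_link, conf);
@@ -1125,7 +1124,7 @@
 
 
 }, "0.1", {"requires": ["base", "oop", "node", "event", "io-base",
-"json-parse", "substitute",
+"json-parse", "lp.mustache",
 "lp.ui.formoverlay", "lp.anim", "lp.ui.overlay",
 "lp.ui.choiceedit", "lp.app.picker",
 "lp.bugs.bugtask_index.portlets.subscription",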
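Review bot: Dropping `"substitute"` from the requires list in the second hunk is only safe if no other code in bugtask_index.js still calls `Y.substitute`; the diff migrates just the one confirmation-dialog call, and the rest of the file is outside the hunks, so this is worth a grep before landing. Any remaining `Y.Lang.sub` calls would keep working without the module, but they would also keep interpolating without escaping, so the same grep is the moment to check that none of them is fed a user-controlled title or target. In the first hunk, the `_confirm_bugtask_delete` body continues past the hunk's last line.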