Launchpad itself

Merge lp:~wallyworld/launchpad/duplicate-bug-warning-xss-1057630 into lp:launchpad

  1. duplicate-bug-warning-xss-1057630
  2. Merge into devel
Proposed by Ian Booth on 2012-09-28
Status: Merged
Approved by: William Grant on 2012-09-28
Approved revision: no longer in the source branch.
Merged at revision: 16047
Proposed branch: lp:~wallyworld/launchpad/duplicate-bug-warning-xss-1057630
Merge into: lp:launchpad
Diff against target: 52 lines (+9/-11)
1 file modified
lib/lp/bugs/javascript/duplicates.js (+9/-11)
To merge this branch: bzr merge lp:~wallyworld/launchpad/duplicate-bug-warning-xss-1057630
Reviewer Review Type Date Requested Status
William Grant code 2012-09-28 Approve on 2012-09-28
Review via email: mp+126849@code.launchpad.net

Commit Message

Remove xss from bug duplicate links.

Description of the Change

Tweak the duplicate.js code to remove some XSS issues.

To post a comment you must log in.
William Grant (wgrant) :
review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'lib/lp/bugs/javascript/duplicates.js'
2--- lib/lp/bugs/javascript/duplicates.js 2012-09-21 02:51:51 +0000
3+++ lib/lp/bugs/javascript/duplicates.js 2012-09-28 05:03:25 +0000
4@@ -380,12 +380,13 @@
5 // Create the informational message to go at the top of the bug tasks
6 // table.
7 _duplicate_bug_info_message: function(dup_id, dup_title) {
8- var info_template = [
9+ return Y.lp.mustache.to_html([
10 '<span class="bug-duplicate-details ellipsis ',
11 'single-line wide">',
12 '<span class="sprite info"></span>',
13 'This bug report is a duplicate of:&nbsp;',
14- '<a href="/bugs/{dup_id}">Bug #{dup_id} {dup_title}</a></span>',
15+ '<a href="/bugs/{{dup_id}}">Bug #{{dup_id}} {{dup_title}}',
16+ '</a></span>',
17 '<a id="change-duplicate-bug-bugtasks"',
18 ' href="+duplicate"',
19 ' title="Edit or remove linked duplicate bug"',
20@@ -395,11 +396,8 @@
21 ' href="+duplicate"',
22 ' title="Remove linked duplicate bug"',
23 ' class="sprite remove action-icon standalone ',
24- ' remove-duplicate-bug">Remove</a>'].join(" ");
25- return Y.Lang.substitute(info_template, {
26- dup_id: dup_id,
27- dup_title: dup_title
28- });
29+ ' remove-duplicate-bug">Remove</a>'].join(" "),
30+ {dup_id: dup_id, dup_title: dup_title});
31 },
32
33 // Render the duplicate message at the top of the bug tasks table.
34@@ -429,9 +427,9 @@
35 * @private
36 */
37 _show_comment_on_duplicate_warning: function(bug_id, title) {
38- var dupe_link = Y.Lang.substitute(
39- '<a title="{title}" id="duplicate-of-warning-link" ' +
40- 'href="/bugs/{id}" style="margin-right: 4px">bug #{id}.</a>',
41+ var dupe_link = Y.lp.mustache.to_html(
42+ '<a title="{{title}}" id="duplicate-of-warning-link" ' +
43+ 'href="/bugs/{{id}}" style="margin-right: 4px">bug #{{id}}.</a>',
44 {id: bug_id, title: title});
45 var new_duplicate_warning = Y.Node.create(
46 ['<div class="block-sprite large-warning"',
47@@ -510,4 +508,4 @@
48
49 }, "0.1", {"requires": [
50 "base", "io", "oop", "node", "event", "json", "lp.app.errors",
51- "lp.bugs.bug_picker", "lp.bugs.bugtask_index"]});
52+ "lp.mustache", "lp.bugs.bug_picker", "lp.bugs.bugtask_index"]});