"sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "tt", "u",
"ul", "var")
- .addAttributes("a", "href", "title")
+ .addAttributes("a", "class", "href", "style", "title")
.addAttributes("blockquote", "cite")
.addAttributes("col", "span", "width")
.addAttributes("colgroup", "span", "width")
+ .addAttributes("div", "class", "style")
.addAttributes("img", "align", "alt", "height", "src", "title", "width")
.addAttributes("ol", "start", "type")
.addAttributes("q", "cite")
- .addAttributes("table", "summary", "width")
- .addAttributes("td", "abbr", "axis", "colspan", "rowspan", "width")
- .addAttributes("th", "abbr", "axis", "colspan", "rowspan", "scope", "width")
+ .addAttributes("span", "class", "style")
+ .addAttributes("table", "class", "style", "summary", "width")
+ .addAttributes("td", "abbr", "axis", "class", "colspan", "rowspan", "style", "width")
+ .addAttributes("th", "abbr", "axis", "class", "colspan", "rowspan", "scope", "style", "width")
.addAttributes("ul", "type")
.addEnforcedAttribute("a", "rel", "nofollow")
import com.gitblit.tickets.TicketResponsible;\r
import com.gitblit.utils.StringUtils;\r
import com.gitblit.wicket.GitBlitWebSession;\r
-import com.gitblit.wicket.SafeTextModel;\r
-import com.gitblit.wicket.SafeTextModel.Mode;\r
import com.gitblit.wicket.WicketUtils;\r
import com.gitblit.wicket.panels.MarkdownTextArea;\r
\r
}\r
\r
typeModel = Model.of(ticket.type);\r
- titleModel = SafeTextModel.none(ticket.title);\r
- topicModel = SafeTextModel.none(ticket.topic == null ? "" : ticket.topic);\r
+ titleModel = Model.of(ticket.title);\r
+ topicModel = Model.of(ticket.topic == null ? "" : ticket.topic);\r
responsibleModel = Model.of();\r
milestoneModel = Model.of();\r
mergeToModel = Model.of(ticket.mergeTo == null ? getRepositoryModel().mergeTo : ticket.mergeTo);\r
form.add(new TextField<String>("title", titleModel));\r
form.add(new TextField<String>("topic", topicModel));\r
\r
- final SafeTextModel markdownPreviewModel = new SafeTextModel(Mode.none);\r
+ final IModel<String> markdownPreviewModel = Model.of(ticket.body == null ? "" : ticket.body);\r
descriptionPreview = new Label("descriptionPreview", markdownPreviewModel);\r
descriptionPreview.setEscapeModelStrings(false);\r
descriptionPreview.setOutputMarkupId(true);\r
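Review bot: The preview model on L43 is now seeded with the raw `ticket.body`, and `descriptionPreview` renders that model with escaping disabled (L44-L45), so on the initial page render the unrendered, unfiltered body text is emitted as HTML until the first AJAX preview overwrites it; the `SafeTextModel(Mode.none)` it replaces started empty. The simplest fix is to start empty as NewTicketPage (L69) and the comment panel (L132) do, `final IModel<String> markdownPreviewModel = Model.of();`, or, if a pre-rendered preview is wanted, seed the model only with output of the same transform-then-`xssFilter().relaxed(...)` pipeline the preview uses (guarding the null body). Whether the Label is visible before the first AJAX update depends on markup outside this hunk, and the constructor this sits in begins before L21.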
import com.gitblit.tickets.TicketResponsible;\r
import com.gitblit.utils.StringUtils;\r
import com.gitblit.wicket.GitBlitWebSession;\r
-import com.gitblit.wicket.SafeTextModel;\r
-import com.gitblit.wicket.SafeTextModel.Mode;\r
import com.gitblit.wicket.WicketUtils;\r
import com.gitblit.wicket.panels.MarkdownTextArea;\r
\r
}\r
\r
typeModel = Model.of(TicketModel.Type.defaultType);\r
- titleModel = SafeTextModel.none();\r
- topicModel = SafeTextModel.none();\r
+ titleModel = Model.of();\r
+ topicModel = Model.of();\r
mergeToModel = Model.of(Repository.shortenRefName(getRepositoryModel().mergeTo));\r
responsibleModel = Model.of();\r
milestoneModel = Model.of();\r
form.add(new TextField<String>("title", titleModel));\r
form.add(new TextField<String>("topic", topicModel));\r
\r
- final SafeTextModel markdownPreviewModel = new SafeTextModel(Mode.none);\r
+ final IModel<String> markdownPreviewModel = Model.of();\r
descriptionPreview = new Label("descriptionPreview", markdownPreviewModel);\r
descriptionPreview.setEscapeModelStrings(false);\r
descriptionPreview.setOutputMarkupId(true);\r
desc = getString("gb.noDescriptionGiven");\r
} else {\r
String bugtraq = bugtraqProcessor().processText(getRepository(), repositoryName, ticket.body);\r
- desc = MarkdownUtils.transformGFM(app().settings(), bugtraq, ticket.repository);\r
+ String html = MarkdownUtils.transformGFM(app().settings(), bugtraq, ticket.repository);\r
+ String safeHtml = app().xssFilter().relaxed(html);\r
+ desc = safeHtml;\r
}\r
add(new Label("ticketDescription", desc).setEscapeModelStrings(false));\r
\r
} else {\r
// process the topic using the bugtraq config to link things\r
String topic = bugtraqProcessor().processText(getRepository(), repositoryName, ticket.topic);\r
- add(new Label("ticketTopic", topic).setEscapeModelStrings(false));\r
+ String safeTopic = app().xssFilter().relaxed(topic);\r
+ add(new Label("ticketTopic", safeTopic).setEscapeModelStrings(false));\r
}\r
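Review bot: What `relaxed()` admits on L78 and L87 is bounded by the allowlist, and this same commit widens that allowlist with `style` and `class` on a, div, span, table, td and th (L4, L8, L15-L18); inline CSS from ticket bodies and topics then reaches the page, which allows user content to overlay or reposition page elements and to reuse the application's own stylesheet classes. If those attributes are needed for rendered Markdown, consider restricting `style` to a small property set or leaving it out of the relaxed profile, and record the decision in a comment on the whitelist. Separately, the `safeHtml` local on L78-L79 only feeds `desc`, so `desc = app().xssFilter().relaxed(html);` is clearer, and the topic branch can use the same one-step form. The if/else chain these lines belong to starts before L73.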
\r
\r
*/\r
String bugtraq = bugtraqProcessor().processText(getRepository(), repositoryName, entry.comment.text);\r
String comment = MarkdownUtils.transformGFM(app().settings(), bugtraq, repositoryName);\r
+ String safeComment = app().xssFilter().relaxed(comment);\r
Fragment frag = new Fragment("entry", "commentFragment", this);\r
Label commentIcon = new Label("commentIcon");\r
if (entry.comment.src == CommentSource.Email) {\r
WicketUtils.setCssClass(commentIcon, "iconic-comment-alt2-stroke");\r
}\r
frag.add(commentIcon);\r
- frag.add(new Label("comment", comment).setEscapeModelStrings(false));\r
+ frag.add(new Label("comment", safeComment).setEscapeModelStrings(false));\r
addUserAttributions(frag, entry, avatarWidth);\r
addDateAttributions(frag, entry);\r
item.add(frag);\r
sb.append("</td></tr>");\r
}\r
sb.append("</tbody></table>");\r
- item.add(new Label("fields", sb.toString()).setEscapeModelStrings(false));\r
+ String safeHtml = app().xssFilter().relaxed(sb.toString());\r
+ item.add(new Label("fields", safeHtml).setEscapeModelStrings(false));\r
} else {\r
item.add(new Label("fields").setVisible(false));\r
}\r
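Review bot: The filter on L111 runs over the fully assembled table rather than over the untrusted values appended inside the loop, so the structural markup written locally (L107, L109) is itself subject to the allowlist and any element or attribute it uses that the allowlist does not admit is silently dropped, while the untrusted parts are not distinguishable from the trusted ones when reading this code. Applying `app().xssFilter().relaxed(value)` to each appended field value in the loop body (which begins before this hunk) and treating the surrounding table markup as trusted makes the filter's scope explicit and keeps the allowlist independent of the panel's own layout. What the loop appends is not visible here, so this is a suggestion rather than a reported bypass.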
import org.apache.wicket.ajax.markup.html.form.AjaxButton;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.form.Form;
+import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import com.gitblit.models.RepositoryModel;
import com.gitblit.models.TicketModel;
import com.gitblit.models.TicketModel.Change;
import com.gitblit.models.UserModel;
-import com.gitblit.wicket.SafeTextModel;
-import com.gitblit.wicket.SafeTextModel.Mode;
import com.gitblit.wicket.WicketUtils;
import com.gitblit.wicket.pages.BasePage;
}
}.setVisible(ticket != null && ticket.number > 0));
- final SafeTextModel markdownPreviewModel = new SafeTextModel(Mode.none);
+ final IModel<String> markdownPreviewModel = Model.of();
markdownPreview = new Label("markdownPreview", markdownPreviewModel);
markdownPreview.setEscapeModelStrings(false);
markdownPreview.setOutputMarkupId(true);
import org.apache.wicket.ajax.form.AjaxFormComponentUpdatingBehavior;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.form.TextArea;
+import org.apache.wicket.model.IModel;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.util.time.Duration;
import com.gitblit.utils.MarkdownUtils;
import com.gitblit.wicket.GitBlitWebApp;
-import com.gitblit.wicket.SafeTextModel;
public class MarkdownTextArea extends TextArea {
protected String text = "";
- public MarkdownTextArea(String id, final SafeTextModel previewModel, final Label previewLabel) {
+ public MarkdownTextArea(String id, final IModel<String> previewModel, final Label previewLabel) {
super(id);
setModel(new PropertyModel(this, "text"));
add(new AjaxFormComponentUpdatingBehavior("onblur") {
setOutputMarkupId(true);
}
- protected void renderPreview(SafeTextModel previewModel) {
+ protected void renderPreview(IModel<String> previewModel) {
if (text == null) {
return;
}
String html = MarkdownUtils.transformGFM(GitBlitWebApp.get().settings(), text, repositoryName);
- previewModel.setObject(html);
+ String safeHtml = GitBlitWebApp.get().xssFilter().relaxed(html);
+ previewModel.setObject(safeHtml);
}
public String getText() {
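Review bot: `renderPreview` (L155-L163) is now the only writer of sanitized HTML into `previewModel`, but nothing documents that the caller-supplied Label renders that model with escaping disabled (L134 in the panel, L45 and L71 in the pages), so a later writer of the model could bypass the filter without noticing; add a Javadoc such as `/** Renders {@code text} as GFM, passes the result through the application XSS filter and stores it in {@code previewModel}. The preview Label renders this model unescaped, so every value written to it must go through {@code xssFilter().relaxed}. */`. The early return when `text == null` leaves the previous preview in the model, which predates this change but belongs in the same comment. `getText()` on L164 continues outside the hunk.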
Repository db = app().repositories().getRepository(repository.name);
BugtraqProcessor btp = new BugtraqProcessor(app().settings());
String content = btp.processText(db, repository.name, labelItem.getModelObject());
+ String safeContent = app().xssFilter().relaxed(content);
db.close();
- label = new Label("label", content);
+ label = new Label("label", safeContent);
label.setEscapeModelStrings(false);
tLabel = app().tickets().getLabel(repository, labelItem.getModelObject());