author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2006-12-17 08:10:18 +0000 |
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2006-12-17 08:10:18 +0000 |
commit | 2b86ef8e28d0e5376197391c29a8fb302f14820f (patch) | |
tree | e5a80fb24158b350507c28021418a19aa7084991 /app/views/projects | |
parent | 3e28dc669b014db811c0de673a090adf54f42bc1 (diff) | |
download | redmine-2b86ef8e28d0e5376197391c29a8fb302f14820f.tar.gz redmine-2b86ef8e28d0e5376197391c29a8fb302f14820f.zip |
various modifications to prevent xss
- validation of names and labels against /^[\w\s\'\-]*$/i
- html entities encoding
git-svn-id: http://redmine.rubyforge.org/svn/trunk@99 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/views/projects')
-rw-r--r-- | app/views/projects/activity.rhtml | 12 | ||||
-rw-r--r-- | app/views/projects/calendar.rhtml | 2 | ||||
-rw-r--r-- | app/views/projects/changelog.rhtml | 2 | ||||
-rw-r--r-- | app/views/projects/export_issues_pdf.rfpdf | 3 | ||||
-rw-r--r-- | app/views/projects/gantt.rhtml | 2 | ||||
-rw-r--r-- | app/views/projects/list.rhtml | 2 | ||||
-rw-r--r-- | app/views/projects/list_documents.rhtml | 14 | ||||
-rw-r--r-- | app/views/projects/list_issues.rhtml | 2 | ||||
-rw-r--r-- | app/views/projects/list_news.rhtml | 13 | ||||
-rw-r--r-- | app/views/projects/show.rhtml | 15 |
10 files changed, 20 insertions, 47 deletions
diff --git a/app/views/projects/activity.rhtml b/app/views/projects/activity.rhtml
index 9afe8ff25..9a4a07aff 100644
--- a/app/views/projects/activity.rhtml
+++ b/app/views/projects/activity.rhtml
@@ -18,20 +18,20 @@
<% @events_by_day[day].sort {|x,y| y.created_on <=> x.created_on }.each do |e| %>
<li><p>
<% if e.is_a? Issue %>
- <%= e.created_on.strftime("%H:%M") %> <%= link_to "#{e.tracker.name} ##{e.id}", :controller => 'issues', :action => 'show', :id => e %> (<%= e.status.name %>): <%= e.subject %><br />
+ <%= e.created_on.strftime("%H:%M") %> <%= link_to "#{e.tracker.name} ##{e.id}", :controller => 'issues', :action => 'show', :id => e %> (<%= e.status.name %>): <%=h e.subject %><br />
<i><%= e.author.name %></i>
<% elsif e.is_a? News %>
- <%= e.created_on.strftime("%H:%M") %> <%=l(:label_news)%>: <%= link_to e.title, :controller => 'news', :action => 'show', :id => e %><br />
- <% unless e.summary.empty? %><%= e.summary %><br /><% end %>
+ <%= e.created_on.strftime("%H:%M") %> <%=l(:label_news)%>: <%= link_to h(e.title), :controller => 'news', :action => 'show', :id => e %><br />
+ <% unless e.summary.empty? %><%=h e.summary %><br /><% end %>
<i><%= e.author.name %></i>
<% elsif (e.is_a? Attachment) and (e.container.is_a? Version) %>
- <%= e.created_on.strftime("%H:%M") %> <%=l(:label_attachment)%> (<%= e.container.name %>): <%= link_to e.filename, :controller => 'projects', :action => 'list_files', :id => @project %><br />
+ <%= e.created_on.strftime("%H:%M") %> <%=l(:label_attachment)%> (<%=h e.container.name %>): <%= link_to e.filename, :controller => 'projects', :action => 'list_files', :id => @project %><br />
<i><%= e.author.name %></i>
<% elsif (e.is_a? Attachment) and (e.container.is_a? Document) %>
- <%= e.created_on.strftime("%H:%M") %> <%=l(:label_attachment)%>: <%= e.filename %> (<%= link_to e.container.title, :controller => 'documents', :action => 'show', :id => e.container %>)<br />
+ <%= e.created_on.strftime("%H:%M") %> <%=l(:label_attachment)%>: <%= e.filename %> (<%= link_to h(e.container.title), :controller => 'documents', :action => 'show', :id => e.container %>)<br />
<i><%= e.author.name %></i>
<% elsif e.is_a? Document %>
- <%= e.created_on.strftime("%H:%M") %> <%=l(:label_document)%>: <%= link_to e.title, :controller => 'documents', :action => 'show', :id => e %><br />
+ <%= e.created_on.strftime("%H:%M") %> <%=l(:label_document)%>: <%= link_to h(e.title), :controller => 'documents', :action => 'show', :id => e %><br />
<% end %>
</p></li>
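Review bot: `e.filename` is still emitted unescaped on the new side, in `link_to e.filename, …` (Version attachment branch) and `<%= e.filename %>` (Document attachment branch), while the titles and subjects on the same lines now go through `h`. An attachment filename is supplied by the uploader, so unless it is covered by the name validation the commit message describes, it needs the same treatment: `link_to h(e.filename), …` and `<%=h e.filename %>`. `e.author.name`, `e.status.name` and `e.tracker.name` are likewise left to that validation rather than escaped here, so it is worth confirming the validation applies to all three models. The `each` block that encloses these branches closes outside the hunk.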
diff --git a/app/views/projects/calendar.rhtml b/app/views/projects/calendar.rhtml
index 2781f98c9..9b0c26ed4 100644
--- a/app/views/projects/calendar.rhtml
+++ b/app/views/projects/calendar.rhtml
@@ -50,7 +50,7 @@ while day <= @date_to
elsif day == i.due_date
image_tag('arrow_to')
end %>
- <small><%= link_to "#{i.tracker.name} ##{i.id}", :controller => 'issues', :action => 'show', :id => i %>: <%= i.subject.sub(/^(.{30}[^\s]*\s).*$/, '\1 (...)') %></small><br />
+ <small><%= link_to "#{i.tracker.name} ##{i.id}", :controller => 'issues', :action => 'show', :id => i %>: <%=h i.subject.sub(/^(.{30}[^\s]*\s).*$/, '\1 (...)') %></small><br />
<% end %>
</td>
<%= '</tr><tr height="100">' if day.cwday >= 7 and day!=@date_to %>
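Review bot: The truncation expression `i.subject.sub(/^(.{30}[^\s]*\s).*$/, '\1 (...)')` is now duplicated verbatim here and in the gantt.rhtml hunk, with `h` wrapped around each copy; a single helper next to the `truncate` helper this commit already uses elsewhere would keep the escaping and the truncation rule in one place. Note also that `^` and `$` in that regex are line anchors in Ruby, so a subject containing a newline is only truncated on its first line — harmless for XSS now that the result is escaped, but the displayed length is not what the pattern suggests. The `while day <= @date_to` loop enclosing this line begins and ends outside the hunk.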
diff --git a/app/views/projects/changelog.rhtml b/app/views/projects/changelog.rhtml
index 081456413..e59df059d 100644
--- a/app/views/projects/changelog.rhtml
+++ b/app/views/projects/changelog.rhtml
@@ -23,6 +23,6 @@
<ul>
<% ver_id = issue.fixed_version_id
end %>
- <li><%= link_to issue.long_id, :controller => 'issues', :action => 'show', :id => issue %> [<%= issue.tracker.name %>]: <%= issue.subject %></li>
+ <li><%= link_to issue.long_id, :controller => 'issues', :action => 'show', :id => issue %> [<%= issue.tracker.name %>]: <%=h issue.subject %></li>
<% end %>
</div>
\ No newline at end of file
diff --git a/app/views/projects/export_issues_pdf.rfpdf b/app/views/projects/export_issues_pdf.rfpdf
index 2e0acf54b..09592d391 100644
--- a/app/views/projects/export_issues_pdf.rfpdf
+++ b/app/views/projects/export_issues_pdf.rfpdf
@@ -1,10 +1,9 @@
<% pdf=IfpdfHelper::IFPDF.new
pdf.AliasNbPages
pdf.footer_date = format_date(Date.today)
- pdf.AddPage
@issues.each {|i|
- render :partial => 'issues/pdf', :locals => { :pdf => pdf, :issue => i }
pdf.AddPage
+ render :partial => 'issues/pdf', :locals => { :pdf => pdf, :issue => i }
}
%>
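Review bot: Moving `pdf.AddPage` inside the `@issues.each` loop and dropping the initial call means that when `@issues` is empty no page is ever added before the document is written; depending on how IFPDF handles output with zero pages this may produce an empty or invalid file instead of the blank page the old code produced. Adding `pdf.AddPage if @issues.empty?` after the loop keeps the previous behaviour for that case. Where the PDF is actually written out is not in the hunk.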
diff --git a/app/views/projects/gantt.rhtml b/app/views/projects/gantt.rhtml
index 206186f08..7fbe02757 100644
--- a/app/views/projects/gantt.rhtml
+++ b/app/views/projects/gantt.rhtml
@@ -103,7 +103,7 @@ top = headers_heigth + 8
@issues.each do |i| %>
<div style="position: absolute;line-height:1em;height:16px;top:<%= top %>px;left:4px;width:<%= subject_width - 5 %>px;overflow:hidden;">
<small><%= link_to "#{i.tracker.name} ##{i.id}", :controller => 'issues', :action => 'show', :id => i %>:
- <%= i.subject.sub(/^(.{30}[^\s]*\s).*$/, '\1 (...)') %></small>
+ <%=h i.subject.sub(/^(.{30}[^\s]*\s).*$/, '\1 (...)') %></small>
</div>
<% top = top + 20
end %>
diff --git a/app/views/projects/list.rhtml b/app/views/projects/list.rhtml
index 0137086d9..69e2c064f 100644
--- a/app/views/projects/list.rhtml
+++ b/app/views/projects/list.rhtml
@@ -10,7 +10,7 @@
<% for project in @projects %>
<tr class="<%= cycle("odd", "even") %>">
<td><%= link_to project.name, :action => 'show', :id => project %>
- <td><%= project.description %>
+ <td><%=h project.description %>
<td align="center"><%= format_date(project.created_on) %>
</tr>
<% end %>
diff --git a/app/views/projects/list_documents.rhtml b/app/views/projects/list_documents.rhtml
index 0b630e922..c24785f69 100644
--- a/app/views/projects/list_documents.rhtml
+++ b/app/views/projects/list_documents.rhtml
@@ -8,16 +8,6 @@
<% documents = @documents.group_by {|d| d.category } %>
<% documents.each do |category, docs| %>
-<h3><%= category.name %></h3>
-<ul>
-<% docs.each do |d| %>
- <li>
- <b><%= link_to d.title, :controller => 'documents', :action => 'show', :id => d %></b>
- <br />
- <%= truncate d.description, 250 %><br />
- <em><%= format_time(d.created_on) %></em><br />
- </li>
-
-<% end %>
-</ul>
+ <h3><%= category.name %></h3>
+ <%= render :partial => 'documents/document', :collection => docs %>
<% end %>
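Review bot: The document title and the truncated description are now rendered by the `documents/document` partial, which lies outside the `app/views/projects` scope of this diff, so whether they are escaped there cannot be confirmed from this hunk; the same applies to the `news/news` partial that replaces the inline loops in list_news.rhtml and in the show.rhtml latest-news hunk. `category.name` on the new `<h3>` line remains unescaped and relies on the name validation the commit message mentions. The `documents.each` block containing the new lines opens on the hunk's first context line and closes on its last.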
\ No newline at end of file
diff --git a/app/views/projects/list_issues.rhtml b/app/views/projects/list_issues.rhtml
index 5f0d0282a..190aab838 100644
--- a/app/views/projects/list_issues.rhtml
+++ b/app/views/projects/list_issues.rhtml
@@ -69,7 +69,7 @@
<td align="center"><%= link_to issue.long_id, :controller => 'issues', :action => 'show', :id => issue %></td>
<td align="center" style="font-weight:bold;color:#<%= issue.status.html_color %>;"><%= issue.status.name %></font></td>
<td align="center"><%= issue.tracker.name %></td>
- <td><%= link_to issue.subject, :controller => 'issues', :action => 'show', :id => issue %></td>
+ <td><%= link_to h(issue.subject), :controller => 'issues', :action => 'show', :id => issue %></td>
<td align="center"><%= issue.author.display_name %></td>
<td align="center"><%= format_time(issue.created_on) %></td>
<td align="center"><%= format_time(issue.updated_on) %></td>
diff --git a/app/views/projects/list_news.rhtml b/app/views/projects/list_news.rhtml
index 1427c07be..8d8f99668 100644
--- a/app/views/projects/list_news.rhtml
+++ b/app/views/projects/list_news.rhtml
@@ -5,16 +5,5 @@
<h2><%=l(:label_news_plural)%></h2>
<% if @news.empty? %><p><i><%= l(:label_no_data) %></i></p><% end %>
-
-<ul>
-<% for news in @news %>
- <li><%= link_to news.title, :controller => 'news', :action => 'show', :id => news %><br />
- <% unless news.summary.empty? %><%= news.summary %><br /><% end %>
- <em><%= news.author.name %>, <%= format_time(news.created_on) %></em><br />
- <%= news.comments_count %> <%= lwr(:label_comment, news.comments_count).downcase %><br />
- </li>
-<% end %>
-</ul>
-
-
+<%= render :partial => 'news/news', :collection => @news %>
<%= pagination_links_full @news_pages %>
diff --git a/app/views/projects/show.rhtml b/app/views/projects/show.rhtml
index 79e36a586..46f17d9b9 100644
--- a/app/views/projects/show.rhtml
+++ b/app/views/projects/show.rhtml
@@ -1,13 +1,13 @@
<h2><%=l(:label_overview)%></h2>
<div class="splitcontentleft">
- <%= simple_format(auto_link(@project.description)) %>
+ <%= simple_format(auto_link(h @project.description)) %>
<ul>
<% unless @project.homepage.empty? %><li><%=l(:field_homepage)%>: <%= auto_link @project.homepage %></li><% end %>
<li><%=l(:field_created_on)%>: <%= format_date(@project.created_on) %></li>
<% for custom_value in @custom_values %>
<% if !custom_value.value.empty? %>
- <li><%= custom_value.custom_field.name%>: <%= show_value(custom_value) %></li>
+ <li><%= custom_value.custom_field.name%>: <%=h show_value(custom_value) %></li>
<% end %>
<% end %>
</ul>
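Review bot: `@project.description` is now escaped before `auto_link` (the right order, since escaping afterwards would also escape the generated anchors), but `@project.homepage` on the context line just below is still passed to `auto_link` unescaped and rendered into the same list; unless the homepage field is validated elsewhere in this commit, it needs the same form: `<%= auto_link h(@project.homepage) %>`. `custom_value.custom_field.name` on the changed `<li>` line also stays unescaped while the value beside it is now wrapped in `h`, presumably relying on the field-name validation the commit message describes. The `for custom_value in @custom_values` loop opens and closes within the hunk.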
@@ -32,7 +32,7 @@
<% end %>
</ul>
<% end %>
- <center><small>[ <%= link_to l(:label_issue_view_all), :controller => 'projects', :action => 'list_issues', :id => @project, :set_filter => 1 %> ]</small></center>
+ <center><small><%= link_to l(:label_issue_view_all), :controller => 'projects', :action => 'list_issues', :id => @project, :set_filter => 1 %></small></center>
</div>
</div>
@@ -55,13 +55,8 @@
<div class="box">
<h3><%=l(:label_news_latest)%></h3>
- <% for news in @news %>
- <p><b><%= news.title %></b> <small>(<%= link_to_user news.author %> <%= format_time(news.created_on) %>)</small><br />
- <%= news.summary %>
- <small>[<%= link_to l(:label_read), :controller => 'news', :action => 'show', :id => news %>]</small></p>
- <hr />
- <% end %>
- <center><small>[ <%= link_to l(:label_news_view_all), :controller => 'projects', :action => 'list_news', :id => @project %> ]</small></center>
+ <%= render :partial => 'news/news', :collection => @news %>
+ <center><small><%= link_to l(:label_news_view_all), :controller => 'projects', :action => 'list_news', :id => @project %></small></center>
</div>
</div>