Unverified Commit ea788a49 authored by IKEDA Soji's avatar IKEDA Soji Committed by GitHub

Merge pull request #430 from ikedas/issue-428 by ikedas

Template strings passed to javascript were not escaped
parents 960ad903 de3c7396
......@@ -10,19 +10,19 @@
<!--
[%# A few configuration settings and miscellaneous vars. ~%]
var sympa = {
backText: "[%|loc%]Back[%END%]",
calendarButtonText: "[%|loc%]Calendar[%END%]",
backText: '[%"Back"|loc|escape_cstr%]',
calendarButtonText: '[%"Calendar"|loc|escape_cstr%]',
calendarFirstDay: 0,
closeText: "[%|loc%]Close[%END%]",
dayNames: "[%|loc%]Sunday:Monday:Tuesday:Wednesday:Thursday:Friday:Saturday[%END%]".split(":"),
dayNamesMin: "[%|loc%]Su:Mo:Tu:We:Th:Fr:Sa[%END%]".split(":"),
home_url: '[% path_cgi %]/',
icons_url: '[% icons_url %]',
lang: '[% lang %]',
loadingText: "[%|loc%]Please Wait...[%END%]",
monthNamesShort: "[%|loc%]Jan:Feb:Mar:Apr:May:Jun:Jul:Aug:Sep:Oct:Nov:Dec[%END%]".split(":"),
openInNewWinText: "[%|loc%]Open in a new window[%END%]",
resetText: "[%|loc%]Reset[%END%]"
closeText: '[%"Close"|loc|escape_cstr%]',
dayNames: '[%"Sunday:Monday:Tuesday:Wednesday:Thursday:Friday:Saturday"|loc|escape_cstr%]'.split(":"),
dayNamesMin: '[%"Su:Mo:Tu:We:Th:Fr:Sa"|loc|escape_cstr%]'.split(":"),
home_url: '[% path_cgi | escape_cstr %]/',
icons_url: '[% icons_url | escape_cstr %]',
lang: '[% lang | escape_cstr %]',
loadingText: '[%"Please Wait..."|loc|escape_cstr%]',
monthNamesShort: '[%"Jan:Feb:Mar:Apr:May:Jun:Jul:Aug:Sep:Oct:Nov:Dec"|loc|escape_cstr%]'.split(":"),
openInNewWinText: '[%"Open in a new window"|loc|escape_cstr%]',
resetText: '[%"Reset"|loc|escape_cstr%]'
};
[%# Variable for backward compatibility. ~%]
var lang = '[% lang %]';
......
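Review bot: The backward-compatibility line `var lang = '[% lang %]';` just after the closing brace still interpolates lang into a JavaScript string literal without the new filter, while the same variable inside the sympa object now goes through escape_cstr; both sites should agree, `var lang = '[% lang | escape_cstr %]';`. Whether lang can ever carry a quote or backslash is not visible here, but one unfiltered copy of the same value leaves the escaping incomplete. The enclosing script block begins before this hunk.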
......@@ -21,7 +21,7 @@
<!--
var line = [% o.stats_values %];
$.jqplot('[% chartid %]', [line], {
title: '[% o.title %]',
title: '[% o.title | escape_cstr %]',
axesDefaults: {
min: 0,
tickRenderer: $.jqplot.CanvasAxisTickRenderer,
......
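Review bot: `$.jqplot('[% chartid %]', [line], {` on the line above the escaped title still inserts chartid into a quoted JavaScript string unfiltered and should get the same treatment, `$.jqplot('[% chartid | escape_cstr %]', [line], {`. `var line = [% o.stats_values %];` two lines earlier emits o.stats_values as a bare JavaScript expression, which escape_cstr cannot protect; if it is a server-built numeric list, a template comment saying so would make the trust boundary explicit, e.g. `[%# o.stats_values is a numeric list built server-side, never user text ~%]`. The script block continues outside the hunk.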
......@@ -102,11 +102,18 @@ sub _escape_xml {
}
# Old name: tt2::escape_quote().
sub _escape_quote {
# No longer used. Use _escape_cstr().
#sub _escape_quote;
sub _escape_cstr {
my $string = shift;
$string =~ s/\'/\\\'/g;
$string =~ s/\"/\\\"/g;
$string =~ s{([\t\n\r\'\"\\])}{
($1 eq "\t") ? "\\t" :
($1 eq "\n") ? "\\n" :
($1 eq "\r") ? "\\r" :
"\\$1"
}eg;
return $string;
}
......@@ -335,12 +342,12 @@ sub parse {
mailtourl => [\&_mailtourl, 1],
obfuscate => [\&_obfuscate, 1],
optdesc => [sub { shift; $self->_optdesc_func(@_) }, 1],
qencode => [\&qencode, 0],
escape_xml => [\&_escape_xml, 0],
escape_url => [\&_escape_url, 0],
escape_quote => [\&_escape_quote, 0],
decode_utf8 => [\&decode_utf8, 0],
encode_utf8 => [\&encode_utf8, 0],
qencode => [\&qencode, 0],
escape_cstr => [\&_escape_cstr, 0],
escape_xml => [\&_escape_xml, 0],
escape_url => [\&_escape_url, 0],
decode_utf8 => [\&decode_utf8, 0],
encode_utf8 => [\&encode_utf8, 0],
url_abs => [sub { shift; $self->_url_func(1, $data, @_) }, 1],
url_rel => [sub { shift; $self->_url_func(0, $data, @_) }, 1],
canonic_email => \&Sympa::Tools::Text::canonic_email,
......@@ -514,10 +521,19 @@ No longer used.
No longer used.
=item escape_cstr
Applies C-style escaping of a string (not enclosed by quotes).
This filter was added on Sympa 6.2.38.
=item escape_quote
Escape quotation marks.
B<Deprecated>.
Use escape_cstr.
=item escape_url
Escapes URL.
......
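Review bot: _escape_cstr keeps a value from breaking out of its quotes, but not from closing the surrounding HTML element: a `</script>` or `<!--` sequence in a translated or caller-supplied string passes through untouched, and an HTML parser ends the inline script there regardless of JavaScript escaping. Adding `<` and `>` to the character class and hex-escaping them keeps the output valid C-style and JavaScript, e.g. `$string =~ s{([\t\n\r\'\"\\<>])}{` with the extra branches `($1 eq '<') ? '\\x3c' :` and `($1 eq '>') ? '\\x3e' :` before the `"\\$1"` fallback. Separately, the POD hunk still lists escape_quote as merely deprecated, while the filter table in the parse hunk appears to drop the `escape_quote` entry and the sub is commented out, so templates using it would presumably fail rather than warn; the POD should say it was removed in this version, or the table should keep a compatibility alias to _escape_cstr.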