##// END OF EJS Templates
u » ewong » rhodecode-enterprise-ce-fork
RSS

Fork of rhodecode-enterprise-ce

select2: always escape .text attributes to prevent XSS via...
ergo -
r2196:2338f289 stable
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,483 +1,483 b''
1 1 // # Copyright (C) 2010-2017 RhodeCode GmbH
2 2 // #
3 3 // # This program is free software: you can redistribute it and/or modify
4 4 // # it under the terms of the GNU Affero General Public License, version 3
5 5 // # (only), as published by the Free Software Foundation.
6 6 // #
7 7 // # This program is distributed in the hope that it will be useful,
8 8 // # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 // # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 // # GNU General Public License for more details.
11 11 // #
12 12 // # You should have received a copy of the GNU Affero General Public License
13 13 // # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 // #
15 15 // # This program is dual-licensed. If you wish to learn more about the
16 16 // # RhodeCode Enterprise Edition, including its added features, Support services,
17 17 // # and proprietary license terms, please see https://rhodecode.com/licenses/
18 18
19 19 /**
20 20 RhodeCode JS Files
21 21 **/
22 22
23 23 if (typeof console == "undefined" || typeof console.log == "undefined"){
24 24 console = { log: function() {} }
25 25 }
26 26
27 27 // TODO: move the following function to submodules
28 28
29 29 /**
30 30 * show more
31 31 */
32 32 var show_more_event = function(){
33 33 $('table .show_more').click(function(e) {
34 34 var cid = e.target.id.substring(1);
35 35 var button = $(this);
36 36 if (button.hasClass('open')) {
37 37 $('#'+cid).hide();
38 38 button.removeClass('open');
39 39 } else {
40 40 $('#'+cid).show();
41 41 button.addClass('open one');
42 42 }
43 43 });
44 44 };
45 45
46 46 var compare_radio_buttons = function(repo_name, compare_ref_type){
47 47 $('#compare_action').on('click', function(e){
48 48 e.preventDefault();
49 49
50 50 var source = $('input[name=compare_source]:checked').val();
51 51 var target = $('input[name=compare_target]:checked').val();
52 52 if(source && target){
53 53 var url_data = {
54 54 repo_name: repo_name,
55 55 source_ref: source,
56 56 source_ref_type: compare_ref_type,
57 57 target_ref: target,
58 58 target_ref_type: compare_ref_type,
59 59 merge: 1
60 60 };
61 61 window.location = pyroutes.url('compare_url', url_data);
62 62 }
63 63 });
64 64 $('.compare-radio-button').on('click', function(e){
65 65 var source = $('input[name=compare_source]:checked').val();
66 66 var target = $('input[name=compare_target]:checked').val();
67 67 if(source && target){
68 68 $('#compare_action').removeAttr("disabled");
69 69 $('#compare_action').removeClass("disabled");
70 70 }
71 71 })
72 72 };
73 73
74 74 var showRepoSize = function(target, repo_name, commit_id, callback) {
75 75 var container = $('#' + target);
76 76 var url = pyroutes.url('repo_stats',
77 77 {"repo_name": repo_name, "commit_id": commit_id});
78 78
79 79 if (!container.hasClass('loaded')) {
80 80 $.ajax({url: url})
81 81 .complete(function (data) {
82 82 var responseJSON = data.responseJSON;
83 83 container.addClass('loaded');
84 84 container.html(responseJSON.size);
85 85 callback(responseJSON.code_stats)
86 86 })
87 87 .fail(function (data) {
88 88 console.log('failed to load repo stats');
89 89 });
90 90 }
91 91
92 92 };
93 93
94 94 var showRepoStats = function(target, data){
95 95 var container = $('#' + target);
96 96
97 97 if (container.hasClass('loaded')) {
98 98 return
99 99 }
100 100
101 101 var total = 0;
102 102 var no_data = true;
103 103 var tbl = document.createElement('table');
104 104 tbl.setAttribute('class', 'trending_language_tbl');
105 105
106 106 $.each(data, function(key, val){
107 107 total += val.count;
108 108 });
109 109
110 110 var sortedStats = [];
111 111 for (var obj in data){
112 112 sortedStats.push([obj, data[obj]])
113 113 }
114 114 var sortedData = sortedStats.sort(function (a, b) {
115 115 return b[1].count - a[1].count
116 116 });
117 117 var cnt = 0;
118 118 $.each(sortedData, function(idx, val){
119 119 cnt += 1;
120 120 no_data = false;
121 121
122 122 var hide = cnt > 2;
123 123 var tr = document.createElement('tr');
124 124 if (hide) {
125 125 tr.setAttribute('style', 'display:none');
126 126 tr.setAttribute('class', 'stats_hidden');
127 127 }
128 128
129 129 var key = val[0];
130 130 var obj = {"desc": val[1].desc, "count": val[1].count};
131 131
132 132 var percentage = Math.round((obj.count / total * 100), 2);
133 133
134 134 var td1 = document.createElement('td');
135 135 td1.width = 300;
136 136 var trending_language_label = document.createElement('div');
137 137 trending_language_label.innerHTML = obj.desc + " (.{0})".format(key);
138 138 td1.appendChild(trending_language_label);
139 139
140 140 var td2 = document.createElement('td');
141 141 var trending_language = document.createElement('div');
142 142 var nr_files = obj.count +" "+ _ngettext('file', 'files', obj.count);
143 143
144 144 trending_language.title = key + " " + nr_files;
145 145
146 146 trending_language.innerHTML = "<span>" + percentage + "% " + nr_files
147 147 + "</span><b>" + percentage + "% " + nr_files + "</b>";
148 148
149 149 trending_language.setAttribute("class", 'trending_language');
150 150 $('b', trending_language)[0].style.width = percentage + "%";
151 151 td2.appendChild(trending_language);
152 152
153 153 tr.appendChild(td1);
154 154 tr.appendChild(td2);
155 155 tbl.appendChild(tr);
156 156 if (cnt == 3) {
157 157 var show_more = document.createElement('tr');
158 158 var td = document.createElement('td');
159 159 lnk = document.createElement('a');
160 160
161 161 lnk.href = '#';
162 162 lnk.innerHTML = _gettext('Show more');
163 163 lnk.id = 'code_stats_show_more';
164 164 td.appendChild(lnk);
165 165
166 166 show_more.appendChild(td);
167 167 show_more.appendChild(document.createElement('td'));
168 168 tbl.appendChild(show_more);
169 169 }
170 170 });
171 171
172 172 $(container).html(tbl);
173 173 $(container).addClass('loaded');
174 174
175 175 $('#code_stats_show_more').on('click', function (e) {
176 176 e.preventDefault();
177 177 $('.stats_hidden').each(function (idx) {
178 178 $(this).css("display", "");
179 179 });
180 180 $('#code_stats_show_more').hide();
181 181 });
182 182
183 183 };
184 184
185 185 // returns a node from given html;
186 186 var fromHTML = function(html){
187 187 var _html = document.createElement('element');
188 188 _html.innerHTML = html;
189 189 return _html;
190 190 };
191 191
192 192 // Toggle Collapsable Content
193 193 function collapsableContent() {
194 194
195 195 $('.collapsable-content').not('.no-hide').hide();
196 196
197 197 $('.btn-collapse').unbind(); //in case we've been here before
198 198 $('.btn-collapse').click(function() {
199 199 var button = $(this);
200 200 var togglename = $(this).data("toggle");
201 201 $('.collapsable-content[data-toggle='+togglename+']').toggle();
202 202 if ($(this).html()=="Show Less")
203 203 $(this).html("Show More");
204 204 else
205 205 $(this).html("Show Less");
206 206 });
207 207 };
208 208
209 209 var timeagoActivate = function() {
210 210 $("time.timeago").timeago();
211 211 };
212 212
213 213 // Formatting values in a Select2 dropdown of commit references
214 214 var formatSelect2SelectionRefs = function(commit_ref){
215 215 var tmpl = '';
216 216 if (!commit_ref.text || commit_ref.type === 'sha'){
217 217 return commit_ref.text;
218 218 }
219 219 if (commit_ref.type === 'branch'){
220 220 tmpl = tmpl.concat('<i class="icon-branch"></i> ');
221 221 } else if (commit_ref.type === 'tag'){
222 222 tmpl = tmpl.concat('<i class="icon-tag"></i> ');
223 223 } else if (commit_ref.type === 'book'){
224 224 tmpl = tmpl.concat('<i class="icon-bookmark"></i> ');
225 225 }
226 return tmpl.concat(commit_ref.text);
226 return tmpl.concat(escapeHtml(commit_ref.text));
227 227 };
228 228
229 229 // takes a given html element and scrolls it down offset pixels
230 230 function offsetScroll(element, offset) {
231 231 setTimeout(function() {
232 232 var location = element.offset().top;
233 233 // some browsers use body, some use html
234 234 $('html, body').animate({ scrollTop: (location - offset) });
235 235 }, 100);
236 236 }
237 237
238 238 // scroll an element `percent`% from the top of page in `time` ms
239 239 function scrollToElement(element, percent, time) {
240 240 percent = (percent === undefined ? 25 : percent);
241 241 time = (time === undefined ? 100 : time);
242 242
243 243 var $element = $(element);
244 244 if ($element.length == 0) {
245 245 throw('Cannot scroll to {0}'.format(element))
246 246 }
247 247 var elOffset = $element.offset().top;
248 248 var elHeight = $element.height();
249 249 var windowHeight = $(window).height();
250 250 var offset = elOffset;
251 251 if (elHeight < windowHeight) {
252 252 offset = elOffset - ((windowHeight / (100 / percent)) - (elHeight / 2));
253 253 }
254 254 setTimeout(function() {
255 255 $('html, body').animate({ scrollTop: offset});
256 256 }, time);
257 257 }
258 258
259 259 /**
260 260 * global hooks after DOM is loaded
261 261 */
262 262 $(document).ready(function() {
263 263 firefoxAnchorFix();
264 264
265 265 $('.navigation a.menulink').on('click', function(e){
266 266 var menuitem = $(this).parent('li');
267 267 if (menuitem.hasClass('open')) {
268 268 menuitem.removeClass('open');
269 269 } else {
270 270 menuitem.addClass('open');
271 271 $(document).on('click', function(event) {
272 272 if (!$(event.target).closest(menuitem).length) {
273 273 menuitem.removeClass('open');
274 274 }
275 275 });
276 276 }
277 277 });
278 278 $('.compare_view_files').on(
279 279 'mouseenter mouseleave', 'tr.line .lineno a',function(event) {
280 280 if (event.type === "mouseenter") {
281 281 $(this).parents('tr.line').addClass('hover');
282 282 } else {
283 283 $(this).parents('tr.line').removeClass('hover');
284 284 }
285 285 });
286 286
287 287 $('.compare_view_files').on(
288 288 'mouseenter mouseleave', 'tr.line .add-comment-line a',function(event){
289 289 if (event.type === "mouseenter") {
290 290 $(this).parents('tr.line').addClass('commenting');
291 291 } else {
292 292 $(this).parents('tr.line').removeClass('commenting');
293 293 }
294 294 });
295 295
296 296 $('body').on( /* TODO: replace the $('.compare_view_files').on('click') below
297 297 when new diffs are integrated */
298 298 'click', '.cb-lineno a', function(event) {
299 299
300 300 if ($(this).attr('data-line-no') !== ""){
301 301 $('.cb-line-selected').removeClass('cb-line-selected');
302 302 var td = $(this).parent();
303 303 td.addClass('cb-line-selected'); // line number td
304 304 td.prev().addClass('cb-line-selected'); // line data td
305 305 td.next().addClass('cb-line-selected'); // line content td
306 306
307 307 // Replace URL without jumping to it if browser supports.
308 308 // Default otherwise
309 309 if (history.pushState) {
310 310 var new_location = location.href.rstrip('#');
311 311 if (location.hash) {
312 312 new_location = new_location.replace(location.hash, "");
313 313 }
314 314
315 315 // Make new anchor url
316 316 new_location = new_location + $(this).attr('href');
317 317 history.pushState(true, document.title, new_location);
318 318
319 319 return false;
320 320 }
321 321 }
322 322 });
323 323
324 324 $('.compare_view_files').on( /* TODO: replace this with .cb function above
325 325 when new diffs are integrated */
326 326 'click', 'tr.line .lineno a',function(event) {
327 327 if ($(this).text() != ""){
328 328 $('tr.line').removeClass('selected');
329 329 $(this).parents("tr.line").addClass('selected');
330 330
331 331 // Replace URL without jumping to it if browser supports.
332 332 // Default otherwise
333 333 if (history.pushState) {
334 334 var new_location = location.href;
335 335 if (location.hash){
336 336 new_location = new_location.replace(location.hash, "");
337 337 }
338 338
339 339 // Make new anchor url
340 340 var new_location = new_location+$(this).attr('href');
341 341 history.pushState(true, document.title, new_location);
342 342
343 343 return false;
344 344 }
345 345 }
346 346 });
347 347
348 348 $('.compare_view_files').on(
349 349 'click', 'tr.line .add-comment-line a',function(event) {
350 350 var tr = $(event.currentTarget).parents('tr.line')[0];
351 351 injectInlineForm(tr);
352 352 return false;
353 353 });
354 354
355 355 $('.collapse_file').on('click', function(e) {
356 356 e.stopPropagation();
357 357 if ($(e.target).is('a')) { return; }
358 358 var node = $(e.delegateTarget).first();
359 359 var icon = $($(node.children().first()).children().first());
360 360 var id = node.attr('fid');
361 361 var target = $('#'+id);
362 362 var tr = $('#tr_'+id);
363 363 var diff = $('#diff_'+id);
364 364 if(node.hasClass('expand_file')){
365 365 node.removeClass('expand_file');
366 366 icon.removeClass('expand_file_icon');
367 367 node.addClass('collapse_file');
368 368 icon.addClass('collapse_file_icon');
369 369 diff.show();
370 370 tr.show();
371 371 target.show();
372 372 } else {
373 373 node.removeClass('collapse_file');
374 374 icon.removeClass('collapse_file_icon');
375 375 node.addClass('expand_file');
376 376 icon.addClass('expand_file_icon');
377 377 diff.hide();
378 378 tr.hide();
379 379 target.hide();
380 380 }
381 381 });
382 382
383 383 $('#expand_all_files').click(function() {
384 384 $('.expand_file').each(function() {
385 385 var node = $(this);
386 386 var icon = $($(node.children().first()).children().first());
387 387 var id = $(this).attr('fid');
388 388 var target = $('#'+id);
389 389 var tr = $('#tr_'+id);
390 390 var diff = $('#diff_'+id);
391 391 node.removeClass('expand_file');
392 392 icon.removeClass('expand_file_icon');
393 393 node.addClass('collapse_file');
394 394 icon.addClass('collapse_file_icon');
395 395 diff.show();
396 396 tr.show();
397 397 target.show();
398 398 });
399 399 });
400 400
401 401 $('#collapse_all_files').click(function() {
402 402 $('.collapse_file').each(function() {
403 403 var node = $(this);
404 404 var icon = $($(node.children().first()).children().first());
405 405 var id = $(this).attr('fid');
406 406 var target = $('#'+id);
407 407 var tr = $('#tr_'+id);
408 408 var diff = $('#diff_'+id);
409 409 node.removeClass('collapse_file');
410 410 icon.removeClass('collapse_file_icon');
411 411 node.addClass('expand_file');
412 412 icon.addClass('expand_file_icon');
413 413 diff.hide();
414 414 tr.hide();
415 415 target.hide();
416 416 });
417 417 });
418 418
419 419 // Mouse over behavior for comments and line selection
420 420
421 421 // Select the line that comes from the url anchor
422 422 // At the time of development, Chrome didn't seem to support jquery's :target
423 423 // element, so I had to scroll manually
424 424
425 425 if (location.hash) {
426 426 var result = splitDelimitedHash(location.hash);
427 427 var loc = result.loc;
428 428 if (loc.length > 1) {
429 429
430 430 var highlightable_line_tds = [];
431 431
432 432 // source code line format
433 433 var page_highlights = loc.substring(
434 434 loc.indexOf('#') + 1).split('L');
435 435
436 436 if (page_highlights.length > 1) {
437 437 var highlight_ranges = page_highlights[1].split(",");
438 438 var h_lines = [];
439 439 for (var pos in highlight_ranges) {
440 440 var _range = highlight_ranges[pos].split('-');
441 441 if (_range.length === 2) {
442 442 var start = parseInt(_range[0]);
443 443 var end = parseInt(_range[1]);
444 444 if (start < end) {
445 445 for (var i = start; i <= end; i++) {
446 446 h_lines.push(i);
447 447 }
448 448 }
449 449 }
450 450 else {
451 451 h_lines.push(parseInt(highlight_ranges[pos]));
452 452 }
453 453 }
454 454 for (pos in h_lines) {
455 455 var line_td = $('td.cb-lineno#L' + h_lines[pos]);
456 456 if (line_td.length) {
457 457 highlightable_line_tds.push(line_td);
458 458 }
459 459 }
460 460 }
461 461
462 462 // now check a direct id reference (diff page)
463 463 if ($(loc).length && $(loc).hasClass('cb-lineno')) {
464 464 highlightable_line_tds.push($(loc));
465 465 }
466 466 $.each(highlightable_line_tds, function (i, $td) {
467 467 $td.addClass('cb-line-selected'); // line number td
468 468 $td.prev().addClass('cb-line-selected'); // line data
469 469 $td.next().addClass('cb-line-selected'); // line content
470 470 });
471 471
472 472 if (highlightable_line_tds.length) {
473 473 var $first_line_td = highlightable_line_tds[0];
474 474 scrollToElement($first_line_td);
475 475 $.Topic('/ui/plugins/code/anchor_focus').prepareOrPublish({
476 476 td: $first_line_td,
477 477 remainder: result.remainder
478 478 });
479 479 }
480 480 }
481 481 }
482 482 collapsableContent();
483 483 });
Show file before | Show file after | Hide comments
@@ -1,84 +1,82 b''
1 1 /* COMMON */
2 2 var select2RefFilterResults = function(queryTerm, data) {
3 3 var filteredData = {results: []};
4 4 //filter results
5 5 $.each(data.results, function() {
6 6 var section = this.text;
7 7 var children = [];
8 8 $.each(this.children, function() {
9 9 if (queryTerm.length === 0 || this.text.toUpperCase().indexOf(queryTerm.toUpperCase()) >= 0) {
10 10 children.push(this);
11 11 }
12 12 });
13 13
14 14 if (children.length > 0) {
15 15 filteredData.results.push({
16 16 'text': section,
17 17 'children': children
18 18 });
19 19 }
20 20 });
21 21
22 22 return filteredData
23 23 };
24 24
25 25
26 26 var select2RefBaseSwitcher = function(targetElement, loadUrl, initialData){
27 27 var formatResult = function(result, container, query) {
28 28 return formatSelect2SelectionRefs(result);
29 29 };
30 30
31 31 var formatSelection = function(data, container) {
32 32 return formatSelect2SelectionRefs(data);
33 33 };
34 34
35 35 $(targetElement).select2({
36 36 cachedDataSource: {},
37 37 dropdownAutoWidth: true,
38 formatResult: formatResult,
39 38 width: "resolve",
40 39 containerCssClass: "drop-menu",
41 40 dropdownCssClass: "drop-menu-dropdown",
42 41 query: function(query) {
43 42 var self = this;
44 43 var cacheKey = '__ALLREFS__';
45 44 var cachedData = self.cachedDataSource[cacheKey];
46 45 if (cachedData) {
47 46 var data = select2RefFilterResults(query.term, cachedData);
48 47 query.callback({results: data.results});
49 48 } else {
50 49 $.ajax({
51 50 url: loadUrl,
52 51 data: {},
53 52 dataType: 'json',
54 53 type: 'GET',
55 54 success: function(data) {
56 55 self.cachedDataSource[cacheKey] = data;
57 56 query.callback({results: data.results});
58 57 }
59 58 });
60 59 }
61 60 },
62
63 61 initSelection: function(element, callback) {
64 62 callback(initialData);
65 63 },
66
64 formatResult: formatResult,
67 65 formatSelection: formatSelection
68 66 });
69 67
70 68 };
71 69
72 70 /* WIDGETS */
73 71 var select2RefSwitcher = function(targetElement, initialData) {
74 72 var loadUrl = pyroutes.url('repo_refs_data',
75 73 {'repo_name': templateContext.repo_name});
76 74 select2RefBaseSwitcher(targetElement, loadUrl, initialData);
77 75 };
78 76
79 77 var select2FileHistorySwitcher = function(targetElement, initialData, state) {
80 78 var loadUrl = pyroutes.url('files_history_home',
81 79 {'repo_name': templateContext.repo_name, 'revision': state.rev,
82 80 'f_path': state.f_path});
83 81 select2RefBaseSwitcher(targetElement, loadUrl, initialData);
84 82 };
General Comments 0
You need to be logged in to leave comments. Login now