# HG changeset patch # User Goffi # Date 1306443825 -7200 # Node ID 9f19e16187ffb27c7c03c9cf8912880910770fa5 # Parent 72c51a4839cce190255e24cf76a24d066467a1fb browser side: HTML sanitization diff -r 72c51a4839cc -r 9f19e16187ff browser_side/contact.py --- a/browser_side/contact.py Thu May 26 20:13:41 2011 +0200 +++ b/browser_side/contact.py Thu May 26 23:03:45 2011 +0200 @@ -30,6 +30,7 @@ from pyjamas.dnd import makeDraggable from pyjamas.ui.DragWidget import DragWidget, DragContainer from jid import JID +from tools import html_sanitize class DragLabel(DragWidget): @@ -65,7 +66,7 @@ class GroupLabel(DragLabel, Label): def __init__(self, group): self.group = group - Label.__init__(self, group) #, Element=DOM.createElement('div') + Label.__init__(self, html_sanitize(group)) #, Element=DOM.createElement('div') self.setStyleName('group') DragLabel.__init__(self, group, "GROUP") @@ -74,7 +75,7 @@ def __init__(self, jid, name=None): if not name: name=jid - Label.__init__(self, name) + Label.__init__(self, html_sanitize(name)) self.jid=jid self.setStyleName('contact') DragLabel.__init__(self, jid, "CONTACT") diff -r 72c51a4839cc -r 9f19e16187ff browser_side/panels.py --- a/browser_side/panels.py Thu May 26 20:13:41 2011 +0200 +++ b/browser_side/panels.py Thu May 26 23:03:45 2011 +0200 @@ -75,6 +75,9 @@ menu_general.addItem("Social contract", MenuCmd(self, "onSocialContract")) menu_general.addItem("About", MenuCmd(self, "onAbout")) + menu_contacts = MenuBar(vertical=True) + menu_contacts.addItem("add contact", MenuCmd(self, "onAddContact")) + menu_group = MenuBar(vertical=True) menu_group.addItem("join room", MenuCmd(self, "onJoinRoom")) @@ -84,6 +87,7 @@ menubar = MenuBar(vertical=False) menubar.addItem(MenuItem("General", menu_general)) + menubar.addItem(MenuItem("Contacts", menu_contacts)) menubar.addItem(MenuItem("Groups", menu_group)) menubar.addItem(MenuItem("Games", True, menu_games)) self.add(menubar) 
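Review bot: In GroupLabel.__init__ the new `Label.__init__(self, html_sanitize(group))` escapes a value that, if pyjamas's Label writes its text through DOM.setInnerText as a text node rather than as innerHTML, is never parsed as markup, so a group named `R&D` or `<admins>` would be shown with the entities visible (neither html_sanitize nor Label is on this page, so please confirm). The same applies to `Label.__init__(self, html_sanitize(name))` in the ContactLabel hunk below it and to `_wid = Label(html_sanitize(msg))` in the last panels.py hunk. Escaping belongs where the string is spliced into HTML markup, i.e. the HTMLPanel format strings in panels.py, and Label callers should pass the raw text: `Label.__init__(self, group)` and `Label.__init__(self, name)`. If the intent is defence in depth against a later switch to an HTML-rendering widget, a short comment on html_sanitize's contract (which characters it escapes, and that it is meant for markup context only) would keep the next reader from applying it to text-node widgets. ContactLabel.__init__ may continue past its hunk.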
@@ -103,10 +107,16 @@ Blog available (mainly in french) at http://www.goffi.org
Project page: http://wiki.goffi.org/wiki/Salut_à_Toi

-Any help Welcome :) +Any help welcome :) """) _dialog = dialog.InfoDialog("About", _about) _dialog.show() + + #Contact menu + def onAddContact(self): + """Q&D contact addition""" + Window.alert("Add contact !") + #Group menu def onJoinRoom(self): @@ -389,9 +399,9 @@ _datetime = datetime.fromtimestamp(timestamp) panel = HTMLPanel("
on
%(body)s
" % - {"author": author, + {"author": html_sanitize(author), "timestamp": _datetime, - "body": body} + "body": html_sanitize(body)} ) panel.setStyleName('microblogEntry') self.add(panel) @@ -406,7 +416,7 @@ DropCell.__init__(self) self.host = host self.accept_all = accept_all - title=title.replace('<','<').replace('>','>') + title=html_sanitize(title) self.accepted_groups = [] _class = ['mb_panel_header'] if title == ' ': @@ -455,7 +465,7 @@ self.addClickListener(self) def __getContent(self): - return "%(status)s" % {'status':self.status} + return "%(status)s" % {'status':html_sanitize(self.status)} def changeStatus(self, new_status): self.status = new_status or ' ' @@ -474,9 +484,9 @@ _msg_class.append("chat_text_mymess") HTMLPanel.__init__(self, "%(timestamp)s %(nick)s %(msg)s" % {"timestamp": _date.strftime("%H:%M"), - "nick": "[%s]" % nick, + "nick": "[%s]" % html_sanitize(nick), "msg_class": ' '.join(_msg_class), - "msg": msg} + "msg": html_sanitize(msg)} ) self.setStyleName('chatText') @@ -533,9 +543,8 @@ return self.target = target title="%s" % target.bare - title.replace('<','<').replace('>','>') _class = ['mb_panel_header'] - self.header = HTMLPanel("
%s
" % (','.join(_class),title)) + self.header = HTMLPanel("
%s
" % (','.join(_class),html_sanitize(title))) self.header.setStyleName('chatHeader') self.body = AbsolutePanel() self.body.setStyleName('chatPanel_body') @@ -607,7 +616,7 @@ normal: general info like "toto has joined the room" me: "/me" information like "/me clenches his fist" ==> "toto clenches his fist" """ - _wid = Label(msg) + _wid = Label(html_sanitize(msg)) if type == 'normal': _wid.setStyleName('chatTextInfo') elif type == 'me':