Mercurial > libervia-web
changeset 51:9f19e16187ff
browser side: HTML sanitization
author | Goffi <goffi@goffi.org> |
---|---|
date | Thu, 26 May 2011 23:03:45 +0200 |
parents | 72c51a4839cc |
children | 4419ef07bb2b |
files | browser_side/contact.py browser_side/panels.py |
diffstat | 2 files changed, 22 insertions(+), 12 deletions(-) [+] |
--- a/browser_side/contact.py Thu May 26 20:13:41 2011 +0200 +++ b/browser_side/contact.py Thu May 26 23:03:45 2011 +0200 @@ -30,6 +30,7 @@ from pyjamas.dnd import makeDraggable from pyjamas.ui.DragWidget import DragWidget, DragContainer from jid import JID +from tools import html_sanitize class DragLabel(DragWidget): @@ -65,7 +66,7 @@ class GroupLabel(DragLabel, Label): def __init__(self, group): self.group = group - Label.__init__(self, group) #, Element=DOM.createElement('div') + Label.__init__(self, html_sanitize(group)) #, Element=DOM.createElement('div') self.setStyleName('group') DragLabel.__init__(self, group, "GROUP") @@ -74,7 +75,7 @@ def __init__(self, jid, name=None): if not name: name=jid - Label.__init__(self, name) + Label.__init__(self, html_sanitize(name)) self.jid=jid self.setStyleName('contact') DragLabel.__init__(self, jid, "CONTACT")
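Review bot: `Label.__init__(self, html_sanitize(group))` escapes a value that `Label` appears to render as plain text rather than HTML, so a group named `a<b` would be shown as the literal entity string instead of the original characters. If pyjamas `Label` sets element text and not markup (worth confirming for the pyjamas version in use), the escape adds no protection here and the call should stay `Label.__init__(self, group)`. The same applies to `Label.__init__(self, html_sanitize(name))` in the `@@ -74,7 +75,7 @@` hunk and to `_wid = Label(html_sanitize(msg))` in the `@@ -607,7 +616,7 @@` hunk of panels.py. Escaping belongs at the `HTMLPanel` sinks, where the string is parsed as markup. Both `__init__` bodies continue outside their hunks.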
--- a/browser_side/panels.py Thu May 26 20:13:41 2011 +0200 +++ b/browser_side/panels.py Thu May 26 23:03:45 2011 +0200 @@ -75,6 +75,9 @@ menu_general.addItem("Social contract", MenuCmd(self, "onSocialContract")) menu_general.addItem("About", MenuCmd(self, "onAbout")) + menu_contacts = MenuBar(vertical=True) + menu_contacts.addItem("add contact", MenuCmd(self, "onAddContact")) + menu_group = MenuBar(vertical=True) menu_group.addItem("join room", MenuCmd(self, "onJoinRoom")) @@ -84,6 +87,7 @@ menubar = MenuBar(vertical=False) menubar.addItem(MenuItem("General", menu_general)) + menubar.addItem(MenuItem("Contacts", menu_contacts)) menubar.addItem(MenuItem("Groups", menu_group)) menubar.addItem(MenuItem("Games", True, menu_games)) self.add(menubar) @@ -103,10 +107,16 @@ Blog available (mainly in french) at <a href="http://www.goffi.org" target="_blank">http://www.goffi.org</a><br /> Project page: <a href="http://wiki.goffi.org/wiki/Salut_à_Toi"target="_blank">http://wiki.goffi.org/wiki/Salut_à_Toi</a><br /> <br /> -Any help Welcome :) +Any help welcome :) """) _dialog = dialog.InfoDialog("About", _about) _dialog.show() + + #Contact menu + def onAddContact(self): + """Q&D contact addition""" + Window.alert("Add contact !") + #Group menu def onJoinRoom(self): @@ -389,9 +399,9 @@ _datetime = datetime.fromtimestamp(timestamp) panel = HTMLPanel("<div class='mb_entry_header'><span class='mb_entry_author'>%(author)s</span> on <span class='mb_entry_timestamp'>%(timestamp)s</span></div><div class='mb_entry_body'>%(body)s</div>" % - {"author": author, + {"author": html_sanitize(author), "timestamp": _datetime, - "body": body} + "body": html_sanitize(body)} ) panel.setStyleName('microblogEntry') self.add(panel) @@ -406,7 +416,7 @@ DropCell.__init__(self) self.host = host self.accept_all = accept_all - title=title.replace('<','<').replace('>','>') + title=html_sanitize(title) self.accepted_groups = [] _class = ['mb_panel_header'] if title == ' ': 
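Review bot: `html_sanitize` is called in the `@@ -389,9 +399,9 @@` hunk and in five later hunks of panels.py, but no hunk in this file imports it. The diffstat's 22 insertions and 12 deletions are fully accounted for by the visible hunks, so the import is not hidden elsewhere in the changeset. Unless panels.py already had the name in scope before this revision, rendering the first microblog entry will fail on an undefined name. Add `from tools import html_sanitize` next to the file's other imports, as contact.py does.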
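Review bot: In the `@@ -406,7 +416,7 @@` hunk, `title=html_sanitize(title)` runs before the `if title == ' ':` comparison, so the check now tests the escaped string rather than the caller's value. If the literal in that comparison is an HTML entity placeholder in the original file (the page rendering may have decoded it) and `html_sanitize` escapes `&`, the branch can no longer match. Compare the raw title first and escape only where the header markup is built. The same ordering question applies to the `@@ -455,7 +465,7 @@` hunk, where `changeStatus` stores a default placeholder in `self.status` that `__getContent` then passes through `html_sanitize`. The implementation of `html_sanitize` is not shown, so confirm which characters it escapes; the enclosing `__init__` continues outside the hunk.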
@@ -455,7 +465,7 @@ self.addClickListener(self) def __getContent(self): - return "<span class='status'>%(status)s</span>" % {'status':self.status} + return "<span class='status'>%(status)s</span>" % {'status':html_sanitize(self.status)} def changeStatus(self, new_status): self.status = new_status or ' ' @@ -474,9 +484,9 @@ _msg_class.append("chat_text_mymess") HTMLPanel.__init__(self, "<span class='chat_text_timestamp'>%(timestamp)s</span> <span class='chat_text_nick'>%(nick)s</span> <span class='%(msg_class)s'>%(msg)s</span>" % {"timestamp": _date.strftime("%H:%M"), - "nick": "[%s]" % nick, + "nick": "[%s]" % html_sanitize(nick), "msg_class": ' '.join(_msg_class), - "msg": msg} + "msg": html_sanitize(msg)} ) self.setStyleName('chatText') @@ -533,9 +543,8 @@ return self.target = target title="%s" % target.bare - title.replace('<','<').replace('>','>') _class = ['mb_panel_header'] - self.header = HTMLPanel("<div class='%s'>%s</div>" % (','.join(_class),title)) + self.header = HTMLPanel("<div class='%s'>%s</div>" % (','.join(_class),html_sanitize(title))) self.header.setStyleName('chatHeader') self.body = AbsolutePanel() self.body.setStyleName('chatPanel_body') @@ -607,7 +616,7 @@ normal: general info like "toto has joined the room" me: "/me" information like "/me clenches his fist" ==> "toto clenches his fist" """ - _wid = Label(msg) + _wid = Label(html_sanitize(msg)) if type == 'normal': _wid.setStyleName('chatTextInfo') elif type == 'me':
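Review bot: In the `@@ -533,9 +543,8 @@` hunk, the rewritten header line still builds the class attribute with `','.join(_class)`, which yields a comma-separated value that is not a valid class list once `_class` holds more than one entry. The chat text hunk above uses `' '.join(_msg_class)` for the same purpose, so use `' '.join(_class)` here as well. With the single entry visible in the hunk the output is unchanged. The enclosing method starts and ends outside the hunk.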