ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix a lot of html escaping issues 

These issues arose from a change in the way we are storing plaintext fields in
the database. Previously they were stored html escaped, and now they're not.
Fixed areas include:

 * folder names in file manager
 * new course sub-account dialog
 * grading rules for assignment groups
 * event titles in calendar
 * content locks page
 * outcomes inside rubrics
 * course listing while writing feedback
 * copying file between contexts in file mgr
 * sis import screen logs
 * file upload options in wiki sidebar

Change-Id: Iab8c8deb81fdfd9062570288218db4180204a497
Reviewed-on: https://gerrit.instructure.com/2406
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Zach Wily <zach@instructure.com>
This commit is contained in:
Zach Wily 2011-02-22 12:38:54 -07:00
parent 17b89a1751
commit 3ebda084fe
13 changed files with 25 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/models/account.rb
View File

@ -186,7 +186,7 @@ class Account < ActiveRecord::Base
end
def sub_accounts_as_options(indent=0)
res = [[("&nbsp;&nbsp;" * indent) + self.name, self.id]]
res = [[("&nbsp;&nbsp;" * indent).html_safe + self.name, self.id]]
self.sub_accounts.each do |account|
res += account.sub_accounts_as_options(indent + 1)
end

3
app/views/accounts/show.html.erb
View File

@ -78,9 +78,6 @@ $(document).ready(function() {
// get rid of this lookup part and it will use ajax queries to that serviceUrl above. I just figured this would be faster
// and since we dont have that many users per institution we can afford to send it in a pageload.
}
$("#course_account_id option").each(function() {
$(this).html($(this).text());
});
});
</script>
<% end %>

4
app/views/accounts/statistics_page_views.html.erb
View File

@ -56,10 +56,10 @@
r.g.axis(40, 230, 220, 0, 100, 5, 1, [' ', '20%', '40%', '60%', '80%', '100%'], '|');
r.g.axis(40, 230, 500, 0, 23, 24, 0, ['12am','1am','2am','3am','4am','5am','6am','7am','8am','9am','10am','11am','12pm','1pm','2pm','3pm','4pm','5pm','6pm','7pm','8pm','9pm','10pm','11pm', '12am'], '+');
} else {
$("#hourly_usage").html("No data found for report");
$("#hourly_usage").text("No data found for report");
}
} catch(e) {
$("#hourly_usage").html("Error building usage report: " + e.toString());
$("#hourly_usage").text("Error building usage report: " + e.toString());
}
var pageViewData = <%= raw @account.page_view_data(@start_at, @end_at).to_json %>;

2
app/views/content_imports/migrate_content_choose.html.erb
View File

@ -499,7 +499,7 @@ $(document).ready(function() {
var code = "ContentMigration:" + $(".content_migration_id:first").text() + ":" + course_import.progress;
var message = "There was an error during your migration import. Please notify your system administrator and give them the following code: \"" + code + "\"";
$.flashError(message);
$(".progress_message").html(message); //after("<div>" + message + "</div>")
$(".progress_message").text(message);
} else {
if(progress == lastProgress) {
waitTime = Math.max(waitTime + 500, 30000);

2
public/javascripts/assignments.js
View File

@ -548,7 +548,7 @@
} else if(rule_type == "drop_highest") {
rules += "Drop the Highest " + value + " Scores<br/>";
} else if(rule_type == "never_drop") {
var title = $("#assignment_" + value).find(".title").text();
var title = $("#assignment_" + value).find(".title").html();
rules += "Never Drop " + title + "<br/>";
}
}

3
public/javascripts/calendar.js
View File

@ -594,8 +594,7 @@
if(event.start_time_string && event.start_time_string != event.end_time_string) {
title_time += " to " + (event.end_time_formatted || "");
}
// event.title is html escaped, so we need to unescape it for the tooltip
var event_title = $("<div/>").html(event.title).text();
event_title = event.title;
event_title += (title_time ? " - " + title_time : "");
if(data.assignment && title_time) {
event_title = "due: " + event_title;

8
public/javascripts/content_locks.js
View File

@ -23,13 +23,13 @@ $(document).ready(function() {
var data = $(this).data('lock_reason');
var type = data.type || "content";
var $reason = $("<div/>");
$reason.html("This " + type + " is locked. No other reason has been provided.");
$reason.text("This " + type + " is locked. No other reason has been provided.");
if(data.lock_at) {
$reason.html("This " + type + " was locked " + $.parseFromISO(data.lock_at).datetime_formatted);
$reason.text("This " + type + " was locked " + $.parseFromISO(data.lock_at).datetime_formatted);
} else if(data.unlock_at) {
$reason.html("This " + type + " is locked until " + $.parseFromISO(data.unlock_at).datetime_formatted);
$reason.text("This " + type + " is locked until " + $.parseFromISO(data.unlock_at).datetime_formatted);
} else if(data.context_module) {
$reason.html("This " + type + " is part of the module <b>" + data.context_module.name + "</b> and hasn't been unlocked yet.");
$reason.html("This " + type + " is part of the module <b>" + $.htmlEscape(data.context_module.name) + "</b> and hasn't been unlocked yet.");
if($("#context_modules_url").length > 0) {
$reason.append("<br/>");
var $link = $("<a/>");

2
public/javascripts/edit_rubric.js
View File

@ -590,7 +590,7 @@ var rubricEditing = {
var $name = $dialog.find(".outcomes_select.blank:first").clone(true).removeClass('blank');
outcome.title = outcome.short_description;
var $text = $("<div/>");
$text.html(outcome.short_description);
$text.text(outcome.short_description);
outcome.title = $.truncateText($.trim($text.text()), 35);
outcome.display_name = outcome.cached_context_short_name || "";
$name.fillTemplateData({data: outcome});

2
public/javascripts/feedback.js
View File

@ -57,7 +57,7 @@ $(document).ready(function() {
$dialog.find(".feedback-course-select")
.html(function(){
return $.map(courses, function(course){
return '<option value="' + course.id + '">' + course.name + '</option>';
return '<option value="' + course.id + '">' + $.htmlEscape(course.name) + '</option>';
}).join('');
})
.showIf(courses.length > 0);

4
public/javascripts/full_files.js
View File

@ -441,7 +441,7 @@ var files = {};
$(ui.helper).find(".header .sub_header").text("move to " + droppable.name);
if(draggable && droppable && draggable.context_string != droppable.context_string) {
$(ui.helper).addClass('copy_drag');
$(ui.helper).find(".header .sub_header").html("<strong>copy</strong> to " + droppable.name);
$(ui.helper).find(".header .sub_header").html("<strong>copy</strong> to " + $.htmlEscape(droppable.name));
}
},
out: function(event, ui) {
@ -524,7 +524,7 @@ var files = {};
if(!$context_folder || $context_folder.length === 0) {
$context_folder = $files_structure.find(".folder_blank").clone(true).removeClass('folder_blank');
}
$context_folder.children(".name").html(context_name);
$context_folder.children(".name").text(context_name);
$context_folder.children(".id").text(root_folder.id);
$context_folder.addClass('context folder folder_' + root_folder.id + ' ' + context_string);
$context_folder.find("li").addClass('to_be_removed');

9
public/javascripts/instructure_helper.js
View File

@ -720,7 +720,9 @@
}
return r;
}
$.htmlEscape = function(str) {
return $('<div/>').text(str).html();
}
// Fills the selected object(s) with data values as specified. Plaintext values should be specified in the
// data: data used to fill template.
@ -771,8 +773,8 @@
$found.val(options.data[item]);
} else {
try {
var str = options.data[item].toString().replace(/\&/g, "&amp;").replace(/\"/g, "&quot;").replace(/\</g, "&lt;").replace(/\>/g, "&gt;");
$found.html(str);
var str = options.data[item].toString();
$found.html($.htmlEscape(str));
} catch(e) { }
}
}
@ -811,6 +813,7 @@
}
return this;
};
$.fn.fillTemplateData.defaults = {htmlValues: null, hrefValues: null};
// Reverse version of fillTemplateData. Lets you pull out the string versions of values held in divs, spans, etc.
// Based on the usage of class names within an object to specify an object's sub-parts.

6
public/javascripts/sis_import.js
View File

@ -32,7 +32,7 @@ $(document).ready(function(event) {
output += "<li>Errors that prevent importing\n<ul>";
for(var i in batch.processing_errors) {
var message = batch.processing_errors[i];
output += "<li>" + message[0] + " - " + message[1] + "</li>";
output += "<li>" + $.htmlEscape(message[0]) + " - " + $.htmlEscape(message[1]) + "</li>";
}
output += "</ul>\n</li>";
}
@ -40,7 +40,7 @@ $(document).ready(function(event) {
output += "<li>Warnings\n<ul>";
for(var i in batch.processing_warnings) {
var message = batch.processing_warnings[i];
output += "<li>" + message[0] + " - " + message[1] + "</li>";
output += "<li>" + $.htmlEscape(message[0]) + " - " + $.htmlEscape(message[1]) + "</li>";
}
output += "</ul>\n</li>";
}
@ -162,7 +162,7 @@ $(document).ready(function(event) {
startPoll();
} else {
//show error message
$(".sis_messages .error_message").html(data.error_message);
$(".sis_messages .error_message").text(data.error_message);
$(".sis_messages").show();
if(data.batch_in_progress){
startPoll();

1
public/javascripts/wiki_sidebar.js
View File

@ -164,6 +164,7 @@
if(name.length + level + 1 > 38) {
name = name.substring(0, 35) + "...";
}
name = $.htmlEscape(name);
for(var idx = 0; idx < level; idx++) {
name = "&nbsp;&nbsp;" + name;
}