comparison website/issues/html/page.html @ 5287:07617c8d4efc
Applying upgrade of 1.5.1 -> 1.6.0.
Upgraded login form.
Added @csrf tokens to forms using post.
Fix security issue by displaying username without escaping HTML
entities.
User queries hrefs have their names URL quoted which makes multi-word
queries a valid URL.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 24 Sep 2017 19:19:28 -0400 |
| parents | d24e156f9069 |
| children | 3e740c65510e |
| 5286:578b5294e888 | 5287:07617c8d4efc |
|---|---|
| 82 i18n:attributes="value"/> | 82 i18n:attributes="value"/> |
| 83 <input class="form-small" size="4" | 83 <input class="form-small" size="4" |
| 84 type="text" name="@number"/> | 84 type="text" name="@number"/> |
| 85 <input type="hidden" name="@type" value="issue"/> | 85 <input type="hidden" name="@type" value="issue"/> |
| 86 <input type="hidden" name="@action" value="show"/> | 86 <input type="hidden" name="@action" value="show"/> |
| 87 <input name="@csrf" type="hidden" | |
| 88 tal:attributes="value python:utils.anti_csrf_nonce()"> | |
| 87 </form> | 89 </form> |
| 88 </li> | 90 </li> |
| 89 </ul> | 91 </ul> |
| 90 | 92 |
| 91 <ul> | 93 <ul> |
| 92 <li tal:condition="python:request.user.username=='anonymous'" class="submenu"> | 94 <li tal:condition="python:request.user.username=='anonymous'" class="submenu"> |
| 93 <b i18n:translate="">User</b> | 95 <b i18n:translate="">User</b> |
| 94 <form method="post" action="#"> | 96 <form method="post" tal:attributes="action request/base"> |
| 95 <ul> | 97 <ul> |
| 96 <li> | 98 <li> |
| 97 <tal:span i18n:translate="">Login</tal:span><br/> | 99 <tal:span i18n:translate="">Login</tal:span><br/> |
| 98 <input size="10" name="__login_name"/><br/> | 100 <input size="10" name="__login_name"/><br/> |
| 99 <input size="10" type="password" name="__login_password"/><br/> | 101 <input size="10" type="password" name="__login_password"/><br/> |
| 100 <input type="hidden" name="@action" value="Login"/> | 102 <input type="hidden" name="@action" value="Login"/> |
| 101 <input type="checkbox" name="remember" id="remember"/> | 103 <input type="checkbox" name="remember" id="remember"/> |
| 102 <label for="remember" i18n:translate="">Remember me?</label><br/> | 104 <label for="remember" i18n:translate="">Remember me?</label><br/> |
| 103 <input class="form-small" type="submit" value="Login" i18n:attributes="value"/><br/> | 105 <input class="form-small" type="submit" value="Login" i18n:attributes="value"/><br/> |
| 104 <input type="hidden" name="__came_from" tal:attributes="value string:${request/env/PATH_INFO}"/> | 106 <input name="@csrf" type="hidden" |
| 107 tal:attributes="value python:utils.anti_csrf_nonce()"> | |
| 108 <input type="hidden" name="__came_from" | |
| 109 tal:condition="exists:request/env/QUERY_STRING" | |
| 110 tal:attributes="value string:${request/base}${request/env/PATH_INFO}?${request/env/QUERY_STRING}"> | |
| 111 <input type="hidden" name="__came_from" | |
| 112 tal:condition="not:exists:request/env/QUERY_STRING" | |
| 113 tal:attributes="value string:${request/base}${request/env/PATH_INFO}"> | |
| 105 <span tal:replace="structure request/indexargs_form" /> | 114 <span tal:replace="structure request/indexargs_form" /> |
| 106 </li> | 115 </li> |
| 107 <li> | 116 <li> |
| 108 <a href="user?@template=register" | 117 <a href="user?@template=register" |
| 109 tal:condition="python:request.user.hasPermission('Register', 'user')" | 118 tal:condition="python:request.user.hasPermission('Register', 'user')" |
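Review bot: the new `__came_from` inputs (new lines 108-113) build the post-login return target from `request/base`, `PATH_INFO` and the raw `QUERY_STRING`, so the value is now a full URL assembled from request-controlled parts where the old line 104 passed a bare `PATH_INFO`; this template cannot show how `@action=Login` consumes it, so confirm on the server side that the redirect target is checked against `request/base` before it is followed. Two smaller points: the `exists:`/`not:exists:` pair on 109 and 112 could be one input whose value is built in a single `python:` expression, and the new `<input` elements on 87-88 and 106-113 close with `>` where the rest of the file uses `/>`, which should stay consistent. The `<form>` opening tag for the `@number` search form (above line 82) is outside the hunk; since the commit message says the nonce is added to POST forms only, verify that form is `method="post"`.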
| 114 </ul> | 123 </ul> |
| 115 </form> | 124 </form> |
| 116 </li> | 125 </li> |
| 117 | 126 |
| 118 <li tal:condition="python:request.user.username != 'anonymous'" class="submenu"> | 127 <li tal:condition="python:request.user.username != 'anonymous'" class="submenu"> |
| 119 <p class="label"><b tal:replace="request/user/username">username</b></p> | 128 <p class="label"><b tal:replace="python:request.user.username.plain(escape=1)">username</b></p> |
| 120 <ul> | 129 <ul> |
| 121 <li> | 130 <li> |
| 122 <a href="#" | 131 <a href="#" |
| 123 tal:attributes="href python:request.indexargs_url('issue', { | 132 tal:attributes="href python:request.indexargs_url('issue', { |
| 124 '@sort': '-activity', | 133 '@sort': '-activity', |
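Review bot: the change on new line 128 is the right fix, but it deserves a regression test. `request/user/username` evaluates to a property wrapper (the new expression calls `.plain()` on it) rather than a plain string, and the commit message describes the old rendering as a security issue, so that wrapper was evidently inserted without entity encoding; `plain(escape=1)` makes the escaping explicit. Suggest a test that logs in a user whose name contains `<` and `&` and checks the page source, and a grep for other templates that render `request/user/username` through `tal:replace` or `tal:content` so they get the same treatment.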
| 143 </li> | 152 </li> |
| 144 <li class="" | 153 <li class="" |
| 145 tal:condition="python:request.user.hasPermission('View', 'query')"> | 154 tal:condition="python:request.user.hasPermission('View', 'query')"> |
| 146 <span i18n:translate=""><b>Your Queries</b> (<a class="nomargin" href="query?@template=edit">edit</a>)</span><br/> | 155 <span i18n:translate=""><b>Your Queries</b> (<a class="nomargin" href="query?@template=edit">edit</a>)</span><br/> |
| 147 <ul tal:repeat="qs request/user/queries"> | 156 <ul tal:repeat="qs request/user/queries"> |
| 148 <li><a tal:attributes="href string:${qs/klass}?${qs/url}&@dispname=${qs/name}" | 157 <li><a href="#" tal:attributes="href string:${qs/klass}?${qs/url}&@dispname=${qs/name/url_quote}" |
| 149 tal:content="qs/name">link</a></li> | 158 tal:content="qs/name">link</a></li> |
| 150 </ul> | 159 </ul> |
| 151 </li> | 160 </li> |
| 152 <li class="" | 161 <li class="" |
| 153 tal:condition="python:request.user.hasPermission('View', 'user')"> | 162 tal:condition="python:request.user.hasPermission('View', 'user')"> |
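Review bot: new line 157 quotes `qs/name` with `url_quote` but interpolates `${qs/url}` into the same href unchanged, so the generated link is only well-formed if the stored query `url` is already percent-encoded; worth confirming at the point where queries are saved rather than assuming it here. The `href="#"` placeholder before `tal:attributes` is a good addition and the link text on 158 stays on `tal:content="qs/name"`, which is escaped by the template engine, so only the attribute needed the change.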
