Mercurial > p > roundup > code
view website/issues/html/user_utils.js @ 4880:ca692423e401
Different approach to fix XSS in issue2550817
Encapsulate the error/ok message append method as add_ok_message and
add_error_message. The new approach escapes the messages when appending
-- at a point in the code where we still know where the message comes
from. Escaping is the default but can bei turned off. This also fixes
issue2550836 where certain messages may contain links.
Another advantage of the new fix is that users don't need to change
installed trackers and are secure by default.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Mon, 31 Mar 2014 18:19:23 +0200 |
| parents | c2d0d3e9099d |
| children | 248b7a754412 |
line wrap: on
line source
// User Editing Utilities /** * for new users: * Depending on the input field which calls it, takes the value * and dispatches it to certain other input fields: * * address * +-> username * | `-> realname * `-> organisation */ function split_name(that) { var raw = that.value var val = trim(raw) if (val == '') { return } var username='' var realname='' var address='' switch (that.name) { case 'address': address=val break case 'username': username=val break case 'realname': realname=val break default: alert('Ooops - unknown name field '+that.name+'!') return } var the_form = that.form; function field_empty(name) { return the_form[name].value == '' } // no break statements - on purpose! switch (that.name) { case 'address': var split1 = address.split('@') if (field_empty('username')) { username = split1[0] the_form.username.value = username } if (field_empty('organisation')) { the_form.organisation.value = default_organisation(split1[1]) } case 'username': if (field_empty('realname')) { realname = Cap(username.split('.').join(' ')) the_form.realname.value = realname } case 'realname': if (field_empty('username')) { username = Cap(realname.replace(' ', '.')) the_form.username.value = username } if (the_form.firstname && the_form.lastname) { var split2 = realname.split(' ') var firstname='', lastname='' firstname = split2[0] lastname = split2.slice(1).join(' ') if (field_empty('firstname')) { the_form.firstname.value = firstname } if (field_empty('lastname')) { the_form.lastname.value = lastname } } } } function SubCap(str) { switch (str) { case 'de': case 'do': case 'da': case 'du': case 'von': return str; } if (str.toLowerCase().slice(0,2) == 'mc') { return 'Mc'+str.slice(2,3).toUpperCase()+str.slice(3).toLowerCase() } return str.slice(0,1).toUpperCase()+str.slice(1).toLowerCase() } function Cap(str) { var liz = str.split(' ') for (var i=0; i<liz.length; i++) { liz[i] = SubCap(liz[i]) } return liz.join(' ') } /** * Takes a domain name (behind the @ part of an email address) * Customise this to handle the mail domains you're interested in */ function default_organisation(orga) { switch (orga.toLowerCase()) { case 'gmx': case 'yahoo': return '' default: return orga } }