3aeae2c7
Commit
3aeae2c7
authored
May 03, 2017
by
Jacob Schatz
Merge branch 'droplab-templating-xss-fix' into 'master'
droplab templating xss fix See merge request !2085
parents
185fd98f
abde62b5
Changes
6
Showing
6 changed files
with
21 additions
and
12 deletions
+21
-12
app/assets/javascripts/droplab/constants.js
app/assets/javascripts/droplab/constants.js
+3
-0
app/assets/javascripts/droplab/drop_down.js
app/assets/javascripts/droplab/drop_down.js
+1
-1
app/assets/javascripts/droplab/utils.js
app/assets/javascripts/droplab/utils.js
+8
-8
app/assets/javascripts/filtered_search/dropdown_hint.js
app/assets/javascripts/filtered_search/dropdown_hint.js
+1
-1
spec/javascripts/droplab/constants_spec.js
spec/javascripts/droplab/constants_spec.js
+6
-0
spec/javascripts/droplab/drop_down_spec.js
spec/javascripts/droplab/drop_down_spec.js
+2
-2
app/assets/javascripts/droplab/constants.js
@@ -3,11 +3,14 @@ const DATA_DROPDOWN = 'data-dropdown';
@@ -3,11 +3,14 @@ const DATA_DROPDOWN = 'data-dropdown';
const
SELECTED_CLASS
=
'
droplab-item-selected
'
;
const
SELECTED_CLASS
=
'
droplab-item-selected
'
;
const
ACTIVE_CLASS
=
'
droplab-item-active
'
;
const
ACTIVE_CLASS
=
'
droplab-item-active
'
;
const
IGNORE_CLASS
=
'
droplab-item-ignore
'
;
const
IGNORE_CLASS
=
'
droplab-item-ignore
'
;
// Matches `{{anything}}` and `{{ everything }}`.
const
TEMPLATE_REGEX
=
/
\{\{(
.+
?)\}\}
/g
;
export
{
export
{
DATA_TRIGGER
,
DATA_TRIGGER
,
DATA_DROPDOWN
,
DATA_DROPDOWN
,
SELECTED_CLASS
,
SELECTED_CLASS
,
ACTIVE_CLASS
,
ACTIVE_CLASS
,
TEMPLATE_REGEX
,
IGNORE_CLASS
,
IGNORE_CLASS
,
};
};
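Review bot: TEMPLATE_REGEX is exported with the `g` flag, and a shared global-flag regex is stateful: any caller that runs `.test()` or `.exec()` on it advances `lastIndex` and silently misses on the next call. In the utils.js hunk it is only handed to underscore's `_template` as the `escape` delimiter, which presumably reads `.source` and is unaffected, but the export invites direct use elsewhere. Either drop the flag, `const TEMPLATE_REGEX = /\{\{(.+?)\}\}/;` (and adjust the new spec accordingly), or document the constraint above the constant: `// Used as underscore's escape delimiter (matches are HTML-escaped); do not call .test/.exec on it, the g flag makes lastIndex stateful.` Note also that `.` does not cross newlines, so a placeholder split across lines is not recognised.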
app/assets/javascripts/droplab/drop_down.js
@@ -94,7 +94,7 @@ Object.assign(DropDown.prototype, {
@@ -94,7 +94,7 @@ Object.assign(DropDown.prototype, {
},
},
renderChildren
:
function
(
data
)
{
renderChildren
:
function
(
data
)
{
var
html
=
utils
.
t
(
this
.
templateString
,
data
);
var
html
=
utils
.
t
emplate
(
this
.
templateString
,
data
);
var
template
=
document
.
createElement
(
'
div
'
);
var
template
=
document
.
createElement
(
'
div
'
);
template
.
innerHTML
=
html
;
template
.
innerHTML
=
html
;
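Review bot: `renderChildren` still assigns the rendered string to `template.innerHTML`, so after this change the safety of that line rests entirely on `this.templateString` being static, developer-authored markup: `utils.template` escapes the `{{...}}` slots, not the surrounding markup, and per the utils.js hunk the string is compiled by underscore, so a template taken from user-controlled DOM or data would execute rather than render. Nothing at the call site records that contract; I would add `// templateString must be trusted markup; only {{...}} slots are escaped by utils.template` above the `var html = ...` line. The rest of `renderChildren` and the enclosing `Object.assign(DropDown.prototype, ...)` are outside the hunk.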
app/assets/javascripts/droplab/utils.js
/* eslint-disable */
/* eslint-disable */
import
{
DATA_TRIGGER
,
DATA_DROPDOWN
}
from
'
./constants
'
;
import
{
template
as
_template
}
from
'
underscore
'
;
import
{
DATA_TRIGGER
,
DATA_DROPDOWN
,
TEMPLATE_REGEX
}
from
'
./constants
'
;
const
utils
=
{
const
utils
=
{
toCamelCase
(
attr
)
{
toCamelCase
(
attr
)
{
return
this
.
camelize
(
attr
.
split
(
'
-
'
).
slice
(
1
).
join
(
'
'
));
return
this
.
camelize
(
attr
.
split
(
'
-
'
).
slice
(
1
).
join
(
'
'
));
},
},
t
(
s
,
d
)
{
template
(
templateString
,
data
)
{
for
(
const
p
in
d
)
{
const
template
=
_template
(
templateString
,
{
if
(
Object
.
prototype
.
hasOwnProperty
.
call
(
d
,
p
))
{
escape
:
TEMPLATE_REGEX
,
s
=
s
.
replace
(
new
RegExp
(
`{{
${
p
}
}}`
,
'
g
'
),
d
[
p
]);
});
}
}
return
template
(
data
);
return
s
;
},
},
camelize
(
str
)
{
camelize
(
str
)
{
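Review bot: `template()` passes `templateString` to underscore's `_template`, which compiles it into a function, and the settings object overrides only the `escape` delimiter, so underscore's default `<%= %>` interpolate and `<% %>` evaluate delimiters presumably remain active (underscore merges the supplied settings with `_.templateSettings`). The XSS fix therefore holds only while every `templateString` is a developer-authored literal; a template assembled from request data would be arbitrary JavaScript, not merely unescaped HTML, and even the captured `{{ expr }}` text is evaluated as an expression against `data`. If the other delimiters are not meant to be used, disable them explicitly, `const template = _template(templateString, { escape: TEMPLATE_REGEX, interpolate: /(.)^/, evaluate: /(.)^/ });`, and state the contract in a JSDoc line above the method: `/** Render templateString with data; every {{expr}} slot is HTML-escaped. templateString is compiled to JS and must be trusted. */`. The enclosing `utils` object continues past the hunk.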
app/assets/javascripts/filtered_search/dropdown_hint.js
@@ -62,7 +62,7 @@ class DropdownHint extends gl.FilteredSearchDropdown {
@@ -62,7 +62,7 @@ class DropdownHint extends gl.FilteredSearchDropdown {
Object
.
assign
({
Object
.
assign
({
icon
:
`fa-
${
icon
}
`
,
icon
:
`fa-
${
icon
}
`
,
hint
,
hint
,
tag
:
`
<
${
tag
}
>
`
,
tag
:
`
<
${
tag
}
>
`
,
},
type
&&
{
type
}),
},
type
&&
{
type
}),
);
);
}
}
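Review bot: The `tag:` value now carries a literal `<` and `>` around user-visible text, and it is only safe because `utils.template` HTML-escapes every `{{...}}` slot before `renderChildren` assigns `innerHTML`; nothing at this site says so, and switching the template to a raw interpolation would turn `tag` back into markup. The old and new lines render identically on this page, so the one-line change this section reports (presumably entity-escaped text before) cannot be verified here. A short comment would pin the intent: `tag: \`<${tag}>\`, // shown as text: utils.template escapes the {{ }} slot`.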
spec/javascripts/droplab/constants_spec.js
@@ -27,6 +27,12 @@ describe('constants', function () {
@@ -27,6 +27,12 @@ describe('constants', function () {
});
});
});
});
describe
(
'
TEMPLATE_REGEX
'
,
function
()
{
it
(
'
should be a handlebars templating syntax regex
'
,
function
()
{
expect
(
constants
.
TEMPLATE_REGEX
).
toEqual
(
/
\{\{(
.+
?)\}\}
/g
);
});
});
describe
(
'
IGNORE_CLASS
'
,
function
()
{
describe
(
'
IGNORE_CLASS
'
,
function
()
{
it
(
'
should be `droplab-item-ignore`
'
,
function
()
{
it
(
'
should be `droplab-item-ignore`
'
,
function
()
{
expect
(
constants
.
IGNORE_CLASS
).
toBe
(
'
droplab-item-ignore
'
);
expect
(
constants
.
IGNORE_CLASS
).
toBe
(
'
droplab-item-ignore
'
);
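Review bot: The new test only restates the literal (`toEqual(/\{\{(.+?)\}\}/g)`), so it cannot catch a regression in what the regex actually accepts, and its title calls the syntax "handlebars", which it is not: only a bare `{{expr}}` placeholder is matched. I would rename the case to `it('matches mustache-style {{ }} placeholders', function () {` and add behaviour assertions such as `expect('{{a}}{{b}}'.match(constants.TEMPLATE_REGEX)).toEqual(['{{a}}', '{{b}}']);` (the non-greedy group yields two placeholders, not one) and `expect('{{a\nb}}'.match(constants.TEMPLATE_REGEX)).toBeNull();` (`.` does not cross newlines). The outer `describe('constants', ...)` continues past the hunk.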
spec/javascripts/droplab/drop_down_spec.js
@@ -451,7 +451,7 @@ describe('DropDown', function () {
@@ -451,7 +451,7 @@ describe('DropDown', function () {
this
.
html
=
'
html
'
;
this
.
html
=
'
html
'
;
this
.
template
=
{
firstChild
:
{
outerHTML
:
'
outerHTML
'
,
style
:
{}
}
};
this
.
template
=
{
firstChild
:
{
outerHTML
:
'
outerHTML
'
,
style
:
{}
}
};
spyOn
(
utils
,
'
t
'
).
and
.
returnValue
(
this
.
html
);
spyOn
(
utils
,
'
t
emplate
'
).
and
.
returnValue
(
this
.
html
);
spyOn
(
document
,
'
createElement
'
).
and
.
returnValue
(
this
.
template
);
spyOn
(
document
,
'
createElement
'
).
and
.
returnValue
(
this
.
template
);
spyOn
(
this
.
dropdown
,
'
setImagesSrc
'
);
spyOn
(
this
.
dropdown
,
'
setImagesSrc
'
);
@@ -459,7 +459,7 @@ describe('DropDown', function () {
@@ -459,7 +459,7 @@ describe('DropDown', function () {
});
});
it
(
'
should call utils.t with .templateString and data
'
,
function
()
{
it
(
'
should call utils.t with .templateString and data
'
,
function
()
{
expect
(
utils
.
t
).
toHaveBeenCalledWith
(
this
.
templateString
,
this
.
data
);
expect
(
utils
.
t
emplate
).
toHaveBeenCalledWith
(
this
.
templateString
,
this
.
data
);
});
});
it
(
'
should call document.createElement
'
,
function
()
{
it
(
'
should call document.createElement
'
,
function
()
{
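Review bot: The spy and the expectation in the second hunk were renamed to `utils.template`, but the case title still reads `'should call utils.t with .templateString and data'`, so the spec report will keep naming a method that no longer exists. Change it to `it('should call utils.template with .templateString and data', function () {`. The surrounding `describe('DropDown', ...)` blocks start and end outside the hunks.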