client/general: escape entity names in links

rr- 2016-06-23 12:19:32 +02:00
parent 6ea129a9ef
commit c7f6663c36
12 changed files with 35 additions and 33 deletions


@ -1,7 +1,7 @@
<div class='comment'>
<div class='avatar'>
<% if (ctx.comment.user.name && ctx.canViewUsers) { %>
<a href='/user/<%- ctx.comment.user.name %>'>
<a href='/user/<%- encodeURIComponent(ctx.comment.user.name) %>'>
<% } %>
<%= ctx.makeThumbnail(ctx.comment.user.avatarUrl) %>
@ -15,7 +15,7 @@
<header><!--
--><span class='nickname'><!--
--><% if (ctx.comment.user.name && ctx.canViewUsers) { %><!--
--><a href='/user/<%- ctx.comment.user.name %>'><!--
--><a href='/user/<%- encodeURIComponent(ctx.comment.user.name) %>'><!--
--><% } %><!--
--><%- ctx.comment.user.name %><!--
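Review bot: The avatar directly below the rebuilt `<a>` line is still emitted with raw `<%=` via `ctx.makeThumbnail(ctx.comment.user.avatarUrl)`, while this commit only URL-encodes the user name in the href. Whether that is safe depends on makeThumbnail attribute-escaping the URL it is given, which is not visible in this hunk; if it concatenates straight into an `<img src='…'>`, an avatar URL containing a quote could break out of the attribute. I would either confirm makeThumbnail escapes its argument or record the assumption at the call site, e.g. `<% /* makeThumbnail returns markup and must escape avatarUrl itself */ %>`, so the next reader knows why this one is `<%=` and not `<%-`.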


@ -4,7 +4,7 @@
--><li><!--
--><div class='post-thumbnail'><!--
--><% if (ctx.canViewPosts) { %><!--
--><a href='/post/<%- post.id %>'><!--
--><a href='/post/<%- encodeURIComponent(post.id) %>'><!--
--><% } %><!--
--><%= ctx.makeThumbnail(post.thumbnailUrl) %><!--
--><% if (ctx.canViewPosts) { %><!--


@ -4,9 +4,9 @@
<article class='next-post'>
<% if (ctx.nextPostId) { %>
<% if (ctx.searchQuery && ctx.searchQuery.text) { %>
<a href='/post/<%- ctx.nextPostId %>/text=<%- ctx.searchQuery.text %>'>
<a href='/post/<%- encodeURIComponent(ctx.nextPostId) %>/text=<%- encodeURIComponent(ctx.searchQuery.text) %>'>
<% } else { %>
<a href='/post/<%- ctx.nextPostId %>'>
<a href='/post/<%- encodeURIComponent(ctx.nextPostId) %>'>
<% } %>
<% } else { %>
<a class='inactive'>
@ -18,9 +18,9 @@
<article class='previous-post'>
<% if (ctx.prevPostId) { %>
<% if (ctx.searchQuery && ctx.searchQuery.text) { %>
<a href='/post/<%- ctx.prevPostId %>/text=<%- ctx.searchQuery.text %>'>
<a href='/post/<%- encodeURIComponent(ctx.prevPostId) %>/text=<%- encodeURIComponent(ctx.searchQuery.text) %>'>
<% } else { %>
<a href='/post/<%- ctx.prevPostId %>'>
<a href='/post/<%- encodeURIComponent(ctx.prevPostId) %>'>
<% } %>
<% } else { %>
<a class='inactive'>
@ -31,16 +31,16 @@
</article>
<article class='edit-post'>
<% if (ctx.editMode) { %>
<a href='/post/<%- ctx.post.id %>'>
<a href='/post/<%- encodeURIComponent(ctx.post.id) %>'>
<i class='fa fa-eye'></i>
<span class='vim-nav-hint'>Back to view mode</span>
</a>
<% } else { %>
<% if (ctx.canEditPosts) { %>
<% if (ctx.searchQuery && ctx.searchQuery.text) { %>
<a href='/post/<%- ctx.post.id %>/edit/text=<%- ctx.searchQuery.text %>'>
<a href='/post/<%- encodeURIComponent(ctx.post.id) %>/edit/text=<%- encodeURIComponent(ctx.searchQuery.text) %>'>
<% } else { %>
<a href='/post/<%- ctx.post.id %>/edit'>
<a href='/post/<%- encodeURIComponent(ctx.post.id) %>/edit'>
<% } %>
<% } else { %>
<a class='inactive'>


@ -33,8 +33,8 @@
<section class='search'>
Search on
<a href='http://iqdb.org/?url=<%- ctx.post.contentUrl %>'>IQDB</a> &middot;
<a href='https://www.google.com/searchbyimage?&image_url=<%- ctx.post.contentUrl %>'>Google Images</a>
<a href='http://iqdb.org/?url=<%- encodeURIComponent(ctx.post.contentUrl) %>'>IQDB</a> &middot;
<a href='https://www.google.com/searchbyimage?&image_url=<%- encodeURIComponent(ctx.post.contentUrl) %>'>Google Images</a>
</section>
<section class='social'>
@ -50,14 +50,14 @@
--><% for (let tag of ctx.post.tags) { %><!--
--><li><!--
--><% if (ctx.canViewTags) { %><!--
--><a href='/tag/<%- tag %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
--><a href='/tag/<%- encodeURIComponent(tag) %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
--><i class='fa fa-tag'></i><!--
--><% } %><!--
--><% if (ctx.canListPosts) { %><!--
--></a><!--
--><% } %><!--
--><% if (ctx.canListPosts) { %><!--
--><a href='/posts/text=<%- tag %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
--><a href='/posts/text=<%- encodeURIComponent(tag) %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
--><% } %><!--
--><%- tag %><!--
--><% if (ctx.canListPosts) { %><!--
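Review bot: On the two rebuilt tag-link lines the href is now URL-encoded, but the class attribute on the same lines still uses raw `<%=` for `ctx.makeCssName(ctx.getTagCategory(tag), 'tag')`. Tag category names come from site data rather than a fixed enum, and whether makeCssName strips quotes is not visible here; unless it is guaranteed to emit only a safe token, `<%-` is the safer default, i.e. `class='<%- ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'`. Separately, the Google link in the earlier hunk of this file carries a stray `&` right after `?` (`searchbyimage?&image_url=`); it works, but `searchbyimage?image_url=` is what was meant.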


@ -5,9 +5,9 @@
<li>
<% if (ctx.canViewPosts) { %>
<% if (ctx.searchQuery && ctx.searchQuery.text) { %>
<a href='/post/<%- post.id %>/text=<%- ctx.searchQuery.text %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'>
<a href='/post/<%- encodeURIComponent(post.id) %>/text=<%- encodeURIComponent(ctx.searchQuery.text) %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'>
<% } else { %>
<a href='/post/<%- post.id %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'>
<a href='/post/<%- encodeURIComponent(post.id) %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'>
<% } %>
<% } else { %>
<a>
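Review bot: The `title='…'` expression is duplicated verbatim across both branches of the rebuilt `<a>` lines, so the two copies can drift apart the next time one of them is touched. Since this template already runs JS in `<% %>` blocks, the tag list could be computed once above the conditional, `<% const tagList = post.tags.map(tag => '#' + tag).join(' '); %>`, and both attributes reduced to `title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- tagList %>'`. The `&#10;` entities stay in the attribute literal so they are not double-escaped by `<%-`.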


@ -2,15 +2,15 @@
<h1><%- ctx.tag.names[0] %></h1>
<nav class='buttons'><!--
--><ul><!--
--><li data-name='summary'><a href='/tag/<%- ctx.tag.names[0] %>'>Summary</a></li><!--
--><li data-name='summary'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>'>Summary</a></li><!--
--><% if (ctx.canMerge) { %><!--
--><li data-name='edit'><a href='/tag/<%- ctx.tag.names[0] %>/edit'>Edit</a></li><!--
--><li data-name='edit'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/edit'>Edit</a></li><!--
--><% } %><!--
--><% if (ctx.canMerge) { %><!--
--><li data-name='merge'><a href='/tag/<%- ctx.tag.names[0] %>/merge'>Merge with&hellip;</a></li><!--
--><li data-name='merge'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/merge'>Merge with&hellip;</a></li><!--
--><% } %><!--
--><% if (ctx.canDelete) { %><!--
--><li data-name='delete'><a href='/tag/<%- ctx.tag.names[0] %>/delete'>Delete</a></li><!--
--><li data-name='delete'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/delete'>Delete</a></li><!--
--><% } %><!--
--></ul><!--
--></nav>
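Review bot: The Edit entry on the rebuilt line is shown only when `ctx.canMerge`, the same flag that gates the Merge entry two lines below, so a user allowed to edit tags but not merge them would lose the Edit link while one allowed to merge sees Edit regardless. If the controller exposes a distinct edit privilege, the guard should be `<% if (ctx.canEdit) { %>`; if the two are deliberately tied together, the two adjacent `<% if (ctx.canMerge) { %>` blocks could at least be collapsed into one. I cannot see the controller from this hunk, so treat this as something to confirm rather than a definite bug.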


@ -17,7 +17,7 @@
</td>
<td class='usages'>
<% if (ctx.tagCategory.name) { %>
<a href='/tags/text=category:<%- ctx.tagCategory.name %>'>
<a href='/tags/text=category:<%- encodeURIComponent(ctx.tagCategory.name) %>'>
<%- ctx.tagCategory.tagCount %>
</a>
<% } else { %>


@ -2,7 +2,7 @@
<form>
<% if (ctx.tag.postCount) { %>
<p>For extra <s>paranoia</s> safety, only tags that are unused can be deleted.</p>
<p>Check <a href='/posts/text=<%- ctx.tag.names[0] %>'>which posts</a> are tagged with <%- ctx.tag.names[0] %>.</p>
<p>Check <a href='/posts/text=<%- encodeURIComponent(ctx.tag.names[0]) %>'>which posts</a> are tagged with <%- ctx.tag.names[0] %>.</p>
<% } else { %>
<div class='input'>
<ul>


@ -2,12 +2,12 @@
<h1><%- ctx.user.name %></h1>
<nav class='buttons'><!--
--><ul><!--
--><li data-name='summary'><a href='/user/<%- ctx.user.name %>'>Summary</a></li><!--
--><li data-name='summary'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>'>Summary</a></li><!--
--><% if (ctx.canEditAnything) { %><!--
--><li data-name='edit'><a href='/user/<%- ctx.user.name %>/edit'>Account settings</a></li><!--
--><li data-name='edit'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>/edit'>Account settings</a></li><!--
--><% } %><!--
--><% if (ctx.canDelete) { %><!--
--><li data-name='delete'><a href='/user/<%- ctx.user.name %>/delete'>Account deletion</a></li><!--
--><li data-name='delete'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>/delete'>Account deletion</a></li><!--
--><% } %><!--
--></ul><!--
--></nav>


@ -10,9 +10,9 @@
<nav>
<p><strong>Quick links</strong></p>
<ul>
<li><a href='/posts/text=submit:<%- ctx.user.name %>'><%- ctx.user.uploadedPostCount %> uploads</a></li>
<li><a href='/posts/text=fav:<%- ctx.user.name %>'><%- ctx.user.favoritePostCount %> favorites</a></li>
<li><a href='/posts/text=comment:<%- ctx.user.name %>'><%- ctx.user.commentCount %> comments</a></li>
<li><a href='/posts/text=submit:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.uploadedPostCount %> uploads</a></li>
<li><a href='/posts/text=fav:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.favoritePostCount %> favorites</a></li>
<li><a href='/posts/text=comment:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.commentCount %> comments</a></li>
</ul>
</nav>


@ -4,7 +4,7 @@
--><li>
<div class='wrapper'>
<% if (ctx.canViewUsers) { %>
<a class='image' href='/user/<%- user.name %>'>
<a class='image' href='/user/<%- encodeURIComponent(user.name) %>'>
<% } %>
<%= ctx.makeThumbnail(user.avatarUrl) %>
<% if (ctx.canViewUsers) { %>
@ -12,7 +12,7 @@
<% } %>
<div class='details'>
<% if (ctx.canViewUsers) { %>
<a href='/user/<%- user.name %>'>
<a href='/user/<%- encodeURIComponent(user.name) %>'>
<% } %>
<%- user.name %>
<% if (ctx.canViewUsers) { %>


@ -149,7 +149,8 @@ function makeColorInput(options) {
function makePostLink(id) {
const text = '@' + id;
return api.hasPrivilege('posts:view') ?
makeNonVoidElement('a', {'href': '/post/' + id}, text) :
makeNonVoidElement(
'a', {'href': '/post/' + encodeURIComponent(id)}, text) :
text;
}
@ -159,7 +160,7 @@ function makeTagLink(name) {
return api.hasPrivilege('tags:view') ?
makeNonVoidElement(
'a', {
'href': '/tag/' + name,
'href': '/tag/' + encodeURIComponent(name),
'class': misc.makeCssName(category, 'tag'),
}, name) :
makeNonVoidElement(
@ -172,7 +173,8 @@ function makeTagLink(name) {
function makeUserLink(user) {
const text = makeThumbnail(user.avatarUrl) + user.name;
const link = api.hasPrivilege('users:view') ?
makeNonVoidElement('a', {'href': '/user/' + user.name}, text) :
makeNonVoidElement(
'a', {'href': '/user/' + encodeURIComponent(user.name)}, text) :
text;
return makeNonVoidElement('span', {class: 'user'}, link);
}
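Review bot: In makeUserLink the link text is built as `makeThumbnail(user.avatarUrl) + user.name`, so the user name is concatenated into a string that already holds markup and then handed to makeNonVoidElement as content; only the href was fixed here. Because the thumbnail must pass through unescaped, makeNonVoidElement presumably does not escape its content, which means a user name containing `<` would reach the DOM raw unless names are validated elsewhere — the same applies to `name` passed as content in makeTagLink, whose body starts above this hunk. Note also that `encodeURIComponent` leaves `'` unencoded, so the new href values are only safe if makeNonVoidElement escapes attribute values or quotes them with `"`. I would escape the name before concatenation with whatever HTML-escape helper the client's `misc` module provides (it is already in scope here), or confirm and document the server-side name validation that makes this unnecessary.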