client/general: escape entity names in links

This commit is contained in:
rr- 2016-06-23 12:19:32 +02:00
parent 6ea129a9ef
commit c7f6663c36
12 changed files with 35 additions and 33 deletions


@ -1,7 +1,7 @@
<div class='comment'> <div class='comment'>
<div class='avatar'> <div class='avatar'>
<% if (ctx.comment.user.name && ctx.canViewUsers) { %> <% if (ctx.comment.user.name && ctx.canViewUsers) { %>
<a href='/user/<%- ctx.comment.user.name %>'> <a href='/user/<%- encodeURIComponent(ctx.comment.user.name) %>'>
<% } %> <% } %>
<%= ctx.makeThumbnail(ctx.comment.user.avatarUrl) %> <%= ctx.makeThumbnail(ctx.comment.user.avatarUrl) %>
@ -15,7 +15,7 @@
<header><!-- <header><!--
--><span class='nickname'><!-- --><span class='nickname'><!--
--><% if (ctx.comment.user.name && ctx.canViewUsers) { %><!-- --><% if (ctx.comment.user.name && ctx.canViewUsers) { %><!--
--><a href='/user/<%- ctx.comment.user.name %>'><!-- --><a href='/user/<%- encodeURIComponent(ctx.comment.user.name) %>'><!--
--><% } %><!-- --><% } %><!--
--><%- ctx.comment.user.name %><!-- --><%- ctx.comment.user.name %><!--


@ -4,7 +4,7 @@
--><li><!-- --><li><!--
--><div class='post-thumbnail'><!-- --><div class='post-thumbnail'><!--
--><% if (ctx.canViewPosts) { %><!-- --><% if (ctx.canViewPosts) { %><!--
--><a href='/post/<%- post.id %>'><!-- --><a href='/post/<%- encodeURIComponent(post.id) %>'><!--
--><% } %><!-- --><% } %><!--
--><%= ctx.makeThumbnail(post.thumbnailUrl) %><!-- --><%= ctx.makeThumbnail(post.thumbnailUrl) %><!--
--><% if (ctx.canViewPosts) { %><!-- --><% if (ctx.canViewPosts) { %><!--


@ -4,9 +4,9 @@
<article class='next-post'> <article class='next-post'>
<% if (ctx.nextPostId) { %> <% if (ctx.nextPostId) { %>
<% if (ctx.searchQuery && ctx.searchQuery.text) { %> <% if (ctx.searchQuery && ctx.searchQuery.text) { %>
<a href='/post/<%- ctx.nextPostId %>/text=<%- ctx.searchQuery.text %>'> <a href='/post/<%- encodeURIComponent(ctx.nextPostId) %>/text=<%- encodeURIComponent(ctx.searchQuery.text) %>'>
<% } else { %> <% } else { %>
<a href='/post/<%- ctx.nextPostId %>'> <a href='/post/<%- encodeURIComponent(ctx.nextPostId) %>'>
<% } %> <% } %>
<% } else { %> <% } else { %>
<a class='inactive'> <a class='inactive'>
@ -18,9 +18,9 @@
<article class='previous-post'> <article class='previous-post'>
<% if (ctx.prevPostId) { %> <% if (ctx.prevPostId) { %>
<% if (ctx.searchQuery && ctx.searchQuery.text) { %> <% if (ctx.searchQuery && ctx.searchQuery.text) { %>
<a href='/post/<%- ctx.prevPostId %>/text=<%- ctx.searchQuery.text %>'> <a href='/post/<%- encodeURIComponent(ctx.prevPostId) %>/text=<%- encodeURIComponent(ctx.searchQuery.text) %>'>
<% } else { %> <% } else { %>
<a href='/post/<%- ctx.prevPostId %>'> <a href='/post/<%- encodeURIComponent(ctx.prevPostId) %>'>
<% } %> <% } %>
<% } else { %> <% } else { %>
<a class='inactive'> <a class='inactive'>
@ -31,16 +31,16 @@
</article> </article>
<article class='edit-post'> <article class='edit-post'>
<% if (ctx.editMode) { %> <% if (ctx.editMode) { %>
<a href='/post/<%- ctx.post.id %>'> <a href='/post/<%- encodeURIComponent(ctx.post.id) %>'>
<i class='fa fa-eye'></i> <i class='fa fa-eye'></i>
<span class='vim-nav-hint'>Back to view mode</span> <span class='vim-nav-hint'>Back to view mode</span>
</a> </a>
<% } else { %> <% } else { %>
<% if (ctx.canEditPosts) { %> <% if (ctx.canEditPosts) { %>
<% if (ctx.searchQuery && ctx.searchQuery.text) { %> <% if (ctx.searchQuery && ctx.searchQuery.text) { %>
<a href='/post/<%- ctx.post.id %>/edit/text=<%- ctx.searchQuery.text %>'> <a href='/post/<%- encodeURIComponent(ctx.post.id) %>/edit/text=<%- encodeURIComponent(ctx.searchQuery.text) %>'>
<% } else { %> <% } else { %>
<a href='/post/<%- ctx.post.id %>/edit'> <a href='/post/<%- encodeURIComponent(ctx.post.id) %>/edit'>
<% } %> <% } %>
<% } else { %> <% } else { %>
<a class='inactive'> <a class='inactive'>


@ -33,8 +33,8 @@
<section class='search'> <section class='search'>
Search on Search on
<a href='http://iqdb.org/?url=<%- ctx.post.contentUrl %>'>IQDB</a> &middot; <a href='http://iqdb.org/?url=<%- encodeURIComponent(ctx.post.contentUrl) %>'>IQDB</a> &middot;
<a href='https://www.google.com/searchbyimage?&image_url=<%- ctx.post.contentUrl %>'>Google Images</a> <a href='https://www.google.com/searchbyimage?&image_url=<%- encodeURIComponent(ctx.post.contentUrl) %>'>Google Images</a>
</section> </section>
<section class='social'> <section class='social'>
@ -50,14 +50,14 @@
--><% for (let tag of ctx.post.tags) { %><!-- --><% for (let tag of ctx.post.tags) { %><!--
--><li><!-- --><li><!--
--><% if (ctx.canViewTags) { %><!-- --><% if (ctx.canViewTags) { %><!--
--><a href='/tag/<%- tag %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!-- --><a href='/tag/<%- encodeURIComponent(tag) %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
--><i class='fa fa-tag'></i><!-- --><i class='fa fa-tag'></i><!--
--><% } %><!-- --><% } %><!--
--><% if (ctx.canListPosts) { %><!-- --><% if (ctx.canListPosts) { %><!--
--></a><!-- --></a><!--
--><% } %><!-- --><% } %><!--
--><% if (ctx.canListPosts) { %><!-- --><% if (ctx.canListPosts) { %><!--
--><a href='/posts/text=<%- tag %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!-- --><a href='/posts/text=<%- encodeURIComponent(tag) %>' class='<%= ctx.makeCssName(ctx.getTagCategory(tag), 'tag') %>'><!--
--><% } %><!-- --><% } %><!--
--><%- tag %><!-- --><%- tag %><!--
--><% if (ctx.canListPosts) { %><!-- --><% if (ctx.canListPosts) { %><!--


@ -5,9 +5,9 @@
<li> <li>
<% if (ctx.canViewPosts) { %> <% if (ctx.canViewPosts) { %>
<% if (ctx.searchQuery && ctx.searchQuery.text) { %> <% if (ctx.searchQuery && ctx.searchQuery.text) { %>
<a href='/post/<%- post.id %>/text=<%- ctx.searchQuery.text %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'> <a href='/post/<%- encodeURIComponent(post.id) %>/text=<%- encodeURIComponent(ctx.searchQuery.text) %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'>
<% } else { %> <% } else { %>
<a href='/post/<%- post.id %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'> <a href='/post/<%- encodeURIComponent(post.id) %>' title='@<%- post.id %> (<%- post.type %>)&#10;&#10;Tags: <%- post.tags.map(tag => '#' + tag).join(' ') %>'>
<% } %> <% } %>
<% } else { %> <% } else { %>
<a> <a>


@ -2,15 +2,15 @@
<h1><%- ctx.tag.names[0] %></h1> <h1><%- ctx.tag.names[0] %></h1>
<nav class='buttons'><!-- <nav class='buttons'><!--
--><ul><!-- --><ul><!--
--><li data-name='summary'><a href='/tag/<%- ctx.tag.names[0] %>'>Summary</a></li><!-- --><li data-name='summary'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>'>Summary</a></li><!--
--><% if (ctx.canMerge) { %><!-- --><% if (ctx.canMerge) { %><!--
--><li data-name='edit'><a href='/tag/<%- ctx.tag.names[0] %>/edit'>Edit</a></li><!-- --><li data-name='edit'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/edit'>Edit</a></li><!--
--><% } %><!-- --><% } %><!--
--><% if (ctx.canMerge) { %><!-- --><% if (ctx.canMerge) { %><!--
--><li data-name='merge'><a href='/tag/<%- ctx.tag.names[0] %>/merge'>Merge with&hellip;</a></li><!-- --><li data-name='merge'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/merge'>Merge with&hellip;</a></li><!--
--><% } %><!-- --><% } %><!--
--><% if (ctx.canDelete) { %><!-- --><% if (ctx.canDelete) { %><!--
--><li data-name='delete'><a href='/tag/<%- ctx.tag.names[0] %>/delete'>Delete</a></li><!-- --><li data-name='delete'><a href='/tag/<%- encodeURIComponent(ctx.tag.names[0]) %>/delete'>Delete</a></li><!--
--><% } %><!-- --><% } %><!--
--></ul><!-- --></ul><!--
--></nav> --></nav>


@ -17,7 +17,7 @@
</td> </td>
<td class='usages'> <td class='usages'>
<% if (ctx.tagCategory.name) { %> <% if (ctx.tagCategory.name) { %>
<a href='/tags/text=category:<%- ctx.tagCategory.name %>'> <a href='/tags/text=category:<%- encodeURIComponent(ctx.tagCategory.name) %>'>
<%- ctx.tagCategory.tagCount %> <%- ctx.tagCategory.tagCount %>
</a> </a>
<% } else { %> <% } else { %>


@ -2,7 +2,7 @@
<form> <form>
<% if (ctx.tag.postCount) { %> <% if (ctx.tag.postCount) { %>
<p>For extra <s>paranoia</s> safety, only tags that are unused can be deleted.</p> <p>For extra <s>paranoia</s> safety, only tags that are unused can be deleted.</p>
<p>Check <a href='/posts/text=<%- ctx.tag.names[0] %>'>which posts</a> are tagged with <%- ctx.tag.names[0] %>.</p> <p>Check <a href='/posts/text=<%- encodeURIComponent(ctx.tag.names[0]) %>'>which posts</a> are tagged with <%- ctx.tag.names[0] %>.</p>
<% } else { %> <% } else { %>
<div class='input'> <div class='input'>
<ul> <ul>


@ -2,12 +2,12 @@
<h1><%- ctx.user.name %></h1> <h1><%- ctx.user.name %></h1>
<nav class='buttons'><!-- <nav class='buttons'><!--
--><ul><!-- --><ul><!--
--><li data-name='summary'><a href='/user/<%- ctx.user.name %>'>Summary</a></li><!-- --><li data-name='summary'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>'>Summary</a></li><!--
--><% if (ctx.canEditAnything) { %><!-- --><% if (ctx.canEditAnything) { %><!--
--><li data-name='edit'><a href='/user/<%- ctx.user.name %>/edit'>Account settings</a></li><!-- --><li data-name='edit'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>/edit'>Account settings</a></li><!--
--><% } %><!-- --><% } %><!--
--><% if (ctx.canDelete) { %><!-- --><% if (ctx.canDelete) { %><!--
--><li data-name='delete'><a href='/user/<%- ctx.user.name %>/delete'>Account deletion</a></li><!-- --><li data-name='delete'><a href='/user/<%- encodeURIComponent(ctx.user.name) %>/delete'>Account deletion</a></li><!--
--><% } %><!-- --><% } %><!--
--></ul><!-- --></ul><!--
--></nav> --></nav>


@ -10,9 +10,9 @@
<nav> <nav>
<p><strong>Quick links</strong></p> <p><strong>Quick links</strong></p>
<ul> <ul>
<li><a href='/posts/text=submit:<%- ctx.user.name %>'><%- ctx.user.uploadedPostCount %> uploads</a></li> <li><a href='/posts/text=submit:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.uploadedPostCount %> uploads</a></li>
<li><a href='/posts/text=fav:<%- ctx.user.name %>'><%- ctx.user.favoritePostCount %> favorites</a></li> <li><a href='/posts/text=fav:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.favoritePostCount %> favorites</a></li>
<li><a href='/posts/text=comment:<%- ctx.user.name %>'><%- ctx.user.commentCount %> comments</a></li> <li><a href='/posts/text=comment:<%- encodeURIComponent(ctx.user.name) %>'><%- ctx.user.commentCount %> comments</a></li>
</ul> </ul>
</nav> </nav>


@ -4,7 +4,7 @@
--><li> --><li>
<div class='wrapper'> <div class='wrapper'>
<% if (ctx.canViewUsers) { %> <% if (ctx.canViewUsers) { %>
<a class='image' href='/user/<%- user.name %>'> <a class='image' href='/user/<%- encodeURIComponent(user.name) %>'>
<% } %> <% } %>
<%= ctx.makeThumbnail(user.avatarUrl) %> <%= ctx.makeThumbnail(user.avatarUrl) %>
<% if (ctx.canViewUsers) { %> <% if (ctx.canViewUsers) { %>
@ -12,7 +12,7 @@
<% } %> <% } %>
<div class='details'> <div class='details'>
<% if (ctx.canViewUsers) { %> <% if (ctx.canViewUsers) { %>
<a href='/user/<%- user.name %>'> <a href='/user/<%- encodeURIComponent(user.name) %>'>
<% } %> <% } %>
<%- user.name %> <%- user.name %>
<% if (ctx.canViewUsers) { %> <% if (ctx.canViewUsers) { %>


@ -149,7 +149,8 @@ function makeColorInput(options) {
function makePostLink(id) { function makePostLink(id) {
const text = '@' + id; const text = '@' + id;
return api.hasPrivilege('posts:view') ? return api.hasPrivilege('posts:view') ?
makeNonVoidElement('a', {'href': '/post/' + id}, text) : makeNonVoidElement(
'a', {'href': '/post/' + encodeURIComponent(id)}, text) :
text; text;
} }
@ -159,7 +160,7 @@ function makeTagLink(name) {
return api.hasPrivilege('tags:view') ? return api.hasPrivilege('tags:view') ?
makeNonVoidElement( makeNonVoidElement(
'a', { 'a', {
'href': '/tag/' + name, 'href': '/tag/' + encodeURIComponent(name),
'class': misc.makeCssName(category, 'tag'), 'class': misc.makeCssName(category, 'tag'),
}, name) : }, name) :
makeNonVoidElement( makeNonVoidElement(
@ -172,7 +173,8 @@ function makeTagLink(name) {
function makeUserLink(user) { function makeUserLink(user) {
const text = makeThumbnail(user.avatarUrl) + user.name; const text = makeThumbnail(user.avatarUrl) + user.name;
const link = api.hasPrivilege('users:view') ? const link = api.hasPrivilege('users:view') ?
makeNonVoidElement('a', {'href': '/user/' + user.name}, text) : makeNonVoidElement(
'a', {'href': '/user/' + encodeURIComponent(user.name)}, text) :
text; text;
return makeNonVoidElement('span', {class: 'user'}, link); return makeNonVoidElement('span', {class: 'user'}, link);
} }
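Review bot: The new `encodeURIComponent` calls cover only the `href` attribute; the element content passed as `text` is not HTML-escaped anywhere visible in these hunks. In `makeUserLink`, `text` is built as `makeThumbnail(user.avatarUrl) + user.name`, and since that string has to carry the thumbnail's markup, `makeNonVoidElement` presumably inserts its content raw, which would mean `user.name` (and `name` in `makeTagLink`) reach the DOM unescaped unless the server guarantees these names contain no markup. If `makeNonVoidElement` does escape content this note can be dropped; otherwise the display strings need the same care as the hrefs, e.g. `const text = makeThumbnail(user.avatarUrl) + escapeHtml(user.name);` using whatever HTML-escaping helper the module already has. The `makeTagLink` hunk starts inside the function, so its signature and the `category` binding it uses are outside this view.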