Cutlery/calibre
1
0
Fork 0
mirror of https://github.com/kovidgoyal/calibre.git synced 2025-07-09 03:04:10 -04:00
Code Issues Packages Projects Releases Wiki Activity

Escape markup when using innerHTML

Browse Source
This commit is contained in:
Kovid Goyal 2017-05-15 19:10:15 +05:30
parent c651219654
commit 8fe05d1e6c
No known key found for this signature in database
GPG Key ID: 06BC317B515ACE7C
5 changed files with 21 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/pyj/book_list/book_details.pyj
View File

@ -12,7 +12,7 @@ from modals import error_dialog, create_custom_dialog
from widgets import create_spinner, create_button from widgets import create_spinner, create_button
from date import format_date from date import format_date
from session import get_interface_data from session import get_interface_data
from utils import fmt_sidx, parse_url_params, conditional_timeout from utils import fmt_sidx, parse_url_params, conditional_timeout, simple_markup
from book_list.router import back, open_book, home from book_list.router import back, open_book, home
from book_list.library_data import book_metadata, cover_url, set_book_metadata, current_library_id, library_data, download_url, load_status, current_virtual_library from book_list.library_data import book_metadata, cover_url, set_book_metadata, current_library_id, library_data, download_url, load_status, current_virtual_library
@ -387,7 +387,7 @@ def metadata_fetched(container_id, book_id, end_type, xhr, event):
_('Could not fetch metadata for book'), _('Could not fetch metadata for book'),
E.div(style='margin: 1ex 1em') E.div(style='margin: 1ex 1em')
)) ))
c.lastChild.lastChild.innerHTML = xhr.error_html c.lastChild.lastChild.innerHTML = simple_markup(xhr.error_html)
def fetch_metadata(container_id, book_id): def fetch_metadata(container_id, book_id):
nonlocal current_fetch nonlocal current_fetch
@ -432,7 +432,7 @@ def check_for_books_loaded():
clear(container) clear(container)
if not load_status.ok: if not load_status.ok:
err = E.div() err = E.div()
err.innerHTML = load_status.error_html err.innerHTML = simple_markup(load_status.error_html)
container.appendChild(E.div( container.appendChild(E.div(
style='margin: 1ex 1em', style='margin: 1ex 1em',
E.div(_('Failed to load books from calibre library, with error:')), E.div(_('Failed to load books from calibre library, with error:')),

6
src/pyj/book_list/main.pyj
View File

@ -10,6 +10,7 @@ from modals import create_modal_container, error_dialog
from session import get_interface_data, UserSessionData, update_interface_data, get_translations from session import get_interface_data, UserSessionData, update_interface_data, get_translations
from gettext import gettext as _, install from gettext import gettext as _, install
from popups import install_event_filters from popups import install_event_filters
from utils import simple_markup
from book_list.constants import book_list_container_id, read_book_container_id from book_list.constants import book_list_container_id, read_book_container_id
from book_list.library_data import fetch_init_data, update_library_data, url_books_query from book_list.library_data import fetch_init_data, update_library_data, url_books_query
@ -87,9 +88,10 @@ def on_data_loaded(end_type, xhr, ev):
else: else:
p = E.p(style='color:red; font-weight: bold; font-size:1.5em') p = E.p(style='color:red; font-weight: bold; font-size:1.5em')
if xhr.status is 401: if xhr.status is 401:
p.innerHTML = _('You are not authorized to view this site') msg = _('You are not authorized to view this site')
else: else:
p.innerHTML = xhr.error_html msg = xhr.error_html
p.innerHTML = simple_markup(msg)
document.body.appendChild(p) document.body.appendChild(p)

6
src/pyj/book_list/views.pyj
View File

@ -23,7 +23,7 @@ from book_list.library_data import (
ensure_current_library_data, library_data, load_status, loaded_books_query, ensure_current_library_data, library_data, load_status, loaded_books_query,
thumbnail_cache, url_books_query thumbnail_cache, url_books_query
) )
from book_list.router import back, update_window_title, push_state, home from book_list.router import back, home, push_state, update_window_title
from book_list.search import ( from book_list.search import (
init as init_search_panel, set_apply_search, tb_config_panel_handler init as init_search_panel, set_apply_search, tb_config_panel_handler
) )
@ -32,7 +32,7 @@ from book_list.ui import set_panel_handler, show_panel
from dom import add_extra_css, build_rule, clear, ensure_id, set_css from dom import add_extra_css, build_rule, clear, ensure_id, set_css
from modals import error_dialog from modals import error_dialog
from session import get_interface_data from session import get_interface_data
from utils import conditional_timeout, parse_url_params from utils import conditional_timeout, parse_url_params, simple_markup
from widgets import create_button, create_spinner from widgets import create_button, create_spinner
CLASS_NAME = 'book-list-container' CLASS_NAME = 'book-list-container'
@ -272,7 +272,7 @@ def check_for_books_loaded():
clear(container) clear(container)
if not load_status.ok: if not load_status.ok:
err = E.div() err = E.div()
err.innerHTML = load_status.error_html err.innerHTML = simple_markup(load_status.error_html)
container.appendChild(E.div( container.appendChild(E.div(
style='margin: 1ex 1em', style='margin: 1ex 1em',
E.div(_('Failed to load books from calibre library, with error:')), E.div(_('Failed to load books from calibre library, with error:')),

12
src/pyj/modals.pyj
View File

@ -2,12 +2,14 @@
# License: GPL v3 Copyright: 2015, Kovid Goyal <kovid at kovidgoyal.net> # License: GPL v3 Copyright: 2015, Kovid Goyal <kovid at kovidgoyal.net>
from __python__ import hash_literals from __python__ import hash_literals
from ajax import ajax, ajax_send
from elementmaker import E from elementmaker import E
from dom import set_css, clear, build_rule, svgicon, add_extra_css
from gettext import gettext as _ from gettext import gettext as _
from ajax import ajax, ajax_send
from book_list.theme import get_color, get_font_size from book_list.theme import get_color, get_font_size
from dom import add_extra_css, build_rule, clear, set_css, svgicon
from popups import MODAL_Z_INDEX from popups import MODAL_Z_INDEX
from utils import simple_markup
modal_container = None modal_container = None
modal_count = 0 modal_count = 0
@ -145,10 +147,10 @@ def create_simple_dialog(title, msg, details, icon, prefix):
is_html_msg = /<[a-zA-Z]/.test(msg) is_html_msg = /<[a-zA-Z]/.test(msg)
html_container = E.div() html_container = E.div()
if is_html_msg: if is_html_msg:
html_container.innerHTML = msg html_container.innerHTML = simple_markup(msg)
details_container = E.span() details_container = E.span()
if /<[a-zA-Z]/.test(details): if /<[a-zA-Z]/.test(details):
details_container.innerHTML = details details_container.innerHTML = simple_markup(details)
else: else:
details_container.textContent = details details_container.textContent = details
parent.appendChild( parent.appendChild(
@ -193,7 +195,7 @@ def create_progress_dialog(msg, on_close):
return { return {
'close': def(): modal_container.hide_modal(modal_id);, 'close': def(): modal_container.hide_modal(modal_id);,
'update_progress': def(amount, total): pbar.max, pbar.value = total, amount;, 'update_progress': def(amount, total): pbar.max, pbar.value = total, amount;,
'set_msg': def(new_msg): msg_div.innerHTML = new_msg;, 'set_msg': def(new_msg): msg_div.innerHTML = simple_markup(new_msg);,
} }
# def test_progress(): # def test_progress():

8
src/pyj/read_book/overlay.pyj
View File

@ -11,7 +11,7 @@ from book_list.router import home
from book_list.theme import get_color from book_list.theme import get_color
from dom import add_extra_css, build_rule, clear, set_css, svgicon, unique_id from dom import add_extra_css, build_rule, clear, set_css, svgicon, unique_id
from modals import error_dialog from modals import error_dialog
from utils import full_screen_element, request_full_screen from utils import full_screen_element, request_full_screen, simple_markup
from read_book.goto import create_goto_panel from read_book.goto import create_goto_panel
from read_book.prefs.font_size import create_font_size_panel from read_book.prefs.font_size import create_font_size_panel
from read_book.prefs.main import create_prefs_panel from read_book.prefs.main import create_prefs_panel
@ -34,13 +34,13 @@ class LoadingMessage: # {{{
E.div(create_spinner('100px', '100px')), E.div(create_spinner('100px', '100px')),
E.h2() E.h2()
)) ))
container.firstChild.lastChild.innerHTML = self.msg container.firstChild.lastChild.innerHTML = simple_markup(self.msg)
set_css(container.firstChild, position='relative', top='50%', transform='translateY(-50%)') set_css(container.firstChild, position='relative', top='50%', transform='translateY(-50%)')
def set_msg(self, msg): def set_msg(self, msg):
self.msg = msg self.msg = msg
container = document.getElementById(self.container_id) container = document.getElementById(self.container_id)
container.firstChild.lastChild.innerHTML = self.msg container.firstChild.lastChild.innerHTML = simple_markup(self.msg)
def on_container_click(self, evt): def on_container_click(self, evt):
pass # Dont allow panel to be closed by a click pass # Dont allow panel to be closed by a click
@ -79,7 +79,7 @@ class DeleteBook: # {{{
E.div(create_spinner('100px', '100px')), E.div(create_spinner('100px', '100px')),
E.h2() E.h2()
)) ))
container.lastChild.lastChild.innerHTML = _('Deleting local book copy, please wait...') container.lastChild.lastChild.innerHTML = simple_markup(_('Deleting local book copy, please wait...'))
def on_container_click(self, evt): def on_container_click(self, evt):
pass # Dont allow panel to be closed by a click pass # Dont allow panel to be closed by a click