taiga
/
taiga-front
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #137 from taigaio/bug/1500/xss 

fix history xss
stable
David Barragán Merino 2014-11-01 12:33:04 +01:00
parent 969b79642c 4dd950134e
commit 35aff99a31
22 changed files with 73 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
app/coffee/modules/admin/memberships.coffee
View File

@ -115,11 +115,11 @@ paginatorTemplate = """
<% } %>
<% _.each(pages, function(item) { %>
<li class="<%= item.classes %>">
<li class="<%- item.classes %>">
<% if (item.type === "page") { %>
<a href="" data-pagenum="<%= item.num %>"><%= item.num %></a>
<a href="" data-pagenum="<%- item.num %>"><%- item.num %></a>
<% } else if (item.type === "page-active") { %>
<span class="active"><%= item.num %></span>
<span class="active"><%- item.num %></span>
<% } else { %>
<span>...</span>
<% } %>
@ -233,7 +233,7 @@ module.directive("tgMemberships", MembershipsDirective)
MembershipsRowAvatarDirective = ($log) ->
template = _.template("""
<figure class="avatar">
<img src="<%= imgurl %>" alt="<%- full_name %>">
<img src="<%- imgurl %>" alt="<%- full_name %>">
<figcaption>
<span class="name"><%- full_name %></span>
<span class="email"><%- email %></span>

2
app/coffee/modules/auth.coffee
View File

@ -157,7 +157,7 @@ PublicRegisterMessageDirective = ($config, $navUrls) ->
template = _.template("""
<p class="login-text">
<span>Not registered yet?</span>
<a href="<%= url %>" tg-nav="register" title="Register"> create your free account here</a>
<a href="<%- url %>" tg-nav="register" title="Register"> create your free account here</a>
</p>""")
templateFn = ->

18
app/coffee/modules/backlog/filters.coffee
View File

@ -40,18 +40,18 @@ BacklogFiltersDirective = ($log, $location) ->
<% _.each(filters, function(f) { %>
<% if (f.selected) { %>
<a class="single-filter active"
data-type="<%= f.type %>"
data-id="<%= f.id %>">
<span class="name" <% if (f.color){ %>style="border-left: 3px solid <%= f.color %>;"<% } %>>
data-type="<%- f.type %>"
data-id="<%- f.id %>">
<span class="name" <% if (f.color){ %>style="border-left: 3px solid <%- f.color %>;"<% } %>>
<%- f.name %>
</span>
<span class="number"><%- f.count %></span>
</a>
<% } else { %>
<a class="single-filter"
data-type="<%= f.type %>"
data-id="<%= f.id %>">
<span class="name" <% if (f.color){ %>style="border-left: 3px solid <%= f.color %>;"<% } %>>
data-type="<%- f.type %>"
data-id="<%- f.id %>">
<span class="name" <% if (f.color){ %>style="border-left: 3px solid <%- f.color %>;"<% } %>>
<%- f.name %>
</span>
<span class="number"><%- f.count %></span>
@ -63,9 +63,9 @@ BacklogFiltersDirective = ($log, $location) ->
templateSelected = _.template("""
<% _.each(filters, function(f) { %>
<a class="single-filter selected"
data-type="<%= f.type %>"
data-id="<%= f.id %>">
<span class="name" <% if (f.color){ %>style="border-left: 3px solid <%= f.color %>;"<% } %>>
data-type="<%- f.type %>"
data-id="<%- f.id %>">
<span class="name" <% if (f.color){ %>style="border-left: 3px solid <%- f.color %>;"<% } %>>
<%- f.name %></span>
<span class="icon icon-delete"></span>
</a>

10
app/coffee/modules/common/components.coffee
View File

@ -121,7 +121,7 @@ CreatedByDisplayDirective = ->
template = _.template("""
<div class="user-avatar">
<img src="<%= owner.photo %>" alt="<%- owner.full_name_display %>" />
<img src="<%- owner.photo %>" alt="<%- owner.full_name_display %>" />
</div>
<div class="created-by">
@ -178,7 +178,7 @@ WatchersDirective = ($rootscope, $confirm, $repo) ->
<div class="watcher-single">
<div class="watcher-avatar">
<span class="avatar" href="" title="<%- watcher.full_name_display %>">
<img src="<%= watcher.photo %>" alt="<%- watcher.full_name_display %>">
<img src="<%- watcher.photo %>" alt="<%- watcher.full_name_display %>">
</span>
</div>
<div class="watcher-name">
@ -186,7 +186,7 @@ WatchersDirective = ($rootscope, $confirm, $repo) ->
<% if(isEditable){ %>
<a class="icon icon-delete"
data-watcher-id="<%= watcher.id %>" href="" title="delete-watcher">
data-watcher-id="<%- watcher.id %>" href="" title="delete-watcher">
</a>
<% }; %>
</div>
@ -281,7 +281,7 @@ AssignedToDirective = ($rootscope, $confirm, $repo, $loading) ->
template = _.template("""
<% if (assignedTo) { %>
<div class="user-avatar">
<img src="<%= assignedTo.photo %>" alt="<%- assignedTo.full_name_display %>" />
<img src="<%- assignedTo.photo %>" alt="<%- assignedTo.full_name_display %>" />
</div>
<% } %>
@ -681,7 +681,7 @@ ListItemUsStatusDirective = ->
ListItemAssignedtoDirective = ->
template = _.template("""
<figure class="avatar">
<img src="<%= imgurl %>" alt="<%- name %>"/>
<img src="<%- imgurl %>" alt="<%- name %>"/>
<figcaption><%- name %></figcaption>
</figure>
""")

16
app/coffee/modules/common/history.coffee
View File

@ -84,11 +84,11 @@ HistoryDirective = ($log, $loading) ->
<div class="activity-fromto">
<p>
<strong> from </strong> <br />
<span><%= point[0] %></span>
<span><%- point[0] %></span>
</p>
<p>
<strong> to </strong> <br />
<span><%= point[1] %></span>
<span><%- point[1] %></span>
</p>
</div>
</div>
@ -103,11 +103,11 @@ HistoryDirective = ($log, $loading) ->
<div class="activity-fromto">
<p>
<strong> from </strong> <br />
<span><%= from %></span>
<span><%- from %></span>
</p>
<p>
<strong> to </strong> <br />
<span><%= to %></span>
<span><%- to %></span>
</p>
</div>
</div>
@ -120,12 +120,12 @@ HistoryDirective = ($log, $loading) ->
<div class="activity-fromto">
<% _.each(diff, function(change) { %>
<p>
<strong><%= change.name %> from </strong> <br />
<span><%= change.from %></span>
<strong><%- change.name %> from </strong> <br />
<span><%- change.from %></span>
</p>
<p>
<strong><%= change.name %> to </strong> <br />
<span><%= change.to %></span>
<strong><%- change.name %> to </strong> <br />
<span><%- change.to %></span>
</p>
<% }) %>
</div>

4
app/coffee/modules/common/lightboxes.coffee
View File

@ -390,7 +390,7 @@ usersTemplate = _.template("""
<div class="watcher-single active">
<div class="watcher-avatar">
<a href="" title="Assigned to" class="avatar">
<img src="<%= selected.photo %>"/>
<img src="<%- selected.photo %>"/>
</a>
</div>
<a href="" title="<%- selected.full_name_display %>" class="watcher-name">
@ -404,7 +404,7 @@ usersTemplate = _.template("""
<div class="watcher-single" data-user-id="<%- user.id %>">
<div class="watcher-avatar">
<a href="#" title="Assigned to" class="avatar">
<img src="<%= user.photo %>" />
<img src="<%- user.photo %>" />
</a>
</div>
<a href="" title="<%- user.full_name_display %>" class="watcher-name">

20
app/coffee/modules/issues/detail.coffee
View File

@ -164,8 +164,8 @@ IssueStatusDisplayDirective = ->
Open
<% } %>
</span>
<span class="us-detail-status" style="color:<%= status.color %>">
<%= status.name %>
<span class="us-detail-status" style="color:<%- status.color %>">
<%- status.name %>
</span>
""") # TODO: i18n
@ -208,8 +208,8 @@ IssueStatusButtonDirective = ($rootScope, $repo, $confirm, $loading) ->
template = _.template("""
<div class="status-data <% if(editable){ %>clickable<% }%>">
<span class="level" style="background-color:<%= status.color %>"></span>
<span class="status-status"><%= status.name %></span>
<span class="level" style="background-color:<%- status.color %>"></span>
<span class="status-status"><%- status.name %></span>
<% if(editable){ %><span class="icon icon-arrow-bottom"></span><% }%>
<span class="level-name">status</span>
@ -302,8 +302,8 @@ IssueTypeButtonDirective = ($rootScope, $repo, $confirm, $loading) ->
template = _.template("""
<div class="type-data <% if(editable){ %>clickable<% }%>">
<span class="level" style="background-color:<%= type.color %>"></span>
<span class="type-type"><%= type.name %></span>
<span class="level" style="background-color:<%- type.color %>"></span>
<span class="type-type"><%- type.name %></span>
<% if(editable){ %><span class="icon icon-arrow-bottom"></span><% }%>
<span class="level-name">type</span>
@ -396,8 +396,8 @@ IssueSeverityButtonDirective = ($rootScope, $repo, $confirm, $loading) ->
template = _.template("""
<div class="severity-data <% if(editable){ %>clickable<% }%>">
<span class="level" style="background-color:<%= severity.color %>"></span>
<span class="severity-severity"><%= severity.name %></span>
<span class="level" style="background-color:<%- severity.color %>"></span>
<span class="severity-severity"><%- severity.name %></span>
<% if(editable){ %><span class="icon icon-arrow-bottom"></span><% }%>
<span class="level-name">severity</span>
@ -490,8 +490,8 @@ IssuePriorityButtonDirective = ($rootScope, $repo, $confirm, $loading) ->
template = _.template("""
<div class="priority-data <% if(editable){ %>clickable<% }%>">
<span class="level" style="background-color:<%= priority.color %>"></span>
<span class="priority-priority"><%= priority.name %></span>
<span class="level" style="background-color:<%- priority.color %>"></span>
<span class="priority-priority"><%- priority.name %></span>
<% if(editable){ %><span class="icon icon-arrow-bottom"></span><% }%>
<span class="level-name">priority</span>

18
app/coffee/modules/issues/list.coffee
View File

@ -319,11 +319,11 @@ paginatorTemplate = """
<% } %>
<% _.each(pages, function(item) { %>
<li class="<%= item.classes %>">
<li class="<%- item.classes %>">
<% if (item.type === "page") { %>
<a href="" data-pagenum="<%= item.num %>"><%= item.num %></a>
<a href="" data-pagenum="<%- item.num %>"><%- item.num %></a>
<% } else if (item.type === "page-active") { %>
<span class="active"><%= item.num %></span>
<span class="active"><%- item.num %></span>
<% } else { %>
<span>...</span>
<% } %>
@ -469,8 +469,8 @@ IssuesFiltersDirective = ($log, $location, $rs, $confirm, $loading) ->
<% _.each(filters, function(f) { %>
<% if (!f.selected) { %>
<a class="single-filter"
data-type="<%= f.type %>"
data-id="<%= f.id %>">
data-type="<%- f.type %>"
data-id="<%- f.id %>">
<span class="name" <% if (f.color){ %>style="border-left: 3px solid <%- f.color %>;"<% } %>>
<%- f.name %>
</span>
@ -491,9 +491,9 @@ IssuesFiltersDirective = ($log, $location, $rs, $confirm, $loading) ->
templateSelected = _.template("""
<% _.each(filters, function(f) { %>
<a class="single-filter selected"
data-type="<%= f.type %>"
data-id="<%= f.id %>">
<span class="name" <% if (f.color){ %>style="border-left: 3px solid <%= f.color %>;"<% } %>>
data-type="<%- f.type %>"
data-id="<%- f.id %>">
<span class="name" <% if (f.color){ %>style="border-left: 3px solid <%- f.color %>;"<% } %>>
<%- f.name %>
</span>
<span class="icon icon-delete"></span>
@ -786,7 +786,7 @@ module.directive("tgIssueStatusInlineEdition", ["$tgRepo", IssueStatusInlineEdit
IssueAssignedToInlineEditionDirective = ($repo, $rootscope, popoverService) ->
template = _.template("""
<img src="<%= imgurl %>" alt="<%- name %>"/>
<img src="<%- imgurl %>" alt="<%- name %>"/>
<figcaption><%- name %></figcaption>
""")

2
app/coffee/modules/kanban/main.coffee
View File

@ -392,7 +392,7 @@ KanbanUserDirective = ($log) ->
template = _.template("""
<figure class="avatar">
<a href="#" title="Assign User Story" <% if (!clickable) {%>class="not-clickable"<% } %>>
<img src="<%= imgurl %>" alt="<%- name %>" class="avatar">
<img src="<%- imgurl %>" alt="<%- name %>" class="avatar">
</a>
</figure>
""") # TODO: i18n

2
app/coffee/modules/nav.coffee
View File

@ -272,7 +272,7 @@ ProjectMenuDirective = ($log, $compile, $auth, $rootscope, $tgAuth, $location, $
<li><a href="" title="Logout" class="logout">Logout</a></li>
</ul>
<a href="" title="User preferences" class="avatar" id="nav-user-settings">
<img src="<%= user.photo %>" alt="<%= user.full_name_display %>" />
<img src="<%- user.photo %>" alt="<%- user.full_name_display %>" />
</a>
</div>
</div>

2
app/coffee/modules/related-tasks.coffee
View File

@ -310,7 +310,7 @@ module.directive("tgRelatedTasks", ["$tgRepo", "$tgResources", "$rootScope", Rel
RelatedTaskAssignedToInlineEditionDirective = ($repo, $rootscope, popoverService) ->
template = _.template("""
<img src="<%= imgurl %>" alt="<%- name %>"/>
<img src="<%- imgurl %>" alt="<%- name %>"/>
<figcaption><%- name %></figcaption>
""")

2
app/coffee/modules/taskboard/main.coffee
View File

@ -316,7 +316,7 @@ TaskboardUserDirective = ($log) ->
template = _.template("""
<figure class="avatar">
<a href="#" title="Assign task" <% if (!clickable) {%>class="not-clickable"<% } %>>
<img src="<%= imgurl %>" alt="<%- name %>">
<img src="<%- imgurl %>" alt="<%- name %>">
</a>
</figure>
""") # TODO: i18n

8
app/coffee/modules/tasks/detail.coffee
View File

@ -168,8 +168,8 @@ TaskStatusDisplayDirective = ->
Open
<% } %>
</span>
<span class="us-detail-status" style="color:<%= status.color %>">
<%= status.name %>
<span class="us-detail-status" style="color:<%- status.color %>">
<%- status.name %>
</span>
""") # TODO: i18n
@ -212,8 +212,8 @@ TaskStatusButtonDirective = ($rootScope, $repo, $confirm, $loading) ->
template = _.template("""
<div class="status-data <% if(editable){ %>clickable<% }%>">
<span class="level" style="background-color:<%= status.color %>"></span>
<span class="status-status"><%= status.name %></span>
<span class="level" style="background-color:<%- status.color %>"></span>
<span class="status-status"><%- status.name %></span>
<% if(editable){ %><span class="icon icon-arrow-bottom"></span><% }%>
<span class="level-name">status</span>

8
app/coffee/modules/userstories/detail.coffee
View File

@ -177,8 +177,8 @@ UsStatusDisplayDirective = ->
Open
<% } %>
</span>
<span class="us-detail-status" style="color:<%= status.color %>">
<%= status.name %>
<span class="us-detail-status" style="color:<%- status.color %>">
<%- status.name %>
</span>
""") # TODO: i18n
@ -441,8 +441,8 @@ UsStatusButtonDirective = ($rootScope, $repo, $confirm, $loading) ->
template = _.template("""
<div class="status-data <% if(editable){ %>clickable<% }%>">
<span class="level" style="background-color:<%= status.color %>"></span>
<span class="status-status"><%= status.name %></span>
<span class="level" style="background-color:<%- status.color %>"></span>
<span class="status-status"><%- status.name %></span>
<% if(editable){ %><span class="icon icon-arrow-bottom"></span><% }%>
<span class="level-name">status</span>

2
app/coffee/modules/wiki/main.coffee
View File

@ -163,7 +163,7 @@ WikiSummaryDirective = ($log) ->
</li>
<li class="username-edition">
<figure class="avatar">
<img src="<%= user.imgUrl %>" alt="<%- user.name %>">
<img src="<%- user.imgUrl %>" alt="<%- user.name %>">
</figure>
<span class="description">last modification</span>
<span class="username"><%- user.name %></span>

2
app/partials/issues-detail.jade
View File

@ -25,7 +25,7 @@ block content
p.block-desc-container(ng-show="issue.is_blocked")
span.block-description-title Blocked
span.block-description(tg-bind-html="issue.blocked_note || 'This issue is blocked'")
span.block-description(ng-bind="issue.blocked_note || 'This issue is blocked'")
div.issue-nav
a.icon.icon-arrow-left(ng-show="previousUrl", tg-bo-href="previousUrl",

2
app/partials/task-detail.jade
View File

@ -29,7 +29,7 @@ block content
span(tg-bo-bind="us.subject")
p.block-desc-container(ng-show="task.is_blocked")
span.block-description-title Blocked
span.block-description(tg-bind-html="task.blocked_note || 'This task is blocked'")
span.block-description(ng-bind="task.blocked_note || 'This task is blocked'")
div.issue-nav
a.icon.icon-arrow-left(ng-show="previousUrl", tg-bo-href="previousUrl",
title="previous task")

2
app/partials/us-detail.jade
View File

@ -30,7 +30,7 @@ block content
p.block-desc-container(ng-show="us.is_blocked")
span.block-description-title Blocked
span.block-description(tg-bind-html="us.blocked_note || 'This user story is blocked'")
span.block-description(ng-bind="us.blocked_note || 'This user story is blocked'")
div.issue-nav
a.icon.icon-arrow-left(ng-show="previousUrl", tg-bo-href="previousUrl",
title="previous user story")

4
app/partials/views/components/kanban-task.jade
View File

@ -4,10 +4,10 @@ div.kanban-task-inner
div.task-text
a.task-assigned(href="", title="Assign User Story")
span.task-num(tg-bo-ref="us.ref")
a.task-name(href="", tg-bo-title="us.subject", tg-bind-html="us.subject",
a.task-name(href="", tg-bo-title="us.subject", ng-bind="us.subject",
tg-nav="project-userstories-detail:project=project.slug,ref=us.ref")
a.task-points(href="", title="Total Us points")
span(tg-bind-html="us.total_points") --
span(ng-bind="us.total_points") --
span points
a.icon.icon-edit(tg-check-permission="modify_us", href="", title="Edit")
a.icon.icon-drag-h(tg-check-permission="modify_us", href="", title="Drag&Drop")

2
app/partials/views/components/sprint-summary.jade
View File

@ -2,7 +2,7 @@ div.summary.large-summary
div
div.summary-progress-bar(tg-progress-bar="stats.completedPercentage")
div.data
span.number(tg-bind-html="stats.completedPercentage + '%'")
span.number(ng-bind="stats.completedPercentage + '%'")
ul
li

10
app/partials/views/components/summary.jade
View File

@ -2,17 +2,17 @@ div.summary
div.summary-progress-bar(tg-backlog-progress-bar="stats")
div.data
span.number(tg-bind-html="stats.completedPercentage + '%'")
span.number(ng-bind="stats.completedPercentage + '%'")
ul
li
span.number(tg-bind-html="stats.total_points") --
span.number(ng-bind="stats.total_points") --
span.description project<br />points
li
span.number(tg-bind-html="stats.defined_points") --
span.number(ng-bind="stats.defined_points") --
span.description defined<br />points
li
span.number(tg-bind-html="stats.closed_points") --
span.number(ng-bind="stats.closed_points") --
span.description closed<br />points
li
span.number(tg-bind-html="stats.speed | number:0") --
span.number(ng-bind="stats.speed | number:0") --
span.description points /<br />sprint

2
app/partials/views/modules/sprints.jade
View File

@ -4,7 +4,7 @@ section.sprints
div.summary
ul
li
span.number(tg-bind-html="sprintsCounter") --
span.number(ng-bind="sprintsCounter") --
span.description <br/>sprints
div.new-sprint
a.button.button-green(href="", title="Add New sprint",