[open-ils-commits] [GIT] Evergreen ILS branch master updated. 0d77bd8168ed4a66c2f9f759b87ac0405faa8efe
Evergreen Git
git at git.evergreen-ils.org
Fri Aug 12 16:33:56 EDT 2011
The branch, master has been updated
via 0d77bd8168ed4a66c2f9f759b87ac0405faa8efe (commit)
via f0bbdb4ce207720c8743fb3fe616e2b079a8f82c (commit)
via 4e8fb086e9c242da21ed0047b64d089a7e0a6fa7 (commit)
via c079cb29dc7f8376d3a1b02aff7c8301ee6632e5 (commit)
from 8f393387f51e2efc514ab42af89067bb040cd285 (commit)
- Log -----------------------------------------------------------------
commit 0d77bd8168ed4a66c2f9f759b87ac0405faa8efe
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Fri Aug 12 15:47:25 2011 -0400
Don't escape_html numbers in util/print.js
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Jason Etheridge <jason at esilibrary.com>
diff --git a/Open-ILS/xul/staff_client/chrome/content/util/print.js b/Open-ILS/xul/staff_client/chrome/content/util/print.js
index 068eab0..5c24b03 100644
--- a/Open-ILS/xul/staff_client/chrome/content/util/print.js
+++ b/Open-ILS/xul/staff_client/chrome/content/util/print.js
@@ -301,7 +301,7 @@ util.print.prototype = {
for (var i in params.data) {
var re = new RegExp('%'+i+'%',"g");
if (typeof params.data[i] == 'string' || typeof params.data[i] == 'number') {
- try{b = s; s=s.replace(re, this.escape_html(params.data[i]));}
+ try{b = s; s=s.replace(re, (typeof params.data[i] == 'string' ? this.escape_html(params.data[i]) : params.data[i]));}
catch(E){s = b; this.error.standard_unexpected_error_alert('print.js, template_sub(): 3 string = <' + s + '>',E);}
} else {
/* likely a null, print as an empty string */
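Review bot: The `typeof params.data[i] == 'string'` test on the new replacement line repeats the check made two lines above it, and the string-vs-number distinction really belongs in `escape_html`, which throws on any value without a `.replace` method. Coercing there, `return String(data).replace(...)`, would let this line revert to `s=s.replace(re, this.escape_html(params.data[i]));` and would also cover the `params.row[i]` substitutions earlier in template_sub, which still hand whatever the row holds to escape_html unconditionally. template_sub starts and ends outside this hunk.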
commit f0bbdb4ce207720c8743fb3fe616e2b079a8f82c
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Wed Aug 10 21:37:54 2011 -0400
Escape HTML characters in template subs
This prevents injection of random HTML from various sources.
Sources include bad bib records, org unit settings, patron info, etc.
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Jason Etheridge <jason at esilibrary.com>
diff --git a/Open-ILS/xul/staff_client/chrome/content/util/print.js b/Open-ILS/xul/staff_client/chrome/content/util/print.js
index a470651..068eab0 100644
--- a/Open-ILS/xul/staff_client/chrome/content/util/print.js
+++ b/Open-ILS/xul/staff_client/chrome/content/util/print.js
@@ -82,6 +82,9 @@ util.print.prototype = {
line = line.replace(/<block.*?>/gi,'');
line = line.replace(/<li.*?>/gi,' * ');
line = line.replace(/<.+?>/gi,'');
+ line = line.replace(/</gi,'<');
+ line = line.replace(/>/gi,'>');
+ line = line.replace(/&/gi,'&');
if (line) { new_lines.push(line); }
} else {
new_lines.push(line);
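Review bot: The three added replacements run `<` and `>` before `&`, the reverse of the order escape_html uses in the next hunk; the replacement strings are shown here as the same literal characters they match, which would make the lines no-ops, so they are presumably entity references decoded by the mail archive, and in that case the `&` pass re-escapes the ampersand of the `&lt;`/`&gt;` just produced, turning `<` into `&amp;lt;`. Escape `&` first, as escape_html does, or replace the three lines with `line = this.escape_html(line);` so there is a single implementation to keep correct. The `i` flag on these single-character patterns has no effect. The enclosing function starts and ends outside this hunk.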
@@ -92,6 +95,10 @@ util.print.prototype = {
return new_html;
},
+ 'escape_html' : function(data) {
+ return data.replace(/&/g,'&').replace(/</g,'<').replace(/>/g,'>');
+ },
+
'simple' : function(msg,params) {
try {
if (!params) params = {};
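Review bot: escape_html leaves `"` and `'` untouched, so a substituted value that lands inside an attribute in a template (a `title="%...%"` placeholder, say) can still break out of it; extending the chain with `.replace(/"/g,'&quot;').replace(/'/g,'&#39;')` makes the helper safe for attribute context as well as element text. It also calls `.replace` directly on `data`, so numbers, null and undefined throw a TypeError instead of being escaped, and the `params.row[i]` and `params.data[i]` substitutions in the template_sub hunks below pass exactly such raw values and would land in their catch blocks; starting the chain with `String(data)` avoids that. With that coercion the typeof guard added later in commit 0d77bd8 becomes unnecessary.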
@@ -222,32 +229,32 @@ util.print.prototype = {
try{b = s; s = s.replace(/%LINE_NO%/g,Number(params.row_idx)+1);}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%patron_barcode%/g,params.patron_barcode);}
+ try{b = s; s = s.replace(/%patron_barcode%/g,this.escape_html(params.patron_barcode));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%LIBRARY%/g,params.lib.name());}
+ try{b = s; s = s.replace(/%LIBRARY%/g,this.escape_html(params.lib.name()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PINES_CODE%/g,params.lib.shortname());}
+ try{b = s; s = s.replace(/%PINES_CODE%/g,this.escape_html(params.lib.shortname()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%SHORTNAME%/g,params.lib.shortname());}
+ try{b = s; s = s.replace(/%SHORTNAME%/g,this.escape_html(params.lib.shortname()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_FIRSTNAME%/g,params.staff.first_given_name());}
+ try{b = s; s = s.replace(/%STAFF_FIRSTNAME%/g,this.escape_html(params.staff.first_given_name()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_LASTNAME%/g,params.staff.family_name());}
+ try{b = s; s = s.replace(/%STAFF_LASTNAME%/g,this.escape_html(params.staff.family_name()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_BARCODE%/g,params.staff.barcode); }
+ try{b = s; s = s.replace(/%STAFF_BARCODE%/g,this.escape_html(params.staff.barcode)); }
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%STAFF_PROFILE%/g,obj.data.hash.pgt[ params.staff.profile() ].name() ); }
+ try{b = s; s = s.replace(/%STAFF_PROFILE%/g,this.escape_html(obj.data.hash.pgt[ params.staff.profile() ].name() )); }
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_ALIAS_OR_FIRSTNAME%/g,(params.patron.alias() == '' || params.patron.alias() == null) ? params.patron.first_given_name() : params.patron.alias());}
+ try{b = s; s = s.replace(/%PATRON_ALIAS_OR_FIRSTNAME%/g,this.escape_html((params.patron.alias() == '' || params.patron.alias() == null) ? params.patron.first_given_name() : params.patron.alias()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_ALIAS%/g,(params.patron.alias() == '' || params.patron.alias() == null) ? '' : params.patron.alias());}
+ try{b = s; s = s.replace(/%PATRON_ALIAS%/g,this.escape_html((params.patron.alias() == '' || params.patron.alias() == null) ? '' : params.patron.alias()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_FIRSTNAME%/g,params.patron.first_given_name());}
+ try{b = s; s = s.replace(/%PATRON_FIRSTNAME%/g,this.escape_html(params.patron.first_given_name()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_LASTNAME%/g,params.patron.family_name());}
+ try{b = s; s = s.replace(/%PATRON_LASTNAME%/g,this.escape_html(params.patron.family_name()));}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
- try{b = s; s = s.replace(/%PATRON_BARCODE%/g,typeof params.patron.card() == 'object' ? params.patron.card().barcode() : util.functional.find_id_object_in_list( params.patron.cards(), params.patron.card() ).barcode() ) ;}
+ try{b = s; s = s.replace(/%PATRON_BARCODE%/g,this.escape_html(typeof params.patron.card() == 'object' ? params.patron.card().barcode() : util.functional.find_id_object_in_list( params.patron.cards(), params.patron.card() ).barcode() )) ;}
catch(E){s = b; this.error.sdump('D_WARN','string = <' + s + '> error = ' + js2JSON(E)+'\n');}
try{b = s; s=s.replace(/%TODAY%/g,(new Date()));}
@@ -277,14 +284,14 @@ util.print.prototype = {
alert('debug - please tell the developers that deprecated template code tried to execute');
for (var i = 0; i < cols.length; i++) {
var re = new RegExp(cols[i],"g");
- try{b = s; s=s.replace(re, params.row[i]);}
+ try{b = s; s=s.replace(re, this.escape_html(params.row[i]));}
catch(E){s = b; this.error.standard_unexpected_error_alert('print.js, template_sub(): 1 string = <' + s + '>',E);}
}
} else {
/* for dump_with_keys */
for (var i in params.row) {
var re = new RegExp('%'+i+'%',"g");
- try{b = s; s=s.replace(re, params.row[i]);}
+ try{b = s; s=s.replace(re, this.escape_html(params.row[i]));}
catch(E){s = b; this.error.standard_unexpected_error_alert('print.js, template_sub(): 2 string = <' + s + '>',E);}
}
}
@@ -294,7 +301,7 @@ util.print.prototype = {
for (var i in params.data) {
var re = new RegExp('%'+i+'%',"g");
if (typeof params.data[i] == 'string' || typeof params.data[i] == 'number') {
- try{b = s; s=s.replace(re, params.data[i]);}
+ try{b = s; s=s.replace(re, this.escape_html(params.data[i]));}
catch(E){s = b; this.error.standard_unexpected_error_alert('print.js, template_sub(): 3 string = <' + s + '>',E);}
} else {
/* likely a null, print as an empty string */
commit 4e8fb086e9c242da21ed0047b64d089a7e0a6fa7
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Wed Aug 10 21:03:46 2011 -0400
Use openDialog to make go_print workaround vanish
By passing params and the go_print function into openDialog we get
to ignore race conditions, as the window is created with the passed-in
arguments.
Oh, and we can stop using js2JSON and such.
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Jason Etheridge <jason at esilibrary.com>
diff --git a/Open-ILS/xul/staff_client/chrome/content/util/print.js b/Open-ILS/xul/staff_client/chrome/content/util/print.js
index aba38e9..a470651 100644
--- a/Open-ILS/xul/staff_client/chrome/content/util/print.js
+++ b/Open-ILS/xul/staff_client/chrome/content/util/print.js
@@ -148,13 +148,11 @@ util.print.prototype = {
switch(content_type) {
case 'text/html' :
- var jsrc = 'data:text/javascript,' + window.escape('var params = { "data" : ' + js2JSON(params.data) + ', "list" : ' + js2JSON(params.list) + '}; function my_init() { if (typeof go_print == "function") { go_print(); } else { setTimeout( function() { if (typeof go_print == "function") { alert("Please tell the developers that the 2-second go_print workaround executed, and let them know whether this job printed successfully. Thanks!"); go_print(); } else { alert("Please tell the developers that the 2-second go_print workaround did not work. We will try to print one more time; there have been reports of wasted receipt paper at this point. Please check the settings in the print dialog and/or prepare to power off your printer. Thanks!"); window.print(); } }, 2000 ); } /* FIXME - mozilla bug#301560 - xpcom kills it too */ }');
+ var jsrc = 'data:text/javascript,' + window.escape('var params = window.arguments[0]; window.go_print = window.arguments[1];');
var print_url = 'data:text/html,'
+ '<html id="top"><head><script src="/xul/server/main/JSAN.js"></script><script src="' + window.escape(jsrc) + '"></script></head>'
- + '<body onload="try{my_init();}catch(E){alert(E);}">' + window.escape(msg) + '</body></html>';
- w = obj.win.open(print_url,'receipt_temp','chrome,resizable');
- w.minimize();
- w.go_print = function() {
+ + '<body onload="try{go_print();}catch(E){alert(E);}">' + window.escape(msg) + '</body></html>';
+ w = obj.win.openDialog(print_url,'receipt_temp','chrome,resizable,minimizable', null, { "data" : params.data, "list" : params.list}, function() {
try {
obj.NSPrint(w, silent, params);
} catch(E) {
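Review bot: The receipt document is opened with the `chrome` feature and `msg` is interpolated into it through `window.escape`, so whatever markup survives template substitution renders in what is presumably a privileged window; a comment at the `print_url` assignment making that dependency explicit, `// msg must already be escaped per placeholder (see escape_html): this data: URL is opened as chrome`, would stop a future caller from passing unescaped HTML. The new `jsrc` also assumes the document was launched through openDialog: if the data: URL is ever loaded another way, `window.arguments` is undefined and the onload handler's `alert(E)` shows a bare TypeError rather than a useful message. The callback passed as the last openDialog argument continues past the end of this hunk.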
@@ -162,7 +160,8 @@ util.print.prototype = {
w.print();
}
w.minimize(); w.close();
- }
+ });
+ w.minimize();
break;
default:
w = obj.win.open('data:' + content_type + ',' + window.escape(msg),'receipt_temp','chrome,resizable');
commit c079cb29dc7f8376d3a1b02aff7c8301ee6632e5
Author: Thomas Berezansky <tsbere at mvlc.org>
Date: Wed Aug 10 21:02:51 2011 -0400
Add openDialog to window class
Uses window.openDialog instead of window.open.
https://developer.mozilla.org/en/DOM/window.openDialog
Signed-off-by: Thomas Berezansky <tsbere at mvlc.org>
Signed-off-by: Jason Etheridge <jason at esilibrary.com>
diff --git a/Open-ILS/xul/staff_client/chrome/content/util/window.js b/Open-ILS/xul/staff_client/chrome/content/util/window.js
index fc1c19a..dbacd79 100644
--- a/Open-ILS/xul/staff_client/chrome/content/util/window.js
+++ b/Open-ILS/xul/staff_client/chrome/content/util/window.js
@@ -59,6 +59,33 @@ util.window.prototype = {
return w;
},
+ 'SafeWindowOpenDialog' : function (url,title,features) {
+ var w;
+
+ netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+ netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesRead");
+ netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesWrite");
+ netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
+ netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserWrite");
+
+ const CI = Components.interfaces;
+ const PB = Components.classes["@mozilla.org/preferences-service;1"].getService(CI.nsIPrefBranch);
+
+ var blocked = false;
+ try {
+ // pref 'dom.disable_open_during_load' is the main popup blocker preference
+ blocked = PB.getBoolPref("dom.disable_open_during_load");
+ if(blocked) PB.setBoolPref("dom.disable_open_during_load",false);
+ w = this.win.openDialog.apply(this.win,arguments);
+ } catch(E) {
+ this.error.sdump('D_ERROR','window.SafeWindowOpen: ' + E + '\n');
+ throw(E);
+ }
+ if(blocked) PB.setBoolPref("dom.disable_open_during_load",true);
+
+ return w;
+ },
+
'open' : function(url,title,features,my_xulG) {
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
var key;
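Review bot: The popup-blocker pref switched off at the `if(blocked) PB.setBoolPref(...,false)` line is only restored on the success path; when openDialog throws, the `throw(E)` in the catch skips the restore that follows it, leaving `dom.disable_open_during_load` false for the rest of the session. Move the restore into a `finally` so both paths reset it: `} finally { if(blocked) PB.setBoolPref("dom.disable_open_during_load",true); }`. The sdump text still says `window.SafeWindowOpen:`, presumably copied from the sibling helper; it should read `window.SafeWindowOpenDialog:` so the two can be told apart in logs. The `open` method whose header closes this hunk continues outside it.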
@@ -108,6 +135,59 @@ util.window.prototype = {
);
*/
return w;
+ },
+
+ 'openDialog' : function(url,title,features,my_xulG) {
+ netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+ var key;
+ if (!title) title = '_blank';
+ if (!features) features = 'chrome'; // Note that this is a default for openDialog anyway
+ var outArgs = Array.prototype.slice.call(arguments);
+ outArgs.splice(3,1); // Remove my_xulG
+ this.error.sdump('D_WIN', 'opening ' + url + ', ' + title + ', ' + features + ' from ' + this.win + '\n');
+ var data;
+ if (features.match(/modal/) && my_xulG) {
+ JSAN.use('OpenILS.data'); data = new OpenILS.data(); data.init({'via':'stash'});
+ if (typeof data.modal_xulG_stack == 'undefined') data.modal_xulG_stack = {};
+ /* FIXME - not a perfect key.. could imagine two top-level windows both opening modal windows */
+ key = url;
+ if (typeof xulG == 'object') {
+ if (typeof xulG.url_prefix == 'function') {
+ key = key.replace( xulG.url_prefix('/'), '/' );
+ }
+ } else if (typeof url_prefix == 'function') {
+ key = key.replace( url_prefix('/'), '/' );
+ }
+ if (typeof data.modal_xulG_stack[key] == 'undefined') data.modal_xulG_stack[key] = [];
+ data.modal_xulG_stack[key].push( my_xulG );
+ data.stash('modal_xulG_stack');
+ this.error.sdump('D_WIN','modal key = ' + key);
+ }
+ var w = this.SafeWindowOpenDialog.apply(this, outArgs);
+ if (features.match(/modal/) && my_xulG) {
+ data.init({'via':'stash'});
+ var x = data.modal_xulG_stack[key].pop();
+ data.stash('modal_xulG_stack');
+ w.focus();
+ return x;
+ } else {
+ if (my_xulG) {
+ if (get_contentWindow(w)) {
+ get_contentWindow(w).xulG = my_xulG;
+ } else {
+ w.xulG = my_xulG;
+ }
+ }
+ }
+ /*
+ setTimeout(
+ function() {
+ try { w.title = title; } catch(E) { dump('**'+E+'\n'); }
+ try { w.document.title = title; } catch(E) { dump('**'+E+'\n'); }
+ }, 0
+ );
+ */
+ return w;
}
}
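Review bot: The `'_blank'` and `'chrome'` defaults assigned to `title` and `features` are never forwarded: `outArgs` is sliced from `arguments`, which holds only the values the caller actually passed, so a call with just a url reaches SafeWindowOpenDialog with title and features absent. Build the forwarded list from the locals instead, `var outArgs = [url, title, features].concat(Array.prototype.slice.call(arguments, 4));`, which also makes the `outArgs.splice(3,1)` line unnecessary. The `url` is written to the D_WIN log in full on the `opening` line; that is fine for debugging but worth a short comment if urls can carry session parameters.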
-----------------------------------------------------------------------
Summary of changes:
.../xul/staff_client/chrome/content/util/print.js | 50 +++++++------
.../xul/staff_client/chrome/content/util/window.js | 80 ++++++++++++++++++++
2 files changed, 108 insertions(+), 22 deletions(-)