kallithea Changeset - 642fa51e0d0b

Changeset - 642fa51e0d0b

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Mads Kiilerich (mads) - 5 years ago 2020-11-07 18:27:33
mads@kiilerich.com

Grafted from: 21fa569a5e54

lib: move js escaping from helpers to webutils

It was no real problem it lived in helpers: it was only used from templates
anyway.

But for completeness and correctness, move all web utils to webutils.

2 files changed with 56 insertions and 49 deletions:

kallithea/lib/helpers.py

kallithea/lib/webutils.py

0 comments (0 inline, 0 general)

kallithea/lib/helpers.py

➞

Show inline comments

@@ @@ -15,13 +15,12 @@ @@
 Helper functions
 Consists of functions to typically be used within templates, but also
 available to Controllers. This module is available to both as 'h'.
 """
 import hashlib
 import json
 import logging
 import re
 import textwrap
 import urllib.parse
 from beaker.cache import cache_region
@@ @@ -44,29 +43,32 @@ from kallithea.lib.utils2 import (MENTIO @@
 from kallithea.lib.vcs.backends.base import BaseChangeset, EmptyChangeset
 from kallithea.lib.vcs.exceptions import ChangesetDoesNotExistError
 #==============================================================================
 # SCM FILTERS available via h.
 #==============================================================================
 from kallithea.lib.vcs.utils import author_email, author_name
 from kallithea.lib.webutils import (HTML, Option, canonical_url, checkbox, chop_at, end_form, escape, form, format_byte_size, hidden, html_escape, link_to,
                                     literal, password, pop_flash_messages, radio, reset, safeid, select, session_csrf_secret_name, session_csrf_secret_token,
                                     submit, text, textarea, truncate, url, wrap_paragraphs)
 from kallithea.lib.webutils import (HTML, Option, canonical_url, checkbox, chop_at, end_form, escape, form, format_byte_size, hidden, html_escape, js, jshtml,
                                     link_to, literal, password, pop_flash_messages, radio, reset, safeid, select, session_csrf_secret_name,
                                     session_csrf_secret_token, submit, text, textarea, truncate, url, wrap_paragraphs)
 from kallithea.model import db
 from kallithea.model.changeset_status import ChangesetStatusModel
 # mute pyflakes "imported but unused"
 # from webutils
 assert HTML
 assert Option
 assert canonical_url
 assert checkbox
 assert chop_at
 assert end_form
 assert form
 assert format_byte_size
 assert hidden
 assert js
 assert jshtml
 assert password
 assert pop_flash_messages
 assert radio
 assert reset
 assert safeid
 assert select
@@ @@ -90,57 +92,12 @@ assert time_to_datetime @@
 assert EmptyChangeset
 log = logging.getLogger(__name__)
 def js(value):
     """Convert Python value to the corresponding JavaScript representation.
     This is necessary to safely insert arbitrary values into HTML <script>
     sections e.g. using Mako template expression substitution.
     Note: Rather than using this function, it's preferable to avoid the
     insertion of values into HTML <script> sections altogether. Instead,
     data should (to the extent possible) be passed to JavaScript using
     data attributes or AJAX calls, eliminating the need for JS specific
     escaping.
     Note: This is not safe for use in attributes (e.g. onclick), because
     quotes are not escaped.
     Because the rules for parsing <script> varies between XHTML (where
     normal rules apply for any special characters) and HTML (where
     entities are not interpreted, but the literal string "</script>"
     is forbidden), the function ensures that the result never contains
     '&', '<' and '>', thus making it safe in both those contexts (but
     not in attributes).
     """
     return literal(
         ('(' + json.dumps(value) + ')')
         # In JSON, the following can only appear in string literals.
         .replace('&', r'\x26')
         .replace('<', r'\x3c')
         .replace('>', r'\x3e')
+    )
 def jshtml(val):
     """HTML escapes a string value, then converts the resulting string
     to its corresponding JavaScript representation (see `js`).
     This is used when a plain-text string (possibly containing special
     HTML characters) will be used by a script in an HTML context (e.g.
     element.innerHTML or jQuery's 'html' method).
     If in doubt, err on the side of using `jshtml` over `js`, since it's
     better to escape too much than too little.
     """
     return js(escape(val))
 def FID(raw_id, path):
     """
     Creates a unique ID for filenode based on it's hash of path and revision
     it's safe to use in urls
     """
     return 'C-%s-%s' % (short_id(raw_id), hashlib.md5(safe_bytes(path)).hexdigest()[:12])

kallithea/lib/webutils.py

➞

Show inline comments

@@ @@ -17,12 +17,13 @@ kallithea.lib.webutils @@
 Helper functions that may rely on the current WSGI request, exposed in the TG2
 thread-local "global" variables. It should have few dependencies so it can be
 imported anywhere - just like the global variables can be used everywhere.
 """
 import json
 import logging
 import random
 from tg import request, session
 from webhelpers2.html import HTML, escape, literal
 from webhelpers2.html.tags import NotGiven, Option, Options, _input
@@ @@ -253,6 +254,55 @@ def flash(message, category, logf=None): @@
 def pop_flash_messages():
     """Return all accumulated messages and delete them from the session.
     The return value is a list of ``Message`` objects.
     """
     return [_Message(category, message) for category, message in _session_flash_messages(clear=True)]
+#
 # Generic-ish formatting and markup
+#
 def js(value):
     """Convert Python value to the corresponding JavaScript representation.
     This is necessary to safely insert arbitrary values into HTML <script>
     sections e.g. using Mako template expression substitution.
     Note: Rather than using this function, it's preferable to avoid the
     insertion of values into HTML <script> sections altogether. Instead,
     data should (to the extent possible) be passed to JavaScript using
     data attributes or AJAX calls, eliminating the need for JS specific
     escaping.
     Note: This is not safe for use in attributes (e.g. onclick), because
     quotes are not escaped.
     Because the rules for parsing <script> varies between XHTML (where
     normal rules apply for any special characters) and HTML (where
     entities are not interpreted, but the literal string "</script>"
     is forbidden), the function ensures that the result never contains
     '&', '<' and '>', thus making it safe in both those contexts (but
     not in attributes).
     """
     return literal(
         ('(' + json.dumps(value) + ')')
         # In JSON, the following can only appear in string literals.
         .replace('&', r'\x26')
         .replace('<', r'\x3c')
         .replace('>', r'\x3e')
+    )
 def jshtml(val):
     """HTML escapes a string value, then converts the resulting string
     to its corresponding JavaScript representation (see `js`).
     This is used when a plain-text string (possibly containing special
     HTML characters) will be used by a script in an HTML context (e.g.
     element.innerHTML or jQuery's 'html' method).
     If in doubt, err on the side of using `jshtml` over `js`, since it's
     better to escape too much than too little.
     """
     return js(escape(val))

0 comments (0 inline, 0 general)