launchpad-reviewers team mailing list archive

[Merge] lp:~wallyworld/launchpad/recipe-build-popup-xss into lp:launchpad

 

Ian Booth has proposed merging lp:~wallyworld/launchpad/recipe-build-popup-xss into lp:launchpad.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~wallyworld/launchpad/recipe-build-popup-xss/+merge/54468

Fix unquoted distro series name in request build popup form.

== Implementation ==

Fix the JavaScript to do the escaping.

== Test ==

Modify the existing windmill test to include a distro series name with HTML chars in it.

bin/test -vvt test_recipe_request_build

= Launchpad lint =

Checking for conflicts and issues in changed files.

Linting changed files:
  lib/lp/code/javascript/requestbuild_overlay.js
  lib/lp/code/windmill/tests/test_recipe_request_build.py


-- 
https://code.launchpad.net/~wallyworld/launchpad/recipe-build-popup-xss/+merge/54468
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~wallyworld/launchpad/recipe-build-popup-xss into lp:launchpad.
=== modified file 'lib/lp/code/javascript/requestbuild_overlay.js'
--- lib/lp/code/javascript/requestbuild_overlay.js	2011-03-16 02:47:30 +0000
+++ lib/lp/code/javascript/requestbuild_overlay.js	2011-03-23 05:45:51 +0000
@@ -421,8 +421,10 @@
             var distro = distroseries_node.get("text").trim();
             if (distro == distroarchive[0]) {
                 nr_matches += 1;
+                var escaped_distro = Y.Escape.html(distro);
                 var disabled_checkbox_html = Y.Lang.substitute(
-                    DISABLED_DISTROSERIES_CHECKBOX_HTML, {distro: distro});
+                    DISABLED_DISTROSERIES_CHECKBOX_HTML,
+                    {distro: escaped_distro});
                 distroseries_node.set("innerHTML", disabled_checkbox_html);
                 distroseries_node.addClass("lowlight");
                 break;
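Review bot: The escape added at `var escaped_distro = Y.Escape.html(distro);` only protects the substitution if `{distro}` sits in element content or inside a quoted attribute of DISABLED_DISTROSERIES_CHECKBOX_HTML, and that template is not visible in this hunk, so please confirm where the placeholder lands. Keeping the comparison `distro == distroarchive[0]` on the unescaped value is right. Because `distro` is read with `get("text")` and then written back through `set("innerHTML", ...)`, a one-line comment saying that this round trip is why the escape is needed would help the next reader. An alternative is to build the checkbox markup without the name and set the label with `set("text", distro)`, so that no escaping step can be forgotten later.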
@@ -487,5 +489,6 @@
             LP.cache.context.self_link, 'getPendingBuildInfo', y_config);
 }
 }, "0.1", {"requires": [
-    "dom", "node", "io-base", "lazr.anim", "lazr.formoverlay", "lp.client"
+    "dom", "node", "escape", "io-base", "lazr.anim", "lazr.formoverlay",
+    "lp.client"
     ]});

=== modified file 'lib/lp/code/windmill/tests/test_recipe_request_build.py'
--- lib/lp/code/windmill/tests/test_recipe_request_build.py	2011-03-01 03:58:18 +0000
+++ lib/lp/code/windmill/tests/test_recipe_request_build.py	2011-03-23 05:45:51 +0000
@@ -39,8 +39,8 @@
         self.ppa = self.factory.makeArchive(
             displayname='Secret PPA', owner=self.chef, name='ppa')
         self.squirrel = self.factory.makeDistroSeries(
-            displayname='Secret Squirrel', name='secret', version='100.04',
-            distribution=self.ppa.distribution)
+            displayname='Secret Squirrel <nutty>', name='secret',
+            version='100.04', distribution=self.ppa.distribution)
         naked_squirrel = removeSecurityProxy(self.squirrel)
         naked_squirrel.nominatedarchindep = self.squirrel.newArch(
             'i386', ProcessorFamily.get(1), False, self.chef,
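Review bot: The fixture change to `displayname='Secret Squirrel <nutty>'` feeds HTML characters into the popup, but nothing in this hunk asserts that the name is rendered as literal text, so it is not clear from here that the test would fail without the JavaScript fix. If the existing assertions do not already compare the rendered label text, add one that expects the literal `Secret Squirrel <nutty>`. Including `&` and a quote character in the display name would also cover the case where the value ends up inside an attribute.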