

[Merge] lp:~wallyworld/launchpad/confirmation-dialog-xss-1057901 into lp:launchpad

 

Ian Booth has proposed merging lp:~wallyworld/launchpad/confirmation-dialog-xss-1057901 into lp:launchpad.

Commit message:
Remove some xss from confirmation dialogs.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~wallyworld/launchpad/confirmation-dialog-xss-1057901/+merge/126855

Tweak the bugtask delete and information type change confirmation dialogs to remove some XSS holes.
-- 
https://code.launchpad.net/~wallyworld/launchpad/confirmation-dialog-xss-1057901/+merge/126855
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~wallyworld/launchpad/confirmation-dialog-xss-1057901 into lp:launchpad.
=== modified file 'lib/lp/app/javascript/information_type.js'
--- lib/lp/app/javascript/information_type.js	2012-09-27 03:17:02 +0000
+++ lib/lp/app/javascript/information_type.js	2012-09-28 05:43:18 +0000
@@ -208,15 +208,15 @@
     var confirm_text_template = [
         '<p class="block-sprite large-warning">',
         '    You are about to mark this bug as ',
-        '    <strong>{information_type}</strong>.<br/>',
+        '    <strong>{{information_type}}</strong>.<br/>',
         '    The bug will become invisible because there is no-one with',
-        '    permissions to see {information_type} bugs.',
+        '    permissions to see {{information_type}} bugs.',
         '</p><p>',
         '    <strong>Please confirm you really want to do this.</strong>',
         '</p>'
         ].join('');
     var title = ns.get_cache_data_from_key(value, 'value', 'name');
-    var confirm_text = Y.Lang.sub(confirm_text_template,
+    var confirm_text = Y.lp.mustache.to_html(confirm_text_template,
             {information_type: title});
     var co = new Y.lp.app.confirmationoverlay.ConfirmationOverlay({
         submit_fn: function() {
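Review bot: The fix on lines 32 and 35 rests entirely on the double-brace `{{information_type}}` form, since Mustache's triple-brace form would reinsert the value unescaped, and nothing in the hunk records that this is the load-bearing choice. A comment above the template such as `// Double braces: Y.lp.mustache.to_html HTML-escapes information_type; never use {{{...}}} here.` would keep a later edit from reintroducing the hole that Y.Lang.sub had. Presumably the value returned by `ns.get_cache_data_from_key(value, 'value', 'name')` can carry text that is not safe to inject as markup — the hunk does not show where it originates, so that is worth confirming and stating in the same comment. The enclosing function starts before this hunk and continues past it.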
@@ -351,6 +351,6 @@
     }
 };
 
-}, "0.1", {"requires": ["base", "oop", "node", "event", "io-base",
-                        "lp.ui.choiceedit", "lp.bugs.bugtask_index",
-                        "lp.app.banner.privacy", "lp.app.choice"]});
+}, "0.1", {"requires": [
+    "base", "oop", "node", "event", "io-base", "lp.mustache", "lp.app.choice",
+    "lp.bugs.bugtask_index", "lp.app.banner.privacy", "lp.ui.choiceedit"]});

=== modified file 'lib/lp/bugs/javascript/bugtask_index.js'
--- lib/lp/bugs/javascript/bugtask_index.js	2012-09-21 15:39:22 +0000
+++ lib/lp/bugs/javascript/bugtask_index.js	2012-09-28 05:43:18 +0000
@@ -353,16 +353,15 @@
  * @method _confirm_bugtask_delete
  */
 namespace._confirm_bugtask_delete = function(delete_link, conf) {
-    var delete_text_template = [
+    var delete_text = Y.lp.mustache.to_html([
         '<p class="block-sprite large-warning">',
-        '    You are about to mark bug "{bug}"<br/>as no longer affecting',
-        '    {target}.',
+        '    You are about to mark bug "{{bug}}"<br/>as no longer affecting',
+        '    {{target}}.',
         '</p><p>',
         '    <strong>Please confirm you really want to do this.</strong>',
         '</p>'
-        ].join('');
-    var delete_text = Y.Lang.sub(delete_text_template,
-            {bug: conf.bug_title, target: conf.targetname});
+        ].join(''),
+        {bug: conf.bug_title, target: conf.targetname});
     var co = new Y.lp.app.confirmationoverlay.ConfirmationOverlay({
         submit_fn: function() {
             namespace.delete_bugtask(delete_link, conf);
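Review bot: Inlining the template array into the `Y.lp.mustache.to_html([...].join(''), {...})` call on lines 65–78 makes one statement span fourteen lines with the data object trailing the `.join('')`, and it diverges from information_type.js in the same proposal, which keeps a named template variable. Keeping `var delete_text_template = [ ... ].join('');` followed by `var delete_text = Y.lp.mustache.to_html(delete_text_template, {bug: conf.bug_title, target: conf.targetname});` reads the same as the other file and keeps the escaping call on one visible line. A short comment that `{{bug}}` and `{{target}}` are deliberately the escaping form, because `conf.bug_title` and `conf.targetname` were previously substituted raw by Y.Lang.sub, would document why the switch was made. `_confirm_bugtask_delete` continues past the end of the hunk.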
@@ -1125,7 +1124,7 @@
 
 
 }, "0.1", {"requires": ["base", "oop", "node", "event", "io-base",
-                        "json-parse", "substitute",
+                        "json-parse", "lp.mustache",
                         "lp.ui.formoverlay", "lp.anim", "lp.ui.overlay",
                         "lp.ui.choiceedit", "lp.app.picker",
                         "lp.bugs.bugtask_index.portlets.subscription",

