Changeset 447


Timestamp:
Apr 22, 2008, 1:37:50 AM (17 years ago)
Author:
ecprice
Message:

Avoid HTML injection.

Cheetah is painful.

Location:
trunk/packages/sipb-xen-www/code
Files:
5 edited

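--- a/trunk/packages/sipb-xen-www/code/main.py
+++ b/trunk/packages/sipb-xen-www/code/main.py
@@ -12,4 +12,5 @@
 import sys
 import time
+import urllib
 from StringIO import StringIO
 
@@ -59,10 +60,13 @@
 checkpoint = Checkpoint()
 
+def jquote(string):
+    return "'" + string.replace('\\', '\\\\').replace("'", "\\'").replace('\n', '\\n') + "'"
 
 def helppopup(subj):
     """Return HTML code for a (?) link to a specified help topic"""
-    return ('<span class="helplink"><a href="help?subject=' + subj +
-            '&amp;simple=true" target="_blank" ' +
-            'onclick="return helppopup(\'' + subj + '\')">(?)</a></span>')
+    return ('<span class="helplink"><a href="help?' +
+            cgi.escape(urllib.urlencode(dict(subject=subj, simple='true')))
+            +'" target="_blank" ' +
+            'onclick="return helppopup(' + cgi.escape(jquote(subj)) + ')">(?)</a></span>')
 
 def makeErrorPre(old, addition):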
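Review bot: `cgi.escape(jquote(subj))` on the new onclick line (new line 70) leaves `"` unescaped, because cgi.escape only converts `&`, `<` and `>` unless its quote argument is true, so a subject containing a double quote still closes the double-quoted `onclick` attribute before the browser ever parses the JS string; it should be `cgi.escape(jquote(subj), True)`. jquote (new line 63) also leaves `\r` alone, which terminates a JS string literal just as `\n` does, so `.replace('\r', '\\r')` belongs next to the `\n` replacement. Neither function says which context it escapes for; a docstring on jquote such as `"""Return string as a single-quoted JavaScript literal; the result still needs HTML-escaping for wherever it is embedded."""` would stop it being reused for the href. `cgi` is not imported in the visible hunk, so this assumes it is imported earlier in the file.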
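--- a/trunk/packages/sipb-xen-www/code/templates/functions.tmpl
+++ b/trunk/packages/sipb-xen-www/code/templates/functions.tmpl
@@ -1,2 +1,3 @@
+#filter WebSafe
 #def databaseList($lst, $default, $onchange, $name, $id, $valueattr, $descattr)
 <select name="$name" id="$id"#slurp
@@ -19,12 +20,15 @@
 
 #def cdromList($default="", $onchange=None)
+#filter None
 $databaseList(sorted($sipb_xen_database.CDROM.select(), key=lambda x: x.description),
               default, onchange, 'cdrom', 'cdromlist', 'cdrom_id', 'description')
+#end filter
 #end def
 
 #def autoList($default="", $onchange=None)
+#filter None
 $databaseList(sorted($sipb_xen_database.Autoinstall.select(), key=lambda x: x.description),
               default, onchange, 'autoinstall', 'autoinstalllist', 'autoinstall_id', 'description')
-## $databaseList(autos, default, onchange, 'autoinstall', 'autoinstalllist', 'autoinstall_id', 'description')
+#end filter
 #end def
 
@@ -54,4 +58,6 @@
 #end if
 #end def
-
+#filter None
 $full_body
+#end filter
+#end filter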
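Review bot: The `#filter WebSafe` added at line 1 escapes `&`, `<` and `>` only, as far as I recall Cheetah's stock WebSafe filter, so placeholders that land inside double-quoted attributes — `<select name="$name" id="$id"` on line 3 of this file and the `value="$defaults.owner"`-style inputs in info.tmpl and list.tmpl — can still be terminated by a `"` in the substituted value. A small Filter subclass whose filter method additionally maps `"` to `&quot;` (WebSafe's `also` hook is the documented extension point for this), named in the `#filter` directive instead of WebSafe, would close that gap for every template sharing this file. A one-line comment next to the directive, `## every $placeholder below is HTML-escaped; wrap defs that emit markup in #filter None`, would explain the `#filter None` blocks that now appear throughout. The closing `#end filter` at new line 63 matches the file-level filter; the `$full_body` def it sits in starts outside this hunk.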
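--- a/trunk/packages/sipb-xen-www/code/templates/info.tmpl
+++ b/trunk/packages/sipb-xen-www/code/templates/info.tmpl
@@ -41,5 +41,9 @@
         #end if
       <td>Boot CD:</td>
-      <td>$cdromList()</td>
+      <td>#slurp
+#filter None
+$cdromList()#slurp
+#end filter
+</td>
   </tr>
     <tr>
@@ -62,25 +66,55 @@
   <input type="hidden" name="machine_id" value="$defaults.machine_id"/>
   <table>
-    <tr><td>Owner${helppopup("owner")}:</td><td><input type="text" name="owner", value="$defaults.owner"/></td></tr>
+    <tr><td>Owner#slurp
+#filter None
+$helppopup("owner")#slurp
+#end filter
+:</td><td><input type="text" name="owner", value="$defaults.owner"/></td></tr>
+#filter None
 $errorRow('owner', $err)
-    <tr><td>Administrator${helppopup("administrator")}:</td><td><input type="text" name="administrator", value="$defaults.administrator"/></td></tr>
+#end filter
+    <tr><td>Administrator#slurp
+#filter None
+$helppopup("administrator")#slurp
+#end filter
+:</td><td><input type="text" name="administrator", value="$defaults.administrator"/></td></tr>
+#filter None
 $errorRow('administrator', $err)
+#end filter
     <tr><td>Contact email:</td><td><input type="text" name="contact" value="$defaults.contact"/></td></tr>
+#filter None
 $errorRow('contact', $err)
+#end filter
 #if not $on
     <tr><td>Machine Name:</td><td><input type="text" name="name" value="$defaults.name"/></td></tr>
+#filter None
 $errorRow('name', $err)
+#end filter
     <tr>
-      <td>HVM/ParaVM$helppopup('hvm_paravm')</td>
-      <td>$vmTypeList($defaults.type)</td>
+      <td>HVM/ParaVM#slurp
+#filter None
+$helppopup('hvm_paravm')#slurp
+#end filter
+</td>
+      <td>#slurp
+#filter None
+$vmTypeList($defaults.type)#slurp
+#end filter
+</td>
     </tr>
     <tr><td>Ram:</td><td><input type="text" size=3 name="memory" value="$defaults.memory"/>MiB (max $max_mem)</td></tr>
+#filter None
 $errorRow('memory', $err)
+#end filter
     <tr><td>Disk:</td><td><input type="text" size=3 name="disk" value="$defaults.disk"/>GiB (max $max_disk)</td><td>WARNING: Modifying disk size may corrupt your data.</td></tr>
+#filter None
 $errorRow('disk', $err)
+#end filter
 #else
+#filter None
 $errorRow('name', $err)
 $errorRow('memory', $err)
 $errorRow('disk', $err)
+#end filter
 #end if
     <tr><td><input type="submit" class="button" name="action" value="Change"/></td></tr>
@@ -91,14 +125,20 @@
 #def body
 <div id="info">
+#filter None
   $infoTable()
+#end filter
 </div>
 
 <h2>Commands</h2>
 <div id="commands">
+#filter None
   $commands()
+#end filter
 </div>
 <h2>Settings</h2>
 <div id="modify">
+#filter None
   $modifyForm()
+#end filter
 </div>
 #end def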
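Review bot: The `#filter None` blocks now wrapping every `$errorRow(..., $err)` call (new lines 73–75, 81–83, 85–87, 90–92, 106–108, 110–112, 114–118) emit whatever errorRow returns with escaping switched off, which is only safe if errorRow escapes the message text it takes out of `$err` itself; nothing in this changeset shows that, so it should be confirmed where errorRow is defined and recorded at the first such block with `## errorRow builds its own markup and escapes the $err text it embeds`. Separately, new lines 72 and 80 carry over `name="owner", value="$defaults.owner"` and the administrator equivalent: the comma after the name attribute is parsed as a stray attribute and should be a space. The `#slurp` / `#filter None` / `#end filter` scaffolding repeated around each `$helppopup` call makes the rows hard to read; a small def in functions.tmpl that wraps its argument in `#filter None` would let each row stay on one line, which is a style point only.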
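--- a/trunk/packages/sipb-xen-www/code/templates/list.tmpl
+++ b/trunk/packages/sipb-xen-www/code/templates/list.tmpl
@@ -20,34 +20,63 @@
     <input type="hidden" name="back" value="list"/>
       <table>
+#filter None
       $errorRow('create', $err)
+#end filter
         <tr>
           <td>Name</td>
           <td><input type="text" name="name" value="$defaults.name"/></td>
         </tr>
+#filter None
 $errorRow('name', $err)
+#end filter
         <tr>
           <td>Memory</td>
           <td><input type="text" name="memory" value="$defaults.memory" size=3/> MiB ($max_memory max)</td>
         </tr>
+#filter None
 $errorRow('memory', $err)
+#end filter
         <tr>
           <td>Disk</td>
           <td><input type="text" name="disk" value="$defaults.disk" size=3/> GiB (${"%0.1f" % ($max_disk-0.05)} max)</td>
         </tr>
+#filter None
 $errorRow('disk', $err)
+#end filter
         <tr>
-          <td>HVM/ParaVM$helppopup('hvm_paravm')</td>
-          <td>$vmTypeList($defaults.type)</td>
+          <td>HVM/ParaVM#slurp
+#filter None
+$helppopup('hvm_paravm')#slurp
+#end filter
+</td>
+          <td>
+#filter None
+$vmTypeList($defaults.type)
+#end filter
+</td>
         </tr>
+#filter None
 $errorRow('vmtype', $err)
+#end filter
         <tr>
-          <td>Autoinstall$helppopup('autoinstall')</td>
-          <td><input type="radio" name="cd_or_auto" id="cd_or_auto_auto">$autoList($defaults.cdrom, "document.getElementById('cd_or_auto_auto').checked = true;document.getElementById('cdromlist').value = ''")
+          <td>Autoinstall#slurp
+#filter None
+$helppopup('autoinstall')#slurp
+#end filter
+</td>
+          <td><input type="radio" name="cd_or_auto" id="cd_or_auto_auto">
+#filter None
+$autoList($defaults.cdrom, "document.getElementById('cd_or_auto_auto').checked = true;document.getElementById('cdromlist').value = ''")
               (experimental; 1-2 minutes, and you have a machine; root pw is 'password'.)
+#end filter
           </input>
         </tr>
         <tr>
           <td>Boot CD</td>
-          <td><input type="radio" name="cd_or_auto" id="cd_or_auto_cd" checked>$cdromList($defaults.cdrom, "document.getElementById('cd_or_auto_cd').checked = true;document.getElementById('autoinstalllist').value = ''")</td>
+          <td><input type="radio" name="cd_or_auto" id="cd_or_auto_cd" checked>
+#filter None
+$cdromList($defaults.cdrom, "document.getElementById('cd_or_auto_cd').checked = true;document.getElementById('autoinstalllist').value = ''")
+#end filter
+</td>
           </input>
         </tr>
@@ -58,5 +87,7 @@
           <td><input type="text" name="owner" value="$defaults.owner"/></td>
         </tr>
+#filter None
         $errorRow('owner', $err)
+#end filter
       </table>
       <input type="submit" class="button" value="Create it!"/>
@@ -86,5 +117,7 @@
 <a href="vnc?machine_id=$machine.machine_id">Console</a>#slurp
 #else if $has_vnc[$machine] != 'Off'
+#filter None
 $has_vnc[$machine]
+#end filter
 #end if
 </td>
@@ -107,6 +140,14 @@
         <th>Name</th>
         <th>Memory</th>
-        <th>Owner$helppopup('owner')</th>
-        <th>Administrator$helppopup('administrator')</th>
+        <th>Owner#slurp
+#filter None
+$helppopup('owner')#slurp
+#end filter
+</th>
+        <th>Administrator#slurp
+#filter None
+$helppopup('administrator')#slurp
+#end filter
+</th>
         <th>IP</th>
         <th>Uptime</th>
@@ -115,5 +156,7 @@
       </tr>
       #for $machine in $machines:
+    #filter None
         $machineRow($machine)
+    #end filter
       #end for
     </table>
@@ -128,6 +171,10 @@
     <p><a href="list">refresh</a></p>
     <div id="machinelist">
+    #filter None
     $machineList($machines)
+    #end filter
     </div>
+#filter None
 $createForm()
+#end filter
 #end def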
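Review bot: The `#filter None` around `$has_vnc[$machine]` (new lines 119–121) is the one block in this file that unescapes a plain data lookup rather than a def that builds markup; it is only justified if the has_vnc values are prebuilt HTML, and if they are just status strings the escaping filter is harmless and the block should go. Whichever applies, a comment at that line would settle it, e.g. `## has_vnc values are HTML fragments assembled in main.py, not user text` (wording to be confirmed against the code that fills has_vnc). The `$vmTypeList($defaults.type)` block on new lines 52–56 omits the `#slurp` every sibling block uses, so that cell emits extra line breaks; the new lines 76–80 have the same difference. Minor, but worth making the blocks uniform.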
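--- a/trunk/packages/sipb-xen-www/code/templates/skeleton.tmpl
+++ b/trunk/packages/sipb-xen-www/code/templates/skeleton.tmpl
@@ -60,5 +60,4 @@
 </ul>
 #end if
-
 <div id="result" class="result">
 #if $varExists('result')
@@ -70,5 +69,7 @@
 <h1>$title &mdash; SIPB Virtual Servers</h1>
 #end if
+#filter None
 $body
+#end filter
 #if not $varExists('simple') or not $simple
 <hr />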
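Review bot: The `#filter None` around `$body` (new lines 71–73) only changes anything if an escaping filter is active in skeleton.tmpl, and the only `#filter WebSafe` this changeset adds is at the head of functions.tmpl; if skeleton.tmpl does not share that filter, `$title` on line 69 and the `result` block starting at line 62 are still emitted unescaped. Either way the intent is invisible to the next reader, so the directive deserves a comment such as `## $body is already-escaped HTML from the page template; everything else in this file is filtered`. If the filter really is inherited, saying so in the same comment avoids the question recurring.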