diff --git a/www/kojiweb/activesession.chtml b/www/kojiweb/activesession.chtml index df4ca303..eec433f2 100644 --- a/www/kojiweb/activesession.chtml +++ b/www/kojiweb/activesession.chtml @@ -18,7 +18,7 @@ #for $act in $activesess $act.id - $util.escapeHTML($act.hostip) + $act.hostip $act.authtype $util.formatTimeLong($act.start_time) $act.lengthSession days diff --git a/www/kojiweb/archiveinfo.chtml b/www/kojiweb/archiveinfo.chtml index 9acb5e08..ee503733 100644 --- a/www/kojiweb/archiveinfo.chtml +++ b/www/kojiweb/archiveinfo.chtml @@ -6,7 +6,7 @@ #attr _PASSTHROUGH = ['archiveID', 'fileOrder', 'fileStart', 'buildrootOrder', 'buildrootStart'] #include "includes/header.chtml" -
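Review bot: `$act.hostip` on the new side is protected only by whatever output filter the template engine applies to placeholders, and neither that filter nor a test for it is visible on this page. The same substitution is made in the other templates of this commit (`$archive.filename`, `$build.package_name`, `$pformat($archive.extra)`, `$koji.util.formatChangelog($changelog)` and so on). One regression test that renders a page with a constructed value such as `<b>&"` and asserts the entity-encoded form in the output would guard all of them. A template comment such as `## placeholders here rely on the default HTML-escaping filter` near the top of each file would warn later editors not to bypass the filter.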

Information for archive $util.escapeHTML($archive.filename)

+

Information for archive $archive.filename

@@ -16,7 +16,7 @@ #if $wininfo #else - + #end if #if $archive.metadata_only @@ -25,7 +25,7 @@ #end if - + @@ -62,7 +62,7 @@ #end if #if $archive.get('extra') - + #end if #if $files @@ -97,7 +97,7 @@ #for $file in $files - + #end for
File Name$koji.pathinfo.winfile($archive)File Name$util.escapeHTML($archive.filename)File Name$archive.filename
File Type$util.escapeHTML($archive_type.description)File Type$archive_type.description
Build$koji.buildLabel($build)
Extra$util.escapeHTML($pformat($archive.extra))Extra$pformat($archive.extra)
$util.escapeHTML($file.name)$util.formatNatural($file.size)$file.name$util.formatNatural($file.size)
@@ -116,7 +116,7 @@ Page: diff --git a/www/kojiweb/archivelist.chtml b/www/kojiweb/archivelist.chtml index c9f3149f..846f7b27 100644 --- a/www/kojiweb/archivelist.chtml +++ b/www/kojiweb/archivelist.chtml @@ -1,7 +1,8 @@ #from kojiweb import util #include "includes/header.chtml" -# + +#@util.safe_return #def getID() #if $type == 'image' imageID=$image.id #slurp @@ -13,7 +14,7 @@ buildrootID=$buildroot.id #slurp #if $type == 'component'

Component Archives of buildroot $util.brLabel($buildroot)

#elif $type == 'image' -

Archives installed in $util.escapeHTML($image.filename)

+

Archives installed in $image.filename

#else

Archives built in buildroot $util.brLabel($buildroot)

#end if @@ -52,8 +53,8 @@ buildrootID=$buildroot.id #slurp #if $len($archives) > 0 #for $archive in $archives - $util.escapeHTML($archive.filename) - $util.escapeHTML($archive.type_name) + $archive.filename + $archive.type_name #if $type == 'component' #set $project = $archive.project and 'yes' or 'no' $util.imageTag($project) diff --git a/www/kojiweb/buildinfo.chtml b/www/kojiweb/buildinfo.chtml index a721325b..aee3fb2c 100644 --- a/www/kojiweb/buildinfo.chtml +++ b/www/kojiweb/buildinfo.chtml @@ -13,7 +13,7 @@ ID$build.id - Package Name$util.escapeHTML($build.package_name) + Package Name$build.package_name Version$build.version @@ -64,12 +64,12 @@ #end if #if $summary - Summary$util.escapeHTML($summary) + Summary$summary #end if #if $description - Description$util.escapeHTML($description) + Description$description #end if #if $vcs @@ -83,7 +83,7 @@ #end if - Built by$util.escapeHTML($build.owner_name) + Built by$build.owner_name #set $stateName = $util.stateName($build.state) @@ -98,7 +98,7 @@ Volume - $util.escapeHTML($build.volume_name) + $build.volume_name Started$util.formatTimeLong($start_ts) @@ -119,12 +119,12 @@ Promoted$util.formatTimeLong($build.promotion_ts) - Promoted by$util.escapeHTML($build.promoter_name) + Promoted by$build.promoter_name #end if #if $build.cg_id - Content generator$util.escapeHTML($build.cg_name) + Content generator$build.cg_name #end if #if $task @@ -134,7 +134,7 @@ #end if #if $build.get('extra') - Extra$util.escapeHTML($pformat($build.extra)) + Extra$pformat($build.extra) #end if @@ -144,7 +144,7 @@ #for $tag in $tags - + #end for
$util.escapeHTML($tag.name)$tag.name
@@ -249,7 +249,7 @@ - $util.escapeHTML($loginfo.name) + $loginfo.name #end for @@ -261,7 +261,7 @@ #if $changelog Changelog - $util.escapeHTML($koji.util.formatChangelog($changelog)) + $koji.util.formatChangelog($changelog) #end if diff --git a/www/kojiweb/buildrootinfo.chtml b/www/kojiweb/buildrootinfo.chtml index 00ef53df..7f64ee1f 100644 --- a/www/kojiweb/buildrootinfo.chtml +++ b/www/kojiweb/buildrootinfo.chtml @@ -8,10 +8,10 @@ - + - + @@ -32,7 +32,7 @@ - + @@ -42,7 +42,7 @@ #if $buildroot.get('extra') - + #end if diff --git a/www/kojiweb/buildrootinfo_cg.chtml b/www/kojiweb/buildrootinfo_cg.chtml index 2f2a9b42..25edb6a5 100644 --- a/www/kojiweb/buildrootinfo_cg.chtml +++ b/www/kojiweb/buildrootinfo_cg.chtml @@ -11,23 +11,23 @@ - + - + - + - + - + #if $buildroot.get('extra') - + #end if diff --git a/www/kojiweb/buildroots.chtml b/www/kojiweb/buildroots.chtml index 6af03679..54f3ec7d 100644 --- a/www/kojiweb/buildroots.chtml +++ b/www/kojiweb/buildroots.chtml @@ -17,7 +17,7 @@
Host$util.escapeHTML($buildroot.host_name)Host$buildroot.host_name
Arch$util.escapeHTML($buildroot.arch)Arch$buildroot.arch
ID$buildroot.idRepo ID$buildroot.repo_id
Repo Tag$util.escapeHTML($buildroot.tag_name)Repo Tag$buildroot.tag_name
Repo State$util.imageTag($util.repoStateName($buildroot.repo_state))
Extra$util.escapeHTML($pformat($buildroot.extra))Extra$pformat($buildroot.extra)
ID$buildroot.id
Host OS$util.escapeHTML($buildroot.host_os)Host OS$buildroot.host_os
Host Arch$util.escapeHTML($buildroot.host_arch)Host Arch$buildroot.host_arch
Content Generator$util.escapeHTML($buildroot.cg_name) ($buildroot.cg_version)Content Generator$buildroot.cg_name ($buildroot.cg_version)
Container Type$util.escapeHTML($buildroot.container_type)Container Type$buildroot.container_type
Container Arch$util.escapeHTML($buildroot.container_arch)Container Arch$buildroot.container_arch
Extra$util.escapeHTML($pformat($buildroot.extra))Extra$pformat($buildroot.extra)
@@ -30,7 +30,7 @@ Page: @@ -59,7 +59,7 @@ $buildroot.id $buildroot.repo_id $buildroot.task_id - $util.escapeHTML($buildroot.tag_name) + $buildroot.tag_name #set $stateName = $util.brStateName($buildroot.state) $util.brStateImage($buildroot.state) @@ -76,7 +76,7 @@ Page: diff --git a/www/kojiweb/builds.chtml b/www/kojiweb/builds.chtml index dee5e2fd..15ecd85d 100644 --- a/www/kojiweb/builds.chtml +++ b/www/kojiweb/builds.chtml @@ -5,7 +5,32 @@ #include "includes/header.chtml" -

#if $latest then 'Latest ' else ''##if $state != None then $util.stateName($state).capitalize() + ' ' else ''##if $type then $type.capitalize() + ' ' else ''#Builds#if $package then ' of %s' % ($package.id, $util.escapeHTML($package.name)) else ''##if $prefix then ' starting with "%s"' % $prefix else ''##if $user then ' by %s' % ($user.id, $util.escapeHTML($user.name)) else ''##if $tag then ' in tag %s' % ($tag.id, $util.escapeHTML($tag.name)) else ''#

+#@util.safe_return +#def getDescription() +#if $latest +Latest +#elif $state != None +$util.stateName($state).capitalize() +#end if +#if $type +$type.capitalize() +#end if +Builds +#if $package +of $package.name +#end if +#if $user +by $user.name +#end if +#if $prefix +starting with "$prefix" +#end if +#if $tag +in tag $tag.name +#end if +#end def + +

$getDescription()
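Review bot: `getDescription()` now carries `#@util.safe_return` while still interpolating `$prefix`, `$package.name`, `$user.name` and `$tag.name`, so its output is safe only if each placeholder is escaped inside the `#def` body before the decorator marks the result as trusted (the decorator's definition is not on this page, so that is an assumption to confirm). `$prefix` deserves its own test because the old expression inserted it with no `escapeHTML` call at all and it sits inside double quotes: `starting with "$prefix"`. The same pattern appears in `getDescription()` in packages.chtml, which also drops the quotes around `$prefix` that the old heading had, and in `headerArch($arch)` / `headerChannel($channel)` in hosts.chtml. A one-line comment above each decorated `#def`, for example `## safe_return: body emits trusted markup; every $placeholder must still be filtered`, would record the contract.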

@@ -16,8 +41,8 @@ Latest: @@ -48,9 +73,9 @@ @@ -59,8 +84,8 @@ Inherited: #end if @@ -79,7 +104,7 @@ | #end for #if $prefix - all + all #else all #end if @@ -92,7 +117,7 @@ Page: @@ -122,11 +147,11 @@ #for $build in $builds - + #if $tag - + #end if - + #set $stateName = $util.stateName($build.state) @@ -144,7 +169,7 @@ Page: diff --git a/www/kojiweb/buildsbystatus.chtml b/www/kojiweb/buildsbystatus.chtml index 5d23cacf..e416f795 100644 --- a/www/kojiweb/buildsbystatus.chtml +++ b/www/kojiweb/buildsbystatus.chtml @@ -1,10 +1,11 @@ #from kojiweb import util +#@util.safe_return #def printOption(value, label=None) #if not $label #set $label = $value #end if - + #end def #set $numTotal = $numSucceeded + $numFailed + $numCanceled diff --git a/www/kojiweb/buildsbytarget.chtml b/www/kojiweb/buildsbytarget.chtml index 84f286b8..44db702b 100644 --- a/www/kojiweb/buildsbytarget.chtml +++ b/www/kojiweb/buildsbytarget.chtml @@ -1,11 +1,12 @@ #from kojiweb import util #from urllib.parse import quote +#@util.safe_return #def printOption(value, label=None) #if not $label #set $label = $value #end if - + #end def #include "includes/header.chtml" @@ -38,7 +39,7 @@ Page: @@ -62,7 +63,7 @@ #if $len($targets) > 0 #for $target in $targets - + @@ -79,7 +80,7 @@ Page: diff --git a/www/kojiweb/buildsbyuser.chtml b/www/kojiweb/buildsbyuser.chtml index ad523fc6..708c666e 100644 --- a/www/kojiweb/buildsbyuser.chtml +++ b/www/kojiweb/buildsbyuser.chtml @@ -11,7 +11,7 @@ Page: @@ -35,7 +35,7 @@ #if $len($userBuilds) > 0 #for $userBuild in $userBuilds - + @@ -52,7 +52,7 @@ Page: diff --git a/www/kojiweb/buildtargetedit.chtml b/www/kojiweb/buildtargetedit.chtml index b024d36f..493fe889 100644 --- a/www/kojiweb/buildtargetedit.chtml +++ b/www/kojiweb/buildtargetedit.chtml @@ -3,7 +3,7 @@ #include "includes/header.chtml" #if $target -

Edit target $util.escapeHTML($target.name)

+

Edit target $target.name

#else

Create build target

#end if @@ -17,7 +17,7 @@ #if $target @@ -31,7 +31,7 @@ @@ -42,7 +42,7 @@ diff --git a/www/kojiweb/buildtargetinfo.chtml b/www/kojiweb/buildtargetinfo.chtml index 55b10537..42a51f63 100644 --- a/www/kojiweb/buildtargetinfo.chtml +++ b/www/kojiweb/buildtargetinfo.chtml @@ -2,20 +2,20 @@ #include "includes/header.chtml" -

Information for target $util.escapeHTML($target.name)

+

Information for target $target.name

#else State: @@ -25,7 +50,7 @@ #end if @@ -33,12 +58,12 @@ Built by:
$build.build_id$util.escapeHTML($koji.buildLabel($build))$koji.buildLabel($build)$util.escapeHTML($build.tag_name)$build.tag_name$util.escapeHTML($build.owner_name)$build.owner_name $util.formatTime($build.completion_time)$util.stateImage($build.state)
$util.escapeHTML($target.name)$target.name graph row $target.builds
$util.escapeHTML($userBuild.name)$userBuild.name graph row $userBuild.builds
Name - +
- + - + - + #if 'admin' in $perms diff --git a/www/kojiweb/buildtargets.chtml b/www/kojiweb/buildtargets.chtml index 08eeab24..775a8561 100644 --- a/www/kojiweb/buildtargets.chtml +++ b/www/kojiweb/buildtargets.chtml @@ -11,7 +11,7 @@ Page: @@ -35,7 +35,7 @@ #for $target in $targets - + #end for #else @@ -50,7 +50,7 @@ Page: diff --git a/www/kojiweb/channelinfo.chtml b/www/kojiweb/channelinfo.chtml index 63a2d478..15c5d33b 100644 --- a/www/kojiweb/channelinfo.chtml +++ b/www/kojiweb/channelinfo.chtml @@ -2,17 +2,17 @@ #include "includes/header.chtml" -

Information for channel $util.escapeHTML($channel.name)

+

Information for channel $channel.name

Name$util.escapeHTML($target.name)Name$target.name
ID$target.id
Build Tag$util.escapeHTML($buildTag.name)Build Tag$buildTag.name
Destination Tag$util.escapeHTML($destTag.name)Destination Tag$destTag.name
$target.id$util.escapeHTML($target.name)$target.name
- + - + #set $enabled = $channel.enabled and 'yes' or 'no' @@ -22,7 +22,7 @@ - + @@ -39,7 +39,7 @@ #for $host in $hosts - + diff --git a/www/kojiweb/clusterhealth.chtml b/www/kojiweb/clusterhealth.chtml index f1b20fc5..b83ba104 100644 --- a/www/kojiweb/clusterhealth.chtml +++ b/www/kojiweb/clusterhealth.chtml @@ -1,10 +1,11 @@ #from kojiweb import util +#@util.safe_return #def printOption(value, label=None) #if not $label #set $label = $value #end if - + #end def #include "includes/header.chtml" @@ -60,7 +61,7 @@ #if $channel['enabled_channel'] #for $file in $files - + #end for
Name$util.escapeHTML($channel.name)Name$channel.name
ID$channel.id
Description$util.escapeHTML($channel.description)Description$channel.description
Comment$util.escapeHTML($channel.comment)Comment$channel.comment
Active Tasks$taskCount
$util.escapeHTML($host.name)$host.name #if $host.enabled then $util.imageTag('yes') else $util.imageTag('no')# #if $host.ready then $util.imageTag('yes') else $util.imageTag('no')#
- $util.escapeHTML($channel['name']) + $channel['name'] #if $channel['capacityPerc'] diff --git a/www/kojiweb/error.chtml b/www/kojiweb/error.chtml index 9d48a32a..4d148477 100644 --- a/www/kojiweb/error.chtml +++ b/www/kojiweb/error.chtml @@ -5,7 +5,7 @@

Error

-$util.escapeHTML($explanation)
+$explanation
#if $debug_level >= 1 @@ -13,7 +13,7 @@ $util.escapeHTML($explanation) #else
#end if
-$util.escapeHTML($tb_short)
+$tb_short
#if $debug_level >= 2 @@ -22,7 +22,7 @@ $util.escapeHTML($tb_short)
#end if
-#echo $util.escapeHTML($tb_long)
+#echo $tb_long
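Review bot: `#echo $tb_long` prints traceback text, which commonly embeds request-supplied strings, and it is now escaped only if the output filter covers `#echo` as well as bare placeholders such as `$explanation` and `$tb_short` in the two hunks above. This page does not show that, so it is worth a test that renders error.chtml with a traceback containing `<` and checks for `&lt;` in the result. `printProperties($props)` in taskinfo.chtml has the same shape: it builds `'%s=%s' % ($n, $v)` in a Python expression and emits it through `#echo` inside a `#@util.safe_return` function.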
 
diff --git a/www/kojiweb/externalrepoinfo.chtml b/www/kojiweb/externalrepoinfo.chtml index 897c7173..379f9c39 100644 --- a/www/kojiweb/externalrepoinfo.chtml +++ b/www/kojiweb/externalrepoinfo.chtml @@ -2,24 +2,24 @@ #include "includes/header.chtml" -

Information for external repo $util.escapeHTML($extRepo.name)

+

Information for external repo $extRepo.name

- + - + - + #if $tag or $user - - + + #end if @@ -103,7 +118,7 @@ Page: diff --git a/www/kojiweb/packagesbyuser.chtml b/www/kojiweb/packagesbyuser.chtml index 2c552fc4..6954b51e 100644 --- a/www/kojiweb/packagesbyuser.chtml +++ b/www/kojiweb/packagesbyuser.chtml @@ -11,7 +11,7 @@ Page: @@ -35,7 +35,7 @@ #if $len($users) > 0 #for $user in $users - + @@ -52,7 +52,7 @@ Page: diff --git a/www/kojiweb/recentbuilds.chtml b/www/kojiweb/recentbuilds.chtml index 48fdc6df..2f68c0ce 100644 --- a/www/kojiweb/recentbuilds.chtml +++ b/www/kojiweb/recentbuilds.chtml @@ -2,6 +2,7 @@ #import koji.util #from kojiweb import util +#@util.safe_return #def linkURL() #set $query = [] #if $tag @@ -22,18 +23,18 @@ - $siteName: recent builds#if $package then ' of package ' + $util.escapeHTML($package.name) else ''##if $tag then ' into tag ' + $util.escapeHTML($tag.name) else ''##if $user then ' by user ' + $util.escapeHTML($user.name) else ''# + $siteName: recent builds#if $package then ' of package ' + $package.name else ''##if $tag then ' into tag ' + $tag.name else ''##if $user then ' by user ' + $user.name else ''# $linkURL() A list of the most recent builds #if $package - of package $util.escapeHTML($package.name) + of package $package.name #end if #if $tag - into tag $util.escapeHTML($tag.name) + into tag $tag.name #end if #if $user - by user $util.escapeHTML($user.name) + by user $user.name #end if in the $siteName Build System. The list is sorted in reverse chronological order by build completion time. @@ -46,7 +47,7 @@ $util.formatTimeRSS($build.completion_ts) #end if #if $build.state == $koji.BUILD_STATES['COMPLETE'] and $build.changelog - <pre>$util.escapeHTML($koji.util.formatChangelog($build.changelog))</pre> + <pre>$koji.util.formatChangelog($build.changelog)</pre> #end if #end for diff --git a/www/kojiweb/repoinfo.chtml b/www/kojiweb/repoinfo.chtml index 2bf5c1d8..0f07b947 100644 --- a/www/kojiweb/repoinfo.chtml +++ b/www/kojiweb/repoinfo.chtml @@ -8,12 +8,12 @@ #if $repo
Name$util.escapeHTML($extRepo.name)Name$extRepo.name
ID$extRepo.id
URL$util.escapeHTML($extRepo.url)URL$extRepo.url
Tags using this external repo #if $len($repoTags) #for $tag in $repoTags - $util.escapeHTML($tag.tag_name)
+ $tag.tag_name
#end for #else No tags diff --git a/www/kojiweb/fileinfo.chtml b/www/kojiweb/fileinfo.chtml index 2a19b6b9..4631c783 100644 --- a/www/kojiweb/fileinfo.chtml +++ b/www/kojiweb/fileinfo.chtml @@ -4,14 +4,14 @@ #include "includes/header.chtml" #if $rpm -

Information for file $util.escapeHTML($file.name)

+

Information for file $file.name

#elif $archive -

Information for file $util.escapeHTML($file.name)

+

Information for file $file.name

#end if - + #if $rpm @@ -28,12 +28,12 @@ #end if #if 'user' in $file and $file.user - + #end if #if 'group' in $file and $file.group - + #end if #if 'mode' in $file and $file.mode @@ -56,7 +56,7 @@ #elif $archive - + #end if
Name$util.escapeHTML($file.name)Name$file.name
User$util.escapeHTML($file.user)User$file.user
Group$util.escapeHTML($file.group)Group$file.group
Archive$util.escapeHTML($archive.filename)Archive$archive.filename
diff --git a/www/kojiweb/hostedit.chtml b/www/kojiweb/hostedit.chtml index 5bed6e95..e9da7571 100644 --- a/www/kojiweb/hostedit.chtml +++ b/www/kojiweb/hostedit.chtml @@ -2,14 +2,14 @@ #include "includes/header.chtml" -

Edit host $util.escapeHTML($host.name)

+

Edit host $host.name

$util.authToken($self, form=True) - + @@ -20,7 +20,7 @@ - + @@ -28,11 +28,11 @@ - + - + @@ -43,7 +43,7 @@ diff --git a/www/kojiweb/hostinfo.chtml b/www/kojiweb/hostinfo.chtml index 883df3ff..2bf77f45 100644 --- a/www/kojiweb/hostinfo.chtml +++ b/www/kojiweb/hostinfo.chtml @@ -2,17 +2,17 @@ #include "includes/header.chtml" -

Information for host $util.escapeHTML($host.name)

+

Information for host $host.name

Name$util.escapeHTML($host.name)$host.name
ID
Arches
Capacity
Description
Comment
Enabled?
- + - + @@ -21,10 +21,10 @@ - + - + #set $enabled = $host.enabled and 'yes' or 'no' @@ -51,7 +51,7 @@ #for $buildroot in $buildroots - + diff --git a/www/kojiweb/hosts.chtml b/www/kojiweb/hosts.chtml index 9e777011..0a3d6c4e 100644 --- a/www/kojiweb/hosts.chtml +++ b/www/kojiweb/hosts.chtml @@ -1,5 +1,6 @@ #from kojiweb import util +#@util.safe_return #def headerState($state) #if $state == 'enabled' Enabled hosts @@ -10,6 +11,7 @@ Hosts #end if #end def +#@util.safe_return #def headerReady($ready) #if $ready == 'ready' which are ready @@ -18,6 +20,7 @@ which are not ready #end if #end def +#@util.safe_return #def headerArch($arch) #if $arch == 'all' on all arches @@ -26,6 +29,7 @@ on $arch arch #end if #end def +#@util.safe_return #def headerChannel($channel) #if $channel == 'all' in all channels @@ -47,18 +51,18 @@ in $channel channel State: @@ -67,17 +71,17 @@ in $channel channel Ready: @@ -91,7 +95,7 @@ in $channel channel Page: @@ -122,11 +126,11 @@ in $channel channel #for $host in $hosts - + @@ -148,7 +152,7 @@ in $channel channel Page: diff --git a/www/kojiweb/imageinfo.chtml b/www/kojiweb/imageinfo.chtml index 4bbc849e..d4904359 100644 --- a/www/kojiweb/imageinfo.chtml +++ b/www/kojiweb/imageinfo.chtml @@ -5,23 +5,23 @@ #include "includes/header.chtml" -

Information for image $util.escapeHTML($image.filename)

+

Information for image $image.filename

Name$util.escapeHTML($host.name)Name$host.name
ID$host.id
Arches$util.escapeHTML($host.arches)Arches$host.arches
Capacity$host.capacityTask Load#echo '%.2f' % $host.task_load#
Description$util.escapeHTML($host.description)Description$host.description
Comment$util.escapeHTML($host.comment)Comment$host.comment
Channels #for $channel in $channels - $util.escapeHTML($channel.name)
+ $channel.name
#end for #if not $channels No channels @@ -68,7 +68,7 @@
$util.escapeHTML($buildroot.tag_name)-$buildroot.id-$buildroot.repo_id$buildroot.tag_name-$buildroot.id-$buildroot.repo_id $util.formatTime($buildroot.create_event_time) $util.imageTag($util.brStateName($buildroot.state))
Channels: Arches:
$host.id$util.escapeHTML($host.name)$host.name $host.arches #for $channame, $chan_id, $chan_enabled in zip($host.channels, $host.channels_id, $host.channels_enabled) - $util.escapeHTML($channame) + $channame #end for #if $host.enabled then $util.imageTag('yes') else $util.imageTag('no')#
- + - + - + #if $len($image.hash) == 32 @@ -42,7 +42,7 @@ - + diff --git a/www/kojiweb/includes/header.chtml b/www/kojiweb/includes/header.chtml index 45eb38f1..3a5c7f36 100644 --- a/www/kojiweb/includes/header.chtml +++ b/www/kojiweb/includes/header.chtml @@ -49,12 +49,7 @@ $localnav #end if - #try - #set $old_terms = util.escapeHTML($terms) - #except - #set $old_terms = "" - #end try - + diff --git a/www/kojiweb/index.chtml b/www/kojiweb/index.chtml index 2f72a56e..27427329 100644 --- a/www/kojiweb/index.chtml +++ b/www/kojiweb/index.chtml @@ -20,9 +20,9 @@ #set $stateName = $util.stateName($build.state) - + #if not $user - + #end if @@ -54,13 +54,13 @@ #set $state = $util.taskState($task.state) - + #if not $user #end if @@ -88,7 +88,7 @@ Page: @@ -111,8 +111,8 @@ #for $package in $packages - - + + #set $included = $package.blocked and 'no' or 'yes' @@ -140,8 +140,8 @@ #for $notif in $notifs - - + + diff --git a/www/kojiweb/index.py b/www/kojiweb/index.py index 087957ff..23d25bdb 100644 --- a/www/kojiweb/index.py +++ b/www/kojiweb/index.py @@ -36,7 +36,7 @@ import koji from koji.tasks import parse_task_params import kojiweb.util from koji.server import ServerRedirect -from kojiweb.util import _genHTML, _getValidTokens, _initValues, formatRPM +from kojiweb.util import _genHTML, _getValidTokens, _initValues, formatRPM, SafeValue from koji.util import extract_build_task @@ -1534,7 +1534,7 @@ def rpminfo(environ, rpmID, fileOrder='name', fileStart=None, buildrootOrder='-i except koji.GenericError: raise koji.GenericError('No such RPM ID: %i' % rpmID) - values['title'] = formatRPM(rpm) + ' | RPM Info' + values['title'] = formatRPM(rpm) + SafeValue(' | RPM Info') build = None if rpm['build_id'] is not None: diff --git a/www/kojiweb/notificationedit.chtml b/www/kojiweb/notificationedit.chtml index b0fe3ba1..1ded9e4c 100644 --- a/www/kojiweb/notificationedit.chtml +++ b/www/kojiweb/notificationedit.chtml @@ -18,9 +18,9 @@ @@ -29,9 +29,9 @@ 
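Review bot: The removed `#try … #except` block in includes/header.chtml did two things, escaping `$terms` and falling back to `""` when `$terms` is not defined, and the replacement line is not visible in this rendering. Please confirm that the new search input still renders when `$terms` is absent, and that the value is encoded for an attribute context (the double quote in particular), since it is presumably echoed back from the search box. search.chtml removes the identical block and needs the same check.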
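Review bot: In `rpminfo`, `formatRPM(rpm) + SafeValue(' | RPM Info')` makes the title's escaping depend on how `SafeValue` behaves when added to another string, which is not shown on this page. The literal `' | RPM Info'` contains no markup, so the wrapper only makes sense if `formatRPM` now returns an already-escaped `SafeValue`. If it still returns a plain `str`, the sum must not come back as a `SafeValue`, or the RPM name would skip escaping. A short comment such as `# formatRPM() returns SafeValue; keep the suffix safe to avoid double-escaping` (if that is the case), plus a unit test with an RPM name containing `<`, would pin this down. The body of `rpminfo` continues outside the hunk.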
diff --git a/www/kojiweb/packageinfo.chtml b/www/kojiweb/packageinfo.chtml index 7e885d13..39c48fca 100644 --- a/www/kojiweb/packageinfo.chtml +++ b/www/kojiweb/packageinfo.chtml @@ -2,11 +2,11 @@ #include "includes/header.chtml" -

Information for package $util.escapeHTML($package.name)

+

Information for package $package.name

ID$image.id
File Name$util.escapeHTML($image.filename)File Name$image.filename
File Size$util.formatNatural($image.filesize)
Arch$util.escapeHTML($image.arch)Arch$image.arch
Media Type$util.escapeHTML($image.mediatype)Media Type$image.mediatype
Task$koji.taskLabel($task)
Buildroot$util.escapeHTML(/var/lib/mock/$buildroot.tag_name-$buildroot.id-$buildroot.repo_id)Buildroot/var/lib/mock/$buildroot.tag_name-$buildroot.id-$buildroot.repo_id
Included RPMs
$build.build_id$util.escapeHTML($build.nvr)$build.nvr$util.escapeHTML($build.owner_name)$build.owner_name$util.formatTime($build.completion_ts) $util.stateImage($build.state)
$task.id$util.escapeHTML($koji.taskLabel($task))$koji.taskLabel($task) #if $task.owner_type == $koji.USERTYPES['HOST'] - $util.escapeHTML($task.owner_name) + $task.owner_name #else - $util.escapeHTML($task.owner_name) + $task.owner_name #end if
$util.escapeHTML($package.package_name)$util.escapeHTML($package.tag_name)$package.package_name$package.tag_name$util.imageTag($included)
#if $notif.package then $util.escapeHTML($notif.package.name) else 'all'##if $notif.tag then $util.escapeHTML($notif.tag.name) else 'all'##if $notif.package then $notif.package.name else 'all'##if $notif.tag then $notif.tag.name else 'all'# #if $notif.success_only then 'success only' else 'all'# edit deletePackage Tag
- + @@ -24,7 +24,7 @@ Page: @@ -46,8 +46,8 @@ #for $build in $builds - - + + #set $stateName = $util.stateName($build.state) @@ -79,7 +79,7 @@ Page: @@ -101,8 +101,8 @@ #for $tag in $tags - - + + #set $included = $tag.blocked and 'no' or 'yes' diff --git a/www/kojiweb/packages.chtml b/www/kojiweb/packages.chtml index 16ad4d33..e4d8a465 100644 --- a/www/kojiweb/packages.chtml +++ b/www/kojiweb/packages.chtml @@ -1,10 +1,25 @@ #from kojiweb import util +#from kojiweb.util import safe_return #attr _PASSTHROUGH = ['userID', 'tagID', 'order', 'prefix', 'inherited', 'blocked'] #include "includes/header.chtml" -

Packages#if $prefix then ' starting with "%s"' % $prefix else ''##if $tag then ' in tag %s' % ($tag.id, $util.escapeHTML($tag.name)) else ''##if $user then ' owned by %s' % ($user.id, $util.escapeHTML($user.name)) else ''#

+#@safe_return +#def getDescription() +Packages +#if $prefix +starting with $prefix +#end if +#if $tag +in tag $tag.name +#end if +#if $user +owned by $user.name +#end if +#end def + +

$getDescription()

Name$util.escapeHTML($package.name)Name$package.name
ID$package.id
$util.escapeHTML($build.nvr)$util.escapeHTML($build.owner_name)$build.nvr$build.owner_name $util.formatTime($build.completion_ts)$util.stateImage($build.state)
$util.escapeHTML($tag.name)$util.escapeHTML($tag.owner_name)$tag.name$tag.owner_name$util.imageTag($included) $tag.extra_arches
#if $tag @@ -15,16 +30,16 @@ Inherited:
With blocked:
@@ -41,7 +56,7 @@ | #end for #if $prefix - all + all #else all #end if @@ -54,7 +69,7 @@ Page: @@ -83,10 +98,10 @@ #for $package in $packages
$package.package_id$util.escapeHTML($package.package_name)$package.package_name$util.escapeHTML($package.tag_name)$util.escapeHTML($package.owner_name)$package.tag_name$package.owner_name #if $package.blocked then $util.imageTag('no') else $util.imageTag('yes')#
$util.escapeHTML($user.name)$user.name graph row $user.packages
- + #if $repo.task_id #end if #set $state = $util.repoState($repo.state) - + #if $repo.state != koji.REPO_STATES['DELETED'] diff --git a/www/kojiweb/rpminfo.chtml b/www/kojiweb/rpminfo.chtml index 40a3eb04..88274943 100644 --- a/www/kojiweb/rpminfo.chtml +++ b/www/kojiweb/rpminfo.chtml @@ -8,7 +8,7 @@ #include "includes/header.chtml" #set $epoch = ($rpm.epoch != None and $str($rpm.epoch) + ':' or '') -

Information for RPM $util.escapeHTML($rpm.name)-$epoch$rpm.version-$rpm.release.${rpm.arch}.rpm

+

Information for RPM $rpm.name-$epoch$rpm.version-$rpm.release.${rpm.arch}.rpm

ID$repo.id
Tag$util.escapeHTML($repo.tag_name)
Tag$repo.tag_name
Task ID$repo.task_id
State$util.escapeHTML($state)
State$state
Event$repo.create_event ($util.formatTimeLong($repo.create_ts))
URLrepodata
@@ -21,9 +21,9 @@ #end if #if $build - + #else - + #end if @@ -40,7 +40,7 @@ - + #if $rpm.draft @@ -50,10 +50,10 @@ #end if #if $rpm.external_repo_id == 0 - + - + #end if @@ -66,7 +66,7 @@ #end if #if $rpm.external_repo_id - + #end if @@ -77,7 +77,7 @@ #if $rpm.external_repo_id == 0 - + #if $vcs @@ -97,7 +97,7 @@ #end if #if $rpm.get('extra') - + #end if #if $rpm.external_repo_id == 0 @@ -108,7 +108,7 @@
Name$util.escapeHTML($rpm.name)Name$rpm.nameName$util.escapeHTML($rpm.name)Name$rpm.name
Epoch$rpm.epoch
Arch$util.escapeHTML($rpm.arch)Arch$rpm.arch
Summary$util.escapeHTML($summary)Summary$summary
Description$util.escapeHTML($description)Description$description
External Repository$util.escapeHTML($rpm.external_repo_name)External Repository$rpm.external_repo_name
License$util.escapeHTML($license)License$license
Extra$util.escapeHTML($pformat($rpm.extra))Extra$pformat($rpm.extra)
#for $dep in $provides - + #end for
$util.escapeHTML($util.formatDep($dep.name, $dep.version, $dep.flags))$util.formatDep($dep.name, $dep.version, $dep.flags)
@@ -124,7 +124,7 @@ #for $dep in $obsoletes - + #end for
$util.escapeHTML($util.formatDep($dep.name, $dep.version, $dep.flags))$util.formatDep($dep.name, $dep.version, $dep.flags)
@@ -140,7 +140,7 @@ #for $dep in $conflicts - + #end for
$util.escapeHTML($util.formatDep($dep.name, $dep.version, $dep.flags))$util.formatDep($dep.name, $dep.version, $dep.flags)
@@ -156,7 +156,7 @@ #for $dep in $requires - + #end for
$util.escapeHTML($util.formatDep($dep.name, $dep.version, $dep.flags))$util.formatDep($dep.name, $dep.version, $dep.flags)
@@ -172,7 +172,7 @@ #for $dep in $recommends - + #end for
$util.escapeHTML($util.formatDep($dep.name, $dep.version, $dep.flags))$util.formatDep($dep.name, $dep.version, $dep.flags)
@@ -188,7 +188,7 @@ #for $dep in $suggests - + #end for
$util.escapeHTML($util.formatDep($dep.name, $dep.version, $dep.flags))$util.formatDep($dep.name, $dep.version, $dep.flags)
@@ -204,7 +204,7 @@ #for $dep in $supplements - + #end for
$util.escapeHTML($util.formatDep($dep.name, $dep.version, $dep.flags))$util.formatDep($dep.name, $dep.version, $dep.flags)
@@ -220,7 +220,7 @@ #for $dep in $enhances - + #end for
$util.escapeHTML($util.formatDep($dep.name, $dep.version, $dep.flags))$util.formatDep($dep.name, $dep.version, $dep.flags)
@@ -241,7 +241,7 @@ Page: @@ -261,7 +261,7 @@
$util.escapeHTML($file.name)$util.formatNatural($file.size)$file.name$util.formatNatural($file.size)
@@ -283,7 +283,7 @@ Page: diff --git a/www/kojiweb/rpmlist.chtml b/www/kojiweb/rpmlist.chtml index 05862754..d818ee1d 100644 --- a/www/kojiweb/rpmlist.chtml +++ b/www/kojiweb/rpmlist.chtml @@ -2,6 +2,7 @@ #include "includes/header.chtml" +#@util.safe_return #def getID() #if $type == 'image' imageID=$image.id #slurp @@ -10,6 +11,7 @@ buildrootID=$buildroot.id #slurp #end if #end def +#@util.safe_return #def getColspan() #if $type == 'component' colspan="3" #slurp @@ -23,7 +25,7 @@ colspan="2" #slurp #if $type == 'component'

Component RPMs of buildroot $util.brLabel($buildroot)

#elif $type == 'image' -

RPMs installed in $util.escapeHTML($image.filename)

+

RPMs installed in $image.filename

#else

RPMs built in buildroot $util.brLabel($buildroot)

#end if @@ -36,7 +38,7 @@ colspan="2" #slurp Page: @@ -70,7 +72,7 @@ colspan="2" #slurp #if $rpm.external_repo_id == 0 internal #else - $util.escapeHTML($rpm.external_repo_name) + $rpm.external_repo_name #end if #end if #if $type == 'component' @@ -91,7 +93,7 @@ colspan="2" #slurp Page: diff --git a/www/kojiweb/rpmsbyhost.chtml b/www/kojiweb/rpmsbyhost.chtml index 4ce41cf8..aec6106e 100644 --- a/www/kojiweb/rpmsbyhost.chtml +++ b/www/kojiweb/rpmsbyhost.chtml @@ -14,7 +14,7 @@ #end if #end for #if $hostArch - all + all #else all #end if @@ -30,7 +30,7 @@ #end if #end for #if $rpmArch - all + all #else all #end if @@ -43,7 +43,7 @@ Page: @@ -67,7 +67,7 @@ #if $len($hosts) > 0 #for $host in $hosts - $util.escapeHTML($host.name) + $host.name graph row $host.rpms @@ -84,7 +84,7 @@ Page: diff --git a/www/kojiweb/search.chtml b/www/kojiweb/search.chtml index 2ccae349..552ec711 100644 --- a/www/kojiweb/search.chtml +++ b/www/kojiweb/search.chtml @@ -12,12 +12,7 @@ $error #end if Search - #try - #set $old_terms = util.escapeHTML($terms) - #except - #set $old_terms = "" - #end try - + #for $pageNum in $resultPages - + #end for @@ -86,7 +81,7 @@ #for $result in $results $result.id - $util.escapeHTML($result.name) + $result.name #end for #else @@ -101,7 +96,7 @@ Page: diff --git a/www/kojiweb/tagedit.chtml b/www/kojiweb/tagedit.chtml index b2ad1e89..0050e17b 100644 --- a/www/kojiweb/tagedit.chtml +++ b/www/kojiweb/tagedit.chtml @@ -14,7 +14,7 @@ Name - + #if $tag #end if @@ -22,7 +22,7 @@ Arches - + Locked @@ -32,9 +32,9 @@ Permission diff --git a/www/kojiweb/taginfo.chtml b/www/kojiweb/taginfo.chtml index 44bcca97..7568cb67 100644 --- a/www/kojiweb/taginfo.chtml +++ b/www/kojiweb/taginfo.chtml @@ -4,22 +4,22 @@ #include "includes/header.chtml" -

Information for tag $util.escapeHTML($tag.name)

+

Information for tag $tag.name

#if $child and 'admin' in $perms - + #end if - + - + @@ -38,7 +38,7 @@
Add $util.escapeHTML($tag.name) as parent of $util.escapeHTML($child.name)Add $tag.name as parent of $child.name
Name$util.escapeHTML($tag.name)Name$tag.name
ID$tag.id
Arches$util.escapeHTML($tag.arches)Arches$tag.arches
Locked#if $tag.locked then 'yes' else 'no'#
Inheritance - $util.escapeHTML($tag.name) + $tag.name #set $numParents = $len($inheritance) #set $iter = 0 #set $maxDepth = 0 @@ -62,7 +62,7 @@ #silent $tagsByChild[$parent.child_id].pop() - $util.escapeHTML($parent.name) + $parent.name #if $depth == 1 and 'admin' in $perms (edit) (remove) #end if @@ -103,9 +103,9 @@ External repos #for $external_repo in $external_repos - $util.escapeHTML($external_repo.external_repo_name) [$external_repo.merge_mode] + $external_repo.external_repo_name [$external_repo.merge_mode] #if $external_repo.tag_id != $tag.id - (inherited from $util.escapeHTML($external_repo.tag_name)) + (inherited from $external_repo.tag_name) #end if
#end for @@ -137,7 +137,7 @@
#if $len($srcTargets) #for $target in $srcTargets - $util.escapeHTML($target.name)
+ $target.name
#end for #else No build targets @@ -149,7 +149,7 @@
#if $len($destTargets) #for $target in $destTargets - $util.escapeHTML($target.name)
+ $target.name
#end for #else No build targets diff --git a/www/kojiweb/taginfo_deleted.chtml b/www/kojiweb/taginfo_deleted.chtml index be4302c7..158923ee 100644 --- a/www/kojiweb/taginfo_deleted.chtml +++ b/www/kojiweb/taginfo_deleted.chtml @@ -4,11 +4,11 @@ #include "includes/header.chtml" -

Information for deleted tag $util.escapeHTML($tag.name)

+

Information for deleted tag $tag.name

- + diff --git a/www/kojiweb/tagparent.chtml b/www/kojiweb/tagparent.chtml index b38c05b9..cd391f22 100644 --- a/www/kojiweb/tagparent.chtml +++ b/www/kojiweb/tagparent.chtml @@ -15,14 +15,14 @@ diff --git a/www/kojiweb/tags.chtml b/www/kojiweb/tags.chtml index 4f91c625..03b9f253 100644 --- a/www/kojiweb/tags.chtml +++ b/www/kojiweb/tags.chtml @@ -11,7 +11,7 @@ Page: @@ -35,7 +35,7 @@ #for $tag in $tags - + #end for #else @@ -50,7 +50,7 @@ Page: diff --git a/www/kojiweb/taskinfo.chtml b/www/kojiweb/taskinfo.chtml index de0b04c2..2ccee383 100644 --- a/www/kojiweb/taskinfo.chtml +++ b/www/kojiweb/taskinfo.chtml @@ -4,6 +4,7 @@ #from urllib.parse import quote #import datetime +#@util.safe_return #def printChildren($taskID, $childMap) #set $iter = 0 #set $children = $childMap[$str($taskID)] @@ -20,7 +21,7 @@ $util.imageTag($childState) - $util.escapeHTML($koji.taskLabel($child)) + $koji.taskLabel($child) $printChildren($child.id, $childMap) @@ -30,6 +31,7 @@ #end if #end def +#@util.safe_return #def printMap($vals, $prefix='') #for $key, $value in $vals.items() #if $key == 'properties' @@ -40,6 +42,7 @@ #end for #end def +#@util.safe_return #def printOpts($opts) #if $opts Options:
@@ -47,6 +50,7 @@ #end if #end def +#@util.safe_return #def printValue($key, $value, $sep=', ') #if $value is None None @@ -84,6 +88,7 @@ $value #end if #end def +#@util.safe_return #def printProperties($props) #echo ', '.join([$v is not None and '%s=%s' % ($n, $v) or $str($n) for $n, $v in $props.items()]) #end def @@ -91,7 +96,7 @@ $value #include "includes/header.chtml" -

Information for task $util.escapeHTML($koji.taskLabel($task))

+

Information for task $koji.taskLabel($task)

Name$util.escapeHTML($tag.name)Name$tag.name
ID$tag.id
Tag Name - $util.escapeHTML($tag.name) + $tag.name
Parent Tag Name - $util.escapeHTML($parent.name) + $parent.name
$tag.id$util.escapeHTML($tag.name)$tag.name
@@ -130,7 +135,7 @@ $value #if $taskBuilds #for $build in $taskBuilds - + #end for #end if @@ -173,9 +178,9 @@ $value @@ -184,7 +189,7 @@ $value @@ -192,12 +197,12 @@ $value - + #if $buildroots @@ -213,7 +218,7 @@ $value diff --git a/www/kojiweb/tasks.chtml b/www/kojiweb/tasks.chtml index 098516b2..71b5a60a 100644 --- a/www/kojiweb/tasks.chtml +++ b/www/kojiweb/tasks.chtml @@ -1,6 +1,8 @@ #import koji #from kojiweb import util +#from kojiweb.util import SafeValue as S +#@util.safe_return #def printChildren($taskID, $childMap) #set $iter = 0 #set $children = $childMap[$str($taskID)] @@ -16,7 +18,7 @@ #set $childState = $util.taskState($child.state) - $util.escapeHTML($koji.taskLabel($child)) + $koji.taskLabel($child) $printChildren($child.id, $childMap) @@ -26,6 +28,7 @@ #end if #end def +#@util.safe_return #def headerPrefix($state) #if $state == 'active' Active @@ -40,7 +43,7 @@ All #include "includes/header.chtml" -

$headerPrefix($state) #if $view == 'toplevel' then 'toplevel' else ''# #if $method != 'all' then $method else ''# Tasks#if $ownerObj then ' owned by %s' % ($ownerObj.id, $util.escapeHTML($ownerObj.name)) else ''##if $host then ' on host %s' % ($host.id, $util.escapeHTML($host.name)) else ''# #if $channel then ' in channel %s' % ($channel.id, $util.escapeHTML($channel.name)) else ''#

+

$headerPrefix($state) #if $view == 'toplevel' then 'toplevel' else ''# #if $method != 'all' then $method else ''# Tasks#if $ownerObj then S(' owned by %s' % ($ownerObj.id, $ownerObj.name)) else ''##if $host then ' on host %s' % ($host.id, $host.name) else ''# #if $channel then ' in channel %s' % ($channel.id, $channel.name) else ''#
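Review bot: On the new heading line of tasks.chtml the owner fragment is built as `S(' owned by %s' % ($ownerObj.id, $ownerObj.name))`, so the whole formatted string is marked safe while `$ownerObj.name` has lost the `$util.escapeHTML(...)` it had on the removed line. A user name containing markup would then reach the page unescaped. The `$host` and `$channel` fragments on the same line are not wrapped in `S(...)` at all; if their format strings carry link markup (not visible in this rendering, though each format takes two arguments), EscapeFilter would escape the tags and show them as text. Escaping the data before marking the result safe covers both cases, e.g. `S(' owned by %s' % ($ownerObj.id, $util.escapeHTML($ownerObj.name)))`, with the same treatment for `$host.name` and `$channel.name`.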

Build$util.escapeHTML($koji.buildLabel($build))Build$koji.buildLabel($build)
#if $owner #if $owner.usertype == $koji.USERTYPES['HOST'] - $util.escapeHTML($owner.name) + $owner.name #else - $util.escapeHTML($owner.name) + $owner.name #end if #end if Channel #if $task.channel_id - $util.escapeHTML($channelName) + $channelName #end if
Host #if $task.host_id - $util.escapeHTML($hostName) + $hostName #end if
Arch$util.escapeHTML($task.arch)Arch$task.arch
Parent #if $parent - $util.escapeHTML($koji.taskLabel($parent)) + $koji.taskLabel($parent) #end if
@@ -53,23 +56,23 @@ All @@ -86,7 +89,7 @@ All #elif $task_type == 'wrapperRPM' and not ($mavenEnabled or $winEnabled) #continue #else - + #end if #end for @@ -111,7 +114,7 @@ All Page: @@ -129,8 +132,8 @@ All Page: Tasks #echo $taskStart + 1 # through #echo $taskStart + $taskCount# of ??? @@ -151,17 +154,17 @@ All #set $taskState = $util.taskState($task.state) - - #if $treeDisplay then ' ' else ''#$util.escapeHTML($koji.taskLabel($task)) + + #if $treeDisplay then ' ' else ''#$koji.taskLabel($task) #if $treeDisplay $printChildren($task.id, $task.descendents) #end if @@ -182,7 +185,7 @@ All Page: @@ -200,8 +203,8 @@ All Page: Tasks #echo $taskStart + 1 # through #echo $taskStart + $taskCount# of ??? diff --git a/www/kojiweb/tasksbyhost.chtml b/www/kojiweb/tasksbyhost.chtml index 337466f2..255c3d2b 100644 --- a/www/kojiweb/tasksbyhost.chtml +++ b/www/kojiweb/tasksbyhost.chtml @@ -14,7 +14,7 @@ #end if #end for #if $hostArch - all + all #else all #end if @@ -27,7 +27,7 @@ Page: @@ -51,7 +51,7 @@ #if $len($hosts) > 0 #for $host in $hosts - + @@ -68,7 +68,7 @@ Page: diff --git a/www/kojiweb/tasksbyuser.chtml b/www/kojiweb/tasksbyuser.chtml index 87620ec0..df05534d 100644 --- a/www/kojiweb/tasksbyuser.chtml +++ b/www/kojiweb/tasksbyuser.chtml @@ -11,7 +11,7 @@ Page: @@ -35,7 +35,7 @@ #if $len($users) > 0 #for $user in $users - + @@ -52,7 +52,7 @@ Page: diff --git a/www/kojiweb/userinfo.chtml b/www/kojiweb/userinfo.chtml index a97d6162..029f45ee 100644 --- a/www/kojiweb/userinfo.chtml +++ b/www/kojiweb/userinfo.chtml @@ -2,11 +2,11 @@ #include "includes/header.chtml" -

Information for user $util.escapeHTML($user.name)

+

Information for user $user.name

Owner:
$task.id #if $task.owner_type == $koji.USERTYPES['HOST'] - $util.escapeHTML($task.owner_name) + $task.owner_name #else - $util.escapeHTML($task.owner_name) + $task.owner_name #end if $task.arch
$util.escapeHTML($host.name)$host.name graph row $host.tasks
$util.escapeHTML($user.name)$user.name graph row $user.tasks
- + @@ -26,7 +26,7 @@ Page: @@ -47,8 +47,8 @@ #for $package in $packages - - + + #end for @@ -70,7 +70,7 @@ Page: @@ -92,7 +92,7 @@ #for $build in $builds #set $stateName = $util.stateName($build.state) - + diff --git a/www/kojiweb/users.chtml b/www/kojiweb/users.chtml index 340c0e8c..117e884b 100644 --- a/www/kojiweb/users.chtml +++ b/www/kojiweb/users.chtml @@ -16,7 +16,7 @@ | #end for #if $prefix - all + all #else all #end if @@ -29,7 +29,7 @@ Page: @@ -56,7 +56,7 @@ #for $user in $users - + @@ -74,7 +74,7 @@ Page: diff --git a/www/lib/kojiweb/util.py b/www/lib/kojiweb/util.py index 301951b4..c5296e9e 100644 --- a/www/lib/kojiweb/util.py +++ b/www/lib/kojiweb/util.py @@ -29,6 +29,7 @@ import urllib # a bunch of exception classes that explainError needs from socket import error as socket_error from xml.parsers.expat import ExpatError +from functools import wraps import Cheetah.Template @@ -53,6 +54,7 @@ def _initValues(environ, title='Build System Info', pageID='summary'): values['pageID'] = pageID values['currentDate'] = str(datetime.datetime.now()) values['literalFooter'] = environ['koji.options'].get('LiteralFooter', True) + values['terms'] = '' themeCache.clear() themeInfo.clear() themeInfo['name'] = environ['koji.options'].get('KojiTheme', None) 
@@ -91,23 +93,51 @@ def themePath(path, local=False): return ret -class DecodeUTF8(Cheetah.Filters.Filter): - def filter(self, *args, **kw): - """Convert all strs to unicode objects""" - result = super(DecodeUTF8, self).filter(*args, **kw) - if isinstance(result, str): - pass +class EscapeFilter(Cheetah.Filters.Filter): + def filter(self, val, *args, **kw): + """Apply html escaping to most values""" + if isinstance(val, SafeValue): + result = str(val.value) else: - result = result.decode('utf-8', 'replace') + result = escapeHTML(val) return result -# Escape ampersands so the output can be valid XHTML + +class SafeValue: + + def __init__(self, value): + if isinstance(value, SafeValue): + self.value = value.value + else: + self.value = value + + def __str__(self): + return str(self.value) + + def __repr__(self): + return "SafeValue(%r)" % self.value + + def __add__(self, other): + if not isinstance(other, SafeValue): + raise ValueError('Adding safe and nonsafe value') + return SafeValue(self.value + other.value) + + def __iadd__(self, other): + if not isinstance(other, SafeValue): + raise ValueError('Adding safe and nonsafe value') + self.value += other.value + return self + + def __len__(self): + # mainly needed for boolean evaluation in templates + return len(self.value) -class XHTMLFilter(DecodeUTF8): - def filter(self, *args, **kw): - result = super(XHTMLFilter, self).filter(*args, **kw) - return re.sub(r'&(?![a-zA-Z0-9#]+;)', '&', result) +def safe_return(func): + @wraps(func) + def _safe(*args, **kwargs): + return SafeValue(func(*args, **kwargs)) + return _safe TEMPLATES = {} @@ -143,7 +173,7 @@ def _genHTML(environ, fileName): if not tmpl_class: tmpl_class = Cheetah.Template.Template.compile(file=fileName) TEMPLATES[fileName] = tmpl_class - tmpl_inst = tmpl_class(namespaces=[environ['koji.values']], filter=XHTMLFilter) + tmpl_inst = tmpl_class(namespaces=[environ['koji.values']], filter=EscapeFilter) return tmpl_inst.respond() 
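Review bot: `EscapeFilter.filter` no longer calls the base filter, so a `None` value falls through to `escapeHTML`, whose new guard in a later hunk of this file (`if not value: return str(value)`) turns it into the text `None`. The removed `DecodeUTF8`/`XHTMLFilter` classes went through `super().filter(...)`, and Cheetah's base filter normally renders `None` as an empty string. Templates that print optional fields may therefore now show a literal `None`, which is worth confirming against a page with unset values. A guard at the top of the new method, `if val is None: return ''`, would keep the previous rendering without weakening the escaping.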
@@ -187,6 +217,7 @@ def toggleOrder(template, sortKey, orderVar='order'): return sortKey +@safe_return # avoid escaping quotes def toggleSelected(template, var, option, checked=False): """ If the passed in variable var equals the literal value in option, @@ -203,6 +234,7 @@ def toggleSelected(template, var, option, checked=False): return '' +@safe_return def sortImage(template, sortKey, orderVar='order'): """ Return an html img tag suitable for inclusion in the sortKey of a sortable table, @@ -219,15 +251,20 @@ def sortImage(template, sortKey, orderVar='order'): return '' -def passthrough(template, *vars): +@safe_return +def passthrough(template, *vars, prefix='&'): """ - Construct a string suitable for use as URL - parameters. For each variable name in *vars, - if the template has a corresponding non-None value, - append that name-value pair to the string. The name-value - pairs will be separated by ampersands (&), and prefixed by - an ampersand if there are any name-value pairs. If there - are no name-value pairs, an empty string will be returned. + Construct a url parameter string from template vars + + Forms a url parameter string like '&key=value&key2=value' where + the keys are the requested variable names and the values are pulled + from the template vars. + + None/missing values are omitted + + If there are no non-None values, an empty string is returned + + The prefix value (default '&') is prepended if any values were found """ result = [] for var in vars: @@ -240,12 +277,14 @@ def passthrough(template, *vars): value = urllib.parse.quote(value) result.append('%s=%s' % (var, value)) if result: - return '&' + '&'.join(result) + if prefix is None: + prefix = '' + return prefix + '&'.join(result) else: return '' -def passthrough_except(template, *exclude): +def passthrough_except(template, *exclude, prefix='&'): """ Construct a string suitable for use as URL parameters. The template calling this method must have 
@@ -259,7 +298,7 @@ def passthrough_except(template, *exclude): for var in template._PASSTHROUGH: if var not in exclude: passvars.append(var) - return passthrough(template, *passvars) + return passthrough(template, *passvars, prefix=prefix) def sortByKeyFuncNoneGreatest(key): @@ -413,8 +452,10 @@ def stateName(stateID): return koji.BUILD_STATES[stateID].lower() +@safe_return def imageTag(name): """Return an img tag that loads an icon with the given name""" + name = escapeHTML(name) return '%s' \ % (themePath("images/%s.png" % name), name, name) @@ -557,6 +598,7 @@ def formatNatural(value): return '{:.2f} {}'.format(value, suffix[suff_index]) +@safe_return def formatLink(url): """Turn a string into an HTML link if it looks vaguely like a URL. If it doesn't, just return it properly escaped.""" @@ -568,6 +610,7 @@ def formatLink(url): return url +@safe_return def formatRPM(rpminfo, link=True): """Format an rpm dict for display""" rpminfo = rpminfo.copy() @@ -581,7 +624,7 @@ def formatRPM(rpminfo, link=True): rpminfo['suffix'] = '' label = escapeHTML("%(name)s-%(epoch)s%(version)s-%(release)s.%(arch)s%(suffix)s" % rpminfo) if link: - rpm_id = rpminfo['id'] + rpm_id = escapeHTML(rpminfo['id']) return f'{label}' else: return label @@ -650,8 +693,10 @@ def escapeHTML(value): " : " ' : ' """ + if isinstance(value, SafeValue): + return value.value if not value: - return value + return str(value) value = koji.fixEncoding(str(value)) return re.sub(r'&(?![a-zA-Z0-9#]+;)', '&', value).\ @@ -661,6 +706,7 @@ def escapeHTML(value): replace("'", ''') +@safe_return def authToken(template, first=False, form=False): """Return the current authToken if it exists. If form is True, return it enclosed in a hidden input field. @@ -669,6 +715,7 @@ def authToken(template, first=False, form=False): with &. If no authToken exists, return an empty string.""" token = template.getVar('authToken', default=None) if token is not None: + token = escapeHTML(token) if form: return '' % token if first: 
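Review bot: In the `escapeHTML` hunk the new `SafeValue` branch returns `value.value` as it is, whereas `EscapeFilter.filter` returns `str(val.value)` and the falsy branch just below now returns `str(value)`. Since `safe_return` wraps whatever the decorated function returns, the wrapped value is not guaranteed to be a string, and callers that concatenate or format the result of `escapeHTML` would get a different type on this one path. `return str(value.value)` would make the three paths agree. The body of `escapeHTML` continues outside the hunk.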
@@ -752,7 +799,7 @@ class TaskResultFragment(object): - empty_str_placeholder """ - def __init__(self, text='', size=None, need_escape=None, begin_tag='', + def __init__(self, text='', size=None, need_escape=True, begin_tag='', end_tag='', composer=None, empty_str_placeholder=None): self.text = text if size is None: @@ -798,7 +845,7 @@ class TaskResultLine(object): - composer """ - def __init__(self, fragments=None, need_escape=None, begin_tag='', + def __init__(self, fragments=None, need_escape=True, begin_tag='', end_tag='
', composer=None): if fragments is None: self.fragments = [] @@ -849,10 +896,12 @@ def _parse_value(key, value, sep=', '): end_tag = '' need_escape = True if key in ('brootid', 'buildroot_id'): - _str = str(value) - begin_tag = '' % _str - end_tag = '' + # do the escaping ourselves since we include html need_escape = False + brid = urllib.parse.quote(value) + _str = escapeHTML(value) + begin_tag = '' % brid + end_tag = '' elif isinstance(value, list): _str = sep.join([str(val) for val in value]) elif isinstance(value, dict): @@ -890,6 +939,7 @@ def task_result_to_html(result=None, exc_class=None, max_abbr_len = default_max_abbr_result_len postscript_fragment = TaskResultFragment( + need_escape=False, text='...', end_tag='', begin_tag='' % ( 'id="toggle-full-result"', @@ -922,6 +972,7 @@ def task_result_to_html(result=None, exc_class=None, _str = "%s: %s" % (exc_class.__name__, str(result)) fragment = TaskResultFragment(text=_str, need_escape=True) line = TaskResultLine(fragments=[fragment], + need_escape=False, # fragment already escaped begin_tag='
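Review bot: In `_parse_value`, `brid = urllib.parse.quote(value)` is given the raw value, where the removed code used `str(value)`. `urllib.parse.quote` accepts only `str` or `bytes`, so an integer buildroot id would raise `TypeError` instead of producing the link. Converting first, `brid = urllib.parse.quote(str(value))`, keeps the URL-encoding for the href alongside the separate `escapeHTML(value)` for the link text. The function starts and ends outside the hunk.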
', end_tag='
') lines.append(line) elif isinstance(result, dict): @@ -947,18 +998,20 @@ def task_result_to_html(result=None, exc_class=None, for k, v in result.items(): if k == 'properties': _str = "properties = %s" % _parse_properties(v) - fragment = TaskResultFragment(text=_str) + fragment = TaskResultFragment(text=_str, need_escape=False) line = TaskResultLine(fragments=[fragment], need_escape=True) elif k != '__starstar': val_fragment = _parse_value(k, v) key_fragment = TaskResultFragment(text=k, need_escape=True) + # fragment already escaped line = TaskResultLine(fragments=[key_fragment, val_fragment], need_escape=False, composer=composer) lines.append(line) else: if result is not None: fragment = _parse_value('', result) - line = TaskResultLine(fragments=[fragment]) + # fragment already escaped + line = TaskResultLine(fragments=[fragment], need_escape=False) lines.append(line) if not lines: @@ -986,4 +1039,4 @@ def task_result_to_html(result=None, exc_class=None, total_abbr_lines += 1 total_abbr_len += line_len - return full_ret_str, abbr_ret_str + return SafeValue(full_ret_str), SafeValue(abbr_ret_str)
Name$util.escapeHTML($user.name)Name$user.name
ID$user.id
$util.escapeHTML($package.package_name)$util.escapeHTML($package.tag_name)$package.package_name$package.tag_name #if $package.blocked then $util.imageTag('no') else $util.imageTag('yes')#
$util.escapeHTML($build.nvr)$build.nvr $util.formatTime($build.completion_ts) $util.stateImage($build.state)
$user.id$util.escapeHTML($user.name)$user.name view view view