prevent XSS in AQL editor
parent
428865f3b5
commit
2f89193e6c
|
@ -273,7 +273,7 @@ return returnVal;
|
||||||
|
|
||||||
return dt.getUTCFullYear() + '-'
|
return dt.getUTCFullYear() + '-'
|
||||||
+ pad(dt.getUTCMonth() + 1) + '-'
|
+ pad(dt.getUTCMonth() + 1) + '-'
|
||||||
+ pad(dt.getUTCDate()) + ' <br>'
|
+ pad(dt.getUTCDate()) + ' '
|
||||||
+ pad(dt.getUTCHours()) + ':'
|
+ pad(dt.getUTCHours()) + ':'
|
||||||
+ pad(dt.getUTCMinutes()) + ':'
|
+ pad(dt.getUTCMinutes()) + ':'
|
||||||
+ pad(dt.getUTCSeconds());
|
+ pad(dt.getUTCSeconds());
|
||||||
|
|
|
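Review bot: Nothing in the hunk records why the `<br>` on the getUTCDate line became a plain space, so the next person who wants a two-line cell will put the tag back and reintroduce the problem this commit fixes. I'd add a comment directly above the `return`, e.g. `// plain text only: this value is rendered through an escaped template cell, so any markup would show up literally`. The enclosing function starts outside the hunk; its doc comment should also state that the result is a `YYYY-MM-DD HH:MM:SS` timestamp in UTC (every accessor here is the `getUTC*` variant). That the value feeds the escaped table cell is my presumption from the paired template change — confirm against the caller.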
@ -14,7 +14,7 @@
|
||||||
<% _.each(content.rows, function(k) { var counter=0;%>
|
<% _.each(content.rows, function(k) { var counter=0;%>
|
||||||
<tr>
|
<tr>
|
||||||
<% _.each(k, function(x) { %>
|
<% _.each(k, function(x) { %>
|
||||||
<td class="arangob-table-td table-cell<%=counter%>"><%=x%></td>
|
<td class="arangob-table-td table-cell<%=counter%>"><%=_.escape(x)%></td>
|
||||||
<% counter++;});%>
|
<% counter++;});%>
|
||||||
</tr>
|
</tr>
|
||||||
<%});%>
|
<%});%>
|
||||||
|
|
|
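Review bot: `_.escape(x)` on the cell line escapes every value of every row, including cells a view deliberately fills with markup — the updateTable hunk in this same commit sets `k.thirdRow` to an `<a class="deleteButton">…</a>` string, and if those rows reach this template the delete control will render as literal text. Confirm which views feed `content.rows`; where a column is trusted markup, build it after render with DOM calls (`$('<a>', { 'class': 'deleteButton' })`) rather than reverting the cell to raw output. The new contract is worth stating at the top of the loop, e.g. `<% /* every cell is HTML-escaped: rows must carry plain text, not markup */ %>`.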
@ -71,7 +71,7 @@
|
||||||
|
|
||||||
invertArray: function (array) {
|
invertArray: function (array) {
|
||||||
var rtnArr = [], counter = 0, i;
|
var rtnArr = [], counter = 0, i;
|
||||||
for (i = array.length-1; i >= 0; i--) {
|
for (i = array.length - 1; i >= 0; i--) {
|
||||||
rtnArr[counter] = array[i];
|
rtnArr[counter] = array[i];
|
||||||
counter++;
|
counter++;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
/*jshint browser: true */
|
/*jshint browser: true */
|
||||||
/*jshint unused: false */
|
/*jshint unused: false */
|
||||||
/*global require, exports, Backbone, EJS, $, setTimeout, localStorage, ace, Storage, window, _ */
|
/*global require, exports, Backbone, EJS, $, setTimeout, localStorage, ace, Storage, window, _ */
|
||||||
/*global arangoHelper, templateEngine, jQuery, Joi*/
|
/*global _, arangoHelper, templateEngine, jQuery, Joi*/
|
||||||
|
|
||||||
(function () {
|
(function () {
|
||||||
"use strict";
|
"use strict";
|
||||||
|
@ -76,7 +76,7 @@
|
||||||
updateTable: function () {
|
updateTable: function () {
|
||||||
this.tableDescription.rows = this.customQueries;
|
this.tableDescription.rows = this.customQueries;
|
||||||
|
|
||||||
_.each(this.tableDescription.rows, function(k,v) {
|
_.each(this.tableDescription.rows, function(k, v) {
|
||||||
k.thirdRow = '<a class="deleteButton"><span class="icon_arangodb_roundminus"' +
|
k.thirdRow = '<a class="deleteButton"><span class="icon_arangodb_roundminus"' +
|
||||||
' title="Delete query"></span></a>';
|
' title="Delete query"></span></a>';
|
||||||
});
|
});
|
||||||
|
@ -123,7 +123,8 @@
|
||||||
$('#modalButton1').addClass('button-warning');
|
$('#modalButton1').addClass('button-warning');
|
||||||
$('#modalButton1').text('Update');
|
$('#modalButton1').text('Update');
|
||||||
boolTemp = true;
|
boolTemp = true;
|
||||||
} else {
|
}
|
||||||
|
else {
|
||||||
$('#modalButton1').removeClass('button-warning');
|
$('#modalButton1').removeClass('button-warning');
|
||||||
$('#modalButton1').addClass('button-success');
|
$('#modalButton1').addClass('button-success');
|
||||||
$('#modalButton1').text('Save');
|
$('#modalButton1').text('Save');
|
||||||
|
@ -188,9 +189,9 @@
|
||||||
var sizeBox = $('#querySize');
|
var sizeBox = $('#querySize');
|
||||||
sizeBox.empty();
|
sizeBox.empty();
|
||||||
[ 100, 250, 500, 1000, 2500, 5000 ].forEach(function (value) {
|
[ 100, 250, 500, 1000, 2500, 5000 ].forEach(function (value) {
|
||||||
sizeBox.append('<option value="' + value + '"' +
|
sizeBox.append('<option value="' + _.escape(value) + '"' +
|
||||||
(querySize === value ? ' selected' : '') +
|
(querySize === value ? ' selected' : '') +
|
||||||
'>' + value + ' results</option>');
|
'>' + _.escape(value) + ' results</option>');
|
||||||
});
|
});
|
||||||
|
|
||||||
var outputEditor = ace.edit("queryOutput");
|
var outputEditor = ace.edit("queryOutput");
|
||||||
|
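Review bot: The `_.escape(value)` calls on the sizeBox lines wrap numbers taken from a literal array, so they can never contain markup and the escape is a no-op that also hides the implicit number-to-string coercion. If the intent is to stop building option markup from strings at all, a DOM construction says that more clearly and needs no escaping: `sizeBox.append($('<option>', { value: value, text: value + ' results', selected: querySize === value }));`. Otherwise the original concatenation was already safe here and could stay as it was. The surrounding render function starts and ends outside the hunk.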
@ -446,7 +447,7 @@
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isUpdate) {
|
if (! isUpdate) {
|
||||||
//this.customQueries.push({
|
//this.customQueries.push({
|
||||||
// name: saveName,
|
// name: saveName,
|
||||||
// value: content
|
// value: content
|
||||||
|
@ -469,8 +470,6 @@
|
||||||
$('#querySelect').val(saveName);
|
$('#querySelect').val(saveName);
|
||||||
},
|
},
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
getSystemQueries: function () {
|
getSystemQueries: function () {
|
||||||
var self = this;
|
var self = this;
|
||||||
$.ajax({
|
$.ajax({
|
||||||
|
@ -498,6 +497,7 @@
|
||||||
});
|
});
|
||||||
return returnVal;
|
return returnVal;
|
||||||
},
|
},
|
||||||
|
|
||||||
importSelected: function (e) {
|
importSelected: function (e) {
|
||||||
var inputEditor = ace.edit("aqlEditor");
|
var inputEditor = ace.edit("aqlEditor");
|
||||||
$.each(this.queries, function (k, v) {
|
$.each(this.queries, function (k, v) {
|
||||||
|
@ -513,6 +513,7 @@
|
||||||
|
|
||||||
this.deselect(ace.edit("aqlEditor"));
|
this.deselect(ace.edit("aqlEditor"));
|
||||||
},
|
},
|
||||||
|
|
||||||
renderSelectboxes: function () {
|
renderSelectboxes: function () {
|
||||||
this.sortQueries();
|
this.sortQueries();
|
||||||
var selector = '';
|
var selector = '';
|
||||||
|
@ -523,16 +524,14 @@
|
||||||
|
|
||||||
$(selector).append('<optgroup label="Example queries">');
|
$(selector).append('<optgroup label="Example queries">');
|
||||||
jQuery.each(this.queries, function (k, v) {
|
jQuery.each(this.queries, function (k, v) {
|
||||||
var escapedName = arangoHelper.escapeHtml(v.name);
|
$(selector).append('<option id="' + _.escape(v.name) + '">' + _.escape(v.name) + '</option>');
|
||||||
$(selector).append('<option id="' + escapedName + '">' + escapedName + '</option>');
|
|
||||||
});
|
});
|
||||||
$(selector).append('</optgroup>');
|
$(selector).append('</optgroup>');
|
||||||
|
|
||||||
if (this.customQueries.length > 0) {
|
if (this.customQueries.length > 0) {
|
||||||
$(selector).append('<optgroup label="Custom queries">');
|
$(selector).append('<optgroup label="Custom queries">');
|
||||||
jQuery.each(this.customQueries, function (k, v) {
|
jQuery.each(this.customQueries, function (k, v) {
|
||||||
var escapedName = arangoHelper.escapeHtml(v.name);
|
$(selector).append('<option id="' + _.escape(v.name) + '">' + _.escape(v.name) + '</option>');
|
||||||
$(selector).append('<option id="' + escapedName + '">' + escapedName + '</option>');
|
|
||||||
});
|
});
|
||||||
$(selector).append('</optgroup>');
|
$(selector).append('</optgroup>');
|
||||||
}
|
}
|
||||||
|
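Review bot: The options appended on the changed lines do not end up inside the optgroups: `$(selector).append('<optgroup label="Example queries">')` makes jQuery parse and auto-close a complete `<optgroup>` element, so each following `append('<option …>')` lands on the select itself, and `append('</optgroup>')` parses to nothing and is a no-op. The escaping itself is right, but since these lines are being rewritten anyway I'd build the group as an element and let the DOM API carry `v.name` as text and attribute nodes, which removes the need to escape at all; the same pattern applies to the "Custom queries" block. `$('#querySelect').val(saveName)` elsewhere in the file keeps working because an option's value still defaults to its text.
```javascript
var group = $('<optgroup>', { label: 'Example queries' });
jQuery.each(this.queries, function (k, v) {
  // DOM construction: the name becomes text/attribute nodes, never parsed as HTML
  group.append($('<option>', { id: v.name, text: v.name }));
});
$(selector).append(group);
// … unchanged: same construction for the "Custom queries" group …
```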
@ -614,7 +613,7 @@
|
||||||
var changeTab = function (element, index, array){
|
var changeTab = function (element, index, array){
|
||||||
var divId = "#" + element.replace("-switch", "");
|
var divId = "#" + element.replace("-switch", "");
|
||||||
var contentDivId = "#tabContent" + divId.charAt(1).toUpperCase() + divId.substr(2);
|
var contentDivId = "#tabContent" + divId.charAt(1).toUpperCase() + divId.substr(2);
|
||||||
if ( element === switchId){
|
if (element === switchId) {
|
||||||
$("#" + element).parent().addClass("active");
|
$("#" + element).parent().addClass("active");
|
||||||
$(divId).addClass("active");
|
$(divId).addClass("active");
|
||||||
$(contentDivId).show();
|
$(contentDivId).show();
|
||||||
|
|