diff --git a/CHANGELOG b/CHANGELOG index 7662a0877c..281f857d06 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,10 @@ v3.4.5 (XXXX-XX-XX) ------------------- +* fixed some escaping issues within the web ui. + +* fixed issue #8165: AQL optimizer does not pick up multiple Geo index + * fix uniq array indices not accepting document updates * when restarting a follower in active failover mode, try an incremental sync instead diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/arango/arango.js b/js/apps/system/_admin/aardvark/APP/frontend/js/arango/arango.js index 420850f8a3..e8f118c4e3 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/arango/arango.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/arango/arango.js @@ -120,7 +120,7 @@ } }); } - return shortName; + return arangoHelper.escapeHtml(shortName); }, getDatabaseShortName: function (id) { diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/collections/arangoDocument.js b/js/apps/system/_admin/aardvark/APP/frontend/js/collections/arangoDocument.js index 6ca1da679e..34f5fd1131 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/collections/arangoDocument.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/collections/arangoDocument.js @@ -112,7 +112,7 @@ window.ArangoDocument = Backbone.Collection.extend({ $.ajax({ cache: false, type: 'GET', - url: arangoHelper.databaseUrl('/_api/collection/' + identifier + '?' + arangoHelper.getRandomToken()), + url: arangoHelper.databaseUrl('/_api/collection/' + encodeURIComponent(identifier) + '?' + arangoHelper.getRandomToken()), contentType: 'application/json', processData: false, success: function (data) { diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/routers/router.js b/js/apps/system/_admin/aardvark/APP/frontend/js/routers/router.js index e6287d9230..d2f1df356a 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/routers/router.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/routers/router.js 
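Review bot: In the arango.js hunk, `return arangoHelper.escapeHtml(shortName);` moves HTML escaping into the accessor itself, so every caller receives an entity-encoded name even when it uses the value for comparison, URL building or `.text()` rather than markup insertion, and a caller that already escapes at its own sink will double-encode (`&amp;amp;`). The enclosing function's name is outside the hunk; the nodeInfoView.js deleted elsewhere in this patch called `arangoHelper.getCoordinatorShortName`, so this is presumably that accessor. Keeping `return shortName;` and escaping where the string is written into markup keeps data and presentation separate and matches the other hunks of this commit, which escape at the `.html(...)` call.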
@@ -394,29 +394,6 @@ this.nodeView.render(); }, - nodeInfo: function (id, initialized) { - this.checkUser(); - if (!initialized || this.isCluster === undefined) { - this.waitForInit(this.nodeInfo.bind(this), id); - return; - } - if (this.isCluster === false) { - this.routes[''] = 'dashboard'; - this.navigate('#dashboard', {trigger: true}); - return; - } - - if (this.nodeInfoView) { - this.nodeInfoView.remove(); - } - this.nodeInfoView = new window.NodeInfoView({ - nodeId: id, - coordinators: this.coordinatorCollection, - dbServers: this.dbServers[0] - }); - this.nodeInfoView.render(); - }, - shards: function (initialized) { this.checkUser(); if (!initialized || this.isCluster === undefined) { @@ -533,10 +510,10 @@ xhr.setRequestHeader('Authorization', 'Basic ' + btoa(token)); }, - logger: function (name, initialized) { + logger: function (initialized) { this.checkUser(); if (!initialized) { - this.waitForInit(this.logger.bind(this), name); + this.waitForInit(this.logger.bind(this)); return; } if (!this.loggerView) { diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/templates/nodeInfoView.ejs b/js/apps/system/_admin/aardvark/APP/frontend/js/templates/nodeInfoView.ejs deleted file mode 100644 index 2889431ccc..0000000000 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/templates/nodeInfoView.ejs +++ /dev/null @@ -1,27 +0,0 @@ - diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/collectionsItemView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/collectionsItemView.js index aae9ef9c02..6e07710da6 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/collectionsItemView.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/collectionsItemView.js 
@@ -139,8 +139,8 @@ deleteCollection: function () { this.model.destroy( { - error: function () { - arangoHelper.arangoError('Could not delete collection.'); + error: function (_, data) { + arangoHelper.arangoError('Could not drop collection: ' + data.responseJSON.errorMessage); }, success: function () { window.modalView.hide(); diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/databaseView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/databaseView.js index 08d38f7165..a5a024762e 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/databaseView.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/databaseView.js @@ -250,7 +250,7 @@ reducedCollection; searchInput = $('#databaseSearchInput'); - searchString = $('#databaseSearchInput').val(); + searchString = arangoHelper.escapeHtml($('#databaseSearchInput').val()); reducedCollection = this.collection.filter( function (u) { return u.get('name').indexOf(searchString) !== -1; diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/documentsView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/documentsView.js index be9cf59578..056be4ca36 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/documentsView.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/documentsView.js @@ -121,7 +121,7 @@ $('#docPureTable').html( '
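Review bot: `data.responseJSON.errorMessage` in the new error callback throws a TypeError whenever the failed response carries no JSON body (a network failure, a proxy error page or a timeout leave `responseJSON` undefined), so the user gets no notification at all in exactly the cases the message was meant to explain. Guard it, e.g. `var msg = (data && data.responseJSON && data.responseJSON.errorMessage) || (data && data.statusText) || 'unknown error';`, and pass that. The message also originates from the server and is concatenated into the notification text; if `arangoError` renders its argument as HTML (not visible here), it should go through `arangoHelper.escapeHtml` like the other strings in this commit. The settingsView.js hunk later in this patch has the identical callback and needs the same guard.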
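Review bot: `searchString = arangoHelper.escapeHtml($('#databaseSearchInput').val());` escapes a value that is only used as a substring match against `u.get('name')` two lines below, so a search for any name containing `&`, `<`, `>`, `"` or `'` now compares `&amp;` and friends against the raw name and silently returns no match. The raw `.val()` is never inserted into markup in this hunk, so the escaping adds no protection here; keep `searchString = $('#databaseSearchInput').val();` and escape only where the search term is written into HTML, if it is at all. The userManagementView.js search hunk has the same filter and the same defect, and the viewsView.js `setSearchString(arangoHelper.escapeHtml(...))` change looks like the same pattern, though setSearchString's body is outside the patch.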
' + '

Error

' + - '

Collection not found. Requested name was: "' + name + '".

' + + '

Collection not found. Requested name was: "' + arangoHelper.escapeHtml(name) + '".

' + '
' ); $('#subNavigationBar .breadcrumb').html(); @@ -982,6 +982,7 @@ this.collectionName = window.location.hash.split('/')[1]; $(this.el).html(this.template.render({})); + if (this.type === 2) { this.type = 'document'; } else if (this.type === 3) { @@ -1062,9 +1063,9 @@ if (window.App.naviView && $('#subNavigationBar .breadcrumb').html() !== undefined) { $('#subNavigationBar .breadcrumb').html( - 'Collection: ' + this.collectionName + 'Collection: ' + arangoHelper.escapeHtml(this.collectionName) ); - window.arangoHelper.buildCollectionSubNav(this.collectionName, 'Content'); + arangoHelper.buildCollectionSubNav(this.collectionName, 'Content'); } else { window.setTimeout(function () { self.breadcrumb(); diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/nodeInfoView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/nodeInfoView.js deleted file mode 100644 index 9877b3478a..0000000000 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/nodeInfoView.js +++ /dev/null 
@@ -1,118 +0,0 @@ -/* jshint browser: true */ -/* jshint unused: false */ -/* global arangoHelper, $, Backbone, templateEngine, window */ -(function () { - 'use strict'; - - window.NodeInfoView = Backbone.View.extend({ - el: '#content', - - template: templateEngine.createTemplate('nodeInfoView.ejs'), - - initialize: function (options) { - if (window.App.isCluster) { - this.nodeId = options.nodeId; - this.dbServers = options.dbServers; - this.coordinators = options.coordinators; - } - }, - - remove: function () { - this.$el.empty().off(); /* off to unbind the events */ - this.stopListening(); - this.unbind(); - delete this.el; - return this; - }, - - render: function () { - this.$el.html(this.template.render({entries: []})); - - var callback = function () { - this.continueRender(); - this.breadcrumb(arangoHelper.getCoordinatorShortName(this.nodeId)); - $(window).trigger('resize'); - }.bind(this); - - if (!this.initCoordDone) { - this.waitForCoordinators(); - } - - if (!this.initDBDone) { - this.waitForDBServers(callback); - } else { - this.nodeId = window.location.hash.split('/')[1]; - this.coordinator = this.coordinators.findWhere({name: this.coordname}); - callback(); - } - }, - - continueRender: function () { - var model; - if (this.coordinator) { - model = this.coordinator.toJSON(); - } else { - model = this.dbServer.toJSON(); - } - - var renderObj = {}; - if (model.name) { - renderObj.Name = model.name; - } - if (model.address) { - renderObj.Address = model.address; - } - if (model.status) { - renderObj.Status = model.status; - } - if (model.protocol) { - renderObj.Protocol = model.protocol; - } - if (model.role) { - renderObj.Role = model.role; - } - this.$el.html(this.template.render({entries: renderObj})); - }, - - breadcrumb: function (name) { - $('#subNavigationBar .breadcrumb').html('Node: ' + name); - }, - - waitForCoordinators: function (callback) { - var self = this; - - window.setTimeout(function () { - if (self.coordinators.length === 0) { - 
self.waitForCoordinators(callback); - } else { - self.coordinator = self.coordinators.findWhere({name: self.nodeId}); - self.initCoordDone = true; - if (callback) { - callback(); - } - } - }, 200); - }, - - waitForDBServers: function (callback) { - var self = this; - - window.setTimeout(function () { - if (self.dbServers.length === 0) { - self.waitForDBServers(callback); - } else { - self.initDBDone = true; - - self.dbServers.each(function (model) { - if (model.get('id') === self.nodeId) { - self.dbServer = model; - } - }); - - callback(); - } - }, 200); - } - - }); -}()); diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/queryView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/queryView.js index b506629f51..0029ed2691 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/queryView.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/queryView.js @@ -310,16 +310,24 @@ $(e.currentTarget).addClass('selected'); var name = this.getQueryNameFromTable(e); - this.queryPreview.setValue(this.getCustomQueryValueByName(name), 1); + + try { + this.queryPreview.setValue(this.getCustomQueryValueByName(name), 1); + } catch (e) { + this.queryPreview.setValue('Invalid query name', 1); + arangoHelper.arangoError('Query', 'Invalid query name'); + throw (e); + } + this.deselect(this.queryPreview); }, getQueryNameFromTable: function (e) { var name; if ($(e.currentTarget).is('tr')) { - name = $(e.currentTarget).children().first().text(); + name = arangoHelper.escapeHtml($(e.currentTarget).children().first().text()); } else if ($(e.currentTarget).is('span')) { - name = $(e.currentTarget).parent().parent().prev().text(); + name = arangoHelper.escapeHtml($(e.currentTarget).parent().parent().prev().text()); } return name; }, 
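Review bot: `getQueryNameFromTable` now returns `arangoHelper.escapeHtml(...)` of the cell text, and the first queryView hunk feeds that value to `getCustomQueryValueByName(name)` as a lookup key, so a saved query whose name contains `&`, `<`, `>` or a quote will no longer be found; the new try/catch then reports 'Invalid query name' for a name that is perfectly valid. jQuery's `.text()` already returns decoded text, not markup, so the escaping should move to the place where the name is written into HTML and `getQueryNameFromTable` should return the raw text. The `catch (e)` in the first hunk also shadows the event parameter `e` of the enclosing handler; `catch (err)` avoids the confusion. The handler's signature is outside the hunk.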
@@ -374,8 +382,13 @@ this.state.lastQuery.query = this.aqlEditor.getValue(); this.state.lastQuery.bindParam = this.bindParamTableObj; - this.aqlEditor.setValue(this.getCustomQueryValueByName(name), 1); - this.fillBindParamTable(this.getCustomQueryParameterByName(name)); + try { + this.aqlEditor.setValue(this.getCustomQueryValueByName(name), 1); + this.fillBindParamTable(this.getCustomQueryParameterByName(name)); + } catch (e) { + arangoHelper.arangoError('Query', 'Invalid query name'); + throw (e); + } this.updateBindParams(); this.currentQuery = this.collection.findWhere({name: name}); @@ -1570,7 +1583,7 @@ }, checkSaveName: function () { - var saveName = $('#new-query-name').val(); + var saveName = arangoHelper.escapeHtml($('#new-query-name').val()); if (saveName === 'Insert Query') { $('#new-query-name').val(''); return; @@ -1600,7 +1613,7 @@ // update queries first, before writing this.refreshAQL(); - var saveName = $('#new-query-name').val(); + var saveName = arangoHelper.escapeHtml($('#new-query-name').val()); var bindVars = this.bindParamTableObj; if ($('#new-query-name').hasClass('invalid-input')) { diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/replicationView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/replicationView.js index 76727fa2fa..9a19c18563 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/replicationView.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/replicationView.js @@ -142,23 +142,6 @@ }); }, - getActiveFailoverHealth: function () { - /* - $.ajax({ - type: 'GET', - cache: false, - url: arangoHelper.databaseUrl('/_admin/cluster/health'), - contentType: 'application/json', - success: function (data) { - console.log(data); - }, - error: function (data) { - console.log(data); - } - }); - */ - }, - renderEndpoints: function (endpoints) { var self = this; 
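Review bot: In the `checkSaveName` hunk and the save hunk that follows it, `var saveName = arangoHelper.escapeHtml($('#new-query-name').val());` escapes the name before it is compared with `'Insert Query'` and, judging by the surrounding code, before it is used as the query's stored name, so a query saved as `a&b` would be persisted as `a&amp;b` and then not match the raw text the user typed or later selects from the table. Escaping belongs at the point where the name is rendered into HTML, not in the value that is stored and compared; keep `var saveName = $('#new-query-name').val();` in both places. Both enclosing functions extend past the hunk boundaries, so where the name is ultimately written to the collection is not visible here.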
@@ -363,7 +346,6 @@ if (this.mode === 3) { this.getActiveFailoverEndpoints(); this.getLoggerState(); - this.getActiveFailoverHealth(); } else if (this.mode === 2) { if (this.info.role === 'leader') { this.getLoggerState(); diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/settingsView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/settingsView.js index b904405fad..6a22f2ef77 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/settingsView.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/settingsView.js @@ -96,8 +96,8 @@ if (!this.readOnly) { this.model.destroy( { - error: function () { - arangoHelper.arangoError('Could not delete collection.'); + error: function (_, data) { + arangoHelper.arangoError('Could not drop collection: ' + data.responseJSON.errorMessage); }, success: function () { window.App.navigate('#collections', {trigger: true}); diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/userManagementView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/userManagementView.js index 98ce0f3db4..810d5440f3 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/userManagementView.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/userManagementView.js @@ -21,10 +21,6 @@ events: { 'click #createUser': 'createUser', 'click #submitCreateUser': 'submitCreateUser', - // "click #deleteUser" : "removeUser", - // "click #submitDeleteUser" : "submitDeleteUser", - // "click .editUser" : "editUser", - // "click .icon" : "editUser", 'click #userManagementThumbnailsIn .tile': 'editUser', 'click #submitEditUser': 'submitEditUser', 'click #userManagementToggle': 'toggleView', 
@@ -129,7 +125,7 @@ reducedCollection; searchInput = $('#userManagementSearchInput'); - searchString = $('#userManagementSearchInput').val(); + searchString = arangoHelper.escapeHtml($('#userManagementSearchInput').val()); reducedCollection = this.collection.filter( function (u) { return u.get('user').indexOf(searchString) !== -1; diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/userPermissions.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/userPermissions.js index 4ea3938bd5..5af86d7aca 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/userPermissions.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/userPermissions.js @@ -233,14 +233,8 @@ this.currentUser = this.collection.findWhere({ user: this.username }); - this.breadcrumb(); var url = arangoHelper.databaseUrl('/_api/user/' + encodeURIComponent(self.currentUser.get('user')) + '/database?full=true'); - /* - if (frontendConfig.db === '_system') { - url = arangoHelper.databaseUrl('/_api/user/root/database'); - } - */ // FETCH COMPLETE DB LIST $.ajax({ @@ -281,6 +275,7 @@ arangoHelper.createTooltips(); // check if current user is root this.checkRoot(); + this.breadcrumb(); }, checkRoot: function () { @@ -342,7 +337,7 @@ if (window.App.naviView) { $('#subNavigationBar .breadcrumb').html( - 'User: ' + this.currentUser.get('user') + 'User: ' + arangoHelper.escapeHtml(this.currentUser.get('user')) ); arangoHelper.buildUserSubNav(self.currentUser.get('user'), 'Permissions'); } else { diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/userView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/userView.js index c5917d4e46..f455a06c6f 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/userView.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/userView.js 
@@ -1,6 +1,6 @@ /* jshint browser: true */ /* jshint unused: false */ -/* global CryptoJS, _, arangoHelper, Backbone, window $ */ +/* global CryptoJS, _, arangoHelper, Backbone, window, $ */ (function () { 'use strict'; @@ -158,7 +158,7 @@ { type: window.modalView.tables.TEXT, label: 'Name', - value: name, + value: _.escape(name), id: 'editName', placeholder: 'Name' }, @@ -301,7 +301,7 @@ if (window.App.naviView) { $('#subNavigationBar .breadcrumb').html( - 'User: ' + this.username + 'User: ' + _.escape(this.username) ); arangoHelper.buildUserSubNav(self.currentUser.get('user'), 'General'); } else { diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/viewView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/viewView.js index daab770593..e4c5de0793 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/viewView.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/viewView.js @@ -323,11 +323,11 @@ if (window.App.naviView) { $('#subNavigationBar .breadcrumb').html( - 'View: ' + self.name + 'View: ' + arangoHelper.escapeHtml(self.name) ); window.setTimeout(function () { $('#subNavigationBar .breadcrumb').html( - 'View: ' + self.name + 'View: ' + arangoHelper.escapeHtml(self.name) ); self.checkIfInProgress(); }, 100); diff --git a/js/apps/system/_admin/aardvark/APP/frontend/js/views/viewsView.js b/js/apps/system/_admin/aardvark/APP/frontend/js/views/viewsView.js index 5a3945f285..79a4dede59 100644 --- a/js/apps/system/_admin/aardvark/APP/frontend/js/views/viewsView.js +++ b/js/apps/system/_admin/aardvark/APP/frontend/js/views/viewsView.js @@ -98,7 +98,7 @@ }, search: function () { - this.setSearchString($('#viewsSearchInput').val()); + this.setSearchString(arangoHelper.escapeHtml($('#viewsSearchInput').val())); this.render(); },
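Review bot: The `value: _.escape(name)` change in the edit-user modal and the `_.escape(this.username)` breadcrumb change use Underscore's escape while every other hunk in this commit uses `arangoHelper.escapeHtml`; the file already declares `arangoHelper` in its `/* global */` line, so the same helper can be used here. Mixing two escape functions makes it easy to end up with differing character sets (recent Underscore versions also escape the backtick) and harder to audit where escaping happens. For the modal field it is also worth confirming that `window.modalView` does not already escape `value` when it renders a TEXT row, or the input will display `&amp;` for a name containing `&`; that rendering is outside the patch.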