From 2d10e4ef95f3bd317883a702a7b991b1ac77ae62 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 26 Feb 2015 11:20:23 -0500
Subject: [PATCH] Merged #242 "issue-545: Enforce repository permissions in patch page"
---
 src/main/java/com/gitblit/wicket/pages/TicketPage.java | 39 +++++++++++++++++----------------------
 1 files changed, 17 insertions(+), 22 deletions(-)
diff --git a/src/main/java/com/gitblit/wicket/pages/TicketPage.java b/src/main/java/com/gitblit/wicket/pages/TicketPage.java
index b1f94a5..19788f2 100644
--- a/src/main/java/com/gitblit/wicket/pages/TicketPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/TicketPage.java
@@ -37,7 +37,6 @@
 import org.apache.wicket.PageParameters;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.ajax.AjaxRequestTarget;
-import org.apache.wicket.behavior.IBehavior;
 import org.apache.wicket.behavior.SimpleAttributeModifier;
 import org.apache.wicket.markup.html.basic.Label;
 import org.apache.wicket.markup.html.image.ContextImage;
@@ -287,7 +286,9 @@
 desc = getString("gb.noDescriptionGiven");
 } else {
 String bugtraq = bugtraqProcessor().processText(getRepository(), repositoryName, ticket.body);
- desc = MarkdownUtils.transformGFM(app().settings(), bugtraq, ticket.repository);
+ String html = MarkdownUtils.transformGFM(app().settings(), bugtraq, ticket.repository);
+ String safeHtml = app().xssFilter().relaxed(html);
+ desc = safeHtml;
 }
 add(new Label("ticketDescription", desc).setEscapeModelStrings(false));
@@ -377,7 +378,7 @@
 }
 TicketModel update = app().tickets().updateTicket(repository, ticket.number, change);
 app().tickets().createNotifier().sendMailing(update);
- setResponsePage(TicketsPage.class, getPageParameters());
+ redirectTo(TicketsPage.class, getPageParameters());
 }
 };
 String css = TicketsUI.getStatusClass(item.getModel().getObject());
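Review bot: The sanitizing step is correctly placed after the Markdown transform in the second hunk, but nothing in the hunk records that the ordering matters, so a later edit could move the filter onto the Markdown source and pass the transform's output straight to a Label with escaping disabled. I would add above the `String html =` line: `// sanitize the rendered HTML, not the Markdown source: the transform produces markup and the result is rendered with setEscapeModelStrings(false)`. The same applies to the other filtered outputs in this commit at lines 524 (ticketTopic), 696/705 (comment) and 966 (fields), and the comment only needs to be written once if it goes on the xssFilter accessor instead. The enclosing method starts and ends outside the hunk.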
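Review bot: `redirectTo(TicketsPage.class, getPageParameters())` replaces `setResponsePage(...)` after a state-changing ticket update plus a mailing in the third hunk, but `redirectTo` is not defined anywhere in the diff, so the intended difference (presumably a client-side redirect so that a browser reload does not replay the update and resend the mail) is invisible to a reader of this change. A one-line comment at the call site, `// redirect instead of rendering in place so a reload cannot resubmit the ticket update`, would record that, assuming that is what redirectTo does — worth confirming against its definition. The same substitution is made at lines 442, 487, 560, 600, 1297 and 1408 and is best documented once, on redirectTo itself. The enclosing anonymous class starts outside the hunk.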
@@ -441,7 +442,7 @@
 }
 TicketModel update = app().tickets().updateTicket(repository, ticket.number, change);
 app().tickets().createNotifier().sendMailing(update);
- setResponsePage(TicketsPage.class, getPageParameters());
+ redirectTo(TicketsPage.class, getPageParameters());
 }
 };
 item.add(link);
@@ -486,7 +487,7 @@
 }
 TicketModel update = app().tickets().updateTicket(repository, ticket.number, change);
 app().tickets().createNotifier().sendMailing(update);
- setResponsePage(TicketsPage.class, getPageParameters());
+ redirectTo(TicketsPage.class, getPageParameters());
 }
 };
 item.add(link);
@@ -523,7 +524,8 @@
 } else {
 // process the topic using the bugtraq config to link things
 String topic = bugtraqProcessor().processText(getRepository(), repositoryName, ticket.topic);
- add(new Label("ticketTopic", topic).setEscapeModelStrings(false));
+ String safeTopic = app().xssFilter().relaxed(topic);
+ add(new Label("ticketTopic", safeTopic).setEscapeModelStrings(false));
 }
@@ -558,7 +560,7 @@
 change.vote(user.username);
 }
 app().tickets().updateTicket(repository, ticket.number, change);
- setResponsePage(TicketsPage.class, getPageParameters());
+ redirectTo(TicketsPage.class, getPageParameters());
 }
 };
 add(link);
@@ -598,7 +600,7 @@
 change.watch(user.username);
 }
 app().tickets().updateTicket(repository, ticket.number, change);
- setResponsePage(TicketsPage.class, getPageParameters());
+ redirectTo(TicketsPage.class, getPageParameters());
 }
 };
 add(link);
@@ -684,15 +686,6 @@
 Label status = new Label("statusChange", entry.getStatus().toString());
 String css = TicketsUI.getLozengeClass(entry.getStatus(), false);
 WicketUtils.setCssClass(status, css);
- for (IBehavior b : status.getBehaviors()) {
- if (b instanceof SimpleAttributeModifier) {
- SimpleAttributeModifier sam = (SimpleAttributeModifier) b;
- if ("class".equals(sam.getAttribute())) {
- status.add(new SimpleAttributeModifier("class", "status-change " + sam.getValue()));
- break;
- }
- }
- }
 frag.add(status);
 addUserAttributions(frag, entry, avatarWidth);
 addDateAttributions(frag, entry);
@@ -703,6 +696,7 @@
 */
 String bugtraq = bugtraqProcessor().processText(getRepository(), repositoryName, entry.comment.text);
 String comment = MarkdownUtils.transformGFM(app().settings(), bugtraq, repositoryName);
+ String safeComment = app().xssFilter().relaxed(comment);
 Fragment frag = new Fragment("entry", "commentFragment", this);
 Label commentIcon = new Label("commentIcon");
 if (entry.comment.src == CommentSource.Email) {
@@ -711,7 +705,7 @@
 WicketUtils.setCssClass(commentIcon, "iconic-comment-alt2-stroke");
 }
 frag.add(commentIcon);
- frag.add(new Label("comment", comment).setEscapeModelStrings(false));
+ frag.add(new Label("comment", safeComment).setEscapeModelStrings(false));
 addUserAttributions(frag, entry, avatarWidth);
 addDateAttributions(frag, entry);
 item.add(frag);
@@ -972,7 +966,8 @@
 sb.append("</td></tr>");
 }
 sb.append("</tbody></table>");
- item.add(new Label("fields", sb.toString()).setEscapeModelStrings(false));
+ String safeHtml = app().xssFilter().relaxed(sb.toString());
+ item.add(new Label("fields", safeHtml).setEscapeModelStrings(false));
 } else {
 item.add(new Label("fields").setVisible(false));
 }
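Review bot: Removing the `IBehavior` loop in the first hunk also removes the `status-change ` prefix that was prepended to the label's class attribute, so the rendered status entry loses the `status-change` CSS class, and neither the commit subject nor the rest of the diff says whether that is intended. If the stylesheet still has a rule keyed on `status-change`, timeline status entries will render differently after this change; if the class is obsolete, the stylesheet rule should be removed with it. Keeping the old output without the behavior-list walk would be a single line, `WicketUtils.setCssClass(status, "status-change " + css);`, in place of the existing `setCssClass` call. The enclosing method starts and ends outside the hunk.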
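Review bot: In the second hunk the unsanitized `comment` string stays in scope next to `safeComment` for the rest of the method, so the only thing preventing an unescaped Label is picking the right local name (the Label is added in the following hunk, at line 705). Folding the filter into the original assignment removes the raw string from scope altogether: `String comment = app().xssFilter().relaxed(MarkdownUtils.transformGFM(app().settings(), bugtraq, repositoryName));`, after which line 705 can keep `new Label("comment", comment)` unchanged. The same shape appears at line 286, where `html` lingers beside `safeHtml`. The enclosing method starts and ends outside the hunk.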
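Review bot: In the last hunk the relaxed filter is run over the whole `sb` buffer, which mixes the page's own `<table>`/`<tbody>`/`<td>` scaffolding with the field values, so the table layout now depends on the allowlist of `relaxed()` (not shown here) accepting those structural tags, and a value the filter rewrites is indistinguishable from a layout change. Escaping each field value at the point where it is appended (that loop starts outside the hunk) and leaving the trusted scaffolding alone would make the trust boundary explicit. If that is not practical, a comment on the `safeHtml` line, `// relaxed() must allow table/tbody/tr/td or the field layout is stripped along with the values`, at least records the dependency. The enclosing method starts and ends outside the hunk.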
@@ -1302,7 +1297,7 @@
 }
 TicketModel updatedTicket = app().tickets().updateTicket(getRepositoryModel(), ticket.number, change);
 app().tickets().createNotifier().sendMailing(updatedTicket);
- setResponsePage(TicketsPage.class, getPageParameters());
+ redirectTo(TicketsPage.class, getPageParameters());
 }
 protected <X extends MarkupContainer> X setNewTarget(X x) {
@@ -1413,8 +1408,8 @@
 GitBlitWebSession.get().cacheErrorMessage(msg);
 logger.error(msg);
 }
-
- setResponsePage(TicketsPage.class, getPageParameters());
+
+ redirectTo(TicketsPage.class, getPageParameters());
 }
 };
 mergePanel.add(mergeButton);
-- Gitblit v1.9.1