Mercurial > kallithea
view LICENSE-MERGELY.html @ 5219:c9cfaeb1cdfe stable
tooltips: fix unsafe insertion of userdata into the DOM as html
This fixes js injection in the admin journal ... and probably also in other places.
Tooltips are used both with hardcoded strings (which is safe and simple) and
with user provided strings wrapped in html formatting (which requires careful
escaping before being put into the DOM as html). The templating will
automatically take care of one level of escaping, but here it requires two
levels to do it correctly ... and that was not always done correctly.
Instead, by default, just insert it into the DOM as text, not as html.
The few places where we know the tooltip contains safe html are handled
specially - the element is given the safe-html-title class. That is the case in
file annotation and in display of tip revision in repo lists.
author | Mads Kiilerich <madski@unity3d.com> |
---|---|
date | Tue, 07 Jul 2015 02:09:35 +0200 |
parents | aa3b55946089 |
children |
line wrap: on
line source
<!DOCTYPE html> <html lang="en"> <!--[if IE]> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <![endif]--> <head> <meta charset="utf-8" /><title>Mergely License</title> <meta http-equiv="content-type" content="text/html; charset=UTF-8"/> <meta name="description" content="Mergely license requirements for open source software and commercial software" /> <meta name="keywords" content="diff,merge,compare,compare documents,js diff,javascript diff,comparison,online diff,difference,file,text,unix,patch,algorithm,saas,longest common subsequence,diff online" /> <meta name="author" content="Jamie Peabody" /> <meta name="author" content="Jamie Peabody" /> <link rel="shortcut icon" href="http://www.mergely.com/favicon.ico" /> <link href='http://fonts.googleapis.com/css?family=Noto+Sans:400,700' rel='stylesheet' type='text/css' /> <link href='fonts/berlin-sans-fb-demi.css' rel='stylesheet' type='text/css' /> <link href='style/mergely.css' rel='stylesheet' type='text/css' /> <link href='/Mergely/lib/mergely.css' rel='stylesheet' type='text/css' /> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js"></script> <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-85576-5']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> </head> <body> <div id="page"> <div id="content"> <div id="header"> <h1><span>Mergely License - Closed Distribution License</span></h1> <div id="options"> <a href="/editor" class="button">Online Diff</a> <a href="/download" class="button">Download</a> </div> <nav> <ul> <li><a href="/">Home</a></li> <li><a href="/doc">Documentation</a></li> <li><a href="/about">About Mergely</a></li> <li><a href="/license">License</a></li> <li><a href="#footer">Contact</a></li> </ul> </nav> </div> <div id="main"> <h1>Mergely License</h1> <p> All Mergely code is Copyright 2014 by Jamie Peabody. Mergely is distributed under the <a href="http://www.gnu.org/licenses/gpl.html">GPL</a>, <a href="http://www.gnu.org/licenses/lgpl.html">LGPL</a> and <a href="http://www.mozilla.org/MPL/MPL-1.1.html">MPL</a> open source licenses. This triple <b>copyleft</b> licensing model avoids incompatibility with other open source licenses. These open source licenses are specially indicated for: <ul> <li>Integrating Mergely into Open Source software;</li> <li>Personal and educational use of Mergely;</li> <li> Integrating Mergely in commercial software, taking care of satisfying the Open Source licenses terms, while not able or interested on supporting Mergely and its development. </li> </ul> </p> <h2>Mergely Commercial License - Closed Distribution License - CDL</h2> <p> You may contact <a href="mailto:jamie.peabody@gmail.com">Jamie Peabody</a> to enquire about obtaining a CDL license. </p> <p> This license offers a very flexible way to integrate Mergely in your commercial application. These are the main advantages it offers over an Open Source license: </p> <p> Modifications and enhancements do not need to be released under an Open Source license; There is no need to distribute any Open Source license terms along with your product and no reference to it have to be done; You do not have to mention any reference to Mergely in your product; Mergely source code does not have to be distributed with your product; You can remove any file from Mergely when integrating it with your product. </p> <p> The CDL is a lifetime license valid for all previous releases of Mergely published prior to the year of purchase, and any releases in the following year. Please select the license option that best fit your needs above. It includes 1 year of <b>personal e-mail support</b>. </p> <h2>Third party codes</h2> <p> Mergely utilizes <b>CodeMirror</b>, a third-party library released under an <a href="http://en.wikipedia.org/wiki/MIT_License">MIT</a> license. Also used is <b>jQuery</b> and is released under the <a href="http://en.wikipedia.org/wiki/MIT_License">MIT</a> or <a href="http://www.gnu.org/licenses/gpl.html">GPL</a> Version 2 license. </p> </div> <div id="footer"> <a href="/download" class="download">Download</a> <ul> <li id="google-plus"><a target="_blank" href="http://groups.google.com/group/mergely">http://groups.google.com/group/mergely</a></li> <li id="github"><a target="_blank" href="https://github.com/wickedest/Mergely">https://github.com/wickedest/Mergely</a></li> <li id="email"><a target="_blank" href="mailto:jamie.peabody@gmail.com">jamie.peabody@gmail.com</a></li> </ul> </div> </div> <div id="copyright">By <b>Jamie Peabody</b></div> </div> </body> </html>