# HG changeset patch
# User Mads Kiilerich <madski@unity3d.com>
# Date 1453250831 -3600
# Node ID 12e7421e046967e71bff1ef9b37bf2f4f43866e5
# Parent  872d05f3d7cc46b9743fc17ec4a38db9f88d0c4a
comments: avoid js string formatting of html template from DOM - avoid insecure naming

Multiple inline comment forms were only distinguished by the line number - not
by the filename.

Instead, just keep it simple and avoid trying to assign "globally" unique names
and use jQuery instead.

diff -r 872d05f3d7cc -r 12e7421e0469 kallithea/public/js/base.js
--- a/kallithea/public/js/base.js	Wed Jan 20 01:47:11 2016 +0100
+++ b/kallithea/public/js/base.js	Wed Jan 20 01:47:11 2016 +0100
@@ -683,15 +683,18 @@
 
 // append a comment form to $comment_div
 function _comment_div_append_form($comment_div, f_path, line_no) {
-    var $form_div = $($('#comment-inline-form-template').html().format(f_path, line_no))
+    var $form_div = $('#comment-inline-form-template').children()
+        .clone()
         .addClass('comment-inline-form');
     $comment_div.append($form_div);
     var $form = $comment_div.find("form");
+    var $textarea = $form.find('textarea');
+    var $mentions_container = $form.find('div.mentions-container');
 
     $form.submit(function(e) {
         e.preventDefault();
 
-        var text = $('#text_'+line_no).val();
+        var text = $textarea.val();
         if (!text){
             return;
         }
@@ -719,9 +722,8 @@
     setTimeout(function() {
         // callbacks
         tooltip_activate();
-        MentionsAutoComplete($('#text_'+line_no), $('#mentions_container_'+line_no),
-                             _USERS_AC_DATA);
-        $('#text_'+line_no).focus();
+        MentionsAutoComplete($textarea, $mentions_container, _USERS_AC_DATA);
+        $textarea.focus();
     }, 10);
 }
 
diff -r 872d05f3d7cc -r 12e7421e0469 kallithea/templates/changeset/changeset_file_comment.html
--- a/kallithea/templates/changeset/changeset_file_comment.html	Wed Jan 20 01:47:11 2016 +0100
+++ b/kallithea/templates/changeset/changeset_file_comment.html	Wed Jan 20 01:47:11 2016 +0100
@@ -48,24 +48,20 @@
 </%def>
 
 
-## expanded with .format(f_path, line_no)
-## TODO: don't assume line_no is globally unique ...
 <%def name="comment_inline_form()">
 <div id='comment-inline-form-template' style="display:none">
   <div class="ac">
   %if c.authuser.username != 'default':
     ${h.form('#', class_='inline-form')}
       <div class="clearfix">
-        <div class="comment-help">${_('Commenting on line {1}.')}
+        <div class="comment-help">${_('Commenting on line.')}
           <span style="color:#577632" class="tooltip">${_('Comments are in plain text. Use @username inside this text to notify another user.')|n}</span>
         </div>
-        <div class="mentions-container" id="mentions_container_{1}"></div>
-        <textarea id="text_{1}" name="text" class="comment-block-ta yui-ac-input"></textarea>
+        <div class="mentions-container"></div>
+        <textarea name="text" class="comment-block-ta yui-ac-input"></textarea>
       </div>
       <div class="comment-button">
         <div class="submitting-overlay">${_('Submitting ...')}</div>
-        <input type="hidden" name="f_path" value="{0}">
-        <input type="hidden" name="line" value="{1}">
         ${h.submit('save', _('Comment'), class_='btn btn-small save-inline-form')}
         ${h.reset('hide-inline-form', _('Cancel'), class_='btn btn-small hide-inline-form')}
       </div>