changeset 5665:12e7421e0469
comments: avoid js string formatting of html template from DOM - avoid insecure naming
Multiple inline comment forms were only distinguished by the line number - not
by the filename.
Keep it simple instead: avoid trying to assign "globally" unique names
and use jQuery.
author | Mads Kiilerich <madski@unity3d.com> |
date | Wed, 20 Jan 2016 01:47:11 +0100 |
parents | 872d05f3d7cc |
children | b3ddd87f214f |
files | kallithea/public/js/base.js kallithea/templates/changeset/changeset_file_comment.html |
diffstat | 2 files changed, 10 insertions(+), 12 deletions(-) [+] |
--- a/kallithea/public/js/base.js Wed Jan 20 01:47:11 2016 +0100
+++ b/kallithea/public/js/base.js Wed Jan 20 01:47:11 2016 +0100
@@ -683,15 +683,18 @@
 // append a comment form to $comment_div
 function _comment_div_append_form($comment_div, f_path, line_no) {
- var $form_div = $($('#comment-inline-form-template').html().format(f_path, line_no))
+ var $form_div = $('#comment-inline-form-template').children()
+ .clone()
 .addClass('comment-inline-form');
 $comment_div.append($form_div);
 var $form = $comment_div.find("form");
+ var $textarea = $form.find('textarea');
+ var $mentions_container = $form.find('div.mentions-container');
 $form.submit(function(e) {
 e.preventDefault();
- var text = $('#text_'+line_no).val();
+ var text = $textarea.val();
 if (!text){
 return;
 }
@@ -719,9 +722,8 @@
 setTimeout(function() {
 // callbacks
 tooltip_activate();
- MentionsAutoComplete($('#text_'+line_no), $('#mentions_container_'+line_no),
- _USERS_AC_DATA);
- $('#text_'+line_no).focus();
+ MentionsAutoComplete($textarea, $mentions_container, _USERS_AC_DATA);
+ $textarea.focus();
 }, 10);
 }
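Review bot: The hidden `f_path` and `line` inputs that the old template carried are gone, but nothing in this hunk shows how the submit handler now sends them; the handler body continues past the hunk, and `f_path` and `line_no` remain parameters of `_comment_div_append_form`, so presumably the post data is built from those closure variables there — worth confirming, since otherwise a comment would be stored without its file and line anchor. Cloning the template nodes instead of `.format()`-ing its HTML is the right fix: `f_path` is no longer spliced into markup or into a hidden input's `value` attribute, so a path containing `<`, `"` or `'` can no longer change the form's structure, and the per-line `id` attributes that were duplicated when several forms were open at once are gone too. The header comment could record that contract so nobody reintroduces the string route, e.g. `// append a comment form to $comment_div; the form is cloned from the hidden #comment-inline-form-template nodes - never rebuild it from its HTML string`.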
--- a/kallithea/templates/changeset/changeset_file_comment.html Wed Jan 20 01:47:11 2016 +0100
+++ b/kallithea/templates/changeset/changeset_file_comment.html Wed Jan 20 01:47:11 2016 +0100
@@ -48,24 +48,20 @@
 </%def>
-## expanded with .format(f_path, line_no)
-## TODO: don't assume line_no is globally unique ...
 <%def name="comment_inline_form()">
 <div id='comment-inline-form-template' style="display:none">
 <div class="ac">
 %if c.authuser.username != 'default':
 ${h.form('#', class_='inline-form')}
 <div class="clearfix">
- <div class="comment-help">${_('Commenting on line {1}.')}
+ <div class="comment-help">${_('Commenting on line.')}
 <span style="color:#577632" class="tooltip">${_('Comments are in plain text. Use @username inside this text to notify another user.')|n}</span>
 </div>
- <div class="mentions-container" id="mentions_container_{1}"></div>
- <textarea id="text_{1}" name="text" class="comment-block-ta yui-ac-input"></textarea>
+ <div class="mentions-container"></div>
+ <textarea name="text" class="comment-block-ta yui-ac-input"></textarea>
 </div>
 <div class="comment-button">
 <div class="submitting-overlay">${_('Submitting ...')}</div>
- <input type="hidden" name="f_path" value="{0}">
- <input type="hidden" name="line" value="{1}">
 ${h.submit('save', _('Comment'), class_='btn btn-small save-inline-form')}
 ${h.reset('hide-inline-form', _('Cancel'), class_='btn btn-small hide-inline-form')}
 </div>
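Review bot: The two removed Mako comments described how the template was consumed, and no replacement is added: with the `{0}`/`{1}` placeholders gone, nothing in the template says that `_comment_div_append_form()` in base.js clones the children of `#comment-inline-form-template` with jQuery, or that the markup must therefore stay free of `id` attributes, since several copies can be live on one page. Suggest a note after `<%def name="comment_inline_form()">` such as `## Cloned into the page by _comment_div_append_form() in base.js; keep it free of id attributes, as several copies can exist at once` and `## Do not expand this template with string formatting: f_path and line_no go to the JS function, not into the markup`. The help text `Commenting on line.` no longer names the line; if that is wanted back, set it from the JS side with jQuery's `.text()`, which escapes, rather than reintroducing a placeholder in the HTML.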