TT#114401 fix missing html escape in preferences

* subscriber/preferences.tt and helper/pref_table.tt
  contained directly rendered data, without using
  helper/datatable.tt, leading to unescaped html in
  rendered data values. Such cases are now fixed
  by using the TT2 html filter

Change-Id: If266903cc5df754c6e6fe6b8363398b9e4f3236c
(cherry picked from commit 9da6c9914c)
mr7.5.9
Kirill Solomko 4 years ago
parent aa691a47c7
commit f90ef4c31a

@ -57,7 +57,7 @@
}); return false;"><i class="icon-question-sign"></i></a>
</td>
[% UNLESS c.user.roles == 'subscriber' || c.user.roles == 'subscriberadmin' -%]
<td>[% r.attribute %]</td>
<td>[% r.attribute | html %]</td>
[% END -%]
<td>
[% c.loc(r.label||" ") %]
@ -67,72 +67,72 @@
<select disabled="disabled">
<option>&nbsp;</option>
[% FOR set IN helper.rewrite_rule_sets -%]
<option [% (r.rwrs_id.defined && r.rwrs_id == set.id) ? 'selected="selected"' : '' %]>[% set.name %]</option>
<option [% (r.rwrs_id.defined && r.rwrs_id == set.id) ? 'selected="selected"' : '' %]>[% set.name | html %]</option>
[% END -%]
</select>
[% ELSIF r.attribute == "cdr_export_sclidui_rwrs" -%]
<select disabled="disabled">
<option>&nbsp;</option>
[% FOR set IN helper.rewrite_rule_sets -%]
<option [% (r.rwrs_id.defined && r.rwrs_id == set.id) ? 'selected="selected"' : '' %]>[% set.name %]</option>
<option [% (r.rwrs_id.defined && r.rwrs_id == set.id) ? 'selected="selected"' : '' %]>[% set.name | html %]</option>
[% END -%]
</select>
[% ELSIF r.attribute == "header_rule_set" -%]
<select disabled="disabled">
<option>&nbsp;</option>
[% FOR set IN helper.header_rule_sets -%]
<option [% (r.value == set.id) ? 'selected="selected"' : '' %]>[% set.name %]</option>
<option [% (r.value == set.id) ? 'selected="selected"' : '' %]>[% set.name | html %]</option>
[% END -%]
</select>
[% ELSIF r.attribute == "ncos" -%]
<select disabled="disabled">
<option>&nbsp;</option>
[% FOR level IN helper.ncos_levels -%]
<option [% (r.ncos_id.defined && r.ncos_id == level.id) ? 'selected="selected"' : '' %]>[% level.level %]</option>
<option [% (r.ncos_id.defined && r.ncos_id == level.id) ? 'selected="selected"' : '' %]>[% level.level | html %]</option>
[% END -%]
</select>
[% ELSIF r.attribute == "adm_ncos" -%]
<select disabled="disabled">
<option>&nbsp;</option>
[% FOR level IN helper.ncos_levels -%]
<option [% (r.adm_ncos_id.defined && r.adm_ncos_id == level.id) ? 'selected="selected"' : '' %]>[% level.level %]</option>
<option [% (r.adm_ncos_id.defined && r.adm_ncos_id == level.id) ? 'selected="selected"' : '' %]>[% level.level | html %]</option>
[% END -%]
</select>
[% ELSIF r.attribute == "adm_cf_ncos" -%]
<select disabled="disabled">
<option>&nbsp;</option>
[% FOR level IN helper.ncos_levels -%]
<option [% (r.adm_cf_ncos_id.defined && r.adm_cf_ncos_id == level.id) ? 'selected="selected"' : '' %]>[% level.level %]</option>
<option [% (r.adm_cf_ncos_id.defined && r.adm_cf_ncos_id == level.id) ? 'selected="selected"' : '' %]>[% level.level | html %]</option>
[% END -%]
</select>
[% ELSIF r.attribute == "emergency_mapping_container" -%]
<select disabled="disabled">
<option>&nbsp;</option>
[% FOR container IN helper.emergency_mapping_containers -%]
<option [% (r.emergency_mapping_container_id.defined && r.emergency_mapping_container_id == container.id) ? 'selected="selected"' : '' %]>[% container.name %]</option>
<option [% (r.emergency_mapping_container_id.defined && r.emergency_mapping_container_id == container.id) ? 'selected="selected"' : '' %]>[% container.name | html %]</option>
[% END -%]
</select>
[% ELSIF r.attribute == "sound_set" -%]
<select disabled="disabled">
<option>&nbsp;</option>
[% FOR set IN helper.sound_sets -%]
<option [% (r.value.defined && r.value == set.id) ? 'selected="selected"' : '' %]>[% set.name %]</option>
<option [% (r.value.defined && r.value == set.id) ? 'selected="selected"' : '' %]>[% set.name | html %]</option>
[% END -%]
</select>
[% ELSIF r.attribute == "contract_sound_set" -%]
<select disabled="disabled">
<option>&nbsp;</option>
[% FOR set IN helper.contract_sound_sets -%]
<option [% (r.value.defined && r.value == set.id) ? 'selected="selected"' : '' %]>[% set.name %]</option>
<option [% (r.value.defined && r.value == set.id) ? 'selected="selected"' : '' %]>[% set.name | html %]</option>
[% END -%]
</select>
[% ELSIF r.attribute == "allowed_ips" -%]
[% FOR ipnet IN r.allowed_ips_rs.all -%]
[% ipnet.ipnet -%]<br/>
[% ipnet.ipnet | html -%]<br/>
[% END -%]
[% ELSIF r.attribute == "man_allowed_ips" -%]
[% FOR ipnet IN r.man_allowed_ips_rs.all -%]
[% ipnet.ipnet -%]<br/>
[% ipnet.ipnet | html -%]<br/>
[% END -%]
[% ELSIF r.data_type == "boolean" %]
@ -140,13 +140,13 @@
[% IF r.value %]checked="checked"[% END %]/>
[% ELSIF r.data_type == "string" || r.data_type == "int" %]
[% IF r.max_occur == 1 %]
[% r.value %]
[% r.value | html %]
[% ELSE %]
[% FOR value IN r.value -%]
[% IF value.substr(0,1) == '#' -%]
<span class="ngcp-entry-disabled">[% value.substr(1) %]</span>
<span class="ngcp-entry-disabled">[% value.substr(1) | html %]</span>
[% ELSE -%]
[% value %]
[% value | html %]
[% END -%]
<br/>
[% END %]
@ -154,7 +154,7 @@
[% ELSIF r.data_type == "enum" %]
<select disabled="disabled">
[% FOREACH e IN r.enums %]
<option [% IF r.value == e.value || (!r.value.defined && ! e.value.defined) %]selected="selected"[% END %]>[% e.label %]</option>
<option [% IF r.value == e.value || (!r.value.defined && ! e.value.defined) %]selected="selected"[% END %]>[% e.label | html %]</option>
[% END %]
</select>
[% END %]
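Review bot: In the first hunk, `<td>[% r.attribute | html %]</td>` is escaped but the neighbouring cell `[% c.loc(r.label||" ") %]` is still emitted raw, so the fix is only complete if `r.label` is taken from trusted preference metadata rather than from stored data; if that cannot be guaranteed, make it `[% c.loc(r.label||" ") | html %]` like the other cells. Note also that TT2's html filter encodes `&`, `<`, `>` and `"` but not `'`, so it is adequate for the element content touched in these hunks and for double-quoted attributes, but would not be enough for a single-quoted attribute context. The enclosing `[% IF/ELSIF r.attribute ... %]` chain starts before the first hunk and ends outside the last, so any remaining unfiltered branches cannot be checked from here.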

@ -137,13 +137,14 @@ $( document ).ready(function() {
always
[% jdx = jdx + 1 %]
[% ELSE -%]
[% maps.tset_name -%]
[% escaped_tset_name = maps.tset_name | html -%]
[% escaped_tset_name -%]
[% tset_unique_id = cf.type _ idx _ jdx _ maps.id -%]
<a href="#" data-toggle="modal" data-target="#[% tset_unique_id %]" class="pull-right"><i class="icon-question-sign"></i></a>
[% modal_header_dynamic(m.header = c.loc('Timeset "[_1]" Details', maps.tset_name), m.id=tset_unique_id) %]
[% modal_header_dynamic(m.header = c.loc('Timeset "[_1]" Details', escaped_tset_name), m.id=tset_unique_id) %]
<div class="modal-body">
[% FOR p IN maps.periods -%]
[% p.as_string %]<br/>
[% p.as_string | html %]<br/>
[% END -%]
</div>
[% modal_footer() %]
@ -161,13 +162,13 @@ $( document ).ready(function() {
[% c.loc('all sources'); %]
[% jdx = jdx + 1 %]
[% ELSE -%]
[% maps.sset_name -%] ([% maps.sset_mode -%])
[% maps.sset_name | html -%] ([% maps.sset_mode -%])
[% sset_unique_id = cf.type _ idx _ jdx _ maps.id _ 's' -%]
<a href="#" data-toggle="modal" data-target="#[% sset_unique_id %]" class="pull-right"><i class="icon-question-sign"></i></a>
[% modal_header_dynamic(m.header = c.loc('Sourceset "[_1]" Details', maps.sset_name), m.id=sset_unique_id) %]
<div class="modal-body">
[% FOR s IN maps.sources -%]
[% s.as_string %]<br/>
[% s.as_string | html %]<br/>
[% END -%]
</div>
[% modal_footer() %]
@ -186,13 +187,14 @@ $( document ).ready(function() {
[% c.loc('any number'); %]
[% jdx = jdx + 1 %]
[% ELSE -%]
[% maps.bset_name -%] ([% maps.bset_mode -%])
[% escaped_bset_name = maps.bset_name | html -%]
[% escaped_bset_name -%] ([% maps.bset_mode -%])
[% bset_unique_id = cf.type _ idx _ '-' _ jdx _ '-' _ maps.id _ 'b' -%]
<a href="#" data-toggle="modal" data-target="#[% bset_unique_id %]" class="pull-right"><i class="icon-question-sign"></i></a>
[% modal_header_dynamic(m.header = c.loc('B-Number Set "[_1]" Details', maps.bset_name), m.id=bset_unique_id) %]
[% modal_header_dynamic(m.header = c.loc('B-Number Set "[_1]" Details', escaped_bset_name), m.id=bset_unique_id) %]
<div class="modal-body">
[% FOR s IN maps.bnumbers -%]
[% s.as_string %]<br/>
[% s.as_string | html %]<br/>
[% END -%]
</div>
[% modal_footer() %]
@ -209,17 +211,22 @@ $( document ).ready(function() {
[% idx = 0 -%]
[% FOR maps IN cf_destinations.${cf.type} -%]
[% IF maps.dset_name.search('^quickset_') && maps.destinations.size == 1 %]
[% FILTER html -%]
[% PROCESS print_destination d=maps.destinations.0; -%]
[% END -%]
[% ELSE %]
[% jdx = 0 -%]
[% maps.dset_name -%]
[% escaped_dset_name = maps.dset_name | html -%]
[% escaped_dset_name -%]
[% dset_unique_id = cf.type _ "dset" _ idx _ jdx _ maps.id -%]
<a href="#" data-toggle="modal" data-target="#[% dset_unique_id %]" class="pull-right"><i class="icon-question-sign"></i></a>
[% modal_header_dynamic(m.header = c.loc('Destination Set "[_1]" Details', maps.dset_name), m.id=dset_unique_id) %]
[% modal_header_dynamic(m.header = c.loc('Destination Set "[_1]" Details', escaped_dset_name), m.id=dset_unique_id) %]
<div class="modal-body">
[% FOR d IN maps.destinations -%]
[% FILTER html -%]
[% PROCESS print_destination d=d; %]<br/>
[% END -%]
[% jdx = jdx + 1 -%]
[% END -%]
</div>
@ -275,7 +282,7 @@ $( document ).ready(function() {
<tr class="sw_action_row">
<td>[% c.loc('PIN') %]</td>
<td>
[% subscriber.provisioning_voip_subscriber.voicemail_user.password %]
[% subscriber.provisioning_voip_subscriber.voicemail_user.password | html %]
</td>
<td class="ngcp-actions-column">
<div class="sw_actions">
@ -289,7 +296,7 @@ $( document ).ready(function() {
<tr class="sw_action_row">
<td>[% c.loc('Email') %]</td>
<td>
[% subscriber.provisioning_voip_subscriber.voicemail_user.email %]
[% subscriber.provisioning_voip_subscriber.voicemail_user.email | html %]
</td>
<td class="ngcp-actions-column">
<div class="sw_actions">
@ -332,7 +339,7 @@ $( document ).ready(function() {
<tr class="sw_action_row">
<td>[% c.loc('SMS Number') %]</td>
<td>
[% subscriber.provisioning_voip_subscriber.voicemail_user.pager %]
[% subscriber.provisioning_voip_subscriber.voicemail_user.pager | html %]
</td>
<td class="ngcp-actions-column">
<div class="sw_actions">
@ -409,7 +416,7 @@ $( document ).ready(function() {
<tr class="sw_action_row">
<td>[% c.loc('Name in Fax Header for Sendfax') %]</td>
<td>
[% faxpref.name %]
[% faxpref.name | html %]
</td>
<td class="ngcp-actions-column">
<div class="sw_actions">
@ -442,7 +449,9 @@ $( document ).ready(function() {
<td>[% c.loc('Destinations') %]</td>
<td>
[% FOR faxdest IN faxdests -%]
[% FILTER html -%]
[% c.loc('[_1] as [_2]', faxdest.destination, faxdest.filetype) %]<br/>
[% END -%]
[% END -%]
</td>
<td class="ngcp-actions-column">
@ -524,7 +533,7 @@ $( document ).ready(function() {
<tr class="sw_action_row">
<td>[% c.loc('Secret Key (empty=disabled)') %]</td>
<td>
[% mtf_pref.secret_key %]
[% mtf_pref.secret_key | html %]
</td>
<td class="ngcp-actions-column">
<div class="sw_actions">
@ -565,7 +574,7 @@ $( document ).ready(function() {
<td>[% c.loc('Secret Key Renew Notify') %]</td>
<td>
[% FOR notify_email IN mtf_secret_renew_notify -%]
[% notify_email.destination %]<br/>
[% notify_email.destination | html %]<br/>
[% END -%]
</td>
<td class="ngcp-actions-column">
@ -583,7 +592,7 @@ $( document ).ready(function() {
<td>[% c.loc('ACL') %]</td>
<td>
[% FOR acl IN mtf_acl -%]
[% acl.use_regex ? c.loc('regex') : '' %] [% c.loc('from_email') %] <u>[% acl.from_email ? acl.from_email : c.loc('any') %]</u> [% c.loc('and') %] [% c.loc('received_from') %] <u>[% acl.received_from ? acl.received_from : c.loc('any') %]</u> [% c.loc('to') %] <u>[% acl.destination ? acl.destination : c.loc('any') %]</u> [% c.loc('destination') %]<br/>
[% acl.use_regex ? c.loc('regex') : '' %] [% c.loc('from_email') | html %] <u>[% acl.from_email ? acl.from_email : c.loc('any') | html %]</u> [% c.loc('and') %] [% c.loc('received_from') | html %] <u>[% acl.received_from ? acl.received_from : c.loc('any') | html %]</u> [% c.loc('to') | html %] <u>[% acl.destination ? acl.destination : c.loc('any') | html %]</u> [% c.loc('destination') | html %]<br/>
[% END -%]
</td>
<td class="ngcp-actions-column">
@ -973,7 +982,7 @@ $( document ).ready(function() {
<tbody>
[% FOREACH set IN cf_sets -%]
<tr class="sw_action_row">
<td>[% set.name %]</td>
<td>[% set.name | html %]</td>
<td>
[% FOREACH d IN set.destinations -%]
[% c.loc('[_1]<span class="pull-right">for [_2]s</span>', d.as_string, d.timeout) %]<br/>
@ -1023,10 +1032,10 @@ $( document ).ready(function() {
<tbody>
[% FOREACH set IN cf_sets -%]
<tr class="sw_action_row">
<td>[% set.name %]</td>
<td>[% set.name | html %]</td>
<td>
[% FOREACH p IN set.periods -%]
[% p.as_string %]<br/>
[% p.as_string | html %]<br/>
[% END -%]
</td>
<td class="ngcp-actions-column">
@ -1074,11 +1083,11 @@ $( document ).ready(function() {
<tbody>
[% FOREACH set IN cf_source_sets -%]
<tr class="sw_action_row">
<td>[% set.name %]</td>
<td>[% set.name | html %]</td>
<td>[% set.mode %]</td>
<td>
[% FOREACH source IN set.sources -%]
[% source.as_string %]<br/>
[% source.as_string | html %]<br/>
[% END -%]
</td>
<td class="ngcp-actions-column">
@ -1126,11 +1135,11 @@ $( document ).ready(function() {
<tbody>
[% FOREACH set IN cf_bnumber_sets -%]
<tr class="sw_action_row">
<td>[% set.name %]</td>
<td>[% set.name | html %]</td>
<td>[% set.mode %]</td>
<td>
[% FOREACH number IN set.bnumbers -%]
[% number.as_string %]<br/>
[% number.as_string | html %]<br/>
[% END -%]
</td>
<td class="ngcp-actions-column">
