authorMark Macdonald2012-10-18 18:07:49 (EDT)
committerskaegi2012-10-18 20:55:39 (EDT)
commit9eb0dfffeb8a586cf1b26629204c804fc8a3f892 (patch)
treedf84d8c9c73bb92643f6319022e0506a33d47643
parent455acf66132d5f994d7044b536859835c7fbf340 (diff)
Bug 392386 - fix pervasive use of unsafe 'label' fields from dijit
-rw-r--r--bundles/org.eclipse.orion.client.core/web/orion/commands.js70
-rw-r--r--bundles/org.eclipse.orion.client.core/web/orion/widgets/UserMenu.js24
2 files changed, 79 insertions, 15 deletions
diff --git a/bundles/org.eclipse.orion.client.core/web/orion/commands.js b/bundles/org.eclipse.orion.client.core/web/orion/commands.js
index 4d51b4f..d43015e 100644
--- a/bundles/org.eclipse.orion.client.core/web/orion/commands.js
+++ b/bundles/org.eclipse.orion.client.core/web/orion/commands.js
@@ -9,7 +9,7 @@
* Contributors: IBM Corporation - initial API and implementation
******************************************************************************/
/*jslint sub:true*/
- /*global define window Image */
+ /*global define document window Image */
define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils', 'orion/PageUtil', 'orion/explorers/navigationUtils', 'dijit/Menu', 'dijit/form/DropDownButton', 'dijit/MenuItem', 'dijit/PopupMenuItem', 'dijit/MenuSeparator', 'dijit/Tooltip', 'dijit/TooltipDialog' ], function(messages, require, dojo, dijit, UIUtil, PageUtil, mNavUtils){
@@ -124,6 +124,16 @@ define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils',
this._anchorLocation = anchor.href;
}
},
+
+ // Override setter for 'label' attribute to prevent the use of innerHTML and allow a DOM node instead.
+ _setLabelAttr: function(value) {
+ if (typeof value === "string") {
+ this.containerNode.textContent = value;
+ } else if (value) {
+ dojo.empty(this.containerNode);
+ this.containerNode.appendChild(value);
+ }
+ },
setLink: function(href, name) {
href = PageUtil.validateURLScheme(href);
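Review bot: The new `_setLabelAttr` (L35-L42) never records the value on the widget, so after `set("label", …)` a later `get("label")` will presumably still report dijit's default rather than what is displayed; the `CommandDropDownButton` setter added further down in this same file does call `this._set("label", content)` for the string case, and this one should match it: `this._set("label", value);` as the first line of the string branch. The non-string branch hands anything truthy to `appendChild`, which throws for a non-Node, so the accepted inputs deserve a comment: `// value: plain text (rendered via textContent) or a DOM node the caller built without innerHTML`. The enclosing widget declaration starts before this hunk.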
@@ -139,7 +149,30 @@ define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils',
}
}
});
-
+
+ var CommandDropDownButton = dojo.declare(dijit.form.DropDownButton, {
+ // Override setter for 'label' attribute to prevent the use of innerHTML
+ _setLabelAttr: function(/*String*/ content) {
+ if (typeof content === "string") {
+ this._set("label", content);
+ this.containerNode.textContent = content;
+ if(this.showLabel === false && !this.params.title){
+ this.titleNode.title = dojo.trim(this.containerNode.innerText || this.containerNode.textContent || '');
+ }
+ } else if (content) {
+ dojo.empty(this.containerNode);
+ this.containerNode.appendChild(content);
+ }
+ }
+ });
+
+ var CommandPopupMenuItem = dojo.declare(dijit.PopupMenuItem, {
+ // Override setter for 'label' attribute to prevent the use of innerHTML
+ _setLabelAttr: function(content) {
+ this.containerNode.textContent = content;
+ }
+ });
+
/**
* Override the dijit Tooltip to handle cases where the tooltip is not dismissing
* when expected.
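Review bot: `CommandPopupMenuItem._setLabelAttr` (L69-L71) only handles strings — a DOM node, which the sibling `CommandDropDownButton` setter and the MenuItem setter in this commit both accept, would be rendered as its `toString()` text — so the three overrides do not share one contract. The string/node split should be the same here, and the node branch of `CommandDropDownButton` (L60-L63) should also call `this._set("label", content)` so `get("label")` stays consistent with the string branch. Both widgets would benefit from a comment naming the accepted inputs, e.g. `// label: plain text (textContent) or a DOM node built without innerHTML`.
```javascript
var CommandPopupMenuItem = dojo.declare(dijit.PopupMenuItem, {
	// Override setter for 'label': plain text goes through textContent, a DOM node is inserted as-is;
	// innerHTML is never used.
	_setLabelAttr: function(content) {
		if (typeof content === "string") {
			this._set("label", content);
			this.containerNode.textContent = content;
		} else if (content) {
			dojo.empty(this.containerNode);
			this.containerNode.appendChild(content);
		}
	}
});
```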
@@ -226,6 +259,16 @@ define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils',
dojo.connect(this.options.commandParent, "onClose", dojo.hitch(this, function() {this.close();})); //$NON-NLS-0$
}
}
+ },
+
+ _setLabelAttr: function(content) {
+ this.label = null;
+ if (typeof content === "string") {
+ this.domNode.textContent = content;
+ } else {
+ dojo.empty(this.domNode);
+ this.domNode.appendChild(content);
+ }
}
});
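Review bot: The `else` branch at L87-L90 has no null check, unlike the other two label setters in this commit which use `else if (content)`, so `set("label", undefined)` reaches `appendChild(undefined)` and throws; change L87 to `} else if (content) {`. The `this.label = null;` at L84 is unexplained — it looks intended to make dijit's tooltip code fall back to the `domNode` contents (now populated via textContent) instead of a raw label string, but that should be stated: `// clear label so dijit shows domNode's contents, which were set via textContent, never a raw string`. The enclosing tooltip widget declaration starts before this hunk.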
@@ -890,12 +933,12 @@ define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils',
var newMenu= new dijit.Menu({
style: "display: none;" //$NON-NLS-0$
});
- menuButton = new dijit.form.DropDownButton({
+ menuButton = new CommandDropDownButton({
+ label: group.title === "*" ? messages["Actions"] : group.title, //TODO undocumented hack, even mode dangerous when we have globalization //$NON-NLS-0$
showLabel: group.title !== "*", //$NON-NLS-0$
style: "visibility: hidden;", //$NON-NLS-0$
dropDown: newMenu
});
- menuButton.containerNode.textContent = group.title === "*" ? messages["Actions"] : group.title; //TODO undocumented hack, even mode dangerous when we have globalization //$NON-NLS-0$
dojo.addClass(menuButton.domNode, "commandMenu"); //$NON-NLS-0$
if(domNodeWrapperList){
//we need to add the menuButton as the optional widget param
@@ -937,8 +980,10 @@ define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils',
if (this.emptyGroupMessage) {
dojo.connect(menuButton.focusNode, "onclick", this, function() { //$NON-NLS-0$
//Show the empty group message.
+ var emptyGroupMessage = document.createElement("p"); //$NON-NLS-0$
+ emptyGroupMessage.textContent = this.emptyGroupMessage;
var tooltipDialog = new dijit.TooltipDialog({
- content: "<p>"+this.emptyGroupMessage+"</p>",
+ content: emptyGroupMessage,
onMouseLeave: function() {
dijit.popup.close(tooltipDialog);
tooltipDialog.destroyRecursive();
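Review bot: The reason for building `emptyGroupMessage` as an element (L112-L113) instead of the previous string template is not recorded, and the next maintainer could easily revert to concatenation; add `// build via textContent so emptyGroupMessage is shown as text, never parsed as HTML` above L112. The enclosing function starts before this hunk and continues after it.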
@@ -986,7 +1031,7 @@ define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils',
var subMenu = new dijit.Menu();
// popup menu placeholder must be added synchronously to respect order.
// We will remove it if it ends up empty
- var groupPopup = new dijit.PopupMenuItem({
+ var groupPopup = new CommandPopupMenuItem({
label: group.title,
popup: subMenu
});
@@ -1060,7 +1105,7 @@ define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils',
style: "display: none;" //$NON-NLS-0$
});
if (renderType === "tool" || renderType === "button") { //$NON-NLS-1$ //$NON-NLS-0$
- menuButton = new dijit.form.DropDownButton({
+ menuButton = new CommandDropDownButton({
label: command.name,
dropDown: choicesMenu,
postCreate: function() {
@@ -1068,7 +1113,7 @@ define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils',
dojo.connect(this._buttonNode, "mousedown", this, function(e) { //$NON-NLS-0$
this.eclipseCommand.populateChoicesMenu(this.eclipseChoices, items, handler, userData);
});
- dijit.form.DropDownButton.prototype.postCreate.apply(this, Array.prototype.slice.call(arguments));
+ CommandDropDownButton.prototype.postCreate.apply(this, Array.prototype.slice.call(arguments));
}});
dojo.addClass(menuButton.domNode, "commandMenu"); //$NON-NLS-0$
dojo.removeAttr(menuButton.titleNode, "title"); // there is no need for a native browser tooltip //$NON-NLS-0$
@@ -1082,7 +1127,7 @@ define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils',
menuButton.eclipseChoices = choicesMenu;
} else if (renderType === "menu") { //$NON-NLS-0$
// parent is already a menu
- var popup = new dijit.PopupMenuItem({
+ var popup = new CommandPopupMenuItem({
label: command.name,
popup: choicesMenu
});
@@ -1189,7 +1234,12 @@ define(['i18n!orion/nls/messages', 'require', 'dojo', 'dijit', 'orion/uiUtils',
_init: function(options) {
this.id = options.id; // unique id
this.name = options.name;
- this.tooltip = options.tooltip || options.name;
+ if (options.tooltip || options.name) {
+ this.tooltip = document.createElement("span"); //$NON-NLS-0$
+ this.tooltip.textContent = options.tooltip || options.name;
+ } else {
+ this.tooltip = null;
+ }
this.callback = options.callback; // optional callback that should be called when command is activated (clicked)
this.hrefCallback = options.hrefCallback; // optional callback that returns an href for a command link
this.choiceCallback = options.choiceCallback; // optional callback indicating that the command will supply secondary choices.
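Review bot: `this.tooltip` changes type from a string to a `<span>` element (L161-L166), and since a `Command` is typically rendered in more than one place, appending this single node into a second widget's DOM would move it out of the first (`appendChild` relocates an existing node); any consumer still treating `tooltip` as a string is also affected — none is visible in this hunk, so this is inferred. Either keep the text and create the node per rendering, or have the consumer insert `this.tooltip.cloneNode(true)`. At minimum document the new type: `// tooltip: a DOM node carrying plain text (never innerHTML); clone before inserting it into more than one widget`. The `_init` method continues past this hunk.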
diff --git a/bundles/org.eclipse.orion.client.core/web/orion/widgets/UserMenu.js b/bundles/org.eclipse.orion.client.core/web/orion/widgets/UserMenu.js
index 2a9db46..d6fbfb6 100644
--- a/bundles/org.eclipse.orion.client.core/web/orion/widgets/UserMenu.js
+++ b/bundles/org.eclipse.orion.client.core/web/orion/widgets/UserMenu.js
@@ -21,10 +21,10 @@ define(['i18n!orion/widgets/nls/messages', 'require', 'dojo', 'dijit', 'orion/co
'<tbody class="dijitReset" dojoAttachPoint="containerNode"></tbody>' + //$NON-NLS-0$
'</table>', //$NON-NLS-0$
- label: messages['test'],
-
postCreate : function() {
this.inherited(arguments);
+
+ this.label = messages['test'];
dojo.style( this.domNode, 'border-radius', '3px' ); //$NON-NLS-1$ //$NON-NLS-0$
dojo.style( this.domNode, 'border', '1px solid #DDD' ); //$NON-NLS-1$ //$NON-NLS-0$
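Review bot: `this.label = messages['test'];` at L182 assigns the field directly instead of going through `this.set('label', …)`, so no `_setLabelAttr` runs and the value is stored but never rendered; if the intent is precisely to keep the value away from dijit's innerHTML-based label setter while still exposing it on the widget, say so: `// assigned directly, not via set(), so dijit's innerHTML label setter never runs`. If the label is meant to be visible, this is a regression compared with the removed declared property, which dijit would have applied at construction. The widget body continues after this hunk.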
@@ -92,8 +92,16 @@ define(['i18n!orion/widgets/nls/messages', 'require', 'dojo', 'dijit', 'orion/co
}else{
loginForm+= "&redirect=" + eclipse.globalCommandUtils.notifyAuthenticationSite + "?key=" + key; //$NON-NLS-1$ //$NON-NLS-0$
}
+ var link = document.createElement("a"); //$NON-NLS-0$
+ link.target = "_blank"; //$NON-NLS-0$
+ link.href = loginForm;
+ if (where) {
+ link.textContent = messages["Sign In To "] + where;
+ } else {
+ link.textContent = messages["Sign In"];
+ }
this.addChild(new mCommands.Command.MenuItem({
- label: where ? "<a target='_blank' href="+loginForm+">"+messages["Sign In To "]+ where +"</a>" : "<a target='_blank' href="+loginForm+">"+messages["Sign In"]+"</a>", //$NON-NLS-8$ //$NON-NLS-6$ //$NON-NLS-4$ //$NON-NLS-3$ //$NON-NLS-1$ //$NON-NLS-0$
+ label: link,
hasLink: true
}), startIndex);
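Review bot: `link.href = loginForm;` at L191 assigns a URL assembled from `notifyAuthenticationSite` and `key` (built before this hunk) without a scheme check, whereas `setLink` in commands.js in this same commit runs `PageUtil.validateURLScheme` first; if any of those parts can come from a remote authentication response, a `javascript:` URL survives the move from innerHTML to a DOM node. Apply the same check here, `link.href = PageUtil.validateURLScheme(loginForm);`, importing PageUtil if this module does not already have it. The `key` value is also concatenated unencoded on L187, which predates this change but is worth `encodeURIComponent(key)` while the link is being touched. Since the link opens with `target="_blank"`, `link.rel = "noopener";` would keep the authentication page from reaching `window.opener`. The enclosing function starts before this hunk.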
@@ -142,8 +150,11 @@ define(['i18n!orion/widgets/nls/messages', 'require', 'dojo', 'dijit', 'orion/co
// _onClick: function(evt) { this.getParent().onItemClick(this, evt); }
// }));
+ var helpLink = document.createElement("a"); //$NON-NLS-0$
+ helpLink.href = require.toUrl("help/index.jsp"); //$NON-NLS-0$
+ helpLink.textContent = messages["Help"];
this.addChild(new mCommands.CommandMenuItem({
- label: "<a href="+require.toUrl("help/index.jsp") + ">"+messages["Help"]+"</a>", //$NON-NLS-4$ //$NON-NLS-2$ //$NON-NLS-1$ //$NON-NLS-0$
+ label: helpLink,
hasLink: true
}));
if(this.keyAssistFunction){
@@ -155,9 +166,12 @@ define(['i18n!orion/widgets/nls/messages', 'require', 'dojo', 'dijit', 'orion/co
this.addChild(new dijit.MenuSeparator());
+ var settingsLink = document.createElement("a"); //$NON-NLS-0$
+ settingsLink.href = require.toUrl("settings/settings.html"); //$NON-NLS-0$
+ settingsLink.textContent = messages["Settings"];
this.addChild(new mCommands.CommandMenuItem({
- label: "<a href="+require.toUrl("settings/settings.html") + ">"+messages["Settings"]+"</a>", //$NON-NLS-4$ //$NON-NLS-2$ //$NON-NLS-1$ //$NON-NLS-0$
+ label: settingsLink,
hasLink: true
}));
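Review bot: The three link-building blocks in this file (sign-in, help, settings) repeat the same createElement/href/textContent triplet, so a small module-scope helper would keep them identical and give one place to attach a scheme check later: `function makeLink(href, text) { var a = document.createElement("a"); a.href = href; a.textContent = text; return a; }`. Each call site then becomes `label: makeLink(require.toUrl("settings/settings.html"), messages["Settings"])`. The enclosing method starts before this hunk.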