product-list: Escape untrusted values
@@ -1,17 +1,17 @@
|
||||
[% BLOCK renderProductLinks %]
|
||||
<tr>
|
||||
<th>URL:</th>
|
||||
<td><a href="[% uri %]"><tt>[% uri %]</tt></a></td>
|
||||
<td><a [% HTML.attributes(href => uri) %]><tt>[% uri | html %]</tt></a></td>
|
||||
</tr>
|
||||
[% IF latestRoot %]
|
||||
<tr>
|
||||
<th>Links to latest:</th>
|
||||
<td>
|
||||
[% uri2 = "${c.uri_for(latestRoot.join('/') 'download-by-type' product.type product.subtype)}" %]
|
||||
<a href="[% uri2 %]"><tt>[% uri2 %]</tt></a>
|
||||
<a [% HTML.attributes(href => uri2) %]><tt>[% uri2 | html %]</tt></a>
|
||||
<br />
|
||||
[% uri2 = "${c.uri_for(latestRoot.join('/') 'download' product.productnr)}" %]
|
||||
<a href="[% uri2 %]"><tt>[% uri2 %]</tt></a>
|
||||
<a [% HTML.attributes(href => uri2) %]><tt>[% uri2 | html %]</tt></a>
|
||||
</td>
|
||||
</tr>
|
||||
[% END %]
|
||||
@@ -49,7 +49,7 @@
|
||||
Error
|
||||
</td>
|
||||
<td>
|
||||
<a href="[% contents %]">
|
||||
<a [% HTML.attributes(href => contents) %]>
|
||||
Failed build produced output. Click here to inspect the output.
|
||||
</a>
|
||||
</td>
|
||||
@@ -58,9 +58,9 @@
|
||||
<p>If you have Nix installed on your machine, this failed build output and
|
||||
all its dependencies can be unpacked into your local Nix store by doing:</p>
|
||||
|
||||
<div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>curl [% uri %] | gunzip | nix-store --import</code></div></div>
|
||||
<div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>curl [% HTML.escape(uri) %] | gunzip | nix-store --import</code></div></div>
|
||||
|
||||
<p>The build output can then be found in the path <tt>[% product.path %]</tt>.</p>
|
||||
<p>The build output can then be found in the path <tt>[% product.path | html %]</tt>.</p>
|
||||
[% END %]
|
||||
</td>
|
||||
</tr>
|
||||
@@ -74,7 +74,7 @@
|
||||
Nix package
|
||||
</td>
|
||||
<td>
|
||||
<tt>[% HTML.escape(build.nixname) %]</tt>
|
||||
<tt>[% build.nixname | html %]</tt>
|
||||
</td>
|
||||
<td>
|
||||
[% WRAPPER makePopover title="Help" classes="btn-secondary btn-sm"
|
||||
@@ -84,7 +84,7 @@
|
||||
<div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>nix-env -i [%HTML.escape(product.path)%][% IF binaryCachePublicUri %] --option binary-caches [% HTML.escape(binaryCachePublicUri) %][% END %]</code></div></div>
|
||||
[% END %]
|
||||
[% IF localStore %]
|
||||
<a class="btn btn-secondary btn-sm" href="[% contents %]">Contents</a>
|
||||
<a class="btn btn-secondary btn-sm" [% HTML.attributes(href => contents) %]>Contents</a>
|
||||
[% END %]
|
||||
</td>
|
||||
</tr>
|
||||
@@ -100,8 +100,8 @@
|
||||
[% filename = build.nixname _ (product.subtype ? "-" _ product.subtype : "") _ ".closure.gz" %]
|
||||
[% uri = c.uri_for('/build' build.id 'nix' 'closure' filename ) %]
|
||||
|
||||
<a href="[% uri %]">
|
||||
<tt>[% product.path %]</tt>
|
||||
<a [% HTML.attributes(href => uri) %]>
|
||||
<tt>[% product.path | html %]</tt>
|
||||
</a>
|
||||
</td>
|
||||
<td>
|
||||
@@ -110,16 +110,16 @@
|
||||
all its dependencies can be unpacked into your local Nix
|
||||
store by doing:</p>
|
||||
|
||||
<div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>gunzip < [% filename %] | nix-store --import</code></div></div>
|
||||
<div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>gunzip < [% HTML.escape(filename) %] | nix-store --import</code></div></div>
|
||||
|
||||
<p>or to download and unpack in one command:</p>
|
||||
|
||||
<div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>curl [% uri %] | gunzip | nix-store --import</code></div></div>
|
||||
<div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>curl [% HTML.escape(uri) %] | gunzip | nix-store --import</code></div></div>
|
||||
|
||||
<p>The package can then be found in the path <tt>[%
|
||||
product.path %]</tt>. You’ll probably also want to do</p>
|
||||
product.path | html %]</tt>. You’ll probably also want to do</p>
|
||||
|
||||
<div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>nix-env -i [% product.path %]</code></div></div>
|
||||
<div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>nix-env -i [% HTML.escape(product.path) %]</code></div></div>
|
||||
|
||||
<p>to actually install the package in your Nix user environment.</p>
|
||||
|
||||
@@ -174,16 +174,16 @@
|
||||
</td>
|
||||
<td>
|
||||
Channel expression tarball
|
||||
[% IF product.subtype != "-" %]for <tt>[% product.subtype %]</tt>[% END %]
|
||||
[% IF product.subtype != "-" %]for <tt>[% product.subtype | html %]</tt>[% END %]
|
||||
</td>
|
||||
[% ELSE %]
|
||||
<td>File</td>
|
||||
<td>[% product.subtype %]</td>
|
||||
<td>[% HTML.escape(product.subtype) %]</td>
|
||||
[% END %]
|
||||
[% END %]
|
||||
<td>
|
||||
<a href="[% uri %]">
|
||||
<tt>[% product.name %]</tt>
|
||||
<a [% HTML.attributes(href => uri) %]>
|
||||
<tt>[% product.name | html %]</tt>
|
||||
</a>
|
||||
</td>
|
||||
<td>
|
||||
@@ -191,12 +191,12 @@
|
||||
<table class="info-table">
|
||||
[% INCLUDE renderProductLinks %]
|
||||
<tr><th>File size:</th><td>[% product.filesize %] bytes ([% mibs(product.filesize / (1024 * 1024)) %] MiB)</td></tr>
|
||||
<tr><th>SHA-256 hash:</th><td><tt>[% product.sha256hash %]</tt></td></tr>
|
||||
<tr><th>Full path:</th><td><tt>[% product.path %]</tt></td></tr>
|
||||
<tr><th>SHA-256 hash:</th><td><tt>[% product.sha256hash | html %]</tt></td></tr>
|
||||
<tr><th>Full path:</th><td><tt>[% product.path | html %]</tt></td></tr>
|
||||
</table>
|
||||
[% END %]
|
||||
[% IF localStore %]
|
||||
<a class="btn btn-secondary btn-sm" href="[% contents %]">Contents</a>
|
||||
<a class="btn btn-secondary btn-sm" [% HTML.attributes(href => contents) %]>Contents</a>
|
||||
[% END %]
|
||||
</td>
|
||||
</tr>
|
||||
@@ -211,15 +211,15 @@
|
||||
[% CASE "coverage" %]
|
||||
<td>Code coverage</td>
|
||||
<td>
|
||||
<a href="[% uri %]">
|
||||
<a [% HTML.attributes(href => uri) %]>
|
||||
Analysis report
|
||||
</a>
|
||||
</td>
|
||||
[% CASE DEFAULT %]
|
||||
<td>Report</td>
|
||||
<td>
|
||||
<a href="[% uri %]">
|
||||
<tt>[% product.subtype %]</tt>
|
||||
<a [% HTML.attributes(href => uri) %]>
|
||||
<tt>[% product.subtype | html %]</tt>
|
||||
</a>
|
||||
</td>
|
||||
[% END %]
|
||||
@@ -240,7 +240,7 @@
|
||||
Documentation
|
||||
</td>
|
||||
<td>
|
||||
<a href="[% uri %]">
|
||||
<a [% HTML.attributes(href => uri) %]>
|
||||
[% SWITCH product.subtype %]
|
||||
[% CASE "readme" %]
|
||||
Read Me!
|
||||
@@ -249,7 +249,7 @@
|
||||
[% CASE "release-notes" %]
|
||||
Release notes
|
||||
[% CASE DEFAULT %]
|
||||
[% product.subtype %]
|
||||
[% HTML.escape(product.subtype) %]
|
||||
[% END %]
|
||||
</a>
|
||||
</td>
|
||||
@@ -266,12 +266,12 @@
|
||||
|
||||
<tr class="product">
|
||||
<td>
|
||||
<tt>[% product.type %]</tt>
|
||||
<tt>[% product.type | html %]</tt>
|
||||
</td>
|
||||
<td>
|
||||
</td>
|
||||
<td>
|
||||
[% product %]
|
||||
[% HTML.escape(product) %]
|
||||
</td>
|
||||
<td>
|
||||
</td>
|
||||
|
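Review bot: The copy-paste command lines (`curl [% HTML.escape(uri) %] | gunzip | nix-store --import`, `gunzip < [% HTML.escape(filename) %] | nix-store --import`, `nix-env -i [% HTML.escape(product.path) %]`) are now safe as HTML, but the value is still interpolated unquoted into a shell command the reader is told to run. The browser turns the entities back into the raw characters before the user copies the text, and `filename` is built from `build.nixname` and `product.subtype`; the hunks do not show what constrains those values, so whitespace or shell metacharacters in them would change what the pasted command does. Consider shell-quoting the value before HTML-escaping it, or rejecting such names when the product is recorded. Likewise `HTML.attributes(href => ...)` escapes the attribute value but does not restrict the URL scheme, which is fine only if `uri` and `contents` always come from `c.uri_for`; the assignment of `contents` and of the first `uri` lies outside the visible hunks, so that should be confirmed.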