From 4d2d0f97221c53756629fdcd49f859b09ac6b67d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Janne=20He=C3=9F?= Date: Sat, 2 Aug 2025 18:20:35 +0200 Subject: [PATCH] templates: Hopefully escape all template inputs --- src/root/all.tt | 2 +- src/root/build.tt | 8 +-- src/root/channel-contents.tt | 8 +-- src/root/common.tt | 92 +++++++++++++++---------------- src/root/dashboard-my-jobs-tab.tt | 2 +- src/root/deps.tt | 6 +- src/root/edit-jobset.tt | 10 ++-- src/root/evals.tt | 2 +- src/root/job.tt | 2 +- src/root/jobset-channels-tab.tt | 2 +- src/root/jobset-eval.tt | 24 ++++---- src/root/jobset-jobs-tab.tt | 2 +- src/root/jobset.tt | 10 ++-- src/root/log.tt | 4 +- src/root/machine-status.tt | 24 ++++---- src/root/machines.tt | 8 +-- src/root/overview.tt | 2 +- src/root/queue-summary.tt | 2 +- src/root/runcommand-log.tt | 4 +- src/root/search.tt | 4 +- src/root/steps.tt | 6 +- src/root/topbar.tt | 4 +- src/root/user.tt | 2 +- src/root/users.tt | 2 +- 24 files changed, 116 insertions(+), 116 deletions(-) diff --git a/src/root/all.tt b/src/root/all.tt index e877f5b5..eee4488e 100644 --- a/src/root/all.tt +++ b/src/root/all.tt @@ -11,7 +11,7 @@ titleHTML="Latest builds" _ "") %] [% PROCESS common.tt %] -

Showing builds [% (page - 1) * resultsPerPage + 1 %] - [% (page - 1) * resultsPerPage + builds.size %] out of [% total %] in order of descending finish time.

+

Showing builds [% (page - 1) * resultsPerPage + 1 %] - [% (page - 1) * resultsPerPage + builds.size %] out of [% HTML.escape(total) %] in order of descending finish time.

[% INCLUDE renderBuildList hideProjectName=project hideJobsetName=jobset hideJobName=job %] [% INCLUDE renderPager %] diff --git a/src/root/build.tt b/src/root/build.tt index 46a949fa..8c52b489 100644 --- a/src/root/build.tt +++ b/src/root/build.tt @@ -86,7 +86,7 @@ END; [% ELSIF step.status == 11 %] Output limit exceeded [% ELSIF step.status == 12 %] - Non-determinism detected [% IF step.timesbuilt %] after [% step.timesbuilt %] times[% END %] + Non-determinism detected [% IF step.timesbuilt %] after [% HTML.escape(step.timesbuilt) %] times[% END %] [% ELSIF step.errormsg %] Failed: [% HTML.escape(step.errormsg) %] [% ELSE %] @@ -507,14 +507,14 @@ END;
[% IF not runcommandlog.is_running() %] [% IF runcommandlog.did_fail_with_signal() %] - Exit signal: [% runcommandlog.signal %] + Exit signal: [% runcommandlog.signal | html %] [% IF runcommandlog.core_dumped %] (Core Dumped) [% END %] [% ELSIF runcommandlog.did_fail_with_exec_error() %] - Exec error: [% runcommandlog.error_number %] + Exec error: [% runcommandlog.error_number | html %] [% ELSIF not runcommandlog.did_succeed() %] - Exit code: [% runcommandlog.exit_code %] + Exit code: [% runcommandlog.exit_code | html %] [% END %] [% END %]
diff --git a/src/root/channel-contents.tt b/src/root/channel-contents.tt index ff79dd0f..11d0323d 100644 --- a/src/root/channel-contents.tt +++ b/src/root/channel-contents.tt @@ -7,7 +7,7 @@ href="http://nixos.org/">Nix package manager. If you have Nix installed, you can subscribe to this channel by once executing

-$ nix-channel --add [% curUri +%]
+$ nix-channel --add [% HTML.escape(curUri) +%]
 $ nix-channel --update
 
@@ -49,9 +49,9 @@ installed, you can subscribe to this channel by once executing

[% b = pkg.build %] - c.uri_for('/build' b.id)) %]>[% b.id %] - [% b.get_column('releasename') || b.nixname %] - [% b.system %] + c.uri_for('/build' b.id)) %]>[% HTML.escape(b.id) %] + [% b.get_column('releasename') || b.nixname | html %] + [% b.system | html %] [% IF b.homepage %] b.homepage) %]>[% HTML.escape(b.description) %] diff --git a/src/root/common.tt b/src/root/common.tt index 455629c3..38bb64f2 100644 --- a/src/root/common.tt +++ b/src/root/common.tt @@ -55,17 +55,17 @@ BLOCK renderRelativeDate %] [% END; BLOCK renderProjectName %] - c.uri_for('/project' project)) %]>[% project %] + c.uri_for('/project' project)) %]>[% project | html %] [% END; BLOCK renderJobsetName %] - c.uri_for('/jobset' project jobset)) %]>[% jobset %] + c.uri_for('/jobset' project jobset)) %]>[% jobset | html %] [% END; BLOCK renderJobName %] - c.uri_for('/job' project jobset job)) %]>[% job %] + c.uri_for('/job' project jobset job)) %]>[% job | html %] [% END; @@ -98,7 +98,7 @@ BLOCK renderDrvInfo; .substr(0, -4); # strip `.drv` IF drvname != releasename; IF step.type == 0; action = "Build"; ELSE; action = "Substitution"; END; - IF drvname; %] ([% action %] of [% drvname %])[% END; + IF drvname; %] ([% HTML.escape(action) %] of [% HTML.escape(drvname) %])[% END; END; END; 
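Review bot: The postfix filter in `[% b.get_column('releasename') || b.nixname | html %]` leaves it to Template Toolkit's directive grammar whether `html` wraps the whole `||` expression or, as a reader may assume, only `b.nixname`; I believe it is the former, but the cell directly above already uses the call form, which has no such ambiguity. Writing it as `[% b.get_column('releasename') || b.nixname %]` → `[% HTML.escape(b.get_column('releasename') || b.nixname) %]` removes the doubt and keeps this hunk consistent with the `HTML.escape(b.id)` cell beside it. The common.tt hunk in this same series spells the equivalent release-name fallback out with `HTML.escape` on both branches, so this is the only place the two forms are mixed.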
@@ -140,20 +140,20 @@ BLOCK renderBuildListBody; [% IF showSchedulingInfo %] [% IF busy %]Started[% ELSE %]Queued[% END %] [% END %] - link) %]>[% build.id %] + link) %]>[% HTML.escape(build.id) %] [% IF !hideJobName %] - link) %]>[% IF !hideJobsetName %][% build.jobset.get_column("project") %]:[% build.jobset.get_column("name") %]:[% END %][% build.get_column("job") %] + link) %]>[% IF !hideJobsetName %][% HTML.escape(build.jobset.get_column("project")) %]:[% HTML.escape(build.jobset.get_column("name")) %]:[% END %][% HTML.escape(build.get_column("job")) %] [% IF showStepName %] [% INCLUDE renderDrvInfo step=build.buildsteps releasename=build.nixname %] [% END %] [% END %] [% t = showSchedulingInfo ? build.timestamp : build.stoptime; IF t; INCLUDE renderRelativeDate timestamp=(showSchedulingInfo ? build.timestamp : build.stoptime); ELSE; "-"; END %] - [% !showSchedulingInfo and build.get_column('releasename') ? build.get_column('releasename') : build.nixname %] - [% build.system %] + [% !showSchedulingInfo and build.get_column('releasename') ? HTML.escape(build.get_column('releasename')) : HTML.escape(build.nixname) %] + [% build.system | html %] [% IF showDescription %] - [% build.description %] + [% HTML.escape(build.description) %] [% END %] [% END; @@ -176,11 +176,11 @@ BLOCK renderBuildList; END; -BLOCK renderLink %] uri) %]>[% title %][% END; +BLOCK renderLink %] uri) %]>[% HTML.escape(title) %][% END; BLOCK maybeLink; - IF uri %] uri, class => class); IF confirmmsg +%] onclick="javascript:return confirm('[% confirmmsg %]')"[% END %]>[% content %][% ELSE; content; END; + IF uri %] uri, class => class); IF confirmmsg +%] onclick="javascript:return confirm('[% confirmmsg %]')"[% END %]>[% HTML.escape(content) %][% ELSE; HTML.escape(content); END; END; @@ -192,7 +192,7 @@ BLOCK renderSelection; [% END %] @@ -200,7 +200,7 @@ BLOCK renderSelection; [% ELSE %] [% END; 
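Review bot: In `maybeLink`, `confirmmsg` is still interpolated raw into `onclick="javascript:return confirm('[% confirmmsg %]')"`, so the hunk escapes the link text but not the value that lands inside a JavaScript string literal in an event-handler attribute; a quote or backslash in it would terminate the string, and `| html` alone is not the right escaper for that context. If every caller passes a fixed literal this is only hardening; otherwise consider carrying the message in a data attribute via `HTML.attributes(href => uri, class => class, 'data-confirm' => confirmmsg)` and having a small script read `dataset.confirm` for `confirm()`, so the value only ever passes through the attribute escaper. I cannot see the callers from this hunk, so whether `confirmmsg` is ever user-influenced is an assumption to verify.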
@@ -216,12 +216,12 @@ BLOCK editString; %] BLOCK renderFullBuildLink; - INCLUDE renderFullJobNameOfBuild build=build %] c.uri_for('/build' build.id)) %]>build [% build.id %][% + INCLUDE renderFullJobNameOfBuild build=build %] c.uri_for('/build' build.id)) %]>build [% HTML.escape(build.id) %][% END; BLOCK renderBuildIdLink; %] - c.uri_for('/build' id)) %]>build [% id %] + c.uri_for('/build' id)) %]>build [% HTML.escape(id) %] [% END; @@ -320,7 +320,7 @@ END; BLOCK renderShortInputValue; IF input.type == "build" || input.type == "sysbuild" %] - c.uri_for('/build' input.dependency.id)) %]>[% input.dependency.id %] + c.uri_for('/build' input.dependency.id)) %]>[% HTML.escape(input.dependency.id) %] [% ELSIF input.type == "string" %] "[% HTML.escape(input.value) %]" [% ELSIF input.type == "nix" || input.type == "boolean" %] @@ -338,7 +338,7 @@ BLOCK renderDiffUri; url = bi1.uri; path = url.replace(base, ''); IF url.match(base) %] - m.uri.replace('_path_', path).replace('_1_', bi1.revision).replace('_2_', bi2.revision)) %]>[% contents %] + m.uri.replace('_path_', path).replace('_1_', bi1.revision).replace('_2_', bi2.revision)) %]>[% HTML.escape(contents) %] [% nouri = 0; END; END; @@ -353,7 +353,7 @@ BLOCK renderDiffUri; rev2 = bi2.revision, type = bi1.type, branch = branch - })) %]>[% contents %] + })) %]>[% HTML.escape(contents) %] [% ELSE; contents; END; @@ -369,8 +369,8 @@ BLOCK renderInputs; %] [% FOREACH input IN inputs %] - [% input.name %] - [% type = input.type; inputTypes.$type %] + [% input.name | html %] + [% type = input.type; HTML.escape(inputTypes.$type) %] [% IF input.type == "build" || input.type == "sysbuild" %] [% INCLUDE renderFullBuildLink build=input.dependency %] @@ -383,7 +383,7 @@ BLOCK renderInputs; %] [% END %] [% IF input.revision %][% HTML.escape(input.revision) %][% END %] - [% input.path %] + [% input.path | html %] [% END %] 
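Review bot: The `[% ELSE; contents; END;` fallback at the end of the renderDiffUri hunk still emits `contents` unescaped, while both link branches in the block now wrap it in `HTML.escape`, so the plain-text path taken when no diff URI matches is the one left raw. Changing it to `[% ELSE; HTML.escape(contents); END;` makes all three branches agree. The block's opening is outside this hunk.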
@@ -407,33 +407,33 @@ BLOCK renderInputDiff; %] IF bi1.name == bi2.name; IF bi1.type == bi2.type; IF bi1.value != bi2.value || bi1.uri != bi2.uri %] - [% bi1.name %][% INCLUDE renderShortInputValue input=bi1 %] to [% INCLUDE renderShortInputValue input=bi2 %] + [% HTML.escape(bi1.name) %][% INCLUDE renderShortInputValue input=bi1 %] to [% INCLUDE renderShortInputValue input=bi2 %] [% ELSIF bi1.uri == bi2.uri && bi1.revision != bi2.revision %] [% IF bi1.type == "git" %] - [% bi1.name %][% INCLUDE renderDiffUri contents=(bi1.revision.substr(0, 12) _ ' to ' _ bi2.revision.substr(0, 12)) %] + [% HTML.escape(bi1.name) %][% INCLUDE renderDiffUri contents=(bi1.revision.substr(0, 12) _ ' to ' _ bi2.revision.substr(0, 12)) %] [% ELSE %] - [% bi1.name %][% INCLUDE renderDiffUri contents=(bi1.revision _ ' to ' _ bi2.revision) %] + [% HTML.escape(bi1.name) %][% INCLUDE renderDiffUri contents=(bi1.revision _ ' to ' _ bi2.revision) %] [% END %] [% ELSIF bi1.dependency.id != bi2.dependency.id || bi1.path != bi2.path %] - [% bi1.name %][% INCLUDE renderShortInputValue input=bi1 %] to [% INCLUDE renderShortInputValue input=bi2 %] + [% HTML.escape(bi1.name) %][% INCLUDE renderShortInputValue input=bi1 %] to [% INCLUDE renderShortInputValue input=bi2 %]

[% INCLUDE renderInputDiff inputs1=bi1.dependency.inputs inputs2=bi2.dependency.inputs nestedDiff=1 nestLevel=nestLevel+1 %] [% END %] [% ELSE %] - [% bi1.name %]Changed input type from '[% type = bi1.type; inputTypes.$type %]' to '[% type = bi2.type; inputTypes.$type %]' + [% HTML.escape(bi1.name) %]Changed input type from '[% type = bi1.type; HTML.escape(inputTypes.$type) %]' to '[% type = bi2.type; HTML.escape(inputTypes.$type) %]' [% END; deletedInput = 0; END; END; IF deletedInput == 1 %] - [% bi1.name %]Input not present in this build. + [% HTML.escape(bi1.name) %]Input not present in this build. [% END; END; END %] @@ -455,13 +455,13 @@ BLOCK renderShortEvalInput; IF input.type == "svn" || input.type == "svn-checkout" || input.type == "bzr" || input.type == "bzr-checkout" %] r[% input.revision %] [% ELSIF input.type == "git" %] - [% input.revision.substr(0, 7) %] + [% input.revision.substr(0, 7) | html %] [% ELSIF input.type == "hg" %] - [% input.revision.substr(0, 12) %] + [% input.revision.substr(0, 12) | html %] [% ELSIF input.type == "build" || input.type == "sysbuild" %] - c.uri_for('/build' input.get_column('dependency'))) %]>[% input.get_column('dependency') %] + c.uri_for('/build' input.get_column('dependency'))) %]>[% HTML.escape(input.get_column('dependency')) %] [% ELSE %] - [% input.revision %] + [% input.revision | html %] [% END; END; @@ -498,7 +498,7 @@ BLOCK renderEvals %] eval = e.eval; link = c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id]) %] - link) %]>[% eval.id %] + link) %]>[% HTML.escape(eval.id) %] [% IF !jobset && !build %] [% INCLUDE renderFullJobsetName project=eval.jobset.project.name jobset=eval.jobset.name %] [% END %] 
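Review bot: In renderShortEvalInput the svn/bzr branch `r[% input.revision %]` is a context line and still prints the revision raw, while the git, hg and generic branches in the same hunk gained `| html`. Escaping it as `r[% input.revision | html %]` closes that gap; the value is the same field the other branches now escape. The BLOCK header sits just above the hunk's first line.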
@@ -507,7 +507,7 @@ BLOCK renderEvals %] [% IF e.changedInputs.size > 0; sep=''; FOREACH input IN e.changedInputs; - sep; %] [% input.name %] → [% INCLUDE renderShortEvalInput input=input; + sep; %] [% HTML.escape(input.name) %] → [% INCLUDE renderShortEvalInput input=input; sep=', '; END; ELSE %] @@ -518,23 +518,23 @@ BLOCK renderEvals %] [% END %] - [% e.nrSucceeded %] + [% HTML.escape(e.nrSucceeded) %] [% IF e.nrFailed > 0 %] - [% e.nrFailed %] + [% HTML.escape(e.nrFailed) %] [% END %] [% IF e.nrScheduled > 0 %] - [% e.nrScheduled %] + [% HTML.escape(e.nrScheduled) %] [% END %] [% IF e.diff > 0 %] - +[% e.diff %] + +[% HTML.escape(e.diff) %] [% ELSIF e.diff < 0 && e.nrScheduled == 0 %] - [% e.diff %] + [% HTML.escape(e.diff) %] [% END %] @@ -553,14 +553,14 @@ BLOCK renderLogLinks %] BLOCK makeLazyTab %] -
+
tabName) %] class="tab-pane">
[% END; @@ -587,7 +587,7 @@ BLOCK navItem %] [% END; @@ -657,17 +657,17 @@ BLOCK renderJobsetOverview %] [% successrate FILTER format('%d') %]% [% IF j.get_column('nrsucceeded') > 0 %] - [% j.get_column('nrsucceeded') %] + [% HTML.escape(j.get_column('nrsucceeded')) %] [% END %] [% IF j.get_column('nrfailed') > 0 %] - [% j.get_column('nrfailed') %] + [% HTML.escape(j.get_column('nrfailed')) %] [% END %] [% IF j.get_column('nrscheduled') > 0 %] - [% j.get_column('nrscheduled') %] + [% HTML.escape(j.get_column('nrscheduled')) %] [% END %] @@ -700,7 +700,7 @@ BLOCK createChart %] diff --git a/src/root/dashboard-my-jobs-tab.tt b/src/root/dashboard-my-jobs-tab.tt index a1e82612..470c174c 100644 --- a/src/root/dashboard-my-jobs-tab.tt +++ b/src/root/dashboard-my-jobs-tab.tt @@ -9,7 +9,7 @@ [% ELSE %] -

Below are the most recent builds of the [% builds.size %] jobs of which you +

Below are the most recent builds of the [% HTML.escape(builds.size) %] jobs of which you ([% HTML.escape(user.emailaddress) %]) are a maintainer.

[% INCLUDE renderBuildList %] diff --git a/src/root/deps.tt b/src/root/deps.tt index b9f3ba7e..4cb49af4 100644 --- a/src/root/deps.tt +++ b/src/root/deps.tt @@ -3,20 +3,20 @@ [% BLOCK renderNode %]
  • [% IF done.${node.path} %] - [% node.name %] (repeated) + [% node.name | html %] ( "#" _ done.${node.path}) %]>repeated) [% ELSE %] [% done.${node.path} = global.nodeId; global.nodeId = global.nodeId + 1; %] [% IF node.refs.size > 0 %] [% END %] - + done.${node.path}) %]> [% IF node.buildStep %] c.uri_for('/build' node.buildStep.get_column('build'))) %]>[% node.name %] [% IF buildStepLogExists(node.buildStep); INCLUDE renderLogLinks url=c.uri_for('/build' node.buildStep.get_column('build') 'nixlog' node.buildStep.stepnr); END %] [% ELSE %] - [% node.name %] (no info) + [% node.name | html %] (no info) [% END %] [% IF isRoot %] diff --git a/src/root/edit-jobset.tt b/src/root/edit-jobset.tt index 429ab546..a3c1c9c5 100644 --- a/src/root/edit-jobset.tt +++ b/src/root/edit-jobset.tt @@ -7,17 +7,17 @@ [% USE format %] [% BLOCK renderJobsetInput %] - + id) %][% END %]> - input.name) %]/> + baseName _ "-name", name => baseName _ "-name", value => input.name) %] /> [% INCLUDE renderSelection curValue=input.type param="$baseName-type" options=inputTypes edit=1 %] - + baseName) %]> [% IF createFromEval %] [% value = (input.uri or input.value); IF input.revision; value = value _ " " _ input.revision; END; warn = input.altnr != 0; @@ -36,7 +36,7 @@ value, id => "$baseName-value", name => "$baseName-value") %]/> - + "$baseName-emailresponsible", name => "$baseName-emailresponsible") %] [% IF input.emailresponsible; 'checked="checked"'; END %]/> [% END %] @@ -149,7 +149,7 @@
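Review bot: In renderNode the `[% IF node.buildStep %]` branch still prints `[% node.name %]` unescaped as the link text, while the `(repeated)` and `(no info)` branches in the same hunk gained `| html`. All three print the same value, so the link branch should read `[% node.name | html %]` as well. The block continues past the hunk's last line.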
    diff --git a/src/root/evals.tt b/src/root/evals.tt index c12079d1..b65fe15d 100644 --- a/src/root/evals.tt +++ b/src/root/evals.tt @@ -10,7 +10,7 @@ [% PROCESS common.tt %]

    Showing evaluations [% (page - 1) * resultsPerPage + 1 %] - [% -(page - 1) * resultsPerPage + evals.size %] out of [% total %].

    +(page - 1) * resultsPerPage + evals.size %] out of [% HTML.escape(total) %].

    [% INCLUDE renderEvals %] diff --git a/src/root/job.tt b/src/root/job.tt index acb874a3..1a82a86b 100644 --- a/src/root/job.tt +++ b/src/root/job.tt @@ -46,7 +46,7 @@ removed or had an evaluation error.
    its success or failure is determined entirely by the result of building its constituent jobs. The table below shows the status of each constituent job for the [% - aggregates.keys.size %] most recent builds of the + HTML.escape(aggregates.keys.size) %] most recent builds of the aggregate.
  • [% aggs = aggregates.keys.nsort.reverse %] diff --git a/src/root/jobset-channels-tab.tt b/src/root/jobset-channels-tab.tt index 3fa4ba69..5ea8ce1b 100644 --- a/src/root/jobset-channels-tab.tt +++ b/src/root/jobset-channels-tab.tt @@ -22,7 +22,7 @@ [% FOREACH chan IN channels-%] - c.uri_for('/channel/custom' project.name jobset.name chan)) %]>[% chan %] + c.uri_for('/channel/custom' project.name jobset.name chan)) %]>[% HTML.escape(chan) %] [% FOREACH eval IN evalIds %] [% r = evals.$eval.builds.$chan; IF r.id %] c.uri_for('/build' r.id)) %]>[% INCLUDE renderBuildStatusIcon size=16 build=r %][% END %] [% END %] diff --git a/src/root/jobset-eval.tt b/src/root/jobset-eval.tt index 265f472e..6e97c386 100644 --- a/src/root/jobset-eval.tt +++ b/src/root/jobset-eval.tt @@ -14,7 +14,7 @@ [% IF project.jobsets_rs.count > 1 %] [% FOREACH j IN project.jobsets.sort('name'); IF j.name != jobset.name %] - Jobset [% project.name %]:[% j.name %] + Jobset [% project.name | html %]:[% j.name | html %] [% END; END %] [% END %] @@ -23,13 +23,13 @@

    This evaluation was performed [% IF eval.flake %]from the flake [% HTML.escape(eval.flake) %][% END %] on [% INCLUDE renderDateTime timestamp=eval.timestamp %]. Fetching the dependencies took [% -eval.checkouttime %]s and evaluation took [% eval.evaltime %]s.

    +eval.checkouttime %]s and evaluation took [% HTML.escape(eval.evaltime) %]s.

    [% IF otherEval %]

    Comparisons are relative to [% INCLUDE renderFullJobsetName project=otherEval.jobset.project.name jobset=otherEval.jobset.name %] evaluation c.uri_for(c.controller('JobsetEval').action_for('view'), -[otherEval.id])) %]>[% otherEval.id %].

    +[otherEval.id])) %]>[% HTML.escape(otherEval.id) %].

    [% END %]
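Review bot: `eval.checkouttime` is still printed unescaped on the `+eval.checkouttime %]s` line (the directive opens on the preceding context line), while `eval.evaltime` and `otherEval.id` in the same hunk are now wrapped in `HTML.escape`. Both timings are the same kind of value, so the asymmetry reads as an oversight rather than a decision; `HTML.escape(eval.checkouttime) %]s` keeps the sentence consistent.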
    @@ -63,28 +63,28 @@ HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('view'), [% END %] [% IF aborted.size > 0 %] - + [% END %] [% IF nowFail.size > 0 %] - + [% END %] [% IF nowSucceed.size > 0 %] - + [% END %] [% IF new.size > 0 %] - + [% END %] [% IF removed.size > 0 %] - + [% END %] [% IF stillFail.size > 0 %] - + [% END %] [% IF stillSucceed.size > 0 %] - + [% END %] [% IF unfinished.size > 0 %] - + [% END %] @@ -132,7 +132,7 @@ HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('view'), [% FOREACH j IN removed.slice(0,(size > max ? max : size) - 1) %] [% INCLUDE renderJobName project=project.name jobset=jobset.name job=j.job %] - [% j.system %] + [% j.system | html %] [% END %] [% IF size > max; params = c.req.params; params.full = 1 %] diff --git a/src/root/jobset-jobs-tab.tt b/src/root/jobset-jobs-tab.tt index 2785e802..ddb63caa 100644 --- a/src/root/jobset-jobs-tab.tt +++ b/src/root/jobset-jobs-tab.tt @@ -41,7 +41,7 @@ [% ELSE %] [% IF nrJobs > jobs.size %] -
    Showing the first [% jobs.size %] jobs. Show all [% nrJobs %] jobs...
    +
    Showing the first [% HTML.escape(jobs.size) %] jobs. Show all [% HTML.escape(nrJobs) %] jobs...
    [% END %] [% evalIds = evals.keys.nsort.reverse %] diff --git a/src/root/jobset.tt b/src/root/jobset.tt index 1e570cf3..c0b6e4cd 100644 --- a/src/root/jobset.tt +++ b/src/root/jobset.tt @@ -6,14 +6,14 @@ [% BLOCK renderJobsetInput %] - + id) %][% END %]> [% HTML.escape(input.name) %] [% INCLUDE renderSelection curValue=input.type param="$baseName-type" options=inputTypes %] - + baseName) %]> [% FOREACH alt IN input.search_related('jobsetinputalts', {}, { order_by => 'altnr' }) %] [% IF input.type == "string" %] @@ -153,11 +153,11 @@ [% END %] Check interval: - [% jobset.checkinterval || "disabled" %] + [% HTML.escape(jobset.checkinterval) || "disabled" %] Scheduling shares: - [% jobset.schedulingshares %] [% IF totalShares %] ([% f = format("%.2f"); f(jobset.schedulingshares / totalShares * 100) %]% out of [% totalShares %] shares)[% END %] + [% HTML.escape(jobset.schedulingshares) %] [% IF totalShares %] ([% f = format("%.2f"); f(jobset.schedulingshares / totalShares * 100) %]% out of [% HTML.escape(totalShares) %] shares)[% END %] Enable Dynamic RunCommand Hooks: @@ -175,7 +175,7 @@ [% END %] Number of evaluations to keep: - [% jobset.keepnr %] + [% HTML.escape(jobset.keepnr) %] diff --git a/src/root/log.tt b/src/root/log.tt index d5eb18e0..783927fe 100644 --- a/src/root/log.tt +++ b/src/root/log.tt @@ -14,7 +14,7 @@ the build log ( step ? c.uri_for('/build' build.id 'nixlog' step.stepnr, 'raw') : c.uri_for('/build' build.id 'log', 'raw')) %]>raw) of derivation [% IF step; step.drvpath; ELSE; build.drvpath; END %]. [% IF step && step.machine %] - It was built on [% step.machine %]. + It was built on [% step.machine | html %]. [% END %] [% IF tail %] The step ? c.uri_for('/build' build.id 'nixlog' step.stepnr) 
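Review bot: `[% HTML.escape(jobset.checkinterval) || "disabled" %]` escapes before applying the fallback, so when `checkinterval` is NULL the plugin's `escape` is called with an undefined value; the output still falls through to `"disabled"`, but I would expect the substitutions inside `escape` to raise uninitialized-value warnings in the server log. Escaping after the fallback, `[% HTML.escape(jobset.checkinterval || "disabled") %]`, produces the same text for 0 and NULL and never hands undef to the plugin.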
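Review bot: In the log.tt hunk the context line `of derivation [% IF step; step.drvpath; ELSE; build.drvpath; END %]` still prints the derivation path raw, while `step.machine` on the next line gained `| html`. Store paths are normally restricted to a narrow character set, but the series' stated aim is to escape every template input, so `[% HTML.escape(step ? step.drvpath : build.drvpath) %]` would keep this line in step with the rest of the hunk using the ternary form common.tt already uses.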
@@ -37,7 +37,7 @@ [% IF tail %] /* The server may give us a full log (e.g. if the log is in S3). So extract the last lines. */ - log_data = log_data.split("\n").slice(-[% tail %]).join("\n"); + log_data = log_data.split("\n").slice(-[% HTML.escape(tail) %]).join("\n"); [% END %] $("#contents").text(log_data); diff --git a/src/root/machine-status.tt b/src/root/machine-status.tt index d1c2a6cd..fcb201cf 100644 --- a/src/root/machine-status.tt +++ b/src/root/machine-status.tt @@ -21,22 +21,22 @@ [% INCLUDE renderMachineName machine=m.key %] [% IF m.value.primarySystemType %] - ([% m.value.primarySystemType %]) + ([% m.value.primarySystemType | html %])   [% WRAPPER makePopover title="Details" classes="btn-secondary btn-sm" %]
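Review bot: `slice(-[% HTML.escape(tail) %])` interpolates `tail` into JavaScript source inside the script that populates `#contents`, and HTML entity escaping does not apply there: the browser does not decode entities in script content, so a non-numeric value would reach the JavaScript parser with `&amp;`-style entities in the middle of an expression, and the escaper neither prevents that nor yields a valid number. Since the value is only ever used as a line count, constraining it to an integer is the right escaper for this context, for instance `slice(-[% tail | format('%d') %])` with the `format` filter this series already relies on in common.tt's renderJobsetOverview. The controller may already validate `tail`, which I cannot see from here; `HTML.escape` remains the right choice for the HTML-text uses of the same value.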