YunoHost-Apps/ihatemoney_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/ihatemoney_ynh.git synced 2024-09-03 19:26:15 +02:00
Code Issues Activity Actions

Fix xss (#173)

Browse source 
Fix #173
Rewrite multi select widget as a template in order to have all values properly escaped.
This commit is contained in:
Alexandre Avenel 2017-02-16 23:11:30 +01:00
parent 3dd7c67ecf
commit baba943e62
3 changed files with 14 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
budget/forms.py
View file

@ -118,7 +118,7 @@ class BillForm(Form):
payer = SelectField(_("Payer"), validators=[Required()], coerce=int) payer = SelectField(_("Payer"), validators=[Required()], coerce=int)
amount = CommaDecimalField(_("Amount paid"), validators=[Required()]) amount = CommaDecimalField(_("Amount paid"), validators=[Required()])
payed_for = SelectMultipleField(_("For whom?"), payed_for = SelectMultipleField(_("For whom?"),
validators=[Required()], widget=select_multi_checkbox, coerce=int) validators=[Required()], coerce=int)
submit = SubmitField(_("Submit")) submit = SubmitField(_("Submit"))
submit2 = SubmitField(_("Submit and add a new one")) submit2 = SubmitField(_("Submit and add a new one"))

13
budget/templates/forms.html
View file

@ -85,7 +85,18 @@
{{ input(form.what, inline=True) }} {{ input(form.what, inline=True) }}
{{ input(form.payer, inline=True, class="form-control custom-select") }} {{ input(form.payer, inline=True, class="form-control custom-select") }}
{{ input(form.amount, inline=True) }} {{ input(form.amount, inline=True) }}
{{ input(form.payed_for, inline=True, class="form-check-input") }}
<div class="form-group row">
<label class="col-3" for="payed_for">{{ _("For whom?") }}</label>
<div class="controls col-9">
<ul id="payed_for" class="inputs-list">
<p><a href="#" id="selectall" onclick="selectall()">{{ _("Select all") }}</a> | <a href="#" id="selectnone" onclick="selectnone()">{{_("Select none")}}</a></p>
{% for key, value, checked in form.payed_for.iter_choices() %}
<p class="form-check"><label for="payed_for-{{key}}" class="form-check-label"><input name="payed_for" type="checkbox" {% if checked %}checked{% endif %} class="form-check-input" value="{{key}}"/><span>{{value}}</span></label></p>
{% endfor %}
</ul>
</div>
</div>
</fieldset> </fieldset>
<div class="actions"> <div class="actions">
{{ form.submit(class="btn btn-primary") }} {{ form.submit(class="btn btn-primary") }}

2
budget/templates/list_bills.html
View file

@ -107,7 +107,7 @@
<thead><tr><th>{{ _("When?") }}</th><th>{{ _("Who paid?") }}</th><th>{{ _("For what?") }}</th><th>{{ _("For whom?") }}</th><th>{{ _("How much?") }}</th><th>{{ _("Actions") }}</th></tr></thead> <thead><tr><th>{{ _("When?") }}</th><th>{{ _("Who paid?") }}</th><th>{{ _("For what?") }}</th><th>{{ _("For whom?") }}</th><th>{{ _("How much?") }}</th><th>{{ _("Actions") }}</th></tr></thead>
<tbody> <tbody>
{% for bill in bills %} {% for bill in bills %}
<tr owers={{bill.owers|join(',','id')}} payer={{bill.payer.id}}> <tr owers="{{bill.owers|join(',','id')}}" payer="{{bill.payer.id}}">
<td>{{ bill.date }}</td> <td>{{ bill.date }}</td>
<td>{{ bill.payer }}</td> <td>{{ bill.payer }}</td>
<td>{{ bill.what }}</td> <td>{{ bill.what }}</td>