mirror of https://github.com/zulip/zulip.git
Escape variables interpolated into <script> within index.html
Django's escapejs prevents breaking out with an embedded </script> tag. It only works on bare string contents, not JSON-ish lists and such. So we generate stream_list and people_list with template loops now. (imported from commit 07fe4bebaa3fa11bc479b4378b8989560ce77f6f)
parent
4715d2144c
commit
7137787984
|
@ -43,11 +43,25 @@
|
||||||
|
|
||||||
<script type="text/javascript">
|
<script type="text/javascript">
|
||||||
{% autoescape off %}
|
{% autoescape off %}
|
||||||
|
|
||||||
|
{# Not escaped, because it's guaranteed by the model to be an integer. #}
|
||||||
var initial_pointer = {{ user_profile.pointer }};
|
var initial_pointer = {{ user_profile.pointer }};
|
||||||
var email = "{{ user_profile.user.email }}";
|
|
||||||
var stream_list = {{ streams }};
|
var email = "{{ user_profile.user.email|escapejs }}";
|
||||||
var people_list = {{ people }};
|
var have_initial_messages = {{ have_initial_messages|escapejs }};
|
||||||
var have_initial_messages = {{ have_initial_messages }};
|
|
||||||
|
var stream_list = [
|
||||||
|
{% for stream in streams %}
|
||||||
|
"{{ stream|escapejs }}",
|
||||||
|
{% endfor %}
|
||||||
|
];
|
||||||
|
|
||||||
|
var people_list = [
|
||||||
|
{% for person in people %}
|
||||||
|
"{{ person|escapejs }}",
|
||||||
|
{% endfor %}
|
||||||
|
];
|
||||||
|
|
||||||
{% endautoescape %}
|
{% endautoescape %}
|
||||||
</script>
|
</script>
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
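Review bot: `escapejs` on `have_initial_messages` does not protect that line, because the value is interpolated unquoted and the filter is only meaningful inside a quoted JavaScript string, as the commit message itself notes for non-string values. The line is safe only because the view passes the literal `'true'` or `'false'`; I would drop the filter there and document the reason the way `initial_pointer` is documented: `{# Not escaped: the view only ever passes the literal true or false. #}`. Separately, the generated `stream_list` and `people_list` arrays end in a trailing comma before `]`, which older Internet Explorer versions count as an extra element; emitting the comma as `{% if not forloop.last %},{% endif %}` avoids that.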
|
@ -173,8 +173,8 @@ def home(request):
|
||||||
return render_to_response('zephyr/index.html',
|
return render_to_response('zephyr/index.html',
|
||||||
{'user_profile': user_profile,
|
{'user_profile': user_profile,
|
||||||
'email_hash' : hashlib.md5(user_profile.user.email).hexdigest(),
|
'email_hash' : hashlib.md5(user_profile.user.email).hexdigest(),
|
||||||
'people' : simplejson.dumps(people),
|
'people' : people,
|
||||||
'streams' : simplejson.dumps(streams),
|
'streams' : streams,
|
||||||
'have_initial_messages':
|
'have_initial_messages':
|
||||||
'true' if messages else 'false',
|
'true' if messages else 'false',
|
||||||
'show_debug':
|
'show_debug':
|
||||||
|
|
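Review bot: Passing `people` and `streams` as raw lists moves the JavaScript encoding into the template, so the output is only correct while every element is a string; that contract is now implicit, and a comment above the context dict would record it: `# people/streams: lists of strings, quoted and escaped per element with |escapejs in index.html`. `have_initial_messages` is still a pre-rendered `'true'`/`'false'` string that the template emits unquoted, so it has to remain a fixed literal chosen by the view. The body of `home` starts and ends outside this hunk, so how `people` and `streams` are built is not visible here.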