author | Kyle Snavely <ksnavely@cloudant.com> | 2014-05-01 11:57:42 -0400 |
---|---|---|
committer | Kyle Snavely <ksnavely@cloudant.com> | 2014-05-01 14:08:47 -0400 |
commit | 5e63892323139c62fbb9194d3f287fb8e829f1cb (patch) | |
tree | 36d4ceb0653b1ffd37c9c536e87c3e8b67378d50 | |
parent | 519a488876323f822eaa77b435b1d28e56fd273a (diff) | |
Use <%- when interpolating XSS targets
- I tried not to be heavy-handed: `<%-` is used only for values that could carry an XSS payload or that otherwise come from a user or from stored data.
11 files changed, 17 insertions, 17 deletions
diff --git a/src/fauxton/app/addons/auth/templates/nav_dropdown.html b/src/fauxton/app/addons/auth/templates/nav_dropdown.html
index d61c24a88..983b5f7f3 100644
--- a/src/fauxton/app/addons/auth/templates/nav_dropdown.html
+++ b/src/fauxton/app/addons/auth/templates/nav_dropdown.html
@@ -14,7 +14,7 @@ the License.
 <div id="sidenav">
 <header class="row-fluid">
- <h3> <%= user.name %> </h3>
+ <h3> <%- user.name %> </h3>
 </header>
 <nav>
 <ul class="nav nav-list">
diff --git a/src/fauxton/app/addons/auth/templates/nav_link_title.html b/src/fauxton/app/addons/auth/templates/nav_link_title.html
index 1ec9bf45c..db3587d69 100644
--- a/src/fauxton/app/addons/auth/templates/nav_link_title.html
+++ b/src/fauxton/app/addons/auth/templates/nav_link_title.html
@@ -20,7 +20,7 @@ the License.
 <% } else if (user) { %>
 <a href="#changePassword" >
 <span class="fonticon-user fonticon"></span>
- <%= user.name %>
+ <%- user.name %>
 </a>
 <% } else { %>
 <a href="#login" >
diff --git a/src/fauxton/app/addons/config/templates/item.html b/src/fauxton/app/addons/config/templates/item.html
index 8af9a50ed..f5fd73ec7 100644
--- a/src/fauxton/app/addons/config/templates/item.html
+++ b/src/fauxton/app/addons/config/templates/item.html
@@ -13,13 +13,13 @@ the License.
 -->
 <% if (option.index === 0) {%>
-<th> <%= option.section %> </th>
+<th> <%- option.section %> </th>
 <% } else { %>
 <td></td>
 <% } %>
 <td class="js-edit-value">
 <div class="js-show-value">
- <%= option.name %>
+ <%- option.name %>
 </div>
 <div class="js-edit-value-form js-hidden">
 <input class="js-value-input" type="text" name="name" value="<%- option.name %>" />
@@ -29,7 +29,7 @@ the License.
 </td>
 <td class="js-edit-value">
 <div class="js-show-value">
- <%= option.value %>
+ <%- option.value %>
 </div>
 <div class="js-edit-value-form js-hidden">
 <input class="js-value-input" type="text" name="value" value="<%- option.value %>" />
diff --git a/src/fauxton/app/addons/documents/templates/changes.html b/src/fauxton/app/addons/documents/templates/changes.html
index 5978e839e..d038361c8 100644
--- a/src/fauxton/app/addons/documents/templates/changes.html
+++ b/src/fauxton/app/addons/documents/templates/changes.html
@@ -36,7 +36,7 @@ the License.
 <% if (change.deleted) { %> <%= change.id %> <% } else { %>
- <a href="#<%= database.url('app') %>/<%= safeURL(change.id) %>"><%= change.id %></a>
+ <a href="#<%- database.url('app') %>/<%- safeURL(change.id) %>"><%= change.id %></a>
 <% } %> </div> <div class="span2 text-right"> <a class="js-copy" data-clipboard-text="<%= change.id %>" data-bypass="true" href="#">
diff --git a/src/fauxton/app/addons/documents/templates/ddoc_info.html b/src/fauxton/app/addons/documents/templates/ddoc_info.html
index ed0aed6a7..b33e49b1a 100644
--- a/src/fauxton/app/addons/documents/templates/ddoc_info.html
+++ b/src/fauxton/app/addons/documents/templates/ddoc_info.html
@@ -18,7 +18,7 @@ the License.
 <% if(i%2==0){%>
 <div class="row-fluid">
 <% }; %>
- <div class="span6 well-item"><strong> <%= key %></strong> : <%= val %> </div>
+ <div class="span6 well-item"><strong> <%- key %></strong> : <%- val %> </div>
 <% if(i%2==1){%>
 </div>
 <% }; %>
diff --git a/src/fauxton/app/addons/documents/templates/delete_database_modal.html b/src/fauxton/app/addons/documents/templates/delete_database_modal.html
index 7ea3bc47e..2b5448cbd 100644
--- a/src/fauxton/app/addons/documents/templates/delete_database_modal.html
+++ b/src/fauxton/app/addons/documents/templates/delete_database_modal.html
@@ -20,7 +20,7 @@ the License.
 <div class="modal-body">
 <form id="delete-db-check" class="form" method="post">
 <p>
- You've asked to <b>permanently delete</b> <code><%= database.id %></code>.
+ You've asked to <b>permanently delete</b> <code><%- database.id %></code>.
 Please enter the database name below to confirm the deletion of the database and all documents and attachments within. </p>
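Review bot: In the changes.html hunk `<%= change.id %>` is still interpolated raw in three places — the `change.deleted` branch, the link text on the new `+` line, and `data-clipboard-text` on the last context line — so a document id containing markup still lands unescaped in the page even though the href on the same line was switched to `<%- … %>`. Document ids are chosen by whoever writes the document, so they are exactly the kind of value this commit sets out to escape. The new line should read `<a href="#<%- database.url('app') %>/<%- safeURL(change.id) %>"><%- change.id %></a>`, and the other two occurrences `<%- change.id %>`. The template block enclosing these lines begins before the hunk.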
diff --git a/src/fauxton/app/addons/documents/templates/design_doc_selector.html b/src/fauxton/app/addons/documents/templates/design_doc_selector.html
index 7bbe31021..b8f8b3f4b 100644
--- a/src/fauxton/app/addons/documents/templates/design_doc_selector.html
+++ b/src/fauxton/app/addons/documents/templates/design_doc_selector.html
@@ -12,15 +12,15 @@ License for the specific language governing permissions and limitations
 under the License.
 -->
 <div class="span3">
- <label for="ddoc">Save to Design Document <a href="<%=getDocUrl('design_doc')%>" target="_blank"><i class="icon-question-sign"></i></a></label>
+ <label for="ddoc">Save to Design Document <a href="<%-getDocUrl('design_doc')%>" target="_blank"><i class="icon-question-sign"></i></a></label>
 <select id="ddoc">
 <optgroup label="Select a document">
 <option value="new-doc">New document</option>
 <% ddocs.each(function(ddoc) { %>
 <% if (ddoc.id === ddocName) { %>
- <option selected="selected" value="<%= ddoc.id %>"><%= ddoc.id %></option>
+ <option selected="selected" value="<%- ddoc.id %>"><%- ddoc.id %></option>
 <% } else { %>
- <option value="<%= ddoc.id %>"><%= ddoc.id %></option>
+ <option value="<%- ddoc.id %>"><%- ddoc.id %></option>
 <% } %>
 <% }); %>
 </optgroup>
diff --git a/src/fauxton/app/addons/documents/templates/doc.html b/src/fauxton/app/addons/documents/templates/doc.html
index 94338680a..e9a46cfec 100644
--- a/src/fauxton/app/addons/documents/templates/doc.html
+++ b/src/fauxton/app/addons/documents/templates/doc.html
@@ -31,8 +31,8 @@ the License.
 <ul class="dropdown-menu">
 <%_.each(attachments, function (att) { %>
 <li>
- <a href="<%= att.url %>" target="_blank"> <strong> <%= att.fileName %> </strong> -
- <span> <%= att.contentType %>, <%= formatSize(att.size)%> </span>
+ <a href="<%- att.url %>" target="_blank"> <strong> <%- att.fileName %> </strong> -
+ <span> <%- att.contentType %>, <%- formatSize(att.size)%> </span>
 </a>
 </li>
 <% }) %>
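Review bot: HTML-escaping `att.url` on the new `<a href="<%- att.url %>" target="_blank">` line in doc.html stops attribute breakout but does not constrain the URL scheme, so if `att.url` is derived from attachment names or document content (not visible here), a `javascript:` value would survive `<%- %>` unchanged. The safer shape is to build the href from a known base URL and URL-encode only the attachment name, the way changes.html wraps the id in `safeURL(...)`, rather than interpolating a ready-made URL. Because the link opens with `target="_blank"`, adding `rel="noopener noreferrer"` would also keep the opened attachment (which may be attacker-supplied HTML served from the database) from reaching `window.opener`. The `_.each` loop around these lines closes on the hunk's last line but its surrounding markup continues outside the hunk.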
diff --git a/src/fauxton/app/addons/permissions/templates/section.html b/src/fauxton/app/addons/permissions/templates/section.html
index 0459562b1..fe228f5ff 100644
--- a/src/fauxton/app/addons/permissions/templates/section.html
+++ b/src/fauxton/app/addons/permissions/templates/section.html
@@ -13,7 +13,7 @@ the License.
 -->
 <header class="page-header">
 <h3> <%= (section) %> </h3>
-<p class="help"> <%= help %> <a href="<%=getDocUrl('database_permission')%>" target="_blank"><i class="icon-question-sign"> </i> </a></p>
+<p class="help"> <%= help %> <a href="<%-getDocUrl('database_permission')%>" target="_blank"><i class="icon-question-sign"> </i> </a></p>
 </header>
 <div class="row-fluid">
diff --git a/src/fauxton/app/addons/replication/templates/form.html b/src/fauxton/app/addons/replication/templates/form.html
index 32a87dca3..342a4fd9a 100644
--- a/src/fauxton/app/addons/replication/templates/form.html
+++ b/src/fauxton/app/addons/replication/templates/form.html
@@ -63,7 +63,7 @@ the License.
 <label for="createTarget">
 <input type="checkbox" name="create_target" value="true" id="createTarget">
- Create Target <a href="<%=getDocUrl('replication_doc')%>" target="_blank"><i class="icon-question-sign" rel="tooltip" title="Create the target database"></i></a>
+ Create Target <a href="<%-getDocUrl('replication_doc')%>" target="_blank"><i class="icon-question-sign" rel="tooltip" title="Create the target database"></i></a>
 </label>
 </div>
diff --git a/src/fauxton/app/addons/replication/templates/progress.html b/src/fauxton/app/addons/replication/templates/progress.html
index 1e6ef9018..ea9d6c311 100644
--- a/src/fauxton/app/addons/replication/templates/progress.html
+++ b/src/fauxton/app/addons/replication/templates/progress.html
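Review bot: In the permissions section.html hunk, `<%= (section) %>` on the h3 and `<%= help %>` on the rewritten `<p class="help">` line are still raw interpolations while the neighbouring href was escaped; from this hunk alone I cannot tell whether these two values are fixed strings owned by the addon or can ever be fed from a database or user. If they are addon-owned, a one-line `<% /* section and help are addon-defined strings, never user data */ %>` above the header would stop the next audit from re-flagging them; if not, or if `help` carries no intentional markup, switching both to `<%- section %>` and `<%- help %>` is the cheaper fix. The `getDocUrl(...)` links in both this file and form.html are documentation URLs, so escaping them is harmless but is not what protects against a bad scheme — that rests on `getDocUrl` only ever returning configured URLs.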
@@ -11,12 +11,12 @@ WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 License for the specific language governing permissions and limitations
 under the License.
 -->
-<p class="span6 break">Replicating <strong><%=source%></strong> to <strong><%=target%></strong></p>
+<p class="span6 break">Replicating <strong><%-source%></strong> to <strong><%-target%></strong></p>
 <div class="span4 progress progress-striped active">
 <div class="bar" style="width: <%=progress || 0%>%;"><%=progress || "0"%>%</div>
 </div>
 <span class="span1">
- <button class="cancel btn btn-danger btn-large delete" data-source="<%=source%>" data-rep-id="<%=repid%>" data-continuous="<%=continuous%>" data-target="<%=target%>">Cancel</a>
+ <button class="cancel btn btn-danger btn-large delete" data-source="<%-source%>" data-rep-id="<%-repid%>" data-continuous="<%-continuous%>" data-target="<%-target%>">Cancel</a>
 </span>
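Review bot: The rewritten `<button class="cancel …" … data-target="<%-target%>">Cancel</a>` line in progress.html still closes the button with `</a>`, so the `<button>` element is never closed and the browser has to repair the tree; since the line is being touched anyway it should end `>Cancel</button>`. The context line `style="width: <%=progress || 0%>%;"><%=progress || "0"%>%` also interpolates raw into a style attribute and a text node; if `progress` is always a number from the replication task this is harmless, but I cannot confirm that from the hunk, and `<%- %>` would cost nothing while keeping the file consistent with the rest of this commit. Note that escaping `source` and `target` into `data-*` attributes protects the markup only; any code that later reads those attributes and builds URLs or HTML from them needs its own handling.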