[Fedora-directory-commits] dsgw/config display-dnedit.html.in, 1.1, 1.2 display-dneditpeople.html.in, 1.1, 1.2

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Tue Feb 19 15:20:24 UTC 2008


Author: rmeggins

Update of /cvs/dirsec/dsgw/config
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23811/dsgw/config

Modified Files:
	display-dnedit.html.in display-dneditpeople.html.in 
Log Message:
1) The old code used a CGI variable called completion_javascript - this variable contained arbitrary javascript code that was eval'd in the client browser.  I have removed this code and put it in the resource file.  The dsgw code will set completion_javascript to one of the 3 keywords, and the new function emit_completion_javascript will look up the code in the resource file and output it with any required arguments.  It just seems like a really bad idea to execute arbitrary blobs of javascript passed in a CGI argument.

2) Make the checking for the template file names stricter.

3) Added many new tests.

4) When removing unused or duplicate LDAP Mods, if we remove the last one, just free the entire array.



Index: display-dnedit.html.in
===================================================================
RCS file: /cvs/dirsec/dsgw/config/display-dnedit.html.in,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- display-dnedit.html.in	14 Jan 2008 22:31:17 -0000	1.1
+++ display-dnedit.html.in	19 Feb 2008 15:20:21 -0000	1.2
@@ -108,7 +108,7 @@
 <!-- DS_HELPBUTTON "topic=EDIT_GROUPMEM" -->
 </TD></TR></TABLE></CENTER>
 
-<INPUT TYPE=hidden NAME=completion_javascript VALUE='parent.updateList(parent.controlFrame.document.searchForm.faMode.value, parent.dnlist, parent.stagingFrame.dnlist, parent.outputFrame);parent.controlFrame.document.searchForm.faMode.value="add";'>
+<INPUT TYPE=hidden NAME=completion_javascript VALUE='ADD'>
 <!-- DS_END_DNSEARCHFORM -->
 
 <!-- DS_ENTRYEND -->
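Review bot: the new VALUE='ADD' on the completion_javascript hidden input is still a client-supplied form field, so the fix only holds if the CGI side treats anything other than the three keywords named in the log message as an error. Please confirm that emit_completion_javascript rejects an unrecognised value outright, without falling back to a default and without echoing the submitted string into the page. An HTML comment beside this input listing the valid keywords would also help, since the template no longer shows what script will run on completion.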


Index: display-dneditpeople.html.in
===================================================================
RCS file: /cvs/dirsec/dsgw/config/display-dneditpeople.html.in,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- display-dneditpeople.html.in	14 Jan 2008 22:31:17 -0000	1.1
+++ display-dneditpeople.html.in	19 Feb 2008 15:20:21 -0000	1.2
@@ -106,7 +106,7 @@
 <!-- DS_HELPBUTTON "topic=EDIT_PERSON_REF" -->
 </TD></TR></TABLE></CENTER>
 
-<INPUT TYPE=hidden NAME=completion_javascript VALUE='parent.updateList(parent.controlFrame.document.searchForm.faMode.value, parent.dnlist, parent.stagingFrame.dnlist, parent.outputFrame);parent.controlFrame.document.searchForm.faMode.value="add";'>
+<INPUT TYPE=hidden NAME=completion_javascript VALUE='ADD'>
 <!-- DS_END_DNSEARCHFORM -->
 
 <!-- DS_ENTRYEND -->
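Review bot: the removed VALUE in this template is identical to the one removed from display-dnedit.html.in, and both now map to 'ADD', so the resource-file entry for ADD has to reproduce both statements of the old script: the parent.updateList(...) call and the reset of faMode.value to "add". The resource file is not part of this diff, so that equivalence cannot be checked from here; a pointer to it in the commit or a template comment would make the change reviewable. Note also that the keyword is upper case while the faMode value it restores is lower case; it is worth documenting whether the keyword lookup is case-sensitive, so that a later template edit to 'add' does not silently drop the completion script.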



