- Updates import UI to escape HTML text
- Allows mixing of escaped and unescaped HTML text
- Removes server-side text escaping
@@ -7,7 +7,6 @@ define(
|
|||||||
'handlebars',
|
'handlebars',
|
||||||
'papaparse',
|
'papaparse',
|
||||||
'asyncqueue',
|
'asyncqueue',
|
||||||
'xss',
|
|
||||||
'moment',
|
'moment',
|
||||||
'select2'
|
'select2'
|
||||||
],
|
],
|
||||||
@@ -19,7 +18,6 @@ define(
|
|||||||
Handlebars,
|
Handlebars,
|
||||||
Papa,
|
Papa,
|
||||||
AsyncQueue,
|
AsyncQueue,
|
||||||
xss,
|
|
||||||
Moment
|
Moment
|
||||||
) {
|
) {
|
||||||
if (!jQuery('#mailpoet_subscribers_import').length) {
|
if (!jQuery('#mailpoet_subscribers_import').length) {
|
||||||
@@ -337,17 +335,7 @@ define(
|
|||||||
complete: function (CSV) {
|
complete: function (CSV) {
|
||||||
for (var rowCount in CSV.data) {
|
for (var rowCount in CSV.data) {
|
||||||
var rowData = CSV.data[rowCount].map(function (el) {
|
var rowData = CSV.data[rowCount].map(function (el) {
|
||||||
// sanitize data
|
return el.trim();
|
||||||
el = filterXSS(el.trim());
|
|
||||||
var entityMap = {
|
|
||||||
"<": "<",
|
|
||||||
">": ">",
|
|
||||||
"/": '/'
|
|
||||||
};
|
|
||||||
el = String(el).replace(/[&<>"'\/]/g, function (s) {
|
|
||||||
return entityMap[s];
|
|
||||||
});
|
|
||||||
return el;
|
|
||||||
});
|
});
|
||||||
var rowColumnCount = rowData.length;
|
var rowColumnCount = rowData.length;
|
||||||
// set the number of row elements based on the first non-empty row
|
// set the number of row elements based on the first non-empty row
|
||||||
@@ -679,8 +667,15 @@ define(
|
|||||||
return options.fn(displayedColumns);
|
return options.fn(displayedColumns);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// sanitize unsafe data
|
||||||
|
Handlebars.registerHelper('sanitize_data', function(data) {
|
||||||
|
return (data instanceof Handlebars.SafeString) ?
|
||||||
|
data :
|
||||||
|
new Handlebars.SafeString(Handlebars.Utils.escapeExpression(data));
|
||||||
|
});
|
||||||
|
|
||||||
// start array index from 1
|
// start array index from 1
|
||||||
Handlebars.registerHelper('show_real_index', function (index) {
|
Handlebars.registerHelper('calculate_index', function (index) {
|
||||||
var index = parseInt(index);
|
var index = parseInt(index);
|
||||||
// display filler data (e.g., ellipsis) if we've reached the maximum number of rows and
|
// display filler data (e.g., ellipsis) if we've reached the maximum number of rows and
|
||||||
// subscribers count is greater than the maximum number of rows we're displaying
|
// subscribers count is greater than the maximum number of rows we're displaying
|
||||||
@@ -889,7 +884,9 @@ define(
|
|||||||
jQuery(matchedColumn.element).data('validation-rule', validationRule);
|
jQuery(matchedColumn.element).data('validation-rule', validationRule);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (validationRule === 'datetime') validationRule = Moment.ISO_8601;
|
if (validationRule === 'datetime') {
|
||||||
|
validationRule = Moment.ISO_8601;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
jQuery.map(subscribersClone.subscribers, function (data, index) {
|
jQuery.map(subscribersClone.subscribers, function (data, index) {
|
||||||
@@ -898,18 +895,22 @@ define(
|
|||||||
var date = Moment(rowData, testedFormat, true);
|
var date = Moment(rowData, testedFormat, true);
|
||||||
// validate date
|
// validate date
|
||||||
if (date.isValid()) {
|
if (date.isValid()) {
|
||||||
data[matchedColumn.index] +=
|
data[matchedColumn.index] = new Handlebars.SafeString(
|
||||||
'<span class="mailpoet_data_match" title="'
|
Handlebars.Utils.escapeExpression(data[matchedColumn.index])
|
||||||
+ MailPoet.I18n.t('verifyDateMatch') + '">'
|
+ '<span class="mailpoet_data_match" title="'
|
||||||
+ MailPoet.Date.format(date)
|
+ MailPoet.I18n.t('verifyDateMatch') + '">'
|
||||||
+ '</span>';
|
+ MailPoet.Date.format(date)
|
||||||
|
+ '</span>'
|
||||||
|
);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
data[matchedColumn.index] +=
|
data[matchedColumn.index] = new Handlebars.SafeString(
|
||||||
'<span class="mailpoet_data_match mailpoet_import_error" title="'
|
Handlebars.Utils.escapeExpression(data[matchedColumn.index])
|
||||||
|
+ '<span class="mailpoet_data_match mailpoet_import_error" title="'
|
||||||
+ MailPoet.I18n.t('noDateFieldMatch') + '">'
|
+ MailPoet.I18n.t('noDateFieldMatch') + '">'
|
||||||
+ MailPoet.I18n.t('dateMatchError')
|
+ (new Handlebars.SafeString(MailPoet.I18n.t('dateMatchError')))
|
||||||
+ '</span>';
|
+ '</span>'
|
||||||
|
);
|
||||||
preventNextStep = true;
|
preventNextStep = true;
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
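Review bot: In the @@ -898 hunk the markup assembled inside `new Handlebars.SafeString(...)` escapes the cell value but inserts `MailPoet.I18n.t('verifyDateMatch')`, `MailPoet.I18n.t('noDateFieldMatch')` and `MailPoet.Date.format(date)` unescaped, so a translation containing a double quote would terminate the `title` attribute. Since the @@ -337 hunk now keeps cell text raw, this SafeString is the only escaping these cells receive before rendering; wrapping the translated strings the same way as the cell value, e.g. `Handlebars.Utils.escapeExpression(MailPoet.I18n.t('verifyDateMatch'))`, keeps one consistent trust boundary. The `(new Handlebars.SafeString(MailPoet.I18n.t('dateMatchError')))` in the else branch is a no-op once it is concatenated into a plain string and can be replaced by the same `escapeExpression` call. The enclosing callback begins and ends outside the hunk.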
@@ -110,8 +110,6 @@ class Import {
|
|||||||
function validateSubscribersFields($subscribers_data, $validation_rules) {
|
function validateSubscribersFields($subscribers_data, $validation_rules) {
|
||||||
$invalid_records = array();
|
$invalid_records = array();
|
||||||
foreach($subscribers_data as $column => &$data) {
|
foreach($subscribers_data as $column => &$data) {
|
||||||
// sanitize each data field
|
|
||||||
$data = array_map('sanitize_text_field', $data);
|
|
||||||
$validation_rule = $validation_rules[$column];
|
$validation_rule = $validation_rules[$column];
|
||||||
// if this is a custom column
|
// if this is a custom column
|
||||||
if(in_array($column, $this->subscriber_custom_fields)) {
|
if(in_array($column, $this->subscriber_custom_fields)) {
|
||||||
|
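Review bot: Removing `$data = array_map('sanitize_text_field', $data);` means subscriber fields now reach the validation rules and storage exactly as they appear in the CSV, so every output path for these values other than the Handlebars template changed in this commit has to escape them itself; those paths are not visible in this diff, so that is worth confirming before merging. A short comment at the removal site would record the intent for the next reader, e.g. `// fields are stored as imported; escaping is applied at render time`. validateSubscribersFields continues past the end of the hunk.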
@@ -116,11 +116,11 @@
|
|||||||
{{#subscribers}}
|
{{#subscribers}}
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
{{show_real_index @index}}
|
{{calculate_index @index}}
|
||||||
</td>
|
</td>
|
||||||
{{#.}}
|
{{#.}}
|
||||||
<td>
|
<td>
|
||||||
{{{this}}}
|
{{sanitize_data this}}
|
||||||
</td>
|
</td>
|
||||||
{{/.}}
|
{{/.}}
|
||||||
</tr>
|
</tr>
|
||||||
|
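Review bot: `{{sanitize_data this}}` behaves identically to the default double-stash `{{this}}`, because Handlebars already passes every `{{ }}` value through `Handlebars.Utils.escapeExpression`, which returns a `SafeString` via its `toHTML()` untouched and HTML-escapes anything else. The helper is therefore redundant rather than wrong; if it is kept for readability, a comment on its registration saying that it duplicates the built-in escaping would prevent a later reader from assuming `{{this}}` is unsafe here. The important change in this section is the switch away from `{{{this}}}`, which is what actually stops raw cell text from being rendered as HTML.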