Fixed select2 for admin and apps page

Added explicit escaping. Now internally using a pipe symbol as separator for select2, to make it possible to use group names containing commas.
10 years ago · a064536ec1
parent 0d28ba0662
commit a064536ec1
4 changed files with 29 additions and 13 deletions
--- a/settings/admin.php
+++ b/settings/admin.php
@ -58,7 +58,8 @@ $tmpl->assign('shareEnforceExpireDate', OC_Appconfig::getValue('core', 'shareapi
 $excludeGroups = OC_Appconfig::getValue('core', 'shareapi_exclude_groups', 'no') === 'yes' ? true : false;
 $tmpl->assign('shareExcludeGroups', $excludeGroups);
 $excludedGroupsList = OC_Appconfig::getValue('core', 'shareapi_exclude_groups_list', '');
-$tmpl->assign('shareExcludedGroupsList', $excludedGroupsList);
+$excludedGroupsList = explode(',', $excludedGroupsList); // FIXME: this should be JSON!
+$tmpl->assign('shareExcludedGroupsList', implode('|', $excludedGroupsList));

 // Check if connected using HTTPS
 $tmpl->assign('isConnectedViaHTTPS', OC_Request::serverProtocol() === 'https');
--- a/settings/js/admin.js
+++ b/settings/js/admin.js
@ -20,6 +20,15 @@ $(document).ready(function(){

 	$('#excludedGroups').each(function (index, element) {
 		OC.Settings.setupGroupsSelect($(element));
+		$(element).change(function(ev) {
+			var groups = ev.val || [];
+			if (groups.length > 0) {
+				groups = ev.val.join(','); // FIXME: make this JSON
+			} else {
+				groups = '';
+			}
+			OC.AppConfig.setValue('core', $(this).attr('name'), groups);
+		});
 	});


@ -42,7 +51,7 @@ $(document).ready(function(){
 		$('#shareAPI p:not(#enable)').toggleClass('hidden', !this.checked);
 	});

-	$('#shareAPI input').change(function() {
+	$('#shareAPI input:not(#excludedGroups)').change(function() {
 		if ($(this).attr('type') === 'checkbox') {
 			if (this.checked) {
 				var value = 'yes';
--- a/settings/js/apps.js
+++ b/settings/js/apps.js
@ -123,10 +123,10 @@ OC.Settings.Apps = OC.Settings.Apps || {
 			page.find("label[for='groups_enable']").hide();
 			page.find("#groups_enable").attr('checked', null);
 		} else {
-			$('#group_select').val((app.groups || []).join(','));
 			if (app.active) {
 				if (app.groups.length) {
 					OC.Settings.Apps.setupGroupsSelect();
+					$('#group_select').select2('val', app.groups || []);
 					page.find("#groups_enable").attr('checked','checked');
 				} else {
 					page.find("#groups_enable").attr('checked', null);
@ -378,14 +378,10 @@ $(document).ready(function(){
 		}
 	});

-	$('#group_select').change(function() {
+	$('#group_select').change(function(ev) {
 		var element = $('#app-content input.enable');
-		var groups = $(this).val();
-		if (groups && groups !== '') {
-			groups = groups.split(',');
-		} else {
-			groups = [];
-		}
+		// getting an array of values from select2
+		var groups = ev.val || [];
 		var appid = element.data('appid');
 		if (appid) {
 			OC.Settings.Apps.enableApp(appid, false, element, groups);
--- a/settings/js/settings.js
+++ b/settings/js/settings.js
@ -7,6 +7,11 @@ OC.Settings = OC.Settings || {};
 OC.Settings = _.extend(OC.Settings, {
 	/**
 	 * Setup selection box for group selection.
+	 *
+	 * Values need to be separated by a pipe "|" character.
+	 * (mostly because a comma is more likely to be used
+	 * for groups)
+	 *
 	 * @param $elements jQuery element (hidden input) to setup select2 on
 	 * @param [extraOptions] extra options hash to pass to select2
 	 */
@ -18,6 +23,7 @@ OC.Settings = _.extend(OC.Settings, {
 				placeholder: t('core', 'Groups'),
 				allowClear: true,
 				multiple: true,
+				separator: '|',
 				ajax: {
 					url: OC.generateUrl('/settings/ajax/grouplist'),
 					dataType: 'json',
@ -50,7 +56,7 @@ OC.Settings = _.extend(OC.Settings, {
 				},
 				initSelection: function(element, callback) {
 					var selection =
-						_.map(($(element).val() || []).split(',').sort(),
+						_.map(($(element).val() || []).split('|').sort(),
 							function(groupName) {
 						return {
 							id: groupName,
@ -60,10 +66,14 @@ OC.Settings = _.extend(OC.Settings, {
 					callback(selection);
 				},
 				formatResult: function (element) {
-					return element.displayname;
+					return escapeHTML(element.displayname);
 				},
 				formatSelection: function (element) {
-					return element.displayname;
+					return escapeHTML(element.displayname);
+				},
+				escapeMarkup: function(m) {
+					// prevent double markup escape
+					return m;
 				}
 			}, extraOptions || {}));
 		}