| Age | Commit message | Author |
|
delimiters) instead of just the string contents.
Benefits: Using json_encode(), which is very robust. And as a user, it's clearer how to use this API compared to what it was before.
|
|
line snippet.
|
|
Updating XSS golden file.
|
|
instead of SafeString directly.
|
|
|
Adding SafeString::of_safe_html() calls where urls are passed as parameters to t() and t2().
|
|
Conflicts:
modules/akismet/views/admin_akismet.html.php
modules/comment/helpers/comment_rss.php
modules/gallery/helpers/gallery_rss.php
modules/gallery/libraries/I18n.php
modules/gallery/views/permissions_browse.html.php
modules/gallery/views/simple_uploader.html.php
modules/info/views/info_block.html.php
modules/organize/controllers/organize.php
modules/organize/views/organize.html.php
modules/organize/views/organize_album.html.php
themes/default/views/album.html.php
themes/default/views/movie.html.php
themes/default/views/photo.html.php
|
|
Xss: Rename UNKNOWN back to DIRTY, JS_XSS to DIRTY_JS.
(using a different flag value to highlight potential XSS vectors in JS)
|
|
SafeString::purify() and SafeString::of_safe_html().
Removing SafeString::mark_html_safe() since it's no longer needed.
|
|
is not working.
|
|
Benefits:
- url::site() is often used in views and we can ensure in the url class that returned strings are indeed safe for use in HTML. Makes the list of vars of unknown safety status shorter.
- url::site() is often used as message parameter to t() and t2(). The parameter would be HTML-escaped if it wasn't marked as safe HTML already. Makes the usage simpler / shorter.
|
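The escaping rule the two commits above rely on (anything passed to t()/t2() that is not already marked as safe HTML gets escaped; url::site() output is marked safe so it passes through untouched) is easiest to see in code. The following is an added example written for this page, not Gallery3's own SafeString or I18n implementation: the names SafeString, of_safe_html(), purify() and t() are taken from the commit messages, but the bodies, the site_url() stand-in for url::site(), and the sample input are hypothetical.

```php
<?php
// Added example, not Gallery3 code. The names SafeString, of_safe_html(),
// purify() and t() come from the commit messages; the bodies below are a
// hypothetical minimal implementation written to show the escaping rule.

class SafeString {
  private $value;

  private function __construct($value) {
    $this->value = (string) $value;
  }

  // The caller vouches that $value is already safe HTML (e.g. a url the
  // application built itself). No escaping is applied.
  public static function of_safe_html($value) {
    return new SafeString($value);
  }

  // Untrusted text: escape it for HTML text and attribute context.
  public static function of($value) {
    return new SafeString(htmlspecialchars((string) $value, ENT_QUOTES, "UTF-8"));
  }

  // Stand-in for an HTML purifier (hypothetical): keep a few harmless tags and
  // drop every attribute, so event handlers and javascript: links cannot survive.
  public static function purify($value) {
    $kept = strip_tags((string) $value, "<b><i><em><strong><p>");
    return new SafeString(preg_replace('/<(\w+)\b[^>]*>/', '<$1>', $kept));
  }

  public function __toString() {
    return $this->value;
  }
}

// Hypothetical stand-in for url::site(): every path segment is URL-encoded
// and the result is marked safe, so t() will not escape it a second time.
function site_url($path) {
  $segments = array_map("rawurlencode", explode("/", $path));
  return SafeString::of_safe_html("/index.php/" . implode("/", $segments));
}

// Substitute %name parameters into a message. Anything that is not already a
// SafeString is escaped before substitution; the result is itself safe.
function t($message, array $params = array()) {
  foreach ($params as $name => $value) {
    if (!($value instanceof SafeString)) {
      $value = SafeString::of($value);
    }
    $message = str_replace("%" . $name, (string) $value, $message);
  }
  return SafeString::of_safe_html($message);
}

// Constructed sample input: an album title chosen by an attacker.
$title = '<img src=x onerror="alert(1)">';

echo t('View <a href="%url">%name</a>', array(
  "name" => $title,                 // untrusted: escaped
  "url"  => site_url("albums/1"),   // safe by construction: passed through
)), "\n";
// View <a href="/index.php/albums/1">&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</a>

echo t('%body', array(
  "body" => SafeString::purify('<b onclick="alert(1)">bold</b><script>x()</script>'),
)), "\n";
// <b>bold</b>x()
```

Two caveats a reviewer would raise against even this toy: str_replace on "%name" misbehaves when one parameter name is a prefix of another (a real implementation should tokenize the message), and of_safe_html() is only as good as the caller's promise, so anything that builds URLs with query strings must HTML-escape the ampersands before marking the result safe.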
|
Refactoring of Xss_Security_Test.
t() and t2() return a SafeString instance.
TODO:
- Update all code to use SafeString where appropriate.
- Update golden file of Xss_Security_Test
- Stop reporting CLEAN vars in Xss_Security_Test
|
|
remove Gallery3 concepts from ORM_MPTT.
The following API methods:
ORM_MPTT::children
ORM_MPTT::children_count
ORM_MPTT::descendants
ORM_MPTT::descendants_count
All now take a $where clause that allow you to pass through additional
field parameters.
old API:
$album->children(10, 0, "photos")
$album->children_count("photos")
new API:
$album->children(10, 0, array("type" => "photos"))
$album->children_count(array("type" => "photos"))
This gives us a more flexible API and simplifies the code. While I
was in there, I changed the way we deal with default orderby values so
that we just assign the default value in the function definition,
which allows us to get rid of all conditionals in the implementation
which results in simpler code.
|
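One way to implement the array-valued $where described in the commit above, as an added example that is not Gallery3's ORM_MPTT: the filter columns are whitelisted and the values are bound as parameters, which is what makes the array form safer than string arguments spliced into SQL. The items table layout (parent_id, left_ptr, right_ptr, type, owner_id), the PDO/SQLite setup and the sample tree are assumptions made for the example.

```php
<?php
// Added example, not Gallery3's ORM_MPTT. Shows the $where-array form of
// children()/children_count()/descendants_count() on a nested-set table.
// Table layout, PDO/SQLite and the sample rows are assumptions.

class Mptt {
  private $db;

  // Columns a $where array may filter on. Keys not listed here are rejected,
  // so the array form cannot be used to inject SQL through a column name.
  private static $filterable = array("type" => true, "owner_id" => true);

  public function __construct(PDO $db) {
    $this->db = $db;
  }

  // Turn array("type" => "photo") into " AND i.type = ?" plus bound values.
  private function build_where(array $where, array &$bind) {
    $sql = "";
    foreach ($where as $column => $value) {
      if (!isset(self::$filterable[$column])) {
        throw new InvalidArgumentException("cannot filter on column '$column'");
      }
      $sql .= " AND i.$column = ?";
      $bind[] = $value;
    }
    return $sql;
  }

  // Direct children of $parent_id. The default ordering lives in the signature,
  // as the commit describes; $orderby is checked against a fixed pattern
  // because an ORDER BY expression cannot be bound as a parameter.
  public function children($parent_id, $limit = null, $offset = 0,
                           array $where = array(), $orderby = "i.id ASC") {
    if (!preg_match('/^i\.[a-z_]+( (ASC|DESC))?$/', $orderby)) {
      throw new InvalidArgumentException("bad orderby");
    }
    $bind = array($parent_id);
    $sql = "SELECT i.* FROM items i WHERE i.parent_id = ?"
         . $this->build_where($where, $bind) . " ORDER BY $orderby";
    if ($limit !== null) {
      $sql .= " LIMIT " . (int) $limit . " OFFSET " . (int) $offset;
    }
    $stmt = $this->db->prepare($sql);
    $stmt->execute($bind);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
  }

  public function children_count($parent_id, array $where = array()) {
    $bind = array($parent_id);
    $sql = "SELECT COUNT(*) FROM items i WHERE i.parent_id = ?" . $this->build_where($where, $bind);
    $stmt = $this->db->prepare($sql);
    $stmt->execute($bind);
    return (int) $stmt->fetchColumn();
  }

  // Every node strictly inside the parent's (left_ptr, right_ptr) interval.
  public function descendants_count($parent_id, array $where = array()) {
    $bind = array($parent_id);
    $sql = "SELECT COUNT(*) FROM items i JOIN items p ON p.id = ?"
         . " WHERE i.left_ptr > p.left_ptr AND i.right_ptr < p.right_ptr"
         . $this->build_where($where, $bind);
    $stmt = $this->db->prepare($sql);
    $stmt->execute($bind);
    return (int) $stmt->fetchColumn();
  }
}

// Constructed sample tree:  root(1) > album(2) > photo(3), movie(4)
$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, parent_id INTEGER,"
        . " left_ptr INTEGER, right_ptr INTEGER, type TEXT, owner_id INTEGER)");
$db->exec("INSERT INTO items VALUES (1, NULL, 1, 8, 'album', 1), (2, 1, 2, 7, 'album', 1),"
        . " (3, 2, 3, 4, 'photo', 2), (4, 2, 5, 6, 'movie', 1)");

$tree = new Mptt($db);
echo count($tree->children(1)), "\n";                              // 1 (the album)
echo $tree->children_count(2, array("type" => "photo")), "\n";    // 1
echo $tree->descendants_count(1), "\n";                           // 3
echo $tree->descendants_count(1, array("type" => "photo")), "\n"; // 1

try {
  $tree->children(1, 10, 0, array("type = 'x' OR 1=1 --" => "y"));   // key is not a known column
} catch (InvalidArgumentException $e) {
  echo "rejected: ", $e->getMessage(), "\n";
}
```

The last call is the check worth keeping in mind when an API starts accepting arrays: values are safe because they are bound, but keys end up in the SQL text, so they need a whitelist of their own.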
|
This reverts commit 1f014aae6c16bbda62d8f5937180f11ccb0eb1b1.
|
|
Old API: $obj->original("field_name")
New API: $obj->original()->field_name
This allows us to revert the various xxx_updated events back to passing
an original ORM as well as the updated one. This makes for a
cleaner event API.
Old API: comment_updated($comment) { $comment->original("field_name") }
New API: comment_updated($old, $new) { $old->field_name }
|
|
tag_event:item_edit_form to use the new Form_Script library to inject
script into a form.
Signed-off-by: Tim Almdal <tnalmdal@shaw.ca>
|
|
tag_event:item_edit_form to use the new Form_Script library to inject
script into a form.
|
|
of either a url to a script file or inline text which will be included
in a script block.
Signed-off-by: Tim Almdal <tnalmdal@shaw.ca>
|
|
of either a url to a script file or inline text which will be included
in a script block.
|
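A library that takes "either a url to a script file or inline text" and emits it into a script block is exactly the kind of helper that needs two checks: the url must not be a javascript: or attacker-chosen source, and the inline text must never contain a sequence that closes the script block early. The following is an added example written for this page, not Gallery3's Form_Script; the class and method names, the url policy and the sample values are assumptions.

```php
<?php
// Added example, not Gallery3's Form_Script. Renders the two kinds of script
// the commit describes (a url to a file, or inline text) with the checks a
// reviewer would want around each. Names and policy are assumptions.

class FormScript {
  private $urls = array();
  private $inline = array();

  // A script url must be a site-relative path or an http(s) url; javascript:,
  // data: and protocol-relative "//host" forms are refused. A real application
  // would additionally restrict the allowed hosts.
  public function add_url($url) {
    if (!preg_match('#^(/[^/]|https?://)#', $url)) {
      throw new InvalidArgumentException("refusing script url: $url");
    }
    $this->urls[] = $url;
    return $this;
  }

  // Inline text is emitted verbatim inside <script>, so the HTML parser must
  // never see a closing tag or a comment opener in it. Refuse both rather than
  // trying to escape them; callers should pass data through json_encode().
  public function add_inline($js) {
    if (preg_match('#</script|<!--#i', $js)) {
      throw new InvalidArgumentException("inline script would break out of its <script> block");
    }
    $this->inline[] = $js;
    return $this;
  }

  public function render() {
    $html = "";
    foreach ($this->urls as $url) {
      $html .= '<script src="' . htmlspecialchars($url, ENT_QUOTES, "UTF-8") . '"></script>' . "\n";
    }
    if ($this->inline) {
      $html .= "<script>\n" . implode("\n", $this->inline) . "\n</script>\n";
    }
    return $html;
  }
}

// Constructed hostile value that a user could have typed as a tag name.
$tag = 'x</script><script>alert(1)</script>';

$script = new FormScript();
$script->add_url("/modules/tag/js/tag.js");

try {
  $script->add_inline("var tag = '" . $tag . "';");   // raw interpolation: refused
} catch (InvalidArgumentException $e) {
  echo $e->getMessage(), "\n";
}

// json_encode() escapes "/" by default and JSON_HEX_TAG turns < and > into
// \u003C and \u003E, so the same value is accepted and stays inside the string.
$script->add_inline("var tag = " . json_encode($tag, JSON_HEX_TAG) . ";");
echo $script->render();
```

The refused call and the accepted one carry the same data; the only difference is that the second lets a JSON encoder, not string concatenation, produce the JavaScript literal.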
|
javascript lib (gallery.reload.js) which defines the functions
gallery_reload() and gallery_location(new_location). They just
do a window.location.reload() and window.location = new_location.
This change breaks the assumption that all themes will handle page reloads
the same and allows the theme to customize the page refresh.
|
|
Revert "Changed access::user_can to force the owner of an item to have"
This reverts commit 0b97cfd6f098be08be5f3cf1dbca1cce580ae330.
|
|
view permission on the parent. Added a whitelist of allowable
owner permissions.
If the requested permission is view and the user requesting access
is the owner, check that they have view permission to the parent.
|
|
|
This required putting a wrapper view around the forms and passing
this view as the parameter to the item_edit_form event. The view
contains a $script variable that the modules can add script to be
included in the form html when rendered as part of the ajax response.
|
|
on the tag add form in the tag sidebar block. Updated the xss golden file as well. Still to do: figure out how to get it into the edit popup dialog.
|
|
their new target. After each move, recalculate the permissions for
the new parent's hierarchy.
Fixes ticket #552
|
|
1) The item_updated event no longer takes the old and new items.
Instead we overload ORM to track the original data and make
that available via the item. This will allow us to move event
publishing down into the API methods which in turn will give us
more stability since we won't require each controller to remember
to do it.
2) ORM class now tracks the original values. It doesn't track
the original relationships (no need for that, yet)
3) Added new events:
item_deleted
group_deleted
user_deleted
|
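The two passages about ORM original-value tracking (the item_updated commit above, which moves event publishing into the API so controllers cannot forget it, and the later original() change that exposes the loaded values as $obj->original()->field_name and passes both the original and the updated record to the event) describe one mechanism. The following is an added example written for this page, not Gallery3's ORM or event code; the Record and EventBus classes, and the audit listener, are assumptions.

```php
<?php
// Added example, not Gallery3's ORM. A record keeps the values it was loaded
// with, exposes them as $item->original()->field, and publishes item_updated
// from save() with the original and the updated record. Names are assumptions.

class EventBus {
  private $listeners = array();

  public function on($event, $callback) {
    $this->listeners[$event][] = $callback;
  }

  public function fire($event, array $args) {
    if (empty($this->listeners[$event])) {
      return;
    }
    foreach ($this->listeners[$event] as $callback) {
      call_user_func_array($callback, $args);
    }
  }
}

class Record {
  private $data;
  private $original;

  public function __construct(array $data) {
    $this->data = $data;
    $this->original = $data;   // snapshot taken at load time
  }

  public function __get($name) {
    if (!array_key_exists($name, $this->data)) {
      throw new OutOfRangeException("no field '$name'");
    }
    return $this->data[$name];
  }

  public function __set($name, $value) {
    $this->data[$name] = $value;
  }

  // Loaded values as an object, so callers write $item->original()->owner_id.
  public function original() {
    return (object) $this->original;
  }

  // field => array(old, new) for every field that differs from the snapshot.
  public function changed() {
    $diff = array();
    foreach ($this->data as $field => $value) {
      $before = array_key_exists($field, $this->original) ? $this->original[$field] : null;
      if ($before !== $value) {
        $diff[$field] = array($before, $value);
      }
    }
    return $diff;
  }

  // Publishing from save() rather than from each controller is the point of
  // the change: no caller can forget to fire the event.
  public function save(EventBus $events) {
    if ($this->changed()) {
      $old = new Record($this->original);
      $events->fire("item_updated", array($old, $this));
    }
    $this->original = $this->data;   // the saved state becomes the new baseline
  }
}

// Constructed usage: an audit listener that only cares about ownership changes,
// the kind of field change a security reviewer wants a record of.
$events = new EventBus();
$events->on("item_updated", function (Record $old, Record $new) {
  if ($old->owner_id !== $new->owner_id) {
    printf("audit: item %d owner changed %d -> %d\n", $new->id, $old->owner_id, $new->owner_id);
  }
});

$item = new Record(array("id" => 7, "title" => "Holiday", "owner_id" => 2));
$item->title = "Holiday 2009";
$item->owner_id = 5;
print_r($item->changed());                // title and owner_id, each as array(old, new)
echo $item->original()->owner_id, "\n";   // 2
$item->save($events);                     // audit: item 7 owner changed 2 -> 5
$item->save($events);                     // nothing changed since last save: no event
```

Note that the snapshot covers field values only; as the commit says, relationships are not tracked, so a listener that needs to know about changed tags or permissions cannot get that from original().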