Merge branch 'maint-2.0' into maint-2.1

* maint-2.0:
  installation: post-release version bump
  Invenio v2.0.6
  global: fix flash message CSS class bug
  tags: fix flash message
  annotations: fix link display in flash message
  accounts: fix link display in flash message
  search: fix flash messages security
  global: fix standard flash messages security

Signed-off-by: Jiri Kuncar <[email protected]>

MANIFEST.in

@@ -5,6 +5,7 @@ include *.txt
 include *.yml
 include .bowerrc
 include .dockerignore
+include .editorconfig
 include ABOUT-NLS
 include AUTHORS
 include COPYING

NEWS

@@ -543,6 +543,81 @@ Notes
   - Add `invenio.modules.unapi` to PACKAGES if you would like to keep
     the `/unapi` url.
 
+Invenio v2.0.6 -- released 2015-09-01
+-------------------------------------
+
+Security fixes
+~~~~~~~~~~~~~~
+
++ global
+
+  - Fixes potential XSS issues by changing main flash messages
+    template so that they are not displayed as safe HTML by default.
+
++ search
+
+  - Fixes potential XSS issues by changing search flash messages
+    template so that they are not displayed as safe HTML by default.
+
+
+Improved features
+~~~~~~~~~~~~~~~~~
+
++ I18N
+
+  - Completes Italian translation.
+  - Completes French translation.
+
++ global
+
+  - Adds super(SmartDict, self).__init__ call in the __init__ method
+    in SmartDict to be able to make multiple inheritance in Record
+    class in invenio-records and be able to call both parent's
+    __init__.
+
+
+Bug fixes
+~~~~~~~~~
+
++ OAIHarvest
+
+  - Fixes the parsing of resumptiontoken in incoming OAI-PMH XML which
+    could fail when the resumptiontoken was empty.
+
++ i18n
+
+  - Updates PO message catalogues and cleans them of duplicated
+    messages.  (#3455)
+
++ installation
+
+  - Fixes database creation and upgrading by limiting Alembic version
+    to <0.7.
+
++ legacy
+
+  - Addresses an issue with calling six urllib.parse in a wrong way,
+    making users unable to harvest manually from the command line.
+
+
+Notes
+~~~~~
+
++ global
+
+  - Displaying HTML safe flash messages can be done by using one of
+    these flash contexts: '(html_safe)', 'info(html_safe)',
+    'danger(html_safe)', 'error(html_safe)', 'warning(html_safe)',
+    'success(html_safe)' instead of the standard ones (which are the
+    same without '(html safe)' at the end).
+
++ search
+
+  - Displaying HTML safe flash messages can be done by using one of
+    these flash contexts: 'search-results-after(html_safe)',
+    'websearch-after-search-form(html_safe)' instead of the standard
+    ones (which are the same without '(html safe)' at the end).
+
 Invenio v2.0.5 -- released 2015-07-17
 -------------------------------------
 

invenio/base/templates/_macros.html

@@ -19,11 +19,18 @@
 
 {%- macro flashed_messages() -%}
   {% block messages %}
-    {% for category, msg in get_flashed_messages(with_categories=True, category_filter=['', 'info', 'danger', 'error', 'warning', 'success']) %}
-    {% set category = 'danger' if category == 'error' else category %}
-      <div class="alert alert-{{ category }}">
+    {% for category, msg in get_flashed_messages(with_categories=True,
+    category_filter=['', 'info', 'danger', 'error', 'warning', 'success',
+    '(html_safe)', 'info(html_safe)', 'danger(html_safe)', 'error(html_safe)',
+    'warning(html_safe)', 'success(html_safe)']) %}
+    {% set category = 'danger' if category == 'error' or category == 'error(html_safe)' else category %}
+      <div class="alert alert-{{ category[:-('(html_safe)'|length)] if category.endswith('(html_safe)') else category }}">
         <a class="close" data-dismiss="alert" href="#">&times;</a>
-        {{ msg|safe }}
+        {% if category.endswith('(html_safe)') %}
+            {{ msg|safe }}
+        {% else %}
+            {{ msg }}
+        {% endif %}
       </div>
     {% endfor %}
   {% endblock messages %}

invenio/ext/script/__init__.py

@@ -147,7 +147,7 @@ def check_for_software_updates(flash_message=False):
                         'download. You may want to visit '
                         '<a href="%(wiki)s">%()s</a>',
                         wiki='<a href=\"http://invenio-software.org/wiki/'
-                             '/Installation/Download'), 'warning')
+                             '/Installation/Download'), 'warning(html_safe)')
 
             return False
     except Exception as e:

invenio/modules/accounts/forms.py

@@ -173,7 +173,7 @@ def validate_email(self, field):
         from flask import flash, url_for
         flash(_("Note that if you have changed your email address, you \
                 will have to <a href=%(link)s>reset</a> your password anew.",
-                link=url_for('webaccount.lost')), 'warning')
+                link=url_for('webaccount.lost')), 'warning(html_safe)')
 
 
 class ProfileForm(InvenioBaseForm):

invenio/modules/annotations/views.py

@@ -196,7 +196,7 @@ def notes(recid):
         flash(_('This is a summary of all the comments that includes only the \
                  existing annotations. The full discussion is available \
                  <a href="' + url_for('comments.comments', recid=recid) +
-                '">here</a>.'), "info")
+                '">here</a>.'), "info(html_safe)")
 
     from invenio.utils.washers import wash_html_id
 

invenio/modules/search/templates/search/form/index_base.html

@@ -1,6 +1,6 @@
 {#
 # This file is part of Invenio.
-# Copyright (C) 2014 CERN.
+# Copyright (C) 2014, 2015 CERN.
 #
 # Invenio is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
@@ -35,10 +35,15 @@
 </div>
 {%- block search_form_flashed_messages -%}
 {%- for category, msg in get_flashed_messages(with_categories=True,
-                                             category_filter=['websearch-after-search-form']) %}
+                                             category_filter=['websearch-after-search-form',
+                                             'websearch-after-search-form(html_safe)']) %}
 <div class="row">
   <div class="col-md-12">
-    {{ msg|safe }}
+    {% if category.endswith('(html_safe)') %}
+      {{ msg|safe }}
+    {% else %}
+      {{ msg }}
+    {% endif %}
   </div>
 </div>
   {%- endfor %}

invenio/modules/search/templates/search/results_base.html

@@ -256,8 +256,13 @@
         {%- endblock search_results_footer %}
       </form>
 
-  {% for category, msg in get_flashed_messages(with_categories=True, category_filter=['search-results-after']) %}
-    {{ msg|safe }}
+  {% for category, msg in get_flashed_messages(with_categories=True,
+  category_filter=['search-results-after', 'search-results-after(html_safe)']) %}
+    {% if category.endswith('(html_safe)') %}
+      {{ msg|safe }}
+    {% else %}
+      {{ msg }}
+    {% endif %}
   {% endfor %}
 {% endblock %}{% endmacro %}
 

invenio/modules/tags/views.py

@@ -21,8 +21,8 @@
 
 from __future__ import unicode_literals
 
-from flask import Blueprint, flash, jsonify, redirect, render_template, \
-    request, url_for
+from flask import Blueprint, escape, flash, jsonify, redirect, \
+    render_template, request, url_for
 
 from flask_breadcrumbs import default_breadcrumb_root, register_breadcrumb
 
@@ -188,8 +188,8 @@ def tag_edit(id_tag):
             flash(_('Tag Successfully edited.'), 'success')
 
         else:
-            flash(_('Tag name') + ' <strong>' + tag.name + '</strong> ' +
-                  _('is already in use.'), 'error')
+            flash(_('Tag name') + ' <strong>' + escape(tag.name) +
+                  '</strong> ' + _('is already in use.'), 'error(html_safe)')
 
     return dict(tag=tag, form=form)
 

invenio/version.py

@@ -30,7 +30,7 @@
 # - revision can be set if you want to override the date coming from git.
 #
 # See the doctest below.
-version = (2, 1, 1, 'dev', 20150616)
+version = (2, 1, 1, 'dev', 20150901)
 
 
 def build_version(*args):