diff --git a/MANIFEST.in b/MANIFEST.in
index 7fa12f4563..283d62ef05 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -5,6 +5,7 @@ include *.txt
 include *.yml
 include .bowerrc
 include .dockerignore
+include .editorconfig
 include ABOUT-NLS
 include AUTHORS
 include COPYING
diff --git a/NEWS b/NEWS
index 7593ec69b3..2da4577e56 100644
--- a/NEWS
+++ b/NEWS
@@ -543,6 +543,81 @@ Notes - Add `invenio.modules.unapi` to PACKAGES if you would like to keep the `/unapi` url. +Invenio v2.0.6 -- released 2015-09-01 +------------------------------------- + +Security fixes +~~~~~~~~~~~~~~ + ++ global + + - Fixes potential XSS issues by changing main flash messages + template so that they are not displayed as safe HTML by default. + ++ search + + - Fixes potential XSS issues by changing search flash messages + template so that they are not displayed as safe HTML by default. + + +Improved features +~~~~~~~~~~~~~~~~~ + ++ I18N + + - Completes Italian translation. + - Completes French translation. + ++ global + + - Adds super(SmartDict, self).__init__ call in the __init__ method + in SmartDict to be able to make multiple inheritance in Record + class in invenio-records and be able to call both parent's + __init__. + + +Bug fixes +~~~~~~~~~ + ++ OAIHarvest + + - Fixes the parsing of resumptiontoken in incoming OAI-PMH XML which + could fail when the resumptiontoken was empty. + ++ i18n + + - Updates PO message catalogues and cleans them of duplicated + messages. (#3455) + ++ installation + + - Fixes database creation and upgrading by limiting Alembic version + to <0.7. + ++ legacy + + - Addresses an issue with calling six urllib.parse in a wrong way, + making users unable to harvest manually from the command line. + + +Notes +~~~~~ + ++ global + + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: '(html_safe)', 'info(html_safe)', + 'danger(html_safe)', 'error(html_safe)', 'warning(html_safe)', + 'success(html_safe)' instead of the standard ones (which are the + same without '(html safe)' at the end). + ++ search + + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: 'search-results-after(html_safe)', + 'websearch-after-search-form(html_safe)' instead of the standard + ones (which are the same without '(html safe)' at the end). 
+ Invenio v2.0.5 -- released 2015-07-17 ------------------------------------- diff --git a/invenio/base/templates/_macros.html b/invenio/base/templates/_macros.html index 13bd6419c5..f800c4d75e 100644 --- a/invenio/base/templates/_macros.html +++ b/invenio/base/templates/_macros.html @@ -19,11 +19,18 @@ {%- macro flashed_messages() -%} {% block messages %} - {% for category, msg in get_flashed_messages(with_categories=True, category_filter=['', 'info', 'danger', 'error', 'warning', 'success']) %} - {% set category = 'danger' if category == 'error' else category %} -
+ {% for category, msg in get_flashed_messages(with_categories=True, + category_filter=['', 'info', 'danger', 'error', 'warning', 'success', + '(html_safe)', 'info(html_safe)', 'danger(html_safe)', 'error(html_safe)', + 'warning(html_safe)', 'success(html_safe)']) %} + {% set category = 'danger' if category == 'error' or category == 'error(html_safe)' else category %} +
× - {{ msg|safe }} + {% if category.endswith('(html_safe)') %} + {{ msg|safe }} + {% else %} + {{ msg }} + {% endif %}
{% endfor %} {% endblock messages %} diff --git a/invenio/ext/script/__init__.py b/invenio/ext/script/__init__.py index 19066ec4d5..3c608e1220 100644 --- a/invenio/ext/script/__init__.py +++ b/invenio/ext/script/__init__.py @@ -147,7 +147,7 @@ def check_for_software_updates(flash_message=False): 'download. You may want to visit ' '%()s', wiki='reset your password anew.", - link=url_for('webaccount.lost')), 'warning') + link=url_for('webaccount.lost')), 'warning(html_safe)') class ProfileForm(InvenioBaseForm): diff --git a/invenio/modules/annotations/views.py b/invenio/modules/annotations/views.py index 5c8752877e..4a5da6717f 100644 --- a/invenio/modules/annotations/views.py +++ b/invenio/modules/annotations/views.py @@ -196,7 +196,7 @@ def notes(recid): flash(_('This is a summary of all the comments that includes only the \ existing annotations. The full discussion is available \ here.'), "info") + '">here.'), "info(html_safe)") from invenio.utils.washers import wash_html_id diff --git a/invenio/modules/search/templates/search/form/index_base.html b/invenio/modules/search/templates/search/form/index_base.html index 7d2b8fd5b8..e02de61614 100644 --- a/invenio/modules/search/templates/search/form/index_base.html +++ b/invenio/modules/search/templates/search/form/index_base.html @@ -1,6 +1,6 @@ {# # This file is part of Invenio. -# Copyright (C) 2014 CERN. +# Copyright (C) 2014, 2015 CERN. # # Invenio is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as @@ -35,10 +35,15 @@
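Review bot: Messages flashed with the new 'error(html_safe)' category can never reach the `|safe` branch, because the `{% set category = 'danger' if category == 'error' or category == 'error(html_safe)' else category %}` line rewrites the category to 'danger' before `{% if category.endswith('(html_safe)') %}` is evaluated, so a plain-string message flashed with that category (the tag_edit view in this same commit uses it) takes the escaping branch. Capture the flag before the remap with `{% set html_safe = category.endswith('(html_safe)') %}` ahead of the set line and branch on `{% if html_safe %}` instead. The alert's class markup was dropped by the extraction, so I can't confirm it; if it interpolates `{{ category }}`, the other html-safe categories now yield class names like "alert-info(html_safe)", which a `{% set category = category.replace('(html_safe)', '') %}` after the flag capture would avoid.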
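Review bot: The href concatenated into this message before the `'">here.'` fragment is now rendered through `|safe` via the "info(html_safe)" category, so whatever is spliced in there must itself be HTML-safe; the extraction has dropped that part of the line, so I can't confirm whether it comes from `url_for` or from request-derived data. If it is anything other than a `url_for` result, wrap it with `escape()` before concatenation (the same helper the tags view imports in this commit), and consider adding a comment such as `# message is flashed html-safe: every interpolated value must be escaped or url_for-generated` above the call. `notes` continues outside the hunk.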
{%- block search_form_flashed_messages -%} {%- for category, msg in get_flashed_messages(with_categories=True, - category_filter=['websearch-after-search-form']) %} + category_filter=['websearch-after-search-form', + 'websearch-after-search-form(html_safe)']) %}
- {{ msg|safe }} + {% if category.endswith('(html_safe)') %} + {{ msg|safe }} + {% else %} + {{ msg }} + {% endif %}
{%- endfor %} diff --git a/invenio/modules/search/templates/search/results_base.html b/invenio/modules/search/templates/search/results_base.html index 4eb698e5e4..2323404240 100644 --- a/invenio/modules/search/templates/search/results_base.html +++ b/invenio/modules/search/templates/search/results_base.html @@ -256,8 +256,13 @@ {%- endblock search_results_footer %} - {% for category, msg in get_flashed_messages(with_categories=True, category_filter=['search-results-after']) %} - {{ msg|safe }} + {% for category, msg in get_flashed_messages(with_categories=True, + category_filter=['search-results-after', 'search-results-after(html_safe)']) %} + {% if category.endswith('(html_safe)') %} + {{ msg|safe }} + {% else %} + {{ msg }} + {% endif %} {% endfor %} {% endblock %}{% endmacro %} diff --git a/invenio/modules/tags/views.py b/invenio/modules/tags/views.py index e8405f9232..8292f20088 100644 --- a/invenio/modules/tags/views.py +++ b/invenio/modules/tags/views.py @@ -21,8 +21,8 @@ from __future__ import unicode_literals -from flask import Blueprint, flash, jsonify, redirect, render_template, \ - request, url_for +from flask import Blueprint, escape, flash, jsonify, redirect, \ + render_template, request, url_for from flask_breadcrumbs import default_breadcrumb_root, register_breadcrumb @@ -188,8 +188,8 @@ def tag_edit(id_tag): flash(_('Tag Successfully edited.'), 'success') else: - flash(_('Tag name') + ' ' + tag.name + ' ' + - _('is already in use.'), 'error') + flash(_('Tag name') + ' ' + escape(tag.name) + + ' ' + _('is already in use.'), 'error(html_safe)') return dict(tag=tag, form=form) diff --git a/invenio/version.py b/invenio/version.py index 9206906506..d95a70df4a 100644 --- a/invenio/version.py +++ b/invenio/version.py @@ -30,7 +30,7 @@ # - revision can be set if you want to override the date coming from git. # # See the doctest below. -version = (2, 1, 1, 'dev', 20150616) +version = (2, 1, 1, 'dev', 20150901) def build_version(*args):
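Review bot: The `{% if category.endswith('(html_safe)') %} … {% else %} … {% endif %}` block added here is the third copy of the same branch in this commit, the others being in _macros.html and results_base.html; a small shared macro such as `{% macro flash_body(category, msg) %}` in _macros.html would keep the html-safe decision in one place, so that a later edit to one template cannot quietly reintroduce an unconditional `{{ msg|safe }}`. The category suffix check and the category name list are also easy to drift apart when they are hand-copied per template; deriving the filter as `category_filter=['websearch-after-search-form', 'websearch-after-search-form(html_safe)']` from a single base name in that macro would tie them together. The enclosing block continues outside the hunk.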
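Review bot: The rebuilt message in tag_edit escapes tag.name by hand and then flashes the whole string as 'error(html_safe)', although nothing in it is markup; flashing it with the plain category, `flash(_('Tag name') + ' ' + tag.name + ' ' + _('is already in use.'), 'error')`, lets the template escape it and keeps the translated fragments out of the |safe path. That also sidesteps the remap in _macros.html in this same commit, which turns 'error(html_safe)' into 'danger' before the html-safe check runs, so the html-safe category does not even take effect here. The `escape` import added in the first hunk of this file would then be unneeded. tag_edit's body starts outside the hunk.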