From a6fb23302e8a84f93178b25f065e30c3d2106fbc Mon Sep 17 00:00:00 2001 From: Eymen Elkum Date: Sat, 24 Apr 2021 16:59:32 +0300 Subject: [PATCH 1/2] typo fix (#1974) --- application/Espo/Jobs/Cleanup.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/Espo/Jobs/Cleanup.php b/application/Espo/Jobs/Cleanup.php index 92b3a6e80b..80d88b7664 100644 --- a/application/Espo/Jobs/Cleanup.php +++ b/application/Espo/Jobs/Cleanup.php @@ -63,7 +63,7 @@ class Cleanup implements Job protected $config; protected $entityManager; - protected $metedata; + protected $metadata; protected $fileManager; protected $injectableFactory; protected $selectManagerFactory; From 1a672a8aa31631d466e36d098393172554d1da7d Mon Sep 17 00:00:00 2001 From: Yuri Kuznetsov Date: Tue, 4 May 2021 16:08:35 +0300 Subject: [PATCH 2/2] escaping --- client/src/views/fields/attachment-multiple.js | 7 +++++++ client/src/views/fields/file.js | 6 ++++++ .../src/views/fields/link-multiple-with-primary.js | 5 ++++- client/src/views/fields/link-multiple-with-role.js | 12 ++++++++++-- client/src/views/fields/link-multiple.js | 11 +++++++++-- client/src/views/fields/link.js | 9 ++++++++- client/src/views/fields/user.js | 3 +++ 7 files changed, 47 insertions(+), 6 deletions(-) diff --git a/client/src/views/fields/attachment-multiple.js b/client/src/views/fields/attachment-multiple.js index 6cd01b4403..40dc3b543a 100644 --- a/client/src/views/fields/attachment-multiple.js +++ b/client/src/views/fields/attachment-multiple.js @@ -293,6 +293,8 @@ define('views/fields/attachment-multiple', 'views/fields/base', function (Dep) { }, getDownloadUrl: function (id) { + id = Handlebars.Utils.escapeExpression(id); + var url = this.getBasePath() + '?entryPoint=download&id=' + id; if (this.getUser().get('portalId')) { 
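Review bot: In `getDownloadUrl` (and likewise in `getImageUrl` and the preview `src` built in `client/src/views/fields/file.js`), `id` is HTML-escaped before being concatenated into a query string, which is the wrong encoding for that context. `Handlebars.Utils.escapeExpression` leaves `#`, `%` and `+` untouched, and turns `&` into `&amp;`, which the browser decodes back to `&` once the URL sits in an attribute, so an unexpected id can still alter the query string. Encode the value for the URL with `var url = this.getBasePath() + '?entryPoint=download&id=' + encodeURIComponent(id);` and apply `escapeExpression` at the point where the finished URL is written into markup. If any caller uses the returned URL outside HTML (the callers are not visible here), it now receives entity-encoded text. The body of `getDownloadUrl` continues outside the hunk.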
@@ -354,6 +356,7 @@ define('views/fields/attachment-multiple', 'views/fields/base', function (Dep) { getEditPreview: function (name, type, id) { name = Handlebars.Utils.escapeExpression(name); + id = Handlebars.Utils.escapeExpression(id); var preview = name; @@ -365,6 +368,8 @@ define('views/fields/attachment-multiple', 'views/fields/base', function (Dep) { }, addAttachmentBox: function (name, type, id, link) { + id = Handlebars.Utils.escapeExpression(id); + var $attachments = this.$attachments; var removeLink = ''+ @@ -609,6 +614,7 @@ define('views/fields/attachment-multiple', 'views/fields/base', function (Dep) { getDetailPreview: function (name, type, id) { name = Handlebars.Utils.escapeExpression(name); + id = Handlebars.Utils.escapeExpression(id); var preview = name; @@ -648,6 +654,7 @@ define('views/fields/attachment-multiple', 'views/fields/base', function (Dep) { continue; } + var line = '
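Review bot: In `addAttachmentBox`, `getEditPreview` and `getDetailPreview`, the escaped value is assigned back to the `id` parameter, so the rest of each function cannot tell raw from escaped. `addAttachmentBox` and `getEditPreview` now both escape `id`; if the former passes its `id` on to the latter (that part of the body is outside the hunk), the value is escaped twice. Any non-markup use of `id` further down, such as a data attribute set through jQuery or a lookup, would also receive the entity-encoded form. A separate local, `var escapedId = Handlebars.Utils.escapeExpression(id);`, used only where markup is built by string concatenation, keeps the two apart. A short comment on each helper, stating whether it expects raw or already-escaped arguments, would make the contract explicit.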
' + ' ' + '' + diff --git a/client/src/views/fields/file.js b/client/src/views/fields/file.js index a0b614a883..f418588048 100644 --- a/client/src/views/fields/file.js +++ b/client/src/views/fields/file.js @@ -308,6 +308,8 @@ define('views/fields/file', 'views/fields/link', function (Dep) { } } + id = Handlebars.Utils.escapeExpression(id); + var src = this.getBasePath() + '?entryPoint=image&size=' + previewSize + '&id=' + id; var img = ''; @@ -328,6 +330,8 @@ define('views/fields/file', 'views/fields/link', function (Dep) { getEditPreview: function (name, type, id) { name = Handlebars.Utils.escapeExpression(name); + id = Handlebars.Utils.escapeExpression(id); + var preview = name; if (~this.previewTypeList.indexOf(type)) { @@ -369,6 +373,8 @@ define('views/fields/file', 'views/fields/link', function (Dep) { }, getImageUrl: function (id, size) { + id = Handlebars.Utils.escapeExpression(id); + var url = this.getBasePath() + '?entryPoint=image&id=' + id; if (size) { diff --git a/client/src/views/fields/link-multiple-with-primary.js b/client/src/views/fields/link-multiple-with-primary.js index e5c5f7045e..ec12341053 100644 --- a/client/src/views/fields/link-multiple-with-primary.js +++ b/client/src/views/fields/link-multiple-with-primary.js @@ -125,6 +125,9 @@ Espo.define('views/fields/link-multiple-with-primary', 'views/fields/link-multip addLinkHtml: function (id, name) { name = name || id; + id = Handlebars.Utils.escapeExpression(id); + name = Handlebars.Utils.escapeExpression(name); + if (this.mode == 'search') { return Dep.prototype.addLinkHtml.call(this, id, name); } @@ -132,7 +135,7 @@ Espo.define('views/fields/link-multiple-with-primary', 'views/fields/link-multip var $container = this.$el.find('.link-container'); var $el = $('
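Review bot: In `addLinkHtml` of `client/src/views/fields/link-multiple-with-primary.js`, `id` and `name` are escaped before the search-mode branch, so `Dep.prototype.addLinkHtml.call(this, id, name)` receives already-escaped values. The diffstat shows `link-multiple.js` gaining escaping in the same commit. If the parent method escapes its arguments as well (not visible here), a name such as `A & B` would be double-encoded in search mode and displayed as `A &amp; B`. Moving the two `Handlebars.Utils.escapeExpression` lines below the `if (this.mode == 'search') { ... }` block keeps escaping in exactly one place per path. The remainder of the method is in the following hunk, which is cut off in this view.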