Bug 978070: Do not use document.write() to insert HTML code

r/a=justdave
author: Frédéric Buclin <LpSolit@gmail.com> 2014-03-26 20:10:07 +0100
committer: Frédéric Buclin <LpSolit@gmail.com> 2014-03-26 20:10:07 +0100
commit: cf74a17e34f66ecdeb092f7b020bed95821a2492 (patch)
tree: 0b188f062dd96107ee6cc75ba4570a5ef44bea96
parent: fd518e1e24aa4b1164634ef5c432621f2c6bbb64 (diff)
download: bugzilla-cf74a17e34f66ecdeb092f7b020bed95821a2492.tar.gz
bugzilla-cf74a17e34f66ecdeb092f7b020bed95821a2492.tar.xz
5 files changed, 58 insertions, 56 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index 1ab30853c..87ae525e7 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -28,7 +28,7 @@
 %]
 
 [%# No need to display the Diff button and iframe if the attachment is not a patch. %]
-[% use_patchviewer = (feature_enabled('patch_viewer') && attachment.ispatch) %]
+[% use_patchviewer = (feature_enabled('patch_viewer') && attachment.ispatch) ? 1 : 0 %]
 [% can_edit = attachment.validate_can_edit %]
 [% editable_or_hide = can_edit ? "" : " bz_hidden_option" %]
 
@@ -202,30 +202,33 @@
                 <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
               </iframe>
             [% END %]
+
+            [% IF use_patchviewer %]
+              <iframe id="viewDiffFrame" class="bz_default_hidden"></iframe>
+            [% END %]
+
+            [% IF user.id %]
+              <button type="button" id="editButton" class="bz_default_hidden"
+                      onclick="editAsComment([% use_patchviewer %]);">Edit Attachment As Comment</button>
+              <button type="button" id="undoEditButton" class="bz_default_hidden"
+                      onclick="undoEditAsComment([% use_patchviewer %]);">Undo Edit As Comment</button>
+              <button type="button" id="redoEditButton" class="bz_default_hidden"
+                      onclick="redoEditAsComment([% use_patchviewer %]);">Redo Edit As Comment</button>
+            [% END %]
+
+            [% IF use_patchviewer %]
+              <button type="button" id="viewDiffButton" class="bz_default_hidden"
+                      onclick="viewDiff([% attachment.id %], [% use_patchviewer %]);">View Attachment As Diff</button>
+            [% END %]
+            <button type="button" id="viewRawButton" class="bz_default_hidden"
+                    onclick="viewRaw([% use_patchviewer %]);">View Attachment As Raw</button>
+
             <script type="text/javascript">
-              <!--
-              var patchviewerinstalled = 0;
-              var attachment_id = [% attachment.id %];
-              if (typeof document.getElementById == "function") {
-                [% IF use_patchviewer %]
-                  var patchviewerinstalled = 1;
-                  document.write('<iframe id="viewDiffFrame" class="bz_default_hidden"><\/iframe>');
-                [% END %]
-                [% IF user.id %]
-                  document.write('<button type="button" id="editButton" onclick="editAsComment(patchviewerinstalled);">Edit Attachment As Comment<\/button>');
-                  document.write('<button type="button" id="undoEditButton" onclick="undoEditAsComment(patchviewerinstalled);" class="bz_default_hidden">Undo Edit As Comment<\/button>');
-                  document.write('<button type="button" id="redoEditButton" onclick="redoEditAsComment(patchviewerinstalled);" class="bz_default_hidden">Redo Edit As Comment<\/button>');
-                  var editFrame = document.getElementById('editFrame');
-                  if (editFrame) {
-                    editFrame.disabled = false;
-                  }
-                [% END %]
-                [% IF use_patchviewer %]
-                  document.write('<button type="button" id="viewDiffButton" onclick="viewDiff(attachment_id, patchviewerinstalled);">View Attachment As Diff<\/button>');
-                [% END %]
-                document.write('<button type="button" id="viewRawButton" onclick="viewRaw(patchviewerinstalled);" class="bz_default_hidden">View Attachment As Raw<\/button>');
-              }
-              //-->
+              [% IF user.id %]
+                document.getElementById('editFrame').disabled = false;
+                YAHOO.util.Dom.removeClass("editButton", "bz_default_hidden");
+              [% END %]
+              YAHOO.util.Dom.removeClass("viewDiffButton", "bz_default_hidden");
             </script>
           </div>
         [% ELSE %]
diff --git a/template/en/default/bug/create/create-guided.html.tmpl b/template/en/default/bug/create/create-guided.html.tmpl
index 5cc9df64f..4c087c637 100644
--- a/template/en/default/bug/create/create-guided.html.tmpl
+++ b/template/en/default/bug/create/create-guided.html.tmpl
@@ -29,13 +29,12 @@ var descriptions = [
 ];
 
 function PutDescription() {
-    if ((document.getElementById) && (document.body.innerHTML)) {
-        var componentIndex = document.getElementById('component').selectedIndex;
-        if (componentIndex != -1) {
-            var description = document.getElementById('description');
-            description.innerHTML = descriptions[componentIndex];
-        }
-    }
+  var description = document.getElementById('description');
+  var componentIndex = document.getElementById('component').selectedIndex;
+  YAHOO.util.Dom.removeClass("description", "bz_default_hidden");
+  if (componentIndex != -1) {
+    description.innerHTML = descriptions[componentIndex];
+  }
 }
 </script>
 
@@ -130,12 +129,8 @@ function PutDescription() {
         [% END %]
       </select>
 
-      <div id="description" class="comment">
-        <script type="text/javascript">
-          if ((document.getElementById) && (document.body.innerHTML)) {
-            document.write("Select a component to see its description here.");
-          }
-        </script>
+      <div id="description" class="comment bz_default_hidden">
+        Select a component to see its description here.
       </div>
 
       <p>
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 8a0b459b3..1c3422fa8 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -430,15 +430,9 @@
   with details of what you were doing at the time this message appeared.
 </p>
 
-<samp>
-  <script type="text/javascript"> <!--
-    document.write("<p>URL: " +
-                    document.location.href.replace(/&/g,"&amp;")
-                                          .replace(/</g,"&lt;")
-                                          .replace(/>/g,"&gt;") + "</p>");
-  // -->
-  </script>
-</samp>
+<p>
+  <samp>URL: [% Bugzilla.cgi.self_url FILTER html %]</samp>
+</p>
 
 <div id="error_msg" class="throw_error">
   [% error_message FILTER none %]
diff --git a/template/en/default/list/edit-multiple.html.tmpl b/template/en/default/list/edit-multiple.html.tmpl
index 80204a613..2282d69f4 100644
--- a/template/en/default/list/edit-multiple.html.tmpl
+++ b/template/en/default/list/edit-multiple.html.tmpl
@@ -10,6 +10,11 @@
 <input type="hidden" name="dontchange" value="[% dontchange FILTER html %]">
 <input type="hidden" name="token" value="[% token FILTER html %]">
 
+<input type="button" id="uncheck_all" value="Uncheck All"
+       class="bz_default_hidden" onclick="SetCheckboxes(false);">
+<input type="button" id="check_all" value="Check All"
+       class="bz_default_hidden" onclick="SetCheckboxes(true);">
+
 <script type="text/javascript">
   function SetCheckboxes(value) {
       var elements = document.forms.changeform.getElementsByTagName('input'),
@@ -22,8 +27,8 @@
           }
       }
   }
-  document.write(' <input type="button" name="uncheck_all" value="Uncheck All" onclick="SetCheckboxes(false);">');
-  document.write(' <input type="button" name="check_all" value="Check All" onclick="SetCheckboxes(true);">');
+  YAHOO.util.Dom.removeClass("check_all", "bz_default_hidden");
+  YAHOO.util.Dom.removeClass("uncheck_all", "bz_default_hidden");
 </script>
 
 <hr>
diff --git a/template/en/default/list/quips.html.tmpl b/template/en/default/list/quips.html.tmpl
index 8fb89af7c..e928cf0c5 100644
--- a/template/en/default/list/quips.html.tmpl
+++ b/template/en/default/list/quips.html.tmpl
@@ -107,7 +107,15 @@
         [% END %]
         </tbody>
       </table>
-      <script type="text/javascript"><!--
+
+      <input type="button" id="uncheck_all" value="Uncheck All"
+             class="bz_default_hidden" onclick="SetCheckboxes(false);">
+      <input type="button" id="check_all" value="Check All"
+             class="bz_default_hidden" onclick="SetCheckboxes(true);">
+      <input type="submit" id="update" value="Save Changes">
+
+      <script type="text/javascript">
+        <!--
         var numelements = document.forms.editform.elements.length;
         function SetCheckboxes(value) {
           var item;
@@ -116,13 +124,10 @@
             item.checked = value;
           }
         }
-        document.write(' <input type="button" name="uncheck_all" '
-                      +'value="Uncheck All" onclick="SetCheckboxes(false);">');
-        document.write(' <input type="button" name="check_all" '
-                      +'value="Check All" onclick="SetCheckboxes(true);">');
-        //--></script>
-
-      <input type="submit" id="update" value="Save Changes">
+        YAHOO.util.Dom.removeClass("check_all", "bz_default_hidden");
+        YAHOO.util.Dom.removeClass("uncheck_all", "bz_default_hidden");
+        //-->
+      </script>
     </form>
     <br>
   [% END %]
author	Frédéric Buclin <LpSolit@gmail.com>	2014-03-26 20:10:07 +0100
committer	Frédéric Buclin <LpSolit@gmail.com>	2014-03-26 20:10:07 +0100
commit	cf74a17e34f66ecdeb092f7b020bed95821a2492 (patch)
tree	0b188f062dd96107ee6cc75ba4570a5ef44bea96
parent	fd518e1e24aa4b1164634ef5c432621f2c6bbb64 (diff)
download	bugzilla-cf74a17e34f66ecdeb092f7b020bed95821a2492.tar.gz bugzilla-cf74a17e34f66ecdeb092f7b020bed95821a2492.tar.xz