#156 Prefill request creation form #157
Please check for CSS issues.
if (this.find('input[name="expertise"]').value) { | ||
this.find('input[name="request_title"]').focus(); | ||
} else { | ||
this.find('input[name="expertise"]').focus(); |
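Review bot: the condition picks the focus target from the expertise input alone, so if the title can be prefilled as well, the cursor lands on `request_title` even when that field already has content. Consider focusing the first empty input instead, and keep the result of `this.find('input[name="expertise"]')` in a constant rather than querying it in both branches.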
For performance reasons it might be good calling `find` on `'input[name="expertise"]'` only once.
thanks, fixed
@@ -162,6 +167,13 @@ Template.AssistifyCreateRequest.onCreated(function() { | |||
instance.requestTitle = new ReactiveVar(''); | |||
instance.openingQuestion = new ReactiveVar(''); | |||
|
|||
if (FlowRouter._current.queryParams) { | |||
const expertise = FlowRouter._current.queryParams['topic'] || FlowRouter._current.queryParams['expertise']; |
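Review bot: both added lines read `FlowRouter._current.queryParams`, which is an underscore-prefixed internal of the router rather than its public API. Prefer `FlowRouter.getQueryParam('topic') || FlowRouter.getQueryParam('expertise')`, or `FlowRouter.current().queryParams`, so the template does not depend on router internals that can change without notice.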
I assume that `FlowRouter` is the Rocket.Chat default for accessing request params.
yup.
if (FlowRouter._current.queryParams) { | ||
const expertise = FlowRouter._current.queryParams['topic'] || FlowRouter._current.queryParams['expertise']; | ||
if (expertise) { | ||
instance.expertise.set(expertise); |
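Review bot: `instance.expertise.set(expertise)` stores the URL-supplied value with no check on its type or length. This value comes from a link that anyone can craft, so trim it and cap its length before calling `set`, and confirm that whatever renders `instance.expertise.get()` outputs it as text (an input value or an escaped template expression), not as raw HTML.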
Where is `instance.expertise` printed into the DOM?
Reading an HTTP request parameter and printing it into the DOM is a typical cross-site scripting pitfall.
Did you check that the value of `instance.expertise.get()` is being escaped?
I'd expect FlowRouter to do the escaping, but let me validate...
`FlowRouter` moves the parameters to an object. The properties are already escaped.
http://localhost:3000/create-channel?topic=demo&title=something&question=%3Cscript%3Evar%20buh%20=%20%22buh!%22%22%3C/script%3E leads to a string in the input.
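The escaping question raised in the review above, as an added example (not code from the PR or from Rocket.Chat): it parses the prefill parameters from a URL modelled on the one tested in the thread, using the standard `URL` API rather than FlowRouter, bounds them, and renders the decoded value through a raw and an escaped HTML sink. The length caps and the `preview` markup are assumptions.

```javascript
// Added example (not project code): treat prefill query parameters as untrusted input.
// Parameter names topic/expertise/title/question follow the PR; the caps are assumptions.
const MAX_LEN = { expertise: 64, title: 120, question: 2000 };

// Parse the query string and return only bounded, plain-string prefill values.
function readPrefill(url) {
  const params = new URL(url).searchParams; // percent-decoding happens here
  const raw = {
    expertise: params.get('topic') || params.get('expertise'),
    title: params.get('title'),
    question: params.get('question'),
  };
  const out = {};
  for (const [key, value] of Object.entries(raw)) {
    if (typeof value !== 'string') continue; // parameter absent
    const cleaned = value.replace(/[\u0000-\u001f\u007f]/g, ' ').trim();
    if (cleaned) out[key] = cleaned.slice(0, MAX_LEN[key]);
  }
  return out;
}

// Escape for an HTML text or quoted-attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe sink: the decoded value becomes markup.
const renderRaw = (value) => `<div class="preview">${value}</div>`;
// Safe sink: the decoded value stays text.
const renderEscaped = (value) => `<div class="preview">${escapeHtml(value)}</div>`;

// Constructed sample, modelled on the URL tested in the thread.
const SAMPLE_URL = 'http://localhost:3000/create-channel?topic=demo&title=something' +
  '&question=%3Cscript%3Evar%20buh%20=%20%22buh!%22%3C/script%3E';

const prefill = readPrefill(SAMPLE_URL);
console.log(prefill);                         // decoded values, still containing markup characters
console.log(renderRaw(prefill.question));     // markup reaches the page
console.log(renderEscaped(prefill.question)); // markup is neutralised
```

In Blaze templates the same split is `{{value}}` (escaped) versus `{{{value}}}` (raw); assigning to an input's `value` property never parses HTML.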
This way, fixes #20: The consumer (e.g. the wiki page) can create a simple form and pass the content as parameter

```
FlowRouter.current
ƒ () { // 248
    // We can't trust outside, that's why we clone this
…
```

- refactor query-selectors => reuse
@ruKurz thx for the review, adapted the code.
Travis has failed with an exception. But this seems not to be related with this PR.
LGTM.
* Fixed Issues 87, 88
* Feature/#23 title first message to new request (#149)
* Request title and first message while creating new request
* Make titles of inputs and placeholders more consistent
* Fix display issues:
  - Dropdown overlapped by input field
  - In English, the width of the creation dialog was not 100%, thus input fields within too narrow
* Minor corrections with respect to error handling:
  - Refactor error display to an own template
  - Show error if selected expertise on request creation is invalid (not chosen from the dropdown)
  - Fix positioning of "at" on members selection if invalid
* Fixes #151 - Misspelled label "jetzt chaten" (#152)
* Corrections to creation dialog (#154)
* Corrections to creation dialog
  - Propagate first message properly (fixes #153)
  - Change "Name" to "Title"
  - get rid of flashing error message on auto-complete-confirmation with tab
* Corrections to creation dialog
  - more robust error handling
  - prevent flashing of validation errors
* Fix improper clearing of request title
* Invalid Expertise field highlight
* #156 Prefill request creation form (#157)
* fixes #156
  - Pass topic as URL param (URL encoded) as `topic` or `expertise` (same effect)
  - Title is focused if expertise is passed
* Allow pre-filling of title and question as well. This way, fixes #20: The consumer (e.g. the wiki page) can create a simple form and pass the content as parameter
* - Use the copied current() instead of the internal value
    ```
    FlowRouter.current
    ƒ () { // 248
        // We can't trust outside, that's why we clone this
    …
    ```
  - refactor query-selectors => reuse
* use FlowRouter API properly
* Setting based permissions - downport (#158)
* Allow maintenance of per-setting permissions (cherry picked from commit eed869a)
* Implicitly assign and revoke setting group permissions (cherry picked from commit 28b769b)
* Improve Display of setting permissions (cherry picked from commit 8523456)
* Add path to permission title (cherry picked from commit c87a30d)
* Permission to access setting permissions (cherry picked from commit 48b1076)
* Adapt wording (cherry picked from commit daccad8)
* UI-adaptation: Allow users with permission 'manage-selected-permissions' to see and change the affected settings. However, this is not reactive: Once the permissions for a particular setting are changed, the user needs to log off and on again before it becomes effective in the UI. This is most probably a consequence of the CachedCollection. This collection needed to be changed on permission-change. In the backend however, the permissions become effective immediately. (cherry picked from commit 00e4bb5)
* Don't adapt sorting on the client side (cherry picked from commit 9b71b62)
* Fix: Apply changed setting permissions reactively (cherry picked from commit 293ad73)
* Move setting-based permissions to own collection (cherry picked from commit 8f59f1c)
* Unify collections for setting and other permissions again into one (cherry picked from commit 8d923c2)
* Get rid of frontend exceptions on changing selected settings (cherry picked from commit a7fdc87)
* - Sort permissions by group
  - Do not try to create permissions for hidden settings in higher-level-callbacks
  - Remove `setting-permissions` collection - fully integrated into `permissions` (cherry picked from commit f007231)
* Harmonize wording in German (cherry picked from commit 5cf5df2)
* German language informalized (#160)
* German language informalized
  - Dear Germans, we know you better now. From now on we want to say “Du” to each other 😉
* Update de.i18n.json
* Update de.i18n.json
* Update de.i18n.json
* Allow administration even if user has got only `edit-privileged-setting` but not `view-privileged-setting`
* Revert "Fixed Issues 87, 88 (livechat on mobile devices)" (#164)
* Create configuration expert role on startup (#159)
* Allow maintenance of per-setting permissions (cherry picked from commit eed869a)
* Implicitly assign and revoke setting group permissions (cherry picked from commit 28b769b)
* Improve Display of setting permissions (cherry picked from commit 8523456)
* Add path to permission title (cherry picked from commit c87a30d)
* Permission to access setting permissions (cherry picked from commit 48b1076)
* Adapt wording (cherry picked from commit daccad8)
* UI-adaptation: Allow users with permission 'manage-selected-permissions' to see and change the affected settings. However, this is not reactive: Once the permissions for a particular setting are changed, the user needs to log off and on again before it becomes effective in the UI. This is most probably a consequence of the CachedCollection. This collection needed to be changed on permission-change. In the backend however, the permissions become effective immediately. (cherry picked from commit 00e4bb5)
* Don't adapt sorting on the client side (cherry picked from commit 9b71b62)
* Fix: Apply changed setting permissions reactively (cherry picked from commit 293ad73)
* Move setting-based permissions to own collection (cherry picked from commit 8f59f1c)
* Unify collections for setting and other permissions again into one (cherry picked from commit 8d923c2)
* Get rid of frontend exceptions on changing selected settings (cherry picked from commit a7fdc87)
* - Sort permissions by group
  - Do not try to create permissions for hidden settings in higher-level-callbacks
  - Remove `setting-permissions` collection - fully integrated into `permissions` (cherry picked from commit f007231)
* Harmonize wording in German (cherry picked from commit 5cf5df2)
* add configuration package
* Add default role configuration on startup
* set default system language to DE
* Reduce capabilities of config expert and introduce minor admin
* Parted the roles for configuration and managing the rest
  - Manager - well - manages the application, like a minor admin. Target is that this role is capable of doing everything which is necessary while *regularly* running the application
  - Config-expert is allowed to customize the application (affecting all users' experience)
* Informal german language for our custom texts (#165)
* German language informalized
  - Dear Germans, we know you better now. From now on we want to say “Du” to each other 😉
* German texts of custom enhancement informalized
* Bump version to 0.5.0
* Update HISTORY.md