From 79b8f341f8ca2331b1fb619f70714a121811604f Mon Sep 17 00:00:00 2001 From: pines Date: Sun, 13 May 2007 19:19:01 +0000 Subject: [PATCH] contentWindow wrapper to get around security git-svn-id: svn://svn.open-ils.org/ILS/trunk@7298 dcc99617-32d9-48b4-a31d-7c20da2025e4 --- .../chrome/content/OpenILS/global_util.js | 10 ++++++++ .../xul/staff_client/chrome/content/util/window.js | 4 ++-- .../server/admin/offline_manage_xacts.js | 2 +- .../staff_client/server/admin/printer_settings.js | 2 +- Open-ILS/xul/staff_client/server/cat/marc_new.xul | 2 +- .../staff_client/server/cat/volume_copy_creator.js | 2 +- Open-ILS/xul/staff_client/server/cat/z3950.js | 2 +- .../xul/staff_client/server/circ/circ_summary.xul | 6 ++--- .../xul/staff_client/server/circ/copy_details.xul | 6 ++--- .../staff_client/server/patron/bill_details.xul | 2 +- .../staff_client/server/patron/bill_history.xul | 2 +- Open-ILS/xul/staff_client/server/patron/display.js | 16 ++++++------- .../xul/staff_client/server/patron/display.xul | 8 +++---- .../staff_client/server/patron/hold_notices.xul | 2 +- Open-ILS/xul/staff_client/server/patron/info.xul | 27 ++++++++++------------ .../xul/staff_client/server/patron/info_group.xul | 20 ++++++++++------ 16 files changed, 63 insertions(+), 50 deletions(-) diff --git a/Open-ILS/xul/staff_client/chrome/content/OpenILS/global_util.js b/Open-ILS/xul/staff_client/chrome/content/OpenILS/global_util.js index 290764daf8..9fc4d8c755 100644 --- a/Open-ILS/xul/staff_client/chrome/content/OpenILS/global_util.js +++ b/Open-ILS/xul/staff_client/chrome/content/OpenILS/global_util.js 
@@ -29,6 +29,16 @@ } } + function get_contentWindow(frame) { + netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect'); + if (frame && frame.contentWindow) { + if (typeof frame.contentWindow.wrappedJSObject != 'undefined') return frame.contentWindow.wrappedJSObject; + return frame.contentWindow; + } else { + return null; + } + } + function update_modal_xulG(v) { try { JSAN.use('OpenILS.data'); var data = new OpenILS.data(); data.init({'via':'stash'}); diff --git a/Open-ILS/xul/staff_client/chrome/content/util/window.js b/Open-ILS/xul/staff_client/chrome/content/util/window.js index c7a73bfd6d..a167d9344d 100644 --- a/Open-ILS/xul/staff_client/chrome/content/util/window.js +++ b/Open-ILS/xul/staff_client/chrome/content/util/window.js @@ -98,8 +98,8 @@ util.window.prototype = { return x; } else { if (my_xulG) { - if (w.contentWindow) { - w.contentWindow.xulG = my_xulG; + if (get_contentWindow(w)) { + get_contentWindow(w).xulG = my_xulG; } else { w.xulG = my_xulG; } diff --git a/Open-ILS/xul/staff_client/server/admin/offline_manage_xacts.js b/Open-ILS/xul/staff_client/server/admin/offline_manage_xacts.js index 9e3d4b4b8c..73f856ae99 100644 --- a/Open-ILS/xul/staff_client/server/admin/offline_manage_xacts.js +++ b/Open-ILS/xul/staff_client/server/admin/offline_manage_xacts.js @@ -566,7 +566,7 @@ admin.offline_manage_xacts.prototype = { } } }; - x.contentWindow.xulG = newG; + get_contentWindow(x).xulG = newG; } catch(E) { obj.error.standard_unexpected_error_alert('Error uploading xacts',E); diff --git a/Open-ILS/xul/staff_client/server/admin/printer_settings.js b/Open-ILS/xul/staff_client/server/admin/printer_settings.js index 7d9b6e6760..fc60b49368 100644 --- a/Open-ILS/xul/staff_client/server/admin/printer_settings.js +++ b/Open-ILS/xul/staff_client/server/admin/printer_settings.js 
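Review bot: get_contentWindow hands back `frame.contentWindow.wrappedJSObject`, i.e. the frame's own JS window with the XPCNativeWrapper removed, and the callers in this commit then read and call properties on that object (`f.my_init()` in z3950.js, `default_focus()` in display.xul, `refresh()` in info.xul, `w.refresh(true)` and `w.location.href` in display.js), so every such value is defined by the frame's document rather than by the chrome caller. Nothing in the helper checks what the frame has loaded, so it is only safe while each frame passed in carries a trusted staff-client `urls.*` src; I would state that contract in a header comment, e.g. `// Returns the unwrapped (wrappedJSObject) window of an iframe, or null if there is none. Only pass frames whose src is a trusted staff-client URL: properties read from the result are defined by the frame's own script.`, and consider comparing `frame.contentWindow.location.href` with the expected `urls.*` entry before unwrapping, returning null on a mismatch. The null return also means writers such as `get_contentWindow(x).xulG = newG` (offline_manage_xacts.js, marc_new.xul, circ_summary.xul and others in this commit) now fail with a TypeError on a missing frame; that is the same failure mode as the old `x.contentWindow.xulG`, but worth naming in the same comment.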
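Review bot: In window.js the new lines call get_contentWindow(w) twice in a row, and each call re-runs enablePrivilege and re-unwraps the window; store the result once, `var cw = get_contentWindow(w); if (cw) { cw.xulG = my_xulG; } else { w.xulG = my_xulG; }`. The enclosing method starts and ends outside the hunk.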
@@ -32,7 +32,7 @@ g.page_settings = function() { g.printer_settings = function() { netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); - var w = document.getElementById('sample').contentWindow; + var w = get_contentWindow(document.getElementById('sample')); g.print.NSPrint(w ? w : window, false, {}); g.print.save_settings(); } diff --git a/Open-ILS/xul/staff_client/server/cat/marc_new.xul b/Open-ILS/xul/staff_client/server/cat/marc_new.xul index 543563deb1..480d3b4ba1 100644 --- a/Open-ILS/xul/staff_client/server/cat/marc_new.xul +++ b/Open-ILS/xul/staff_client/server/cat/marc_new.xul @@ -116,7 +116,7 @@ }; $('marc_editor').setAttribute('src',url); netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); - $('marc_editor').contentWindow.xulG = params; + get_contentWindow($('marc_editor')).xulG = params; /* hide template widgets */ $('actions').hidden = true; diff --git a/Open-ILS/xul/staff_client/server/cat/volume_copy_creator.js b/Open-ILS/xul/staff_client/server/cat/volume_copy_creator.js index fb8c3ff0d5..96af32ce2d 100644 --- a/Open-ILS/xul/staff_client/server/cat/volume_copy_creator.js +++ b/Open-ILS/xul/staff_client/server/cat/volume_copy_creator.js @@ -21,7 +21,7 @@ function my_init() { g.doc_id = xul_param('doc_id'); document.getElementById('summary').setAttribute('src',urls.XUL_BIB_BRIEF); // + '?docid=' + window.escape(g.doc_id)); - document.getElementById('summary').contentWindow.xulG = { 'docid' : g.doc_id }; + get_contentWindow(document.getElementById('summary')).xulG = { 'docid' : g.doc_id }; g.copy_shortcut = xul_param('copy_shortcut',{'JSON2js_if_cgi':true}); g.error.sdump('D_ERROR','location.href = ' + location.href + '\n\ncopy_short cut = ' + g.copy_shortcut + '\n\nou_ids = ' + xul_param('ou_ids')); diff --git a/Open-ILS/xul/staff_client/server/cat/z3950.js b/Open-ILS/xul/staff_client/server/cat/z3950.js index efa4f3d340..ce5576034e 100644 --- a/Open-ILS/xul/staff_client/server/cat/z3950.js 
+++ b/Open-ILS/xul/staff_client/server/cat/z3950.js @@ -122,7 +122,7 @@ cat.z3950.prototype = { n.setAttribute('toggle','1'); n.setAttribute('label','Results View'); netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect'); - var f = document.getElementById('marc_frame').contentWindow; + var f = get_contentWindow(document.getElementById('marc_frame')); f.xulG = { 'marcxml' : obj.results.records[ n.getAttribute('retrieve_id') ].marcxml }; f.my_init(); f.document.body.firstChild.focus(); diff --git a/Open-ILS/xul/staff_client/server/circ/circ_summary.xul b/Open-ILS/xul/staff_client/server/circ/circ_summary.xul index 00abb79983..9b0988c886 100644 --- a/Open-ILS/xul/staff_client/server/circ/circ_summary.xul +++ b/Open-ILS/xul/staff_client/server/circ/circ_summary.xul @@ -61,9 +61,9 @@ if (typeof g.callnumber.ilsevent != 'undefined') throw(g.callnumber); $('top').setAttribute('src',urls.XUL_BIB_BRIEF);// + '?docid=' + g.callnumber.record()); - $('top').contentWindow.xulG = { 'docid' : g.callnumber.record() }; + get_contentWindow($('top')).xulG = { 'docid' : g.callnumber.record() }; $('mid').setAttribute('src',urls.XUL_COPY_SUMMARY); // + '?copy_id=' + g.copy.id()); - $('mid').contentWindow.xulG = { 'copy_id' : g.copy.id() }; + get_contentWindow($('mid')).xulG = { 'copy_id' : g.copy.id() }; show_circs(); @@ -89,7 +89,7 @@ iframe.setAttribute('flex','1'); gb.appendChild(iframe); iframe.setAttribute('src', urls.XUL_CIRC_BRIEF); // + '?circ_id=' + g.circs[j].id() ); - iframe.contentWindow.xulG = { 'circ_id' : g.circs[j].id() }; + get_contentWindow(iframe).xulG = { 'circ_id' : g.circs[j].id() }; } } catch(E) { g.error.standard_unexpected_error_alert('error showing circs',E); diff --git a/Open-ILS/xul/staff_client/server/circ/copy_details.xul b/Open-ILS/xul/staff_client/server/circ/copy_details.xul index 7a1d8761b4..4f63c476dc 100644 --- a/Open-ILS/xul/staff_client/server/circ/copy_details.xul +++ b/Open-ILS/xul/staff_client/server/circ/copy_details.xul 
@@ -67,18 +67,18 @@ //if (typeof g.callnumber.ilsevent != 'undefined') throw(g.callnumber); $('top').setAttribute('src',urls.XUL_BIB_BRIEF); // + '?docid=' + g.callnumber.record()); - $('top').contentWindow.xulG = { 'docid' : g.callnumber.record() }; + get_contentWindow($('top')).xulG = { 'docid' : g.callnumber.record() }; //g.data.temp_copy = g.copy; g.data.stash('temp_copy'); //g.data.temp_callnumber = g.callnumber; g.data.stash('temp_callnumber'); $('item_summary').setAttribute('src',urls.XUL_COPY_SUMMARY); - $('item_summary').contentWindow.xulG = { 'copy' : g.copy, 'callnumber' : g.callnumber }; + get_contentWindow($('item_summary')).xulG = { 'copy' : g.copy, 'callnumber' : g.callnumber }; $('r_last').disabled = true; if (g.circ) { $('r_last').disabled = false; g.data.temp_circ = g.circ; g.data.stash('temp_circ'); $('circ').setAttribute('src',urls.XUL_CIRC_BRIEF); // + '?no_border=1'); - $('circ').contentWindow.xulG = { 'no_border' : 1 }; + get_contentWindow($('circ')).xulG = { 'no_border' : 1 }; if (g.circ.checkin_time()) { $('circ_caption').setAttribute('label','Last Circulation'); } else { diff --git a/Open-ILS/xul/staff_client/server/patron/bill_details.xul b/Open-ILS/xul/staff_client/server/patron/bill_details.xul index 43320d21da..994922d837 100644 --- a/Open-ILS/xul/staff_client/server/patron/bill_details.xul +++ b/Open-ILS/xul/staff_client/server/patron/bill_details.xul @@ -116,7 +116,7 @@ netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); $('copy_summary').setAttribute('src',urls.XUL_COPY_SUMMARY); // + '?copy_id=' + r_circ.target_copy()); - $('copy_summary').contentWindow.xulG = { 'copy_id' : r_circ.target_copy() }; + get_contentWindow($('copy_summary')).xulG = { 'copy_id' : r_circ.target_copy() }; $('copy_summary').hidden=false; g.network.simple_request( diff --git a/Open-ILS/xul/staff_client/server/patron/bill_history.xul b/Open-ILS/xul/staff_client/server/patron/bill_history.xul index a90c08336d..ac1df9fe14 100644 
--- a/Open-ILS/xul/staff_client/server/patron/bill_history.xul +++ b/Open-ILS/xul/staff_client/server/patron/bill_history.xul @@ -160,7 +160,7 @@ netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); $('copy_summary').setAttribute('src',urls.XUL_COPY_SUMMARY); // + '?copy_id=' + r_circ.target_copy()); - $('copy_summary').contentWindow.xulG = { 'copy_id' : r_circ.target_copy() }; + get_contentWindow($('copy_summary')).xulG = { 'copy_id' : r_circ.target_copy() }; $('copy_summary').hidden=false; g.network.simple_request( diff --git a/Open-ILS/xul/staff_client/server/patron/display.js b/Open-ILS/xul/staff_client/server/patron/display.js index 1480e24750..b1c686474e 100644 --- a/Open-ILS/xul/staff_client/server/patron/display.js +++ b/Open-ILS/xul/staff_client/server/patron/display.js @@ -67,7 +67,7 @@ patron.display.prototype = { } ); netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); - obj.checkout_window = frame.contentWindow; + obj.checkout_window = get_contentWindow(frame); } JSAN.use('util.controller'); obj.controller = new util.controller(); @@ -167,7 +167,7 @@ patron.display.prototype = { } ); netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); - obj.items_window = frame.contentWindow; + obj.items_window = get_contentWindow(frame); } ], 'cmd_patron_edit' : [ @@ -307,7 +307,7 @@ patron.display.prototype = { } ); netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); - obj.bill_window = f.contentWindow; + obj.bill_window = get_contentWindow(f); } ], 'patron_name' : [ @@ -476,7 +476,7 @@ patron.display.prototype = { } ); netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); - obj.summary_window = frame.contentWindow; + obj.summary_window = get_contentWindow(frame); } else { obj.render_search_form(params); } 
@@ -536,7 +536,7 @@ patron.display.prototype = { netscape.security.PrivilegeManager.enablePrivilege( "UniversalXPConnect" ); - obj.summary_window = frame.contentWindow; + obj.summary_window = get_contentWindow(frame); obj.patron = obj.summary_window.g.summary.patron; obj.controller.render('patron_name'); }, 0 @@ -545,7 +545,7 @@ patron.display.prototype = { } ); netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); - obj.search_result = list_frame.contentWindow; + obj.search_result = get_contentWindow(list_frame); } }; @@ -560,7 +560,7 @@ patron.display.prototype = { my_xulG ); netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); - obj.search_window = form_frame.contentWindow; + obj.search_window = get_contentWindow(form_frame); obj._checkout_spawned = true; }, @@ -572,7 +572,7 @@ patron.display.prototype = { for (var i = 0; i < obj.right_deck.node.childNodes.length; i++) { try { var f = obj.right_deck.node.childNodes[i]; - var w = f.contentWindow; + var w = get_contentWindow(f); if (url) { if (w.location.href == url) w.refresh(true); } else { diff --git a/Open-ILS/xul/staff_client/server/patron/display.xul b/Open-ILS/xul/staff_client/server/patron/display.xul index 5a602ccdee..ddb75ded24 100644 --- a/Open-ILS/xul/staff_client/server/patron/display.xul +++ b/Open-ILS/xul/staff_client/server/patron/display.xul 
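Review bot: In the loop at @@ -572, `w` is now null whenever a child of right_deck is not a frame (get_contentWindow returns null for those), and the following `w.location.href` then throws a TypeError that is presumably handled by the catch outside the hunk; an explicit `if (!w) continue;` after `var w = get_contentWindow(f);` makes the skip intentional rather than exception-driven. The enclosing method starts and ends outside the hunk.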
@@ -68,12 +68,12 @@ try { netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); var node = g.patron.right_deck.node.selectedPanel; - if (node && node.contentWindow && typeof node.contentWindow.default_focus == 'function') { - node.contentWindow.default_focus(); + if (node && get_contentWindow(node) && typeof get_contentWindow(node).default_focus == 'function') { + get_contentWindow(node).default_focus(); } else { var node = g.patron.left_deck.node.selectedPanel; - if (node && node.contentWindow && typeof node.contentWindow.default_focus == 'function') { - node.contentWindow.default_focus(); + if (node && get_contentWindow(node) && typeof get_contentWindow(node).default_focus == 'function') { + get_contentWindow(node).default_focus(); } } } catch(E) { diff --git a/Open-ILS/xul/staff_client/server/patron/hold_notices.xul b/Open-ILS/xul/staff_client/server/patron/hold_notices.xul index 18d1bdd12b..5fe168ab85 100644 --- a/Open-ILS/xul/staff_client/server/patron/hold_notices.xul +++ b/Open-ILS/xul/staff_client/server/patron/hold_notices.xul @@ -58,7 +58,7 @@ a_list_of_one(); document.getElementById('bib_brief').setAttribute('src',urls.XUL_BIB_BRIEF); // + '?docid=' + g.ahr.target()); - document.getElementById('bib_brief').contentWindow.xulG = { 'docid' : g.ahr.target() }; + get_contentWindow(document.getElementById('bib_brief')).xulG = { 'docid' : g.ahr.target() }; refresh(); diff --git a/Open-ILS/xul/staff_client/server/patron/info.xul b/Open-ILS/xul/staff_client/server/patron/info.xul index a7f18d4f11..7bf2d040c5 100644 --- a/Open-ILS/xul/staff_client/server/patron/info.xul +++ b/Open-ILS/xul/staff_client/server/patron/info.xul 
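Review bot: The new condition in display.xul calls get_contentWindow(node) three times per branch, each call repeating the privilege request and the unwrap; look it up once, `var w = get_contentWindow(node); if (w && typeof w.default_focus == 'function') { w.default_focus(); }`, and do the same for the left-deck branch. The inner `var node` redeclaration in the else branch is pre-existing and shadows nothing, but it reads as a bug; a second name would be clearer. The enclosing function starts and ends outside the hunk.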
@@ -54,19 +54,23 @@ try{ $('notes_frame').setAttribute('src',urls.XUL_PATRON_INFO_NOTES); - $('notes_frame').contentWindow.xulG = { 'patron_id' : g.patron_id }; + get_contentWindow($('notes_frame')).xulG = + { 'patron_id' : g.patron_id, 'url_prefix' : xulG.url_prefix, 'new_tab' : xulG.new_tab }; }catch(E){alert(E);} try{ $('stat_cats_frame').setAttribute('src',urls.XUL_PATRON_INFO_STAT_CATS); - $('stat_cats_frame').contentWindow.xulG = { 'patron_id' : g.patron_id }; + get_contentWindow($('stat_cats_frame')).xulG = + { 'patron_id' : g.patron_id, 'url_prefix' : xulG.url_prefix, 'new_tab' : xulG.new_tab }; }catch(E){alert(E);} try{ $('surveys_frame').setAttribute('src',urls.XUL_PATRON_INFO_SURVEYS); - $('surveys_frame').contentWindow.xulG = { 'patron_id' : g.patron_id }; + get_contentWindow($('surveys_frame')).xulG = + { 'patron_id' : g.patron_id, 'url_prefix' : xulG.url_prefix, 'new_tab' : xulG.new_tab }; }catch(E){alert(E);} try{ $('group_frame').setAttribute('src',urls.XUL_PATRON_INFO_GROUP); - $('group_frame').contentWindow.xulG = { 'patron_id' : g.patron_id }; + get_contentWindow($('group_frame')).xulG = + { 'patron_id' : g.patron_id, 'url_prefix' : xulG.url_prefix, 'new_tab' : xulG.new_tab }; }catch(E){alert(E);} } catch(E) { 
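Review bot: The four new xulG literals in info.xul read `xulG.url_prefix` and `xulG.new_tab` without checking that xulG exists, while the same commit guards every `xulG.new_tab` use in info_group.xul with `typeof window.xulG == 'object' && typeof window.xulG.new_tab == 'function'`; if info.xul is ever loaded without a parent-provided xulG, each assignment throws and the only symptom is four `alert(E)` dialogs. I would hoist guarded lookups above the try blocks, `var url_prefix = (typeof xulG == 'object') ? xulG.url_prefix : null;` and `var new_tab = (typeof xulG == 'object') ? xulG.new_tab : null;`, and use those in the four literals. Note also that the properties are set on the window returned by get_contentWindow, i.e. the unwrapped object, so the chrome-side new_tab and url_prefix functions become reachable from each frame's own script; that is acceptable while the frames load the `urls.XUL_PATRON_INFO_*` pages, but deserves a comment at the first assignment. The enclosing function starts outside the hunk.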
@@ -80,17 +84,10 @@ function refresh() { try { netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect'); - if ($('notes_frame').contentWindow && typeof $('notes_frame').contentWindow.refresh == 'function') { - $('notes_frame').contentWindow.refresh(); - } - if ($('stat_cats_frame').contentWindow && typeof $('stat_cats_frame').contentWindow.refresh == 'function') { - $('stat_cats_frame').contentWindow.refresh(); - } - if ($('surveys_frame').contentWindow && typeof $('surveys_frame').contentWindow.refresh == 'function') { - $('surveys_frame').contentWindow.refresh(); - } - if ($('group_frame').contentWindow && typeof $('group_frame').contentWindow.refresh == 'function') { - $('group_frame').contentWindow.refresh(); + for (var i in [ 'notes_frame', 'stat_cats_frame', 'surveys_frame', 'group_frame' ]) { + if (get_contentWindow($(i)) && typeof get_contentWindow($(i)).refresh == 'function') { + get_contentWindow($(i)).refresh(); + } } } catch(E) { alert(E); diff --git a/Open-ILS/xul/staff_client/server/patron/info_group.xul b/Open-ILS/xul/staff_client/server/patron/info_group.xul index cf5188a834..1bc57001e5 100644 --- a/Open-ILS/xul/staff_client/server/patron/info_group.xul +++ b/Open-ILS/xul/staff_client/server/patron/info_group.xul @@ -182,10 +182,15 @@ if (typeof window.xulG == 'object' && typeof window.xulG.new_tab == 'function') { for (var i = 0; i < g.sel_list.length; i++) { try { - var url = urls.XUL_PATRON_DISPLAY - + '?id=' + window.escape( g.sel_list[i] ); + var url = urls.XUL_PATRON_DISPLAY// + '?id=' + window.escape( g.sel_list[i] ); window.xulG.new_tab( - url, { 'tab_name' : 'Retrieving Patron..' }, {} + url, + { 'tab_name' : 'Retrieving Patron..' }, + { + 'id' : g.sel_list[i], + 'url_prefix' : xulG.url_prefix, + 'new_tab' : xulG.new_tab, + } ); } catch(E) { g.error.standard_unexpected_error_alert('Failed to retrieve patron.',E); 
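Review bot: The new refresh() loop iterates `for (var i in [ 'notes_frame', … ])`, so `i` takes the array indices '0'..'3' rather than the frame ids; `$('0')` finds no element, get_contentWindow returns null, and none of the four frames is refreshed any more, a regression against the four explicit calls this hunk removes. Iterate the array by index and look each window up once. refresh() continues past the end of the hunk.
```javascript
        var frames = [ 'notes_frame', 'stat_cats_frame', 'surveys_frame', 'group_frame' ];
        for (var i = 0; i < frames.length; i++) {
            var w = get_contentWindow($(frames[i]));
            if (w && typeof w.refresh == 'function') {
                w.refresh();
            }
        }
        // … unchanged: catch(E) { alert(E); …
```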
@@ -204,7 +209,7 @@ var loc = xulG.url_prefix( urls.XUL_REMOTE_BROWSER ); //+ '?url=' + window.escape( urls.XUL_PATRON_EDIT + '?ses=' //+ window.escape( ses() ) + '&clone=' + g.sel_list[i] ); - xulG.new_tab( + if (typeof window.xulG == 'object' && typeof window.xulG.new_tab == 'function') xulG.new_tab( loc, {}, { @@ -212,7 +217,7 @@ 'show_print_button' : true , 'tab_name' : 'Register Patron Clone for Group' , 'passthru_content_params' : { - 'ses' : ses(, + 'ses' : ses(), 'clone' : g.sel_list[i], 'spawn_search' : spawn_search, 'spawn_editor' : spawn_editor, @@ -243,7 +248,7 @@ passthru[i] = p[i]; } var loc = xulG.url_prefix( urls.XUL_REMOTE_BROWSER ); // + '?url=' + window.escape( url ); - xulG.new_tab( + if (typeof window.xulG == 'object' && typeof window.xulG.new_tab == 'function') xulG.new_tab( loc, {}, { @@ -263,7 +268,8 @@ g.error.sdump('D_TRACE', 'Editor would like to search for: ' + js2JSON(s) ); var loc = xulG.url_prefix(urls.XUL_PATRON_DISPLAY); //loc += '?doit=1&query=' + window.escape(js2JSON(s)); - xulG.new_tab( loc, {}, {'doit':1,'query':s} ); + if (typeof window.xulG == 'object' && typeof window.xulG.new_tab == 'function') + xulG.new_tab( loc, {}, {'doit':1,'query':s} ); } catch(E) { g.error.standard_unexpected_error_alert('spawn search',E); } -- 2.11.0
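Review bot: The guard `if (typeof window.xulG == 'object' && typeof window.xulG.new_tab == 'function') xulG.new_tab(` added at @@ -204 sits one statement after `var loc = xulG.url_prefix( urls.XUL_REMOTE_BROWSER );`, which already dereferences xulG unguarded, so a missing xulG throws before the guard is ever evaluated; the same ordering appears at @@ -243 and @@ -263. Either move the check above the `var loc = …` line (bailing out with whatever error reporting the enclosing function uses) or treat the guards as dead code and drop them. The single-line `if (…) xulG.new_tab(` in front of a multi-line call is also easy to misread as unconditional; a braced block would make the scope obvious. Each enclosing function starts before its hunk and ends after it.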