DEF
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+
test
+`"'>
+`"'>
+`"'>
+`"'>
+`"'>
+`"'>
+`"'>
+`"'>
+`"'>
+`"'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+"`'>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
XXX
+
+
+
+
+
+
+
+
+">
+
+
+
+
+
+
+
+
+
+
+
+perl -e 'print "";' > out
+
+
+
+
+<
+
+
+# SQL Injection
+#
+# Strings which can cause a SQL injection if inputs are not sanitized
+
+1;DROP TABLE users
+1'; DROP TABLE users-- 1
+' OR 1=1 -- 1
+' OR '1'='1
+'; EXEC sp_MSForEachTable 'DROP TABLE ?'; --
+
+%
+_
+
+# Server Code Injection
+#
+# Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153)
+
+-
+--
+--version
+--help
+$USER
+/dev/null; touch /tmp/blns.fail ; echo
+`touch /tmp/blns.fail`
+$(touch /tmp/blns.fail)
+@{[system "touch /tmp/blns.fail"]}
+
+# Command Injection (Ruby)
+#
+# Strings which can call system commands within Ruby/Rails applications
+
+eval("puts 'hello world'")
+System("ls -al /")
+`ls -al /`
+Kernel.exec("ls -al /")
+Kernel.exit(1)
+%x('ls -al /')
+
+# XXE Injection (XML)
+#
+# String which can reveal system files when parsed by a badly configured XML parser
+
+]>
&xxe;
+
+# Unwanted Interpolation
+#
+# Strings which can be accidentally expanded into different strings if evaluated in the wrong context, e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string.
+
+$HOME
+$ENV{'HOME'}
+%d
+%s%s%s%s%s
+{0}
+%*.*s
+%@
+%n
+File:///
+
+# File Inclusion
+#
+# Strings which can cause user to pull in files that should not be a part of a web server
+
+../../../../../../../../../../../etc/passwd%00
+../../../../../../../../../../../etc/hosts
+
+# Known CVEs and Vulnerabilities
+#
+# Strings that test for known vulnerabilities
+
+() { 0; }; touch /tmp/blns.shellshock1.fail;
+() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }
+<<< %s(un='%s') = %u
++++ATH0
+
+# MSDOS/Windows Special Filenames
+#
+# Strings which are reserved characters in MSDOS/Windows
+
+CON
+PRN
+AUX
+CLOCK$
+NUL
+A:
+ZZ:
+COM1
+LPT1
+LPT2
+LPT3
+COM2
+COM3
+COM4
+
+# IRC specific strings
+#
+# Strings that may occur on IRC clients that make security products freak out
+
+DCC SEND STARTKEYLOGGER 0 0 0
+
+# Scunthorpe Problem
+#
+# Innocuous strings which may be blocked by profanity filters (https://en.wikipedia.org/wiki/Scunthorpe_problem)
+
+Scunthorpe General Hospital
+Penistone Community Church
+Lightwater Country Park
+Jimmy Clitheroe
+Horniman Museum
+shitake mushrooms
+RomansInSussex.co.uk
+http://www.cum.qc.ca/
+Craig Cockburn, Software Specialist
+Linda Callahan
+Dr. Herman I. Libshitz
+magna cum laude
+Super Bowl XXX
+medieval erection of parapets
+evaluate
+mocha
+expression
+Arsenal canal
+classic
+Tyson Gay
+Dick Van Dyke
+basement
+
+# Human injection
+#
+# Strings which may cause human to reinterpret worldview
+
+If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
+
+# Terminal escape codes
+#
+# Strings which punish the fools who use cat/type on this file
+
+Roses are [0;31mred[0m, violets are [0;34mblue. Hope you enjoy terminal hue
+But now...[20Cfor my greatest trick...[8m
+The quick brown fox... [Beeeep]
+
+# iOS Vulnerabilities
+#
+# Strings which crashed iMessage in various versions of iOS
+
+Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗
+🏳0🌈️
+జ్ఞా
+
+# Persian special characters
+#
+# This is a four characters string which includes Persian special characters (گچپژ)
+
+گچپژ
+
+# jinja2 injection
+#
+# first one is supposed to raise "MemoryError" exception
+# second, obviously, prints contents of /etc/passwd
+
+{% print 'x' * 64 * 1024**3 %}
+{{ "".__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
\ No newline at end of file
diff --git a/pydoctor/themes/__init__.py b/pydoctor/themes/__init__.py
index 241a4984d..6c14494fd 100644
--- a/pydoctor/themes/__init__.py
+++ b/pydoctor/themes/__init__.py
@@ -5,15 +5,11 @@
>>> template_lookup = TemplateLookup(importlib_resources.files('pydoctor.themes') / 'base')
"""
-import sys
from typing import Iterator
# In newer Python versions, use importlib.resources from the standard library.
# On older versions, a compatibility package must be installed from PyPI.
-if sys.version_info < (3, 9):
- import importlib_resources
-else:
- import importlib.resources as importlib_resources
+import importlib.resources as importlib_resources
def get_themes() -> Iterator[str]:
"""
diff --git a/pydoctor/themes/base/apidocs-help.html b/pydoctor/themes/base/apidocs-help.html
new file mode 100644
index 000000000..10ed5f71c
--- /dev/null
+++ b/pydoctor/themes/base/apidocs-help.html
@@ -0,0 +1,39 @@
+
+
+
+
+
+
Head
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/pydoctor/themes/base/apidocs.css b/pydoctor/themes/base/apidocs.css
index 6387e6c0c..191a883d4 100644
--- a/pydoctor/themes/base/apidocs.css
+++ b/pydoctor/themes/base/apidocs.css
@@ -60,7 +60,6 @@ nav.navbar .navbar-header {
margin-bottom: 3px;
border-bottom: 0;
box-shadow: 0 0 8px 8px #fff;
- z-index: 99;
}
.navbar-brand {
@@ -1086,19 +1085,15 @@ input[type="search"]::-webkit-search-results-decoration { display: none; }
padding: 5px 0 0 8px;
}
-.search-help-hidden #search-help-box{
- display: none!important;
-}
-
-#search-help-button{
+#apidocs-help-button{
background-color: #e6e6e6;
}
-.search-help-hidden #search-help-button{
+.search-help-hidden #apidocs-help-button{
background-color: rgb(255, 255, 255);
}
-.search-help-hidden #search-help-button:hover {
+.search-help-hidden #apidocs-help-button:hover {
background-color: #e6e6e6;
}
diff --git a/pydoctor/themes/base/common.html b/pydoctor/themes/base/common.html
index 44f4a24dc..bbb1aceae 100644
--- a/pydoctor/themes/base/common.html
+++ b/pydoctor/themes/base/common.html
@@ -1,6 +1,6 @@
-
+
Head
diff --git a/pydoctor/themes/base/nav.html b/pydoctor/themes/base/nav.html
index 2e4a5c3de..c68c9226d 100644
--- a/pydoctor/themes/base/nav.html
+++ b/pydoctor/themes/base/nav.html
@@ -1,6 +1,6 @@
-
+
@@ -96,8 +63,8 @@
Cannot search: JavaScript is not supported/enabled in your browser.
-
-
Results provided by Lunr.js
+
+
For more information on the search, visit the help page.
diff --git a/pydoctor/themes/base/search.js b/pydoctor/themes/base/search.js
index 7fb34200c..f76b5dd86 100644
--- a/pydoctor/themes/base/search.js
+++ b/pydoctor/themes/base/search.js
@@ -113,16 +113,6 @@ function showResultContainer(){
updateClearSearchBtn();
}
-function toggleSearchHelpText() {
- document.body.classList.toggle("search-help-hidden");
- if (document.body.classList.contains("search-help-hidden") && input.value.length==0){
- hideResultContainer();
- }
- else{
- showResultContainer();
- }
-}
-
function resetResultList(){
resetLongSearchTimerInfo();
results_list.innerHTML = '';
@@ -168,20 +158,19 @@ function _stopSearchingProcess(){
//////// SEARCH WARPPER FUNCTIONS /////////
// Values configuring the search-as-you-type feature.
-var SEARCH_DEFAULT_DELAY = 100; // in miliseconds
-var SEARCH_INCREASED_DELAY = 200;
-var SEARCH_INDEX_SIZE_TRESH_INCREASE_DELAY = 10; // in MB
-var SEARCH_INDEX_SIZE_TRESH_DISABLE_SEARCH_AS_YOU_TYPE = 20;
-var SEARCH_AUTO_WILDCARD = true;
+var SEARCH_DEFAULT_DELAY = 150; // in miliseconds
+var SEARCH_INCREASED_DELAY = 300; // in miliseconds
+var SEARCH_INDEX_SIZE_TRESH_INCREASE_DELAY = 15; // in MB
+var SEARCH_INDEX_SIZE_TRESH_DISABLE_SEARCH_AS_YOU_TYPE = 25; // in MB
-// Search delay depends on index size.
+// Search delay depends on index size in MB
function _getIndexSizePromise(indexURL){
return httpGetPromise(indexURL).then((responseText) => {
if (responseText==null){
return 0;
}
- let indexSizeApprox = responseText.length / 1000000; // in MB
- return indexSizeApprox;
+ let indexSizeApprox = responseText.length / 1000000;
+ return indexSizeApprox; // in MB
});
}
function _getSearchDelayPromise(indexURL){ // -> Promise of a Search delay number.
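Review bot: The rewritten comments `// Search delay depends on index size in MB` and `return indexSizeApprox; // in MB` overstate what `responseText.length / 1000000` measures: it counts UTF-16 code units, not bytes, so the figure undercounts any non-ASCII content in the index. Since the number only selects a debounce delay against the `SEARCH_INDEX_SIZE_TRESH_*` thresholds the inaccuracy is harmless, but the comment should say so, e.g. `// approx. millions of UTF-16 code units (~MB for ASCII); only used to pick a typing delay`. Measuring the size this way also fetches the whole index before the first search; a HEAD request reading `Content-Length` would avoid that if the index is fetched again later, which I cannot tell from this hunk. `_getSearchDelayPromise` begins on the last line of the hunk and continues outside it.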
@@ -293,8 +282,8 @@ function launchSearch(noDelay){
if (isSearchReadyPromise==null){
isSearchReadyPromise = _getIsSearchReadyPromise()
}
- return isSearchReadyPromise.then((r)=>{
- return lunrSearch(_query, indexURL, _fields, "lunr.js", !noDelay?searchDelay:0, SEARCH_AUTO_WILDCARD).then((lunrResults) => {
+ return isSearchReadyPromise.then((r)=>{
+ return lunrSearch(_query, indexURL, _fields, "lunr.js", !noDelay?searchDelay:0).then((lunrResults) => {
// outdated query results
if (_searchStartTime != _lastSearchStartTime){return;}
@@ -431,7 +420,6 @@ document.addEventListener('keyup', (evt) => {
// we don't want to show it if the browser do not support JS.
window.addEventListener('load', (event) => {
document.getElementById('search-box-container').style.display = 'block';
- document.getElementById('search-help-box').style.display = 'block';
hideResultContainer();
});
@@ -440,8 +428,7 @@ window.addEventListener("click", (event) => {
if (event){
// 1. Hide the dropdown if the user clicks outside of it
if (!event.target.closest('#search-results-container')
- && !event.target.closest('#search-box')
- && !event.target.closest('#search-help-button')){
+ && !event.target.closest('#search-box')){
hideResultContainer();
return;
}
@@ -456,7 +443,7 @@ window.addEventListener("click", (event) => {
// 3.Hide the dropdown if the user clicks on a link that brings them to the same page.
// This includes links in summaries.
- link = event.target.closest('#search-results a')
+ link = event.target.closest('#search-results-container a')
if (link){
page_parts = document.location.pathname.split('/')
current_page = page_parts[page_parts.length-1]
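Review bot: The new line `link = event.target.closest('#search-results-container a')` assigns to an identifier that is not declared in the hunk (as do `page_parts` and `current_page` on the following context lines), which creates implicit globals on `window` in sloppy mode and throws a `ReferenceError` under `'use strict'` or if the file is ever loaded as a module. Unless these are declared earlier in the handler outside this hunk, suggest `const link = event.target.closest('#search-results-container a')` and `const page_parts = ...` / `const current_page = ...`, matching the `let`/`var` style used elsewhere in the file. The enclosing click handler starts and ends outside this hunk.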
diff --git a/pydoctor/themes/base/searchlib.js b/pydoctor/themes/base/searchlib.js
index 882d77153..c1a3995f0 100644
--- a/pydoctor/themes/base/searchlib.js
+++ b/pydoctor/themes/base/searchlib.js
@@ -7,14 +7,13 @@
// Other required ressources like lunr.js, searchindex.json and all-documents.html are passed as URL
// to functions. This makes the code reusable outside of pydoctor build directory.
// Implementation note: Searches are designed to be launched synchronously, if lunrSearch() is called sucessively (while already running),
-// old promise will never resolves and the searhc worker will be restarted.
+// old promise will never resolves and the search worker will be restarted.
// Hacky way to make the worker code inline with the rest of the source file handling the search.
// Worker message params are the following:
// - query: string
// - indexJSONData: dict
// - defaultFields: list of strings
-// - autoWildcard: boolean
let _lunrWorkerCode = `
// The lunr.js code will be inserted here.
@@ -29,19 +28,17 @@ onmessage = (message) => {
if (!message.data.defaultFields) {
throw new Error('No default fields provided.');
}
- if (!message.data.hasOwnProperty('autoWildcard')){
- throw new Error('No value for auto wildcard provided.');
- }
+
// Create index
let index = lunr.Index.load(message.data.indexJSONData);
-
+
// Declare query function building
function _queryfn(_query){ // _query is the Query object
// Edit the parsed query clauses that are applicable for all fields (default) in order
// to remove the field 'kind' from the clause since this it's only useful when specifically requested.
var parser = new lunr.QueryParser(message.data.query, _query)
parser.parse()
- var hasTraillingWildcard = false;
+
_query.clauses.forEach(clause => {
if (clause.fields == _query.allFields){
// we change the query fields when they are applicable to all fields
@@ -49,27 +46,44 @@ onmessage = (message) => {
// which should not be matched by default.
clause.fields = message.data.defaultFields;
}
- // clause.wildcard is actually always NONE due to https://github.com/olivernn/lunr.js/issues/495
- // But this works...
- if (clause.term.slice(-1) == '*'){
- // we want to avoid the auto wildcard system only if a trailling wildcard is already added
- // not if a leading wildcard exists
- hasTraillingWildcard = true
- }
+
});
// Auto wilcard feature, see issue https://github.com/twisted/pydoctor/issues/648
var new_clauses = [];
- if ((message.data.autoWildcard == true) && (hasTraillingWildcard == false)){
- _query.clauses.forEach(clause => {
- // Setting clause.wildcard is useless.
+
+ _query.clauses.forEach(clause => {
+ if (clause.presence === 1) { // ignore clauses that have explicit presence (+/-)
+ // Setting clause.wildcard is useless, and clause.wildcard is actually always NONE
+ // due to https://github.com/olivernn/lunr.js/issues/495
// But this works...
- let new_clause = {...clause}
- new_clause.term = new_clause.term + '*'
- clause.boost = 2
- new_clause.boost = 0
- new_clauses.push(new_clause)
- });
- }
+ if (clause.term.slice(-1) != '*'){
+ let new_clause = {...clause}
+ new_clause.term = new_clause.term + '*'
+ clause.boost = 2
+ new_clause.boost = 1
+ new_clauses.push(new_clause)
+ }
+
+ // Adding a leading wildcard if the dot is included as well.
+ // This should only apply to terms that are applicable to name-like fields.
+ // so we refer to the default fields
+ if (clause.term.indexOf('.') != -1) {
+ if (clause.term.slice(0,1) != '*'){
+ let second_new_clause = {...clause}
+ second_new_clause.boost = 1
+ if (clause.term.slice(0,1) != '.'){
+ second_new_clause.term = '.' + second_new_clause.term
+ }
+ second_new_clause.term = '*' + second_new_clause.term
+ if (clause.term.slice(-1) != '*'){
+ second_new_clause.term = second_new_clause.term + '*'
+ }
+ new_clauses.push(second_new_clause)
+ }
+ }
+ }
+ });
+
new_clauses.forEach(clause => {
_query.clauses.push(clause)
});
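Review bot: `if (clause.presence === 1) { // ignore clauses that have explicit presence (+/-)` relies on a magic number for lunr's OPTIONAL presence; since `lunr` is already in scope in the worker (it is used for `lunr.Index.load` earlier in this function), spell it out as `if (clause.presence === lunr.Query.presence.OPTIONAL) { // skip clauses with explicit +/- presence` so the intent survives a lunr upgrade. The second added clause prefixes a leading `*` to every term containing a dot; leading wildcards are generally the expensive case for lunr because they cannot use the token-set prefix walk, so on large indexes this can noticeably raise per-keystroke cost inside the worker — worth a one-line comment stating that trade-off, and possibly gating it on the index-size threshold the caller already computes if it proves slow. Note `new_clause.boost = 1` replaces the previous `0`, which changes ranking of the auto-wildcard matches relative to exact ones; if intentional, a short comment (`// exact term ranks above its prefix expansion`) would make that explicit. The enclosing `_queryfn` starts and ends outside this hunk.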
@@ -78,8 +92,8 @@ onmessage = (message) => {
}
// Launch the search
- let results = index.query(_queryfn)
-
+ var results = index.query(_queryfn)
+
// Post message with results
postMessage({'results':results});
};
@@ -174,9 +188,8 @@ function _getWorkerPromise(lunJsSourceCode){ // -> Promise of a fresh worker to
* @param lunrJsURL: URL pointing to a copy of lunr.js.
* @param searchDelay: Number of miliseconds to wait before actually launching the query. This is useful to set for "search as you type" kind of search box
* because it let a chance to users to continue typing without triggering useless searches (because previous search is aborted on launching a new one).
- * @param autoWildcard: Whether to automatically append wildcards to all query clauses when no wildcard is already specified. boolean.
- */
-function lunrSearch(query, indexURL, defaultFields, lunrJsURL, searchDelay, autoWildcard){
+*/
+function lunrSearch(query, indexURL, defaultFields, lunrJsURL, searchDelay){
// Abort ongoing search
abortSearch();
@@ -187,7 +200,7 @@ function lunrSearch(query, indexURL, defaultFields, lunrJsURL, searchDelay, auto
searchEventsEnv.removeEventListener('abortSearch', this);
});
- // Pref:
+ // Perf:
// Because this function can be called a lot of times in a very few moments,
// Actually launch search after a delay to let a chance to users to continue typing,
// which would trigger a search abort event, which would avoid wasting a worker
@@ -220,7 +233,6 @@ function lunrSearch(query, indexURL, defaultFields, lunrJsURL, searchDelay, auto
'query': query,
'indexJSONData': lunrIndexData,
'defaultFields': defaultFields,
- 'autoWildcard': autoWildcard,
}
if (!_aborted){
diff --git a/pydoctor/themes/readthedocs/common.html b/pydoctor/themes/readthedocs/common.html
index e30fab52e..4c5232472 100644
--- a/pydoctor/themes/readthedocs/common.html
+++ b/pydoctor/themes/readthedocs/common.html
@@ -1,6 +1,6 @@
-
+
Head
@@ -28,70 +28,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Search bar offers the following options:
-
- -
- Term presence. The below example searches for documents that
- must contain “foo”, might contain “bar” and must not contain “baz”:
+foo bar -baz
-
-
- -
- Wildcards. The below example searches for documents with words beginning with “foo”:
foo*
-
-
- -
- Search in specific fields. The following search matches all objects
- in "twisted.mail" that matches “search”:
+qname:twisted.mail.* +search
-
-
- Possible fields: 'name', 'qname' (fully qualified name), 'docstring', and 'kind'.
- Last two fields are only applicable if "search in docstrings" is enabled.
-
-
-
- -
- Fuzzy matches. The following search matches all documents
- that have a word within 1 edit distance of “foo”:
foo~1
-
-
-
-
-
-
-
-
-
-
-
-
-
-