Merge branch 'master' into releases

Signed-off-by: Roberto Rosario <roberto.rosario.gonzalez@gmail.com>

HISTORY.rst

@@ -1,3 +1,11 @@
+3.0.3 (2018-08-17)
+==================
+- Tags app: Add explicit casting of escaped tag labels to prevent exploit
+  of cross site scripting. Thanks to Lokesh (@lokesh1095) for
+  the report and proposed solutions. Closes GitLab issue #496.
+- Tags app: Add explicit post action redirect for the tag attach and 
+  tag remove actions when working on a single document.
+
 3.0.2 (2018-08-16)
 ==================
 - Docker install script: Default to verbose.

docker/version

@@ -1 +1 @@
-3.0.2
+3.0.3

docs/releases/3.0.2.rst

@@ -131,6 +131,7 @@ Bugs fixed or issues closed
 
 * `GitLab issue #489 <https://gitlab.com/mayan-edms/mayan-edms/issues/489>`_ "next" parameter is not honored after login
 * `GitLab issue #490 <https://gitlab.com/mayan-edms/mayan-edms/issues/490>`_ Crop Transformation seems to not convert input to numeric values
+* `GitLab issue #491 <https://gitlab.com/mayan-edms/mayan-edms/issues/491>`_ "Warning Your database backend is set to use SQLite[...]" with docker compose
 * `GitLab issue #494 <https://gitlab.com/mayan-edms/mayan-edms/issues/494>`_ DOM based Cross Site Scripting
 * `GitLab issue #495 <https://gitlab.com/mayan-edms/mayan-edms/issues/495>`_ Persistent Cross Site Scripting
 

docs/releases/3.0.3.rst

@@ -0,0 +1,79 @@
+===============================
+Mayan EDMS v3.0.3 release notes
+===============================
+
+Released: August 17, 2018
+
+What's new
+==========
+
+Program code
+------------
+- Tags app: Add explicit post action redirect for the tag attach and
+  tag remove actions when working on a single document.
+
+Security
+--------
+- Tags app: Add explicit casting of escaped tag labels to prevent exploit
+  of cross site scripting. Thanks to Lokesh (@lokesh1095) for
+  the report and proposed solutions. Closes GitLab issue #496.
+
+Removals
+--------
+- None
+
+Upgrading from a previous version
+---------------------------------
+
+
+Using PIP
+~~~~~~~~~
+
+Type in the console::
+
+    $ pip install mayan-edms==3.0.3
+
+the requirements will also be updated automatically.
+
+
+Using Git
+~~~~~~~~~
+
+If you installed Mayan EDMS by cloning the Git repository issue the commands::
+
+    $ git reset --hard HEAD
+    $ git pull
+
+otherwise download the compressed archived and uncompress it overriding the
+existing installation.
+
+Next upgrade/add the new requirements::
+
+    $ pip install --upgrade -r requirements.txt
+
+
+Common steps
+~~~~~~~~~~~~
+
+Migrate existing database schema with::
+
+    $ mayan-edms.py performupgrade
+
+Add new static media::
+
+    $ mayan-edms.py collectstatic --noinput
+
+The upgrade procedure is now complete.
+
+
+Backward incompatible changes
+=============================
+
+* None
+
+Bugs fixed or issues closed
+===========================
+
+* `GitLab issue #496 <https://gitlab.com/mayan-edms/mayan-edms/issues/496>`_ Persistent Cross Site Scripting
+
+.. _PyPI: https://pypi.python.org/pypi/mayan-edms/

docs/releases/index.rst

@@ -22,6 +22,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   3.0.3
    3.0.2
    3.0.1
    3.0

docs/topics/development.rst

@@ -396,7 +396,6 @@ X.Y     # Final release
 
 Release checklist
 ~~~~~~~~~~~~~~~~~
-
 1. Check for missing migrations::
 
     make check-missing-migrations
@@ -420,31 +419,40 @@ or with::
 
     make check-readme
 
-8. Bump version in `mayan/__init__.py` and in `docker/version`.
-9. Update requirements version in `setup.py` using::
+8. Bump version in `mayan/__init__.py`.
+9. Bump version in `docker/version`.
+10. Update requirements version in `setup.py` using::
 
     make generate-setup
 
-10. Build source package and test::
+11. Build source package and test::
 
      make test-sdist-via-docker-ubuntu
 
-11. Build wheel package and test::
+12. Build wheel package and test::
 
      make test-wheel-via-docker-ubuntu
 
-12. Tag version::
+13. Tag version::
 
      git tag -a vX.Y.Z -m "Version X.Y.Z"
 
-13. Push tag upstream::
+14. Switch to the `releases` branch::
+
+    git checkout releases
+
+15. Push tag upstream::
 
      git push --tags
 
-14. Build and upload a test release::
+16. Push code to trigger builds::
+
+    git push
+
+17. Build and upload a test release::
 
      make release-test-via-docker-ubuntu
 
-15. Build and upload a final release::
+18. Build and upload a final release::
 
      make release-via-docker-ubuntu

mayan/__init__.py

@@ -1,8 +1,8 @@
 from __future__ import unicode_literals
 
 __title__ = 'Mayan EDMS'
-__version__ = '3.0.2'
-__build__ = 0x030002
+__version__ = '3.0.3'
+__build__ = 0x030003
 __author__ = 'Roberto Rosario'
 __author_email__ = 'roberto.rosario@mayan-edms.com'
 __description__ = 'Free Open Source Electronic Document Management System'

mayan/apps/tags/views.py

@@ -3,7 +3,7 @@ from __future__ import absolute_import, unicode_literals
 import logging
 
 from django.contrib import messages
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, reverse
 from django.urls import reverse_lazy
 from django.utils.translation import ugettext_lazy as _, ungettext
 
@@ -77,6 +77,13 @@ class TagAttachActionView(MultipleObjectFormActionView):
 
         return result
 
+    def get_post_action_redirect(self):
+        queryset = self.get_queryset()
+        if queryset.count() == 1:
+            return reverse('tags:document_tags', args=(queryset.first().pk,))
+        else:
+            return super(TagAttachActionView, self).get_post_action_redirect()
+
     def object_action(self, form, instance):
         attached_tags = instance.attached_tags()
 
@@ -291,6 +298,13 @@ class TagRemoveActionView(MultipleObjectFormActionView):
 
         return result
 
+    def get_post_action_redirect(self):
+        queryset = self.get_queryset()
+        if queryset.count() == 1:
+            return reverse('tags:document_tags', args=(queryset.first().pk,))
+        else:
+            return super(TagRemoveActionView, self).get_post_action_redirect()
+
     def object_action(self, form, instance):
         attached_tags = instance.attached_tags()
 

mayan/apps/tags/widgets.py

@@ -3,6 +3,7 @@ from __future__ import absolute_import, unicode_literals
 from django import forms
 from django.apps import apps
 from django.template.loader import render_to_string
+from django.utils.html import conditional_escape
 from django.utils.safestring import mark_safe
 
 from .permissions import permission_tag_view
@@ -17,8 +18,8 @@ class TagFormWidget(forms.SelectMultiple):
 
     def create_option(self, name, value, label, selected, index, subindex=None, attrs=None):
         result = super(TagFormWidget, self).create_option(
-            name=name, value=value, label=label, selected=selected,
-            index=index, subindex=subindex, attrs=attrs
+            name=name, value=value, label='{}'.format(conditional_escape(label)),
+            selected=selected, index=index, subindex=subindex, attrs=attrs
         )
 
         result['attrs']['data-color'] = self.queryset.get(pk=value).color