Tracker error messages are inadequately output encoded when rendered by the
tracker information page inside the WebUI, allowing a malicious tracker to
inject an XSS payload into the page. Exploiting this issue allows an
attacker to supply arbitrary client-side code that will ultimately be
rendered and executed within the end user's web browser.
Found by Rory McNamara (Gotham Digital Science). CVE pending.
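Added example, not part of the commit above or of Transmission's code: the class of fix that message describes, with an unencoded render of a tracker error beside an output-encoded one. The function names, the `errorMessage` field, the markup and the sample tracker are assumptions constructed for illustration.

```javascript
// Hypothetical helper names; this is not the WebUI's actual code.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the characters that can change parsing context in element
// content or in a quoted attribute value. null/undefined become ''.
function escapeHtml(value) {
  if (value === null || value === undefined) {
    return '';
  }
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": tracker-controlled text is concatenated straight into markup,
// so any tags the tracker sends are parsed by the browser.
function renderTrackerErrorUnsafe(tracker) {
  return '<div class="tracker-error">Got an error "' +
    tracker.errorMessage + '"</div>';
}

// "After": the tracker-supplied field is encoded at the point of output,
// so it can only ever be displayed as text.
function renderTrackerError(tracker) {
  return '<div class="tracker-error">Got an error "' +
    escapeHtml(tracker.errorMessage) + '"</div>';
}

// Constructed sample input standing in for a hostile tracker response.
const sampleTracker = {
  host: 'tracker.example',
  errorMessage: '<img src=x onerror=alert(1)>',
};

console.log('unsafe :', renderTrackerErrorUnsafe(sampleTracker));
console.log('encoded:', renderTrackerError(sampleTracker));
```

Where the page is built through the DOM rather than by string concatenation, assigning the message with `textContent` (or jQuery's `.text()`) gives the same result without a hand-written encoder.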
The current icons are very hard to read at the current font size and it's not immediately visible which icon is which.
Additionally, spaces after icons are removed because the upload icon is equally positioned between DL/UL speeds (like so `↓ 273 kB/s **↑** 0 kB/s`) which requires reading the whole line to make sense of which number the arrow applies to.
To further separate one type of information from another the hyphen is replaced by the slightly wider en dash.
Old vs New:
Downloading from 7 of 19 peers - ↓ 273 kB/s ↑ 167 kB/s
Downloading from 7 of 19 peers – ▼273 kB/s ▲167 kB/s
Identifying a dialog by its header title is kinda dirty and now we use
the dialog's id instead. We also check if the dialog is visible before executing
the hotkey action.
Since torrents' info is fetched asynchronously, it may not yet be
available when inspector updates. Account for possibly undefined
creator.
Refine logic used to construct torrent origin phrase to prevent
results such as "Created by on <date>" or "Created by <creator>
on ".
If we use FormData and jQuery.ajax() calls to upload a torrent,
we can stop bundling the jquery.form.js module. In addition, this
simplifies passing arguments in the headers s.t. rpc-server.c doesn't
have to look for the CSRF token as one of the multiparts.
This changes the upload POST behavior, so give it a new name (upload2).
The old function (upload) will be deprecated but kept until 2.90 so
that third-party web clients using the old POST semantics will have
time to update.
Bug #5290 <https://trac.transmissionbt.com/ticket/5290>
inspector.js' functions, beginning with addSubtreeToView(), are leaked
into the DOM due to a missing comma at the end of the previous func.
Bug #5289 <https://trac.transmissionbt.com/ticket/5289>