replace html special chars to stop xss
parent
4765039f43
commit
5b711d981f
|
@ -107,6 +107,8 @@ function getFromAPI(stream, actionOnSuccess) {
|
||||||
|
|
||||||
data = convertEmptyObjectToEmptyArray(data);
|
data = convertEmptyObjectToEmptyArray(data);
|
||||||
|
|
||||||
|
data = iterateRecursiveReplaceHtmlSpecialChars(data);
|
||||||
|
|
||||||
actionOnSuccess(data);
|
actionOnSuccess(data);
|
||||||
},
|
},
|
||||||
error: function(data) {
|
error: function(data) {
|
||||||
|
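Review bot: Escaping the whole response inside getFromAPI, before `actionOnSuccess(data)`, encodes at the input boundary rather than at the HTML sink, so every string in the payload now carries entities even where a caller never treats it as markup — a value later placed with `.text()`, `.attr('href', …)` or `.val()`, or reused in a URL, will show or send `&amp;`/`&#039;` literally. If that trade-off is accepted it should be recorded at the call site, e.g. `// response strings are HTML-escaped here (except statusnet_html); callers must display them with .html() and must not escape again`. Note that `statusnet_html` stays trusted server markup by design, so this change does not protect `.html()` sinks fed from that field. The body of getFromAPI begins outside the hunk.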
@ -118,6 +120,7 @@ function getFromAPI(stream, actionOnSuccess) {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/* ·
|
/* ·
|
||||||
·
|
·
|
||||||
· Post new link color
|
· Post new link color
|
||||||
|
|
|
@ -930,7 +930,7 @@ function expand_queet(q,doScrolling) {
|
||||||
getFromAPI("attachment/" + attachmentId + ".json",function(data){
|
getFromAPI("attachment/" + attachmentId + ".json",function(data){
|
||||||
if(data) {
|
if(data) {
|
||||||
console.log(data);
|
console.log(data);
|
||||||
q.children('.queet').find('.queet-text').html($.trim(data.replace(/@<a href="/gi,'<a href="').replace(/!<a href="/gi,'<a href="').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">')));
|
q.children('.queet').find('.queet-text').html($.trim(data.replace(/@<a/gi,'<a').replace(/!<a/gi,'<a').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">')));
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
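Review bot: The attachment response is inserted into `.queet-text` with `.html()` as-is, and since `data.replace(...)` is called on it the response is a plain string; the new escape in getFromAPI leaves a top-level string untouched (a `for...in` over a string primitive yields only index keys and the write-back is ignored outside strict mode), so this raw-HTML sink survives only through an implicit gap in the sanitizer rather than an explicit exemption. Make the intent visible so a later fix to the sanitizer does not silently change it, e.g. `// attachment/*.json returns server-rendered HTML; it is a bare string, which iterateRecursiveReplaceHtmlSpecialChars passes through unchanged, so it is inserted as markup on purpose`. The `/@<a/gi` pattern also now matches any tag whose name starts with "a" (`<abbr>`, `<article>`, `<audio>`), where the previous `/@<a href="/` matched only anchors. The enclosing expand_queet starts outside the hunk.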
@ -1286,6 +1286,7 @@ function showConversation(qid) {
|
||||||
else { // proceed if we got a conversation_id
|
else { // proceed if we got a conversation_id
|
||||||
$.ajax({ url: external_base_url + '/api/statusnet/conversation/' + data.statusnet_conversation_id + ".json?count=100", type: "GET", dataType: "jsonp", success: function(data) {
|
$.ajax({ url: external_base_url + '/api/statusnet/conversation/' + data.statusnet_conversation_id + ".json?count=100", type: "GET", dataType: "jsonp", success: function(data) {
|
||||||
var before_or_after = 'after';
|
var before_or_after = 'after';
|
||||||
|
data = iterateRecursiveReplaceHtmlSpecialChars(data);
|
||||||
$.each(data, function (key,obj) {
|
$.each(data, function (key,obj) {
|
||||||
|
|
||||||
// switch to append after original queet
|
// switch to append after original queet
|
||||||
|
|
|
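Review bot: The escape added before `$.each(data, …)` runs after a `dataType: "jsonp"` request to `external_base_url`, and JSONP loads the response as a script that executes in the page before any of this code sees it, so the escaping limits what ends up in the DOM but not what the remote host can do; this path is only as safe as the host behind `external_base_url`. This call also repeats by hand what getFromAPI now does centrally, so any other direct `$.ajax` that feeds `.html()` and was not touched here stays unescaped — routing such calls through a shared wrapper would be less error-prone than per-site calls. A comment such as `// jsonp: the response is executed as script; escaping below only covers what is rendered from it` would make the limitation explicit. The success callback and showConversation continue outside the hunk.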
@ -33,6 +33,41 @@
|
||||||
· ·
|
· ·
|
||||||
· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · */
|
· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · */
|
||||||
|
|
||||||
|
/* ·
|
||||||
|
·
|
||||||
|
· Removes HTML special chars recursively from strings in objects
|
||||||
|
· with one exception: statusnet_html found in notices
|
||||||
|
·
|
||||||
|
· @param obj: the object to search and replace in
|
||||||
|
·
|
||||||
|
· · · · · · · · · · · · · */
|
||||||
|
|
||||||
|
|
||||||
|
function iterateRecursiveReplaceHtmlSpecialChars(obj) {
|
||||||
|
for (var property in obj) {
|
||||||
|
if (obj.hasOwnProperty(property)) {
|
||||||
|
if (typeof obj[property] == "object") {
|
||||||
|
iterateRecursiveReplaceHtmlSpecialChars(obj[property]);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
if(typeof obj[property] == 'string' && property != 'statusnet_html') {
|
||||||
|
obj[property] = replaceHtmlSpecialChars(obj[property]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return obj;
|
||||||
|
}
|
||||||
|
function replaceHtmlSpecialChars(text) {
|
||||||
|
var map = {
|
||||||
|
'&': '&',
|
||||||
|
'<': '<',
|
||||||
|
'>': '>',
|
||||||
|
'"': '"',
|
||||||
|
"'": '''
|
||||||
|
};
|
||||||
|
return text.replace(/[&<>"']/g, function(m) { return map[m]; });
|
||||||
|
}
|
||||||
|
|
||||||
/* ·
|
/* ·
|
||||||
·
|
·
|
||||||
|
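Review bot: iterateRecursiveReplaceHtmlSpecialChars only escapes string-valued properties of an object; a primitive passed in (notably a bare string response, which is what expand_queet appears to receive) is iterated by index, the write-back in `obj[property] = …` is silently dropped in sloppy mode and would throw a TypeError under `'use strict'`. Guard that explicitly at the top, `if (obj === null || typeof obj !== 'object') { return obj; } // primitives incl. top-level strings pass through unchanged`, so the pass-through is a documented decision rather than an accident. The header comment says the function "Removes HTML special chars", but replaceHtmlSpecialChars encodes them as entities; change it to "Escapes HTML special chars (& < > " ') to entities in every string property, recursively, except statusnet_html". As rendered here the map reads `'&': '&'`, `'<': '<'` and so on, which would make the function a no-op; that is presumably the page decoding the entity strings, but it is worth confirming the committed source contains the `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#039;` literals.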
@ -262,6 +297,7 @@ function detectRTL(s) {
|
||||||
var $queetText = $('<div>').append($streamItem.find('.queet-text').html()); // create an jquery object
|
var $queetText = $('<div>').append($streamItem.find('.queet-text').html()); // create an jquery object
|
||||||
var $a = $queetText.find('a'); $a.remove(); // remove links
|
var $a = $queetText.find('a'); $a.remove(); // remove links
|
||||||
var $vcard = $queetText.find('.vcard'); $vcard.remove(); // remove users, groups
|
var $vcard = $queetText.find('.vcard'); $vcard.remove(); // remove users, groups
|
||||||
|
var $hcard = $queetText.find('.h-card'); $hcard.remove(); // remove users, groups
|
||||||
var $tag = $queetText.find('.tag'); $tag.remove(); // remove tags
|
var $tag = $queetText.find('.tag'); $tag.remove(); // remove tags
|
||||||
if($queetText.find('.rtl').length>0) { $queetText.html($queetText.find('.rtl').html()); } // remove rtl container if there is one
|
if($queetText.find('.rtl').length>0) { $queetText.html($queetText.find('.rtl').html()); } // remove rtl container if there is one
|
||||||
// remove chars we're not interested in
|
// remove chars we're not interested in
|
||||||
|
@ -283,7 +319,7 @@ function detectRTL(s) {
|
||||||
else if ($queetText.html().length==0 && $('body').hasClass('rtl')) {
|
else if ($queetText.html().length==0 && $('body').hasClass('rtl')) {
|
||||||
$streamItem.children('.stream-item').children('.queet').addClass('rtl');
|
$streamItem.children('.stream-item').children('.queet').addClass('rtl');
|
||||||
}
|
}
|
||||||
return $streamItem.html().replace(/@<a href="/gi,'<a href="').replace(/!<a href="/gi,'<a href="').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">'); // hacky way to get @#! into mention tags to stop bidirection (css sets an @ with before content method)
|
return $streamItem.html().replace(/@<a/gi,'<a').replace(/!<a/gi,'<a').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">'); // hacky way to get @#! into mention tags to stop bidirection (css sets an @ with before content method)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
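Review bot: Loosening `/@<a href="/gi` to `/@<a/gi` in the return of detectRTL makes the pattern match any tag whose name starts with "a" — `@<abbr>`, `@<article>`, `@<audio>` — not just anchors, so an `@` preceding one of those would be dropped from the returned markup. If the goal was to stop depending on `href` being the first attribute, anchor the match on the end of the tag name instead: `.replace(/@<a(?=[\s>])/gi,'<a').replace(/!<a(?=[\s>])/gi,'<a')`. The same change was made to the identical chain in expand_queet and deserves the same treatment.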