replace html special chars to stop xss
This commit is contained in:
Hannes Mannerheim
parent
4765039f43
commit
5b711d981f
|
|
@ -107,6 +107,8 @@ function getFromAPI(stream, actionOnSuccess) {
|
|||
|
||||
data = convertEmptyObjectToEmptyArray(data);
|
||||
|
||||
data = iterateRecursiveReplaceHtmlSpecialChars(data);
|
||||
|
||||
actionOnSuccess(data);
|
||||
},
|
||||
error: function(data) {
|
||||
|
|
@ -118,6 +120,7 @@ function getFromAPI(stream, actionOnSuccess) {
|
|||
}
|
||||
|
||||
|
||||
|
||||
/* ·
|
||||
·
|
||||
· Post new link color
|
||||
|
|
|
|||
|
|
@ -930,7 +930,7 @@ function expand_queet(q,doScrolling) {
|
|||
getFromAPI("attachment/" + attachmentId + ".json",function(data){
|
||||
if(data) {
|
||||
console.log(data);
|
||||
q.children('.queet').find('.queet-text').html($.trim(data.replace(/@<a href="/gi,'<a href="').replace(/!<a href="/gi,'<a href="').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">')));
|
||||
q.children('.queet').find('.queet-text').html($.trim(data.replace(/@<a/gi,'<a').replace(/!<a/gi,'<a').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">')));
|
||||
}
|
||||
});
|
||||
}
|
||||
|
|
@ -1286,6 +1286,7 @@ function showConversation(qid) {
|
|||
else { // proceed if we got a conversation_id
|
||||
$.ajax({ url: external_base_url + '/api/statusnet/conversation/' + data.statusnet_conversation_id + ".json?count=100", type: "GET", dataType: "jsonp", success: function(data) {
|
||||
var before_or_after = 'after';
|
||||
data = iterateRecursiveReplaceHtmlSpecialChars(data);
|
||||
$.each(data, function (key,obj) {
|
||||
|
||||
// switch to append after original queet
|
||||
|
|
|
|||
|
|
@ -33,6 +33,41 @@
|
|||
· ·
|
||||
· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · */
|
||||
|
||||
/* ·
|
||||
·
|
||||
· Removes HTML special chars recursively from strings in objects
|
||||
· with one exception: statusnet_html found in notices
|
||||
·
|
||||
· @param obj: the object to search and replace in
|
||||
·
|
||||
· · · · · · · · · · · · · */
|
||||
|
||||
|
||||
function iterateRecursiveReplaceHtmlSpecialChars(obj) {
|
||||
for (var property in obj) {
|
||||
if (obj.hasOwnProperty(property)) {
|
||||
if (typeof obj[property] == "object") {
|
||||
iterateRecursiveReplaceHtmlSpecialChars(obj[property]);
|
||||
}
|
||||
else {
|
||||
if(typeof obj[property] == 'string' && property != 'statusnet_html') {
|
||||
obj[property] = replaceHtmlSpecialChars(obj[property]);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return obj;
|
||||
}
|
||||
function replaceHtmlSpecialChars(text) {
|
||||
var map = {
|
||||
'&': '&',
|
||||
'<': '<',
|
||||
'>': '>',
|
||||
'"': '"',
|
||||
"'": '''
|
||||
};
|
||||
return text.replace(/[&<>"']/g, function(m) { return map[m]; });
|
||||
}
|
||||
|
||||
/* ·
|
||||
·
|
||||
|
|
@ -262,6 +297,7 @@ function detectRTL(s) {
|
|||
var $queetText = $('<div>').append($streamItem.find('.queet-text').html()); // create an jquery object
|
||||
var $a = $queetText.find('a'); $a.remove(); // remove links
|
||||
var $vcard = $queetText.find('.vcard'); $vcard.remove(); // remove users, groups
|
||||
var $hcard = $queetText.find('.h-card'); $hcard.remove(); // remove users, groups
|
||||
var $tag = $queetText.find('.tag'); $tag.remove(); // remove tags
|
||||
if($queetText.find('.rtl').length>0) { $queetText.html($queetText.find('.rtl').html()); } // remove rtl container if there is one
|
||||
// remove chars we're not interested in
|
||||
|
|
@ -283,7 +319,7 @@ function detectRTL(s) {
|
|||
else if ($queetText.html().length==0 && $('body').hasClass('rtl')) {
|
||||
$streamItem.children('.stream-item').children('.queet').addClass('rtl');
|
||||
}
|
||||
return $streamItem.html().replace(/@<a href="/gi,'<a href="').replace(/!<a href="/gi,'<a href="').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">'); // hacky way to get @#! into mention tags to stop bidirection (css sets an @ with before content method)
|
||||
return $streamItem.html().replace(/@<a/gi,'<a').replace(/!<a/gi,'<a').replace(/@<span class="vcard">/gi,'<span class="vcard">').replace(/!<span class="vcard">/gi,'<span class="vcard">').replace(/#<span class="tag">/gi,'<span class="tag">'); // hacky way to get @#! into mention tags to stop bidirection (css sets an @ with before content method)
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user