wamo/Qvitter
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

stop xss

Browse Source
This commit is contained in:
Hannes Mannerheim 2015-09-06 01:21:43 +02:00
parent fff77da69c
commit 76dcc86ffc
2 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
QvitterPlugin.php
View File

@ -766,10 +766,10 @@ class QvitterPlugin extends Plugin {
if(!$user_is_deleted) {
$rendered = sprintf(_m('<a href="%1$s">%2$s</a> deleted notice <a href="%3$s">{{%4$s}}</a>.'),
$profile->getUrl(),
$profile->getBestName(),
$notice->getUrl(),
$notice->uri);
htmlspecialchars($profile->getUrl()),
htmlspecialchars($profile->getBestName()),
htmlspecialchars($notice->getUrl()),
htmlspecialchars($notice->uri));
$text = sprintf(_m('%1$s deleted notice {{%2$s}}.'),
$profile->getBestName(),
$notice->uri);

8
js/dom-functions.js
View File

@ -1437,6 +1437,10 @@ function showConversation(q, qid, data) {
var queetTime = parseTwitterDate(obj.created_at);
if(obj.source == 'activity') {
// because we had an xss issue, the obj.statusnet_html of qvitter-deleted-activity-notices can contain unwanted html, so we escape..
obj.statusnet_html = replaceHtmlSpecialChars(obj.statusnet_html);
var queetHtml = '<div id="conversation-stream-item-' + obj.id + '" class="stream-item conversation activity hidden-conversation" data-source="' + escape(obj.source) + '" data-quitter-id="' + obj.id + '" data-quitter-id-in-stream="' + obj.id + '"><div class="queet" id="conversation-q-' + obj.id + '"><div class="queet-content"><div class="stream-item-header"><small class="created-at" data-created-at="' + obj.created_at + '"><a>' + queetTime + '</a></small></div><div class="queet-text">' + $.trim(obj.statusnet_html) + '</div></div></div></div>';
// detect rtl
@ -1821,6 +1825,10 @@ function addToFeed(feed, after, extraClasses, isReply) {
// activity get special design
if(obj.source == 'activity' || obj.is_activity === true) {
// because we had an xss issue, the obj.statusnet_html of qvitter-deleted-activity-notices can contain unwanted html, so we escape..
obj.statusnet_html = replaceHtmlSpecialChars(obj.statusnet_html);
var queetTime = parseTwitterDate(obj.created_at);
var queetHtml = '<div id="stream-item-' + obj.id + '" class="stream-item activity ' + extraClassesThisRun + '" data-quitter-id="' + obj.id + '" data-conversation-id="' + obj.statusnet_conversation_id + '" data-quitter-id-in-stream="' + obj.id + '"><div class="queet" id="q-' + obj.id + '"><div class="queet-content"><div class="stream-item-header"><small class="created-at" data-created-at="' + obj.created_at + '"><a href="' + window.siteInstanceURL + 'notice/' + obj.id + '">' + queetTime + '</a></small></div><div class="queet-text">' + $.trim(obj.statusnet_html) + '</div></div></div></div>';