Fix reflected XSS in new_window.php
Framartin authored and ciubotaru committed Aug 23, 2017
1 parent 9e86515 commit fb6fae2
Showing 1 changed file with 12 additions and 2 deletions.
14 changes: 12 additions & 2 deletions trunk/new_window.php
Expand Up @@ -42,6 +42,16 @@
</style>

<script type="text/javascript">
// Use to prevent XSS
// Code from http://shebang.brandonmintern.com/foolproof-html-escaping-in-javascript/
// Use the browser's built-in functionality to quickly and safely escape
// the string
function escapeHtml(str) {
var div = document.createElement('div');
div.appendChild(document.createTextNode(str));
return div.innerHTML;
}

function extras(a) {
var b = document.getElementById("remember").checked;
var c = document.getElementById("markdown").checked;
Expand Down Expand Up @@ -252,7 +262,7 @@ function redirect() {
location.href = "about"
} else {
if (localStorage["remember"] && localStorage["remember"] === "true" && localStorage["lastPod"] && redir !== "false") {
document.getElementsByTagName('body')[0].innerHTML = "Sharing <b>" + title + "</b> (" + url + ") to " + localStorage["lastPod"];
document.getElementsByTagName('body')[0].innerHTML = "Sharing <b>" + escapeHtml(title) + "</b> (" + escapeHtml(url) + ") to " + escapeHtml(localStorage["lastPod"]);
var a = "http://" + localStorage["lastPod"] + "/bookmarklet?url=" + encodeURIComponent(url) + "&title=" + encodeURIComponent(title);
if (notes !== "") {
a += "&notes=" + encodeURIComponent(notes)
Expand All @@ -262,7 +272,7 @@ function redirect() {
return true
} else {
document.getElementById("sharetitle").value = title;
document.getElementById("shareurl").innerHTML = url;
document.getElementById("shareurl").innerHTML = escapeHtml(url);
crealinks();
return false
}
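Review bot: escapeHtml in the first hunk relies on text-node serialization, which escapes only `&`, `<` and `>` and leaves `"` and `'` untouched, so it is sufficient for the element-content sinks patched here (the body `innerHTML` and the `shareurl` `innerHTML`) but would not protect an attribute value or a URL, and the "foolproof" header comment should state that limit, e.g. `// Escapes only & < > (text-node serialization): safe for element content, NOT for attribute values or URLs.` The `shareurl` sink in the third hunk carries no markup at all and could drop the dependency on escapeHtml entirely with `document.getElementById("shareurl").textContent = url;`. The body line in the second hunk still concatenates HTML around the escaped values, which holds only as long as every interpolated value is wrapped; building that line with DOM calls (createElement/createTextNode) would keep a later edit from reintroducing an unescaped value. redirect(), which contains the second and third hunks, starts and ends outside the shown lines.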
