fixed xss bug

commit d2137529539dd50e519d12a58fc1936d9a9fceb5 1 parent 55f271d
Sebastian Senf authored January 13, 2012
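--- a/index.html
+++ b/index.html
@@ -58,7 +58,7 @@
       <div class="entry">
         <h2><span class="name">jQAPI offline version</span><span class="returns">Documentation for the road.</span></h2>
         <div class="longdesc">
-          <p><a href="jqapi-latest.zip">Download HTML Version</a>. Documentation for jQuery version 1.7 - 1.8MB - 11/04/11</p>
+          <p><a href="jqapi-latest.zip">Download HTML Version</a>. Documentation for jQuery version 1.7 - 1.8MB - 01/13/12</p>
           <p><a href="http://github.com/downloads/erikzaadi/jqapi/jQAPI-1.6.air?v=05182011">Download AIR Version</a>. Documentation for jQuery version 1.6 - 1.6MB - 05/18/11</p>
         </div>
       </div>
@@ -123,7 +123,8 @@
       <div class="entry">
         <h2><span class="name">Changelog</span><span class="returns">jQAPI history.</span></h2>
         <div class="longdesc">
-<pre><code>[11/04/11] Updated Documentation for jQuery 1.7
+<pre><code>[01/13/12] Fixed XSS bug found by <a href="http://twitter.com/bulkneets">bulkneets</a> (<a href="https://twitter.com/#!/bulkneets/status/156620076160786432">Tweet</a>).
+[11/04/11] Updated Documentation for jQuery 1.7
            Updated to jQuery 1.7
            Added license information
            No way! Valid HTML!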
BIN  jqapi-latest.zip
Binary file not shown
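--- a/js/main.js
+++ b/js/main.js
@@ -98,9 +98,15 @@ jqapi = function() {
     });
     
     $(window).bind('hashchange', function(event) {
-      var state = event.getState();
+      var state     = event.getState(),
+          hasMarkup = /(<([^>]+)>)/ig.test(state.p);
       
-      if(state.p) loadPage($('.sub a[href*="/' + state.p + '/"]:first'));
+      //defeat html xss insertion like #p=<img src%3D/%20onerror%3Dalert(1)>
+      //see https://twitter.com/#!/bulkneets/status/156620076160786432
+      
+      if(state.p && !hasMarkup) {
+        loadPage($('.sub a[href*="/' + state.p + '/"]:first'));
+      }
     }).trigger('hashchange');
     
     zebraItems(elements.list); //zebra the items in the static list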
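Review bot: The new guard in the hashchange handler is a denylist — `hasMarkup` only rejects values containing a `<...>` pair — while `state.p` is still concatenated raw into the jQuery selector on the `loadPage` line, so any hash value without angle brackets, including quote and selector metacharacters, still reaches `$()` unchanged. Because `p` is used as a path segment of the link's href, an allowlist is the stronger and simpler check: `isValidPage = /^[\w.-]+$/.test(state.p);` and `if(state.p && isValidPage) {` — the exact character class should be confirmed against the hrefs that navigation.html actually emits, since that is not visible here. The same denylist check is duplicated by hand in js/main.min.js (the `b=/(<([^>]+)>)/ig.test(a.p)` clause on the last line of that hunk), so the minified file should be regenerated from the source rather than patched separately. The enclosing `jqapi` function starts before this hunk.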
16  js/main.min.js
@@ -35,13 +35,13 @@ jQuery.fn.extend({highlight:function(a,c,d){a=new RegExp("(<[^>]*>)|(\\b"+a.repl
35 35
 (function($){var a={},c="doTimeout",d=Array.prototype.slice;$[c]=function(){return b.apply(window,[0].concat(d.call(arguments)))};$.fn[c]=function(){var f=d.call(arguments),e=b.apply(this,[c+f[0]].concat(f));return typeof f[0]==="number"||typeof f[1]==="number"?this:e};function b(l){var m=this,h,k={},g=l?$.fn:$,n=arguments,i=4,f=n[1],j=n[2],p=n[3];if(typeof f!=="string"){i--;f=l=0;j=n[1];p=n[2]}if(l){h=m.eq(0);h.data(l,k=h.data(l)||{})}else{if(f){k=a[f]||(a[f]={})}}k.id&&clearTimeout(k.id);delete k.id;function e(){if(l){h.removeData(l)}else{if(f){delete a[f]}}}function o(){k.id=setTimeout(function(){k.fn()},j)}if(p){k.fn=function(q){if(typeof p==="string"){p=g[p]}p.apply(m,d.call(n,i))===true&&!q?o():e()};o()}else{if(k.fn){j===undefined?e():k.fn(j===false);return true}else{e()}}}})(jQuery);
36 36
 
37 37
 // main.js
38  
-jqapi=function(){var m,h,n,b,j,k,d,i,f,e,o,g,l;function p(){$("."+b).removeClass(b)}function q(a){a=a.attr("href");return a.substr(5,a.length-16)}function r(a){f.html(j).load(a.attr("href"),function(){document.title=k+a.children("span:first").text();pageTracker._trackPageview(q(a));s()})}function s(){var a=$("p.desc",f);$(".arguement:odd",f).addClass("arguement-odd");a.text().length<=13&&a.remove();$("img",f).attr("src",function(){return $(this).attr("src").substr(1)});$(".signatures",f).each(function(){var a=
  38
+jqapi=function(){var m,h,n,b,j,k,d,i,f,e,o,g,l;function p(){$("."+b).removeClass(b)}function q(a){a=a.attr("href");return a.substr(5,a.length-16)}function r(a){f.html(j).load(a.attr("href"),function(){document.title=k+a.children("span:first").text();pageTracker._trackPageview(q(a));s()})}function s(){var a=$("p.desc",f);$(".arguement:odd",f).addClass("arguement-odd");13>=a.text().length&&a.remove();$("img",f).attr("src",function(){return $(this).attr("src").substr(1)});$(".signatures",f).each(function(){var a=
39 39
 0,b=$(this).find(".arguement");b.children("strong").each(function(){var b=$(this).width();b>a&&(a=b)});b.css("padding-left",a+50)});t()}function t(){$("code.demo-code",f).each(function(){var a=$(this),c=a.parent().parent().find(".code-demo"),a=a.html().replace(/<\/?a.*?>/ig,"").replace(/<\/?strong.*?>/ig,"").replace(/&lt;/g,"<").replace(/&gt;/g,">").replace(/&amp;/g,"&").replace("/scripts/jquery-1.4.js","js/jquery.min.js").replace(/<script>([^<])/g,"<script>window.onload = (function(){\ntry{$1").replace(/([^>])<\/sc/g,
40  
-"$1\n}catch(e){}});</sc").replace("</head>","<style>html,body{border:0; margin:0; padding:10px; background: #FFE0BB;}</style></head>"),b=jQuery("<iframe>",{src:"blank.html",width:"100%",css:{height:c.attr("rel")||125,border:"none"}}).get(0);c.html(b);c=b.contentDocument||b.contentWindow&&b.contentWindow.document||b.document||null;c!=null&&(c.open(),c.write(a),c.close())})}function u(){d.doTimeout("text-type",300,function(){var a=d.val();if(a.length){g.html("").show();e.hide();var c=100,f=$;$(".searchable",
41  
-e).each(function(){var b=$(this),d=b.text(),e=d.toLowerCase().indexOf(a.toLowerCase());e!=-1&&g.text().indexOf(d)==-1&&(b=jQuery("<li>",{"class":"sub",html:b.parent().parent().html()}).appendTo(g),e<c&&(c=e,f=b))});g.prepend(f).highlight(a,!0,"highlight").children("li:first").addClass(b);$(".sub:odd",g).addClass("odd")}else g.hide(),e.show()})}d=void 0;i=void 0;f=void 0;e=void 0;o=void 0;g=void 0;l=void 0;h=null;b="selected";n=!0;j='<div id="loader"></div>';k="jQAPI - Alternative jQuery Documentation - ";
42  
-m=[13,27,38,40];return{initialize:function(){d=$("#search-field");i=$("#search");f=$("#content");e=$("#static-list");o=$(window);g=null;l=null;$('.category span:contains("Plugins")').remove();g=jQuery("<ul>",{id:"results"}).insertBefore(e);l=$(".category",e);h=i.innerHeight();o.resize(function(){var a=o.height(),b=a-h;e.height(b);g.height(b);f.height(a);d.width(i.width()-8)}).mousemove(function(a){a.pageX<e.width()&&d.focus()}).keydown(function(a){a.keyCode==27&&(d.val("").focus(),g.hide(),e.show())}).trigger("resize");
43  
-d.keyup(function(a){if($.inArray(a.keyCode,m)!=-1){if(a=a.keyCode,n){var c=$("."+b+":visible");c.length?(a==38&&c.prev().length&&c.removeClass(b).prev().addClass(b),a==40&&c.next().length&&c.removeClass(b).next().addClass(b),a==13&&$.bbq.pushState({p:q(c.children("a"))})):(c=$(".cat-selected",e),c.length?(a==38&&c.removeClass("cat-selected").prev().addClass("cat-selected"),a==40&&c.removeClass("cat-selected").next().addClass("cat-selected"),a==13&&c.removeClass("cat-selected").children("span").trigger("click")):
44  
-(c=$(".sub:visible",e),c.length?(a==38&&c.filter(":last").addClass(b),a==40&&c.filter(":first").addClass(b)):(a==38&&l.last().addClass("cat-selected"),a==40&&l.first().addClass("cat-selected"))))}}else u()}).focus(function(){n=!0}).blur(function(){n=!1}).focus();$(".category > span",e).toggle(function(){p();d.focus();$(this).parent().addClass("open").children("ul").show()},function(){p();d.focus();$(this).parent().removeClass("open").children("ul").hide()});$(".sub a").live("click",function(){var a=
45  
-$(this);p();d.focus();a.parent().addClass(b);$.bbq.pushState({p:q(a)});return!1});$(window).bind("hashchange",function(a){a=a.getState();a.p&&r($('.sub a[href*="/'+a.p+'/"]:first'))}).trigger("hashchange");$(".sub:odd",e).addClass("odd")}}}();
  40
+"$1\n}catch(e){}});</sc").replace("</head>","<style>html,body{border:0; margin:0; padding:10px; background: #FFE0BB;}</style></head>"),b=jQuery("<iframe>",{src:"blank.html",width:"100%",css:{height:c.attr("rel")||125,border:"none"}}).get(0);c.html(b);c=b.contentDocument||b.contentWindow&&b.contentWindow.document||b.document||null;null!=c&&(c.open(),c.write(a),c.close())})}function u(){d.doTimeout("text-type",300,function(){var a=d.val();if(a.length){g.html("").show();e.hide();var c=100,f=$;$(".searchable",
  41
+e).each(function(){var b=$(this),d=b.text(),e=d.toLowerCase().indexOf(a.toLowerCase());-1!=e&&-1==g.text().indexOf(d)&&(b=jQuery("<li>",{"class":"sub",html:b.parent().parent().html()}).appendTo(g),e<c&&(c=e,f=b))});g.prepend(f).highlight(a,!0,"highlight").children("li:first").addClass(b);$(".sub:odd",g).addClass("odd")}else g.hide(),e.show()})}d=void 0;i=void 0;f=void 0;e=void 0;o=void 0;g=void 0;l=void 0;h=null;b="selected";n=!0;j='<div id="loader"></div>';k="jQAPI - Alternative jQuery Documentation - ";
  42
+m=[13,27,38,40];return{initialize:function(){d=$("#search-field");i=$("#search");f=$("#content");e=$("#static-list");o=$(window);g=null;l=null;$('.category span:contains("Plugins")').remove();g=jQuery("<ul>",{id:"results"}).insertBefore(e);l=$(".category",e);h=i.innerHeight();o.resize(function(){var a=o.height(),b=a-h;e.height(b);g.height(b);f.height(a);d.width(i.width()-8)}).mousemove(function(a){a.pageX<e.width()&&d.focus()}).keydown(function(a){27==a.keyCode&&(d.val("").focus(),g.hide(),e.show())}).trigger("resize");
  43
+d.keyup(function(a){if(-1!=$.inArray(a.keyCode,m)){if(a=a.keyCode,n){var c=$("."+b+":visible");c.length?(38==a&&c.prev().length&&c.removeClass(b).prev().addClass(b),40==a&&c.next().length&&c.removeClass(b).next().addClass(b),13==a&&$.bbq.pushState({p:q(c.children("a"))})):(c=$(".cat-selected",e),c.length?(38==a&&c.removeClass("cat-selected").prev().addClass("cat-selected"),40==a&&c.removeClass("cat-selected").next().addClass("cat-selected"),13==a&&c.removeClass("cat-selected").children("span").trigger("click")):
  44
+(c=$(".sub:visible",e),c.length?(38==a&&c.filter(":last").addClass(b),40==a&&c.filter(":first").addClass(b)):(38==a&&l.last().addClass("cat-selected"),40==a&&l.first().addClass("cat-selected"))))}}else u()}).focus(function(){n=!0}).blur(function(){n=!1}).focus();$(".category > span",e).toggle(function(){p();d.focus();$(this).parent().addClass("open").children("ul").show()},function(){p();d.focus();$(this).parent().removeClass("open").children("ul").hide()});$(".sub a").live("click",function(){var a=
  45
+$(this);p();d.focus();a.parent().addClass(b);$.bbq.pushState({p:q(a)});return!1});$(window).bind("hashchange",function(a){var a=a.getState(),b=/(<([^>]+)>)/ig.test(a.p);a.p&&!b&&r($('.sub a[href*="/'+a.p+'/"]:first'))}).trigger("hashchange");$(".sub:odd",e).addClass("odd")}}}();
46 46
 $(document).ready(function(){$("#navigation").load("navigation.html",function(){jqapi.initialize()});var m=$("#feedback").click(function(){var h=$(this).attr("href"),b=$("#feedback-window"),j=$("#feedback-overlay");if(!b.length){var k=$("body"),d=$(window),i=d.width(),d=d.height(),b=jQuery("<div>",{id:"feedback-window",css:{left:(i-920)/2,height:d-100},html:jQuery("<iframe>",{src:h})}).appendTo(k),j=jQuery("<div>",{id:"feedback-overlay",css:{width:i,height:d},click:function(){$(this).fadeOut("fast");
47  
-b.fadeOut("fast")}}).appendTo(k);jQuery("<a>",{html:"&otimes; Close",href:"#close",css:{left:(i-920)/2},click:function(){j.click();return!1}}).appendTo(j)}j.fadeIn("fast");b.fadeIn("fast");return!1});$("#feedback-trigger").click(function(){m.trigger("click");return!1});var h=$("#topnav");$("#content").scroll(function(){$(this).scrollTop()>30?h.fadeOut("fast"):h.fadeIn("fast")})});
  47
+b.fadeOut("fast")}}).appendTo(k);jQuery("<a>",{html:"&otimes; Close",href:"#close",css:{left:(i-920)/2},click:function(){j.click();return!1}}).appendTo(j)}j.fadeIn("fast");b.fadeIn("fast");return!1});$("#feedback-trigger").click(function(){m.trigger("click");return!1});var h=$("#topnav");$("#content").scroll(function(){30<$(this).scrollTop()?h.fadeOut("fast"):h.fadeIn("fast")})});
