Prevent xss
This commit isn't pretty, but we need to basically re-do this site
anyway, so meh.
isaacs committed Sep 16, 2011
1 parent 8b717de commit 28c79f4
Showing 1 changed file with 29 additions and 8 deletions.
37 changes: 29 additions & 8 deletions www/attachments/site.js
Expand Up @@ -168,7 +168,12 @@ app.index = function () {
var doc = docsInPage[i];
doc.rank = 0
doc.tagsInSearch = [];
if (doc.description) doc.htmlDescription = doc.description;
if (doc.description) {
doc.htmlDescription = doc.description.split('&').join('&')
.split('"').join('"')
.split('<').join('&lt;')
.split('>').join('&gt;')
}

if (doc._id.toLowerCase() === currentSearch) doc.rank += 1000

Expand Down Expand Up @@ -279,7 +284,6 @@ app.index = function () {
resp.rows.forEach(function (row) {
searchResults[term].push(row.key);
row.value.name = row.value.name.toLowerCase();
if (row.value.description) row.value.description = row.value.description;
docs[row.key] = row.value;
updateResults();
})
Expand Down Expand Up @@ -364,10 +368,15 @@ app.showPackage = function () {
var showVersion = function (version) {
var v = doc.versions[version];

v.htmlDescription = v.description.split('&').join('&amp;')
.split('"').join('&quot;')
.split('<').join('&lt;')
.split('>').join('&gt;')

$('div#version-info').html(
'<div class="version-info-cell">' +
'<div class="version-info-key">Description</div>' +
'<div class="version-info-value">'+v.description+'</div>' +
'<div class="version-info-value">'+v.htmlDescription+'</div>' +
'</div>' +
'<div class="spacer"></div>' +
'<div class="version-info-cell">' +
Expand Down Expand Up @@ -480,11 +489,11 @@ app.showPackage = function () {
// +
// '<div class="version-info-cell">' +
// '<span class="version-info-key">Author</span>' +
// '<span class="version-info-value">'+v.description+'<span>' +
// '<span class="version-info-value">'+v.htmlDescription+'<span>' +
// '</div>' +
// '<div class="version-info-cell">' +
// '<span class="version-info-key">Repository</span>' +
// '<span class="version-info-value">'+v.description+'<span>' +
// '<span class="version-info-value">'+v.htmlDescription+'<span>' +
// '</div>' +

}
Expand Down Expand Up @@ -582,11 +591,15 @@ app.browse = function () {
, function (r) {
var h = ''
r.rows.forEach(function (row) {
row.htmlDescription = row.description.split('&').join('&amp;')
.split('"').join('&quot;')
.split('<').join('&lt;')
.split('>').join('&gt;')
if (row.id[0] !== '_') {
h += (
'<div class="all-package">' +
'<div class="all-package-name"><a href="/#/'+row.id+'">' + row.id + '</a></div>' +
'<div class="all-package-desc">' + row.doc.description + '</div>' +
'<div class="all-package-desc">' + row.doc.htmlDescription + '</div>' +
'</div>' +
'<div class="spacer"></div>'
)
Expand Down Expand Up @@ -688,10 +701,14 @@ app.tags = function () {
.append('<div id="main-container"></div>');
request({url:'/_view/tags?reduce=false&include_docs=true&key="'+tag+'"'}, function (e, resp) {
resp.rows.forEach(function (row) {
row.doc.htmlDescription = row.doc.description.split('&').join('&amp;')
.split('"').join('&quot;')
.split('<').join('&lt;')
.split('>').join('&gt;')
$('div#main-container').append(
'<div class="all-package">' +
'<div class="tags-pkg-name"><a href="/#/'+encodeURIComponent(row.key)+'">' + row.id + '</a></div>' +
'<div class="tags-pkg-desc">'+row.doc.description+'</div>' +
'<div class="tags-pkg-desc">'+row.doc.htmlDescription+'</div>' +
'</div>' +
'<div class="spacer"></div>'
);
Expand All @@ -707,10 +724,14 @@ app.author = function () {
.append('<div id="main-container"></div>');
request({url:'/_view/author?reduce=false&include_docs=true&key="'+author+'"'}, function (e, resp) {
resp.rows.forEach(function (row) {
row.doc.htmlDescription = row.doc.description.split('&').join('&amp;')
.split('"').join('&quot;')
.split('<').join('&lt;')
.split('>').join('&gt;')
$('div#main-container').append(
'<div class="all-package">' +
'<div class="tags-pkg-name"><a href="/#/'+encodeURIComponent(row.id)+'">' + row.id + '</a></div>' +
'<div class="tags-pkg-desc">'+row.doc.description+'</div>' +
'<div class="tags-pkg-desc">'+row.doc.htmlDescription+'</div>' +
'</div>' +
'<div class="spacer"></div>'
);
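Review bot: In the app.browse hunk the escaped text is stored on the row (`row.htmlDescription = row.description.split('&')…`) but the template reads `row.doc.htmlDescription`, and the line it replaces read `row.doc.description`, so if the document lives under `row.doc` as the old line implies, `row.description` is undefined and `.split` throws before any package is rendered, and even if it did not throw the cell would print `undefined`; escape the field the template actually uses, `row.doc.htmlDescription = row.doc.description.split('&').join('&amp;')`. The showVersion, tags and author hunks also call `.split` on `description` without the `if (doc.description)` guard the index hunk uses, so a version or document with no description would throw; `(v.description || '')` (and likewise for `row.doc.description`) keeps the escaping while tolerating the missing field. As rendered, the first hunk shows `.join('&')` and `.join('"')` where every other hunk writes `&amp;` and `&quot;`; if that is the committed text rather than the page decoding the entities, those two replacements are no-ops and a literal `&` in a description still reaches the parser as an entity. Note too that `row.id` is still concatenated into the markup unescaped in the browse, tags and author templates, which this commit does not cover. The enclosing functions (app.index, showVersion, app.browse, app.tags, app.author) begin outside their hunks.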
