author | Chad Weider <cweider@oofn.net> | 2012-01-18 03:58:13 -0800 |
---|---|---|
committer | Chad Weider <cweider@oofn.net> | 2012-02-10 14:52:35 -0800 |
commit | e0d23e3c5d9feb1fc4ff88fa923bb6d1fa1aae18 (patch) | |
tree | 897f2e0b2f67a32a5f1fdfa9d605c17078d04b09 /node | |
parent | 363e1685618b1bb05802a221021549eb0ee7a3bd (diff) | |
download | etherpad-lite-e0d23e3c5d9feb1fc4ff88fa923bb6d1fa1aae18.zip |
Create and use the Security module.
Use it to replace code on the client and server side.
Diffstat (limited to 'node')
-rw-r--r-- | node/utils/ExportHtml.js | 25 | ||||
-rw-r--r-- | node/utils/tar.json | 3 |
2 files changed, 7 insertions, 21 deletions
diff --git a/node/utils/ExportHtml.js b/node/utils/ExportHtml.js
index 7296012f..afeafd3a 100644
--- a/node/utils/ExportHtml.js
+++ b/node/utils/ExportHtml.js
@@ -19,6 +19,7 @@ var async = require("async");
 var Changeset = CommonCode.require("/Changeset");
 var padManager = require("../db/PadManager");
 var ERR = require("async-stacktrace");
+var Security = CommonCode.require('/security');
 
 function getPadPlainText(pad, revNum)
 {
@@ -270,7 +271,7 @@ function getHTMLFromAtext(pad, atext)
 //from but they break the abiword parser and are completly useless
 s = s.replace(String.fromCharCode(12), "");
 
- assem.append(_escapeHTML(s));
+ assem.append(_encodeWhitespace(Security.escapeHTML(s)));
 } // end iteration over spans in line
 var tags2close = [];
@@ -293,7 +294,7 @@ function getHTMLFromAtext(pad, atext)
 var url = urlData[1];
 var urlLength = url.length;
 processNextChars(startIndex - idx);
- assem.append('<a href="' + _escapeHTML(url) + '">');
+ assem.append('<a href="' + Security.escapeHTMLAttribute(url) + '">');
 processNextChars(urlLength);
 assem.append('</a>');
 });
@@ -494,25 +495,7 @@ exports.getPadHTMLDocument = function (padId, revNum, noDocType, callback)
 });
 }
 
-function _escapeHTML(s)
-{
- var re = /[&"<>]/g;
- if (!re.MAP)
- {
- // persisted across function calls!
- re.MAP = {
- '&': '&',
- '"': '"',
- '<': '<',
- '>': '>'
- };
- }
-
- s = s.replace(re, function (c)
- {
- return re.MAP[c];
- });
-
+function _encodeWhitespace(s) {
 return s.replace(/[^\x21-\x7E\s\t\n\r]/g, function(c)
 {
 return "&#" +c.charCodeAt(0) + ";"
diff --git a/node/utils/tar.json b/node/utils/tar.json
index 9bab03c0..e922ddde 100644
--- a/node/utils/tar.json
+++ b/node/utils/tar.json
@@ -1,6 +1,7 @@
 {
 "pad.js": [
 "jquery.js"
+ , "security.js"
 , "pad.js"
 , "ace2_common.js"
 , "pad_utils.js"
@@ -25,6 +26,7 @@
 ]
 , "timeslider.js": [
 "jquery.js"
+ , "security.js"
 , "plugins.js"
 , "undo-xpopup.js"
 , "json2.js"
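Review bot: The added require line uses single quotes while the three require lines around it in the hunk use double quotes, which makes the new line stand out for no reason. `var Security = CommonCode.require("/security");` keeps the block consistent. The security module itself is not part of this diffstat (limited to 'node'), so its path and export names cannot be checked from here.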
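Review bot: The new `assem.append(_encodeWhitespace(Security.escapeHTML(s)))` line depends on a call order that is easy to invert in a later refactor and nothing in the code says why it matters. `_encodeWhitespace` emits `&#NNN;` references, so if it ever ran before `Security.escapeHTML`, the ampersands it produces would be re-escaped (assuming `Security.escapeHTML` escapes `&` as the removed `_escapeHTML` did), corrupting the export. A one-line comment would pin the contract: `// escape first: _encodeWhitespace emits '&#N;' references that must not be re-escaped`. getHTMLFromAtext starts and ends outside the hunk.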
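Review bot: `Security.escapeHTMLAttribute(url)` only keeps the value from breaking out of the double-quoted href; it does not constrain what the link points to, so whether a non-http(s) scheme can reach this `<a href="…">` depends entirely on the URL matcher that fills `urlData`, which is outside the hunk. If that matcher is not already restricted to http/https-style URLs, a scheme check before the append would be the right place to enforce it, and either way a short comment stating which side owns that check would help the next reader: `// scheme restriction is the URL matcher's job; this call only escapes the attribute value`. getHTMLFromAtext starts and ends outside the hunk.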
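Review bot: The surviving body of the renamed `_encodeWhitespace` still runs `c.charCodeAt(0)` on single UTF-16 units, so a character outside the BMP (matched as two surrogates by `[^\x21-\x7E\s\t\n\r]`, which has no `u` flag) is emitted as two references to lone surrogate code points, which are not valid numeric character references. The name is also misleading, since the function leaves whitespace alone and encodes every other character outside printable ASCII; a header such as `/** Replace every non-whitespace character outside printable ASCII with a numeric character reference; call after HTML escaping. */` would say what it actually does. `\t\n\r` are already covered by `\s`. The rewrite below matches a surrogate pair as one unit and computes its code point; the callback and function close outside the hunk.

```javascript
function _encodeWhitespace(s) {
  // A surrogate pair is matched as one unit so an astral character yields one valid
  // reference instead of two references to lone surrogates; \s already covers \t\n\r.
  return s.replace(/[\uD800-\uDBFF][\uDC00-\uDFFF]|[^\x21-\x7E\s]/g, function(c)
  {
    var code = c.length === 2
      ? (c.charCodeAt(0) - 0xD800) * 0x400 + (c.charCodeAt(1) - 0xDC00) + 0x10000
      : c.charCodeAt(0);
    return "&#" + code + ";"
    // … unchanged: closing of the callback and of _encodeWhitespace (outside the hunk) …
```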
@@ -53,6 +55,7 @@
 "ace2_common.js"
 , "AttributePoolFactory.js"
 , "Changeset.js"
+ , "security.js"
 , "skiplist.js"
 , "virtual_lines.js"
 , "cssmanager.js"