[SCM] ktp-text-ui packaging branch, master, updated. debian/15.12.1-1-1918-gdf4b0ec
Maximiliano Curia
maxy at moszumanska.debian.org
Sat May 28 00:23:47 UTC 2016
Gitweb-URL: http://git.debian.org/?p=pkg-kde/applications/ktp-text-ui.git;a=commitdiff;h=14b5daf
The following commit has been merged in the master branch:
commit 14b5daf4cab4c534b5d29720b2092c1563db4e6a
Author: Nikita Skovoroda <chalkerx at gmail.com>
Date: Mon Apr 8 12:05:43 2013 +0200
Bugzilla filter: escape html to block injection.
BUG: 317936.
REVIEW: 109905
Also, fix a "not an object" js error when referencing a nonexistent bug (which yields a null result).
---
filters/bugzilla/showBugzillaInfo.js | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/filters/bugzilla/showBugzillaInfo.js b/filters/bugzilla/showBugzillaInfo.js
index 1906257..728f4c0 100644
--- a/filters/bugzilla/showBugzillaInfo.js
+++ b/filters/bugzilla/showBugzillaInfo.js
@@ -1,3 +1,23 @@
+//escape HTML special symbols
+//this function escapes symbols &<>"' with entities
+//the chars-to-codes map is created only once, not on every call
+
+var escapeHTML = (function() {
+ 'use strict';
+ var codes = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ '"': '"',
+ "'": '''
+ };
+ return function(string) {
+ return string.replace(/[&<>"']/g, function(char) {
+ return codes[char];
+ });
+ };
+}());
+
//add bugzilla information to the UI
//the message processor adds a div with a specific ID to the message
//this ID is passed to the bugzilla RPC instance as an ID, which is returned in the query
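Review bot: As rendered here the `codes` map entries for `&`, `<`, `>`, `"` and `'` each map the character to itself, and `"'": '''` is not valid JavaScript, so the escaper as displayed would be a no-op and would not even parse. This is most likely the mail archive decoding the entity references in the source rather than the committed code, but the committed values should be confirmed to read `'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'` (the `&` entry must stay, as it does here, since a single-pass `replace` never re-escapes its own output). A header comment stating the contract would help, e.g. `// Returns string with &<>"' replaced by HTML entities; the argument must be a string (replace is undefined on numbers and null).`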
@@ -6,6 +26,10 @@
function showBugCallback(response)
{
var id = response["id"];
+
+ if (!response["result"])
+ return;
+
var bug = response["result"]["bugs"][0];
var bugId = bug["id"];
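Review bot: The added guard returns on a missing `result` but not on an empty `bugs` array, so if Bugzilla answers an unknown id with `result.bugs` empty (plausible, not verifiable from this hunk), `bug` is undefined and `bug["id"]` on the next line throws the same "not an object" error the commit sets out to fix. A guard covering both cases would be `var bugs = response["result"] && response["result"]["bugs"]; if (!bugs || !bugs.length) return;`. Note also that `response["id"]` is read before the guard, so a null `response` would still throw. showBugCallback continues past the end of this hunk.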
@@ -14,13 +38,13 @@ function showBugCallback(response)
var status = bug["status"]
var resolution = bug["resolution"]
- var html = "[BUG "+bugId+"] "+summary + " " + status;
+ var text = "[BUG " + bugId + "] " + summary + " " + status;
if (status == "RESOLVED") {
- html += " (" + resolution +")";
+ text += " (" + resolution +")";
}
- document.getElementById(id).innerHTML = html;
+ document.getElementById(id).innerHTML = escapeHTML(text);
}
//use jsonp to avoid problems with web security origin
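Review bot: The value being written is plain text, so `textContent` is the safer sink: `document.getElementById(id).textContent = text;` renders it verbatim with no escaping step to keep correct, whereas `innerHTML = escapeHTML(text)` is one wrong entity table away from reintroducing the injection. Two caveats are worth a comment regardless of the sink: `document.getElementById(id)` returns null if the echoed `id` no longer matches an element in the view, and the assignment would then throw (whether that can happen cannot be told from this hunk), and as the last line's comment says the data arrives via JSONP, i.e. the remote response is executed as script, so escaping the bug fields defends only against injection through those fields and not against a hostile or compromised Bugzilla endpoint. The hunk ends at the function's closing brace; the JSONP request code follows outside it.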