mirror/piskel
1
0
Fork 0
mirror of https://github.com/piskelapp/piskel.git synced 2023-08-10 21:12:52 +03:00
Code Issues Projects Releases Wiki Activity

sanitize strings coming from user inputs

Browse Source
This commit is contained in:
Julian Descottes 2017-02-23 19:37:29 +01:00
parent 6f4413f353
commit 11a063de12
7 changed files with 42 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/js/controller/HeaderController.js
View File

@ -31,7 +31,7 @@
} }
if (this.piskelName_) { if (this.piskelName_) {
this.piskelName_.innerHTML = name; this.piskelName_.textContent = name;
} }
} catch (e) { } catch (e) {
console.warn('Could not update header : ' + e.message); console.warn('Could not update header : ' + e.message);

5
src/js/controller/dialogs/BrowseLocalController.js
View File

@ -48,7 +48,10 @@
keys.forEach((function (key) { keys.forEach((function (key) {
var date = pskl.utils.DateUtils.format(key.date, '{{Y}}/{{M}}/{{D}} {{H}}:{{m}}'); var date = pskl.utils.DateUtils.format(key.date, '{{Y}}/{{M}}/{{D}} {{H}}:{{m}}');
html += pskl.utils.Template.replace(this.localStorageItemTemplate_, {name : key.name, date : date}); html += pskl.utils.Template.replace(this.localStorageItemTemplate_, {
name : key.name,
date : date
});
}).bind(this)); }).bind(this));
var tableBody_ = this.piskelList.get(0).tBodies[0]; var tableBody_ = this.piskelList.get(0).tBodies[0];

2
src/js/controller/dialogs/ImportImageController.js
View File

@ -135,7 +135,7 @@
this.importedImage_.onload = function () {}; this.importedImage_.onload = function () {};
var fileName = this.extractFileNameFromPath_(this.file_.name); var fileName = this.extractFileNameFromPath_(this.file_.name);
this.fileNameContainer.html(fileName); this.fileNameContainer.text(fileName);
this.fileNameContainer.attr('title', fileName); this.fileNameContainer.attr('title', fileName);
this.resizeWidth.val(w); this.resizeWidth.val(w);

2
src/js/controller/settings/SaveController.js
View File

@ -62,7 +62,7 @@
ns.SaveController.prototype.insertSavePartials_ = function () { ns.SaveController.prototype.insertSavePartials_ = function () {
this.getPartials_().forEach(function (partial) { this.getPartials_().forEach(function (partial) {
pskl.utils.Template.insert(this.saveForm, 'beforeend', partial); this.saveForm.insertAdjacentHTML('beforeend', pskl.utils.Template.get(partial));
}.bind(this)); }.bind(this));
}; };

47
src/js/utils/Template.js
View File

@ -16,23 +16,12 @@
}, },
createFromHTML : function (html) { createFromHTML : function (html) {
var dummyEl = document.createElement('div'); var dummyEl = ns.Template._getDummyEl();
dummyEl.innerHTML = html; dummyEl.innerHTML = html;
return dummyEl.children[0]; var element = dummyEl.children[0];
}, dummyEl.innerHTML = '';
insert : function (parent, position, templateId, dict) { return element;
var html = pskl.utils.Template.getAndReplace(templateId, dict);
parent.insertAdjacentHTML(position, html);
},
getAndReplace : function (templateId, dict) {
var result = '';
var tpl = pskl.utils.Template.get(templateId);
if (tpl) {
result = pskl.utils.Template.replace(tpl, dict);
}
return result;
}, },
replace : function (template, dict) { replace : function (template, dict) {
@ -49,10 +38,38 @@
value = ''; value = '';
} }
} }
// Sanitize all values expect if the key is surrounded by `!`
if (!/^!.*!$/.test(key)) {
value = ns.Template.sanitize(value);
}
template = template.replace(new RegExp('\\{\\{' + key + '\\}\\}', 'g'), value); template = template.replace(new RegExp('\\{\\{' + key + '\\}\\}', 'g'), value);
} }
} }
return template; return template;
},
/**
* Sanitize the provided string to make it safer for using in templates.
*/
sanitize : function (string) {
var dummyEl = ns.Template._getDummyEl();
// Apply the unsafe string as text content and
dummyEl.textContent = string;
var sanitizedString = dummyEl.innerHTML;
dummyEl.innerHTML = '';
return sanitizedString;
},
_getDummyEl : function () {
if (!ns.Template._dummyEl) {
ns.Template._dummyEl = document.createElement('div');
}
return ns.Template._dummyEl;
} }
}; };
})(); })();

3
src/js/utils/TooltipFormatter.js
View File

@ -9,7 +9,8 @@
return pskl.utils.Template.replace(tpl, { return pskl.utils.Template.replace(tpl, {
helptext : helpText, helptext : helpText,
shortcut : shortcut, shortcut : shortcut,
descriptors : this.formatDescriptors_(descriptors) // Avoid sanitization for descriptors (markup)
'!descriptors!' : this.formatDescriptors_(descriptors)
}); });
}; };

2
src/templates/misc-templates.html
View File

@ -11,7 +11,7 @@
<script type="text/template" id="tooltip-container-template"> <script type="text/template" id="tooltip-container-template">
<div class='tooltip-container'> <div class='tooltip-container'>
<div>{{helptext}} <span class='tooltip-shortcut'>{{shortcut}}</span></div> <div>{{helptext}} <span class='tooltip-shortcut'>{{shortcut}}</span></div>
{{descriptors}} {{!descriptors!}}
</div> </div>
</script> </script>