blobinfo: protect against xss from filename
http://camlistore.org/issue/173 Change-Id: I0b94578cea671ab3ba330a498f835a6e0bfdfc68
parent
574b5feb96
commit
4a36967bc1
|
@ -113,7 +113,7 @@ function(bmap) {
|
|||
blobmeta.innerHTML = "(not found)";
|
||||
return;
|
||||
}
|
||||
blobmeta.innerHTML = JSON.stringify(binfo, null, 2);
|
||||
blobmeta.innerHTML = htmlEscape(JSON.stringify(binfo, null, 2));
|
||||
if (binfo.camliType || (binfo.type && binfo.type.indexOf("text/") == 0)) {
|
||||
this.connection_.getBlobContents(blobref,
|
||||
goog.bind(function(data) {
|
||||
|
@ -130,7 +130,7 @@ function(bmap) {
|
|||
// That's why we do this messy business here. Fix it server side.
|
||||
finfo = JSON.parse(data);
|
||||
bd.innerHTML = "<a href=''></a>";
|
||||
var fileName = finfo.fileName || blobref;
|
||||
var fileName = htmlEscape(finfo.fileName) || blobref;
|
||||
bd.firstChild.href = "./download/" + blobref + "/" + fileName;
|
||||
// If the mime type was not detected by magic pkg, we end up
|
||||
// with an empty mimetype value in the indexer's fileinfo,
|
||||
|
@ -176,9 +176,13 @@ function(bmap) {
|
|||
}
|
||||
}
|
||||
|
||||
function htmlEscape(data) {
|
||||
return goog.string.htmlEscape(data);
|
||||
}
|
||||
|
||||
function linkifyBlobRefs(schemaBlob) {
|
||||
var re = /(\w{3,6}-[a-f0-9]{30,})/g;
|
||||
return schemaBlob.replace(re, "<a href='./?b=$1'>$1</a>");
|
||||
return htmlEscape(schemaBlob).replace(re, "<a href='./?b=$1'>$1</a>");
|
||||
};
|
||||
|
||||
// Gets the |p| query parameter, assuming that it looks like a blobref.
|
||||
|
|
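Review bot: In the second hunk, `var fileName = htmlEscape(finfo.fileName) || blobref;` applies HTML escaping to a value whose only visible sink is the next statement, `bd.firstChild.href = "./download/" + blobref + "/" + fileName;`, which sets a DOM property rather than markup, so HTML entities are the wrong encoding there: a name such as `a&b.txt` becomes `a&amp;b.txt` and the download link breaks, while `/`, `?` or `#` in the name are still spliced into the URL unencoded. The path segment should be percent-encoded instead: `var fileName = finfo.fileName || blobref;` followed by `bd.firstChild.href = "./download/" + blobref + "/" + encodeURIComponent(fileName);`. The `|| blobref` fallback in the new line also appears to work only because `goog.string.htmlEscape` returns a non-string argument unchanged when it contains none of `&<>"'`, so applying the fallback before any escaping removes that accidental dependency. If `fileName` is later inserted as HTML text, which the enclosing callback may do since it continues past the end of the hunk, keep an `htmlEscape` at that sink rather than on the shared variable.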