Disallow custom HTML in file info format.

I doubt anyone is using it, and if someone manages to inject a
malicious script into the page, this could be used to install a
script permanently to be executed each time 4chan is visited.

I'll mention it in the changelog, and if anyone complains, I can
add it back with some security checks.
This commit is contained in:
ccd0 2014-05-13 14:20:19 -07:00
parent de5f4e0a85
commit 0415828e27


@ -9,11 +9,11 @@ FileInfo =
return if !@file or @isClone
@file.text.innerHTML = "<span class=file-info>#{FileInfo.format Conf['fileInfo'], @}</span>"
format: (formatString, post) ->
formatString.replace /%([A-Za-z])/g, (s, c) ->
formatString.replace /%([A-Za-z])|[^%]+/g, (s, c) ->
if c of FileInfo.formatters
FileInfo.formatters[c].call(post)
else
s
FileInfo.escape s
convertUnit: (size, unit) ->
if unit is 'B'
return "#{size.toFixed()} Bytes"
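Review bot: The new `FileInfo.escape s` branch escapes only the literal text and unknown `%X` sequences; the value returned by `FileInfo.formatters[c].call(post)` on the line above it is still concatenated into `innerHTML` (the `@file.text.innerHTML = ...` context line) without passing through `escape`. If any formatter returns post-derived text such as a filename, the safety of this change depends on that formatter escaping its own output, which cannot be confirmed from this hunk; a comment above `if c of FileInfo.formatters` would pin the contract: `# formatters must return HTML-safe strings; only literal text is escaped below`. Separately, a `%` that is not followed by a letter matches neither alternative of the new regex and is passed through untouched by `replace`, which is harmless for HTML but means it never reaches `escape`. `FileInfo.escape` is not defined in this hunk, so I assume it encodes at least `<`, `>`, `&` and `"`; the hunk begins inside the `FileInfo =` object literal, but `format` itself is fully visible.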