Goyslop/4chan-x
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Disallow custom HTML in file info format.

Browse Source 
I doubt anyone is using it, and if someone manages to inject a
malicious script into the page, this could be used to install a
script permanently to be executed each time 4chan is visited.

I'll mention it in the changelog, and if anyone complains, I can
add it back with some security checks.
This commit is contained in:
ccd0 2014-05-13 14:20:19 -07:00
parent de5f4e0a85
commit 0415828e27
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/Miscellaneous/FileInfo.coffee
View File

@ -9,11 +9,11 @@ FileInfo =
return if !@file or @isClone return if !@file or @isClone
@file.text.innerHTML = "<span class=file-info>#{FileInfo.format Conf['fileInfo'], @}</span>" @file.text.innerHTML = "<span class=file-info>#{FileInfo.format Conf['fileInfo'], @}</span>"
format: (formatString, post) -> format: (formatString, post) ->
formatString.replace /%([A-Za-z])/g, (s, c) -> formatString.replace /%([A-Za-z])|[^%]+/g, (s, c) ->
if c of FileInfo.formatters if c of FileInfo.formatters
FileInfo.formatters[c].call(post) FileInfo.formatters[c].call(post)
else else
s FileInfo.escape s
convertUnit: (size, unit) -> convertUnit: (size, unit) ->
if unit is 'B' if unit is 'B'
return "#{size.toFixed()} Bytes" return "#{size.toFixed()} Bytes"