rewrite FileInfo for easier XSS checking

2014-06-29 00:05:55 -07:00 · 2014-06-29 00:05:55 -07:00 · 136f778743
commit 136f778743
parent 646c29c4bc
2 changed files with 47 additions and 21 deletions
--- a/src/General/Settings.coffee
+++ b/src/General/Settings.coffee
@ -420,7 +420,7 @@ Settings =
        dimensions: '1280x720'
        isImage: true
        isSpoiler: true
-    @nextElementSibling.innerHTML = FileInfo.h_format @value, data
+    FileInfo.format @value, data, @nextElementSibling
  favicon: ->
    Favicon.switch()
    Unread.update() if g.VIEW is 'thread' and Conf['Unread Favicon']
--- a/src/Miscellaneous/FileInfo.coffee
+++ b/src/Miscellaneous/FileInfo.coffee
@ -7,29 +7,55 @@ FileInfo =
      cb:   @node
  node: ->
    return if !@file or @isClone
-    @file.text.innerHTML = "<span class='file-info'>#{FileInfo.h_format Conf['fileInfo'], @}</span>"
-  h_format: (formatString, post) ->
+    @file.text.innerHTML = '<span class="file-info"></span>'
+    FileInfo.format Conf['fileInfo'], @, @file.text.firstElementChild
+  format: (formatString, post, outputNode) ->
+    output = innerHTML: ''
    formatString.replace /%([A-Za-z])|[^%]+/g, (s, c) ->
-      if c of FileInfo.h_formatters
-        FileInfo.h_formatters[c].call(post)
+      if c of FileInfo.formatters
+        FileInfo.formatters[c].call post, output
      else
-        E s
-  h_formatters:
-    t: -> E @file.URL.match(/\d+\..+$/)[0]
-    T: -> "<a href='#{E @file.URL}' target='_blank'>#{FileInfo.h_formatters.t.call @}</a>"
-    l: -> "<a href='#{E @file.URL}' target='_blank'>#{FileInfo.h_formatters.n.call @}</a>"
-    L: -> "<a href='#{E @file.URL}' target='_blank'>#{FileInfo.h_formatters.N.call @}</a>"
-    n: ->
+        output.innerHTML += E s
+      ''
+    outputNode.innerHTML = output.innerHTML
+  formatters:
+    t: (x) ->
+      timestamp = @file.URL.match(/\d+\..+$/)[0]
+      x.innerHTML += E timestamp
+    T: (x) ->
+      x.innerHTML += "<a href='#{E @file.URL}' target='_blank'>"
+      FileInfo.formatters.t.call @, x
+      x.innerHTML += '</a>'
+    l: (x) ->
+      x.innerHTML += "<a href='#{E @file.URL}' target='_blank'>"
+      FileInfo.formatters.n.call @, x
+      x.innerHTML += '</a>'
+    L: (x) ->
+      x.innerHTML += "<a href='#{E @file.URL}' target='_blank'>"
+      FileInfo.formatters.N.call @, x
+      x.innerHTML += '</a>'
+    n: (x) ->
      fullname  = @file.name
      shortname = Build.shortFilename @file.name, @isReply
      if fullname is shortname
-        E fullname
+        x.innerHTML += E fullname
      else
-        "<span class='fnswitch'><span class='fntrunc'>#{E shortname}</span><span class='fnfull'>#{E fullname}</span></span>"
-    N: -> E @file.name
-    p: -> if @file.isSpoiler then 'Spoiler, ' else ''
-    s: -> E @file.size
-    B: -> return "#{+@file.sizeInBytes} Bytes"
-    K: -> "#{+Math.round(@file.sizeInBytes/1024)} KB"
-    M: -> "#{+Math.round(@file.sizeInBytes/1048576*100)/100} MB"
-    r: -> E (@file.dimensions or 'PDF')
+        x.innerHTML += "<span class='fnswitch'><span class='fntrunc'>#{E shortname}</span><span class='fnfull'>#{E fullname}</span></span>"
+    N: (x) ->
+      x.innerHTML += E @file.name
+    p: (x) ->
+      if @file.isSpoiler
+        x.innerHTML += 'Spoiler, '
+    s: (x) ->
+      x.innerHTML += E @file.size
+    B: (x) ->
+      x.innerHTML += "#{+@file.sizeInBytes} Bytes"
+    K: (x) ->
+      sizeKB = Math.round(@file.sizeInBytes/1024)
+      x.innerHTML += "#{+sizeKB} KB"
+    M: (x) ->
+      sizeMB = Math.round(@file.sizeInBytes/1048576*100)/100
+      x.innerHTML += "#{+sizeMB} MB"
+    r: (x) ->
+      dim = @file.dimensions or 'PDF'
+      x.innerHTML += E dim