From 136f77874373016e34dbb252473ab363d9a147b8 Mon Sep 17 00:00:00 2001
From: ccd0
Date: Sun, 29 Jun 2014 00:05:55 -0700
Subject: [PATCH] rewrite FileInfo for easier XSS checking

---
 src/General/Settings.coffee | 2 +-
 src/Miscellaneous/FileInfo.coffee | 66 +++++++++++++++++++++----------
 2 files changed, 47 insertions(+), 21 deletions(-)

diff --git a/src/General/Settings.coffee b/src/General/Settings.coffee
index a35c656ed..ccd23aeea 100755
--- a/src/General/Settings.coffee
+++ b/src/General/Settings.coffee
@@ -420,7 +420,7 @@ Settings =
 dimensions: '1280x720'
 isImage: true
 isSpoiler: true
- @nextElementSibling.innerHTML = FileInfo.h_format @value, data
+ FileInfo.format @value, data, @nextElementSibling
 favicon: ->
 Favicon.switch()
 Unread.update() if g.VIEW is 'thread' and Conf['Unread Favicon']
diff --git a/src/Miscellaneous/FileInfo.coffee b/src/Miscellaneous/FileInfo.coffee
index e10cfe86b..ab295d905 100755
--- a/src/Miscellaneous/FileInfo.coffee
+++ b/src/Miscellaneous/FileInfo.coffee
@@ -7,29 +7,55 @@ FileInfo =
 cb: @node
 node: ->
 return if !@file or @isClone
- @file.text.innerHTML = "#{FileInfo.h_format Conf['fileInfo'], @}"
- h_format: (formatString, post) ->
+ @file.text.innerHTML = ''
+ FileInfo.format Conf['fileInfo'], @, @file.text.firstElementChild
+ format: (formatString, post, outputNode) ->
+ output = innerHTML: ''
 formatString.replace /%([A-Za-z])|[^%]+/g, (s, c) ->
- if c of FileInfo.h_formatters
- FileInfo.h_formatters[c].call(post)
+ if c of FileInfo.formatters
+ FileInfo.formatters[c].call post, output
 else
- E s
- h_formatters:
- t: -> E @file.URL.match(/\d+\..+$/)[0]
- T: -> "#{FileInfo.h_formatters.t.call @}"
- l: -> "#{FileInfo.h_formatters.n.call @}"
- L: -> "#{FileInfo.h_formatters.N.call @}"
- n: ->
+ output.innerHTML += E s
+ ''
+ outputNode.innerHTML = output.innerHTML
+ formatters:
+ t: (x) ->
+ timestamp = @file.URL.match(/\d+\..+$/)[0]
+ x.innerHTML += E timestamp
+ T: (x) ->
+ x.innerHTML += ""
+ FileInfo.formatters.t.call @, x
+ x.innerHTML += ''
+ l: (x) ->
+ x.innerHTML += ""
+ FileInfo.formatters.n.call @, x
+ x.innerHTML += ''
+ L: (x) ->
+ x.innerHTML += ""
+ FileInfo.formatters.N.call @, x
+ x.innerHTML += ''
+ n: (x) ->
 fullname = @file.name
 shortname = Build.shortFilename @file.name, @isReply
 if fullname is shortname
- E fullname
+ x.innerHTML += E fullname
 else
- "#{E shortname}#{E fullname}"
- N: -> E @file.name
- p: -> if @file.isSpoiler then 'Spoiler, ' else ''
- s: -> E @file.size
- B: -> return "#{+@file.sizeInBytes} Bytes"
- K: -> "#{+Math.round(@file.sizeInBytes/1024)} KB"
- M: -> "#{+Math.round(@file.sizeInBytes/1048576*100)/100} MB"
- r: -> E (@file.dimensions or 'PDF')
+ x.innerHTML += "#{E shortname}#{E fullname}"
+ N: (x) ->
+ x.innerHTML += E @file.name
+ p: (x) ->
+ if @file.isSpoiler
+ x.innerHTML += 'Spoiler, '
+ s: (x) ->
+ x.innerHTML += E @file.size
+ B: (x) ->
+ x.innerHTML += "#{+@file.sizeInBytes} Bytes"
+ K: (x) ->
+ sizeKB = Math.round(@file.sizeInBytes/1024)
+ x.innerHTML += "#{+sizeKB} KB"
+ M: (x) ->
+ sizeMB = Math.round(@file.sizeInBytes/1048576*100)/100
+ x.innerHTML += "#{+sizeMB} MB"
+ r: (x) ->
+ dim = @file.dimensions or 'PDF'
+ x.innerHTML += E dim