From 97ca89c83da3973dc9e6b8c35a4ee3511e2608a8 Mon Sep 17 00:00:00 2001 From: ccd0 Date: Mon, 12 May 2014 22:20:04 -0700 Subject: [PATCH] Escape file info more aggressively. Most of this isn't strictly necessary, but it makes the script more robust against changes, either in 4chan or the script itself. I don't want to have to review this code for vulnerabilities each time something changes. --- src/Miscellaneous/FileInfo.coffee | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/Miscellaneous/FileInfo.coffee b/src/Miscellaneous/FileInfo.coffee index 923bd3ce5..951f8ab30 100755 --- a/src/Miscellaneous/FileInfo.coffee +++ b/src/Miscellaneous/FileInfo.coffee @@ -25,13 +25,13 @@ FileInfo = size.toFixed() "#{size} #{unit}" escape: (name) -> - name.replace /<|>/g, (c) -> - c is '<' and '<' or '>' + name.replace /[&"'<>]/g, (c) -> + {'&': '&', "'": ''', '"': '"', '<': '<', '>': '>'}[c] formatters: - t: -> @file.URL.match(/\d+\..+$/)[0] - T: -> "#{FileInfo.formatters.t.call @}" - l: -> "#{FileInfo.formatters.n.call @}" - L: -> "#{FileInfo.formatters.N.call @}" + t: -> FileInfo.escape @file.URL.match(/\d+\..+$/)[0] + T: -> "#{FileInfo.formatters.t.call @}" + l: -> "#{FileInfo.formatters.n.call @}" + L: -> "#{FileInfo.formatters.N.call @}" n: -> fullname = @file.name shortname = Build.shortFilename @file.name, @isReply @@ -41,8 +41,8 @@ FileInfo = "#{FileInfo.escape shortname}#{FileInfo.escape fullname}" N: -> FileInfo.escape @file.name p: -> if @file.isSpoiler then 'Spoiler, ' else '' - s: -> @file.size + s: -> FileInfo.escape @file.size B: -> FileInfo.convertUnit @file.sizeInBytes, 'B' K: -> FileInfo.convertUnit @file.sizeInBytes, 'KB' M: -> FileInfo.convertUnit @file.sizeInBytes, 'MB' - r: -> if @file.isImage or @file.isVideo then @file.dimensions else 'PDF' + r: -> FileInfo.escape (@file.dimensions or 'PDF')
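Review bot: As shown here the table in the new `escape` maps every character to itself (`'&': '&'`, `'<': '<'`, …), which would make the whole `replace` a no-op; presumably the entity names (`&amp;`, `&#039;`, `&quot;`, `&lt;`, `&gt;`) were decoded by whatever rendered this patch, but that is worth confirming against the committed file, because this function is the only thing standing between the file name and the HTML. Adding `&` to the set is also a behaviour change for any input that is already entity-encoded: if `@file.name` is ever populated from `innerHTML` or an already-escaped attribute, `&amp;` now becomes `&amp;amp;`, so the callers should be checked to pass raw text (`textContent`). The function also assumes a string; this and the next hunk route `@file.size` and `@file.dimensions` through it, and `.replace` throws on a number or `undefined`, so coercing first, `"#{name ? ''}".replace /[&"'<>]/g, (c) ->`, makes it safe for whatever a formatter hands it. A one-line comment on the contract, `# Escape for text and attribute contexts; expects raw (unescaped) text.`, would save the next reviewer the trip. The `FileInfo` object literal continues past this hunk.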
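Review bot: `r: -> FileInfo.escape (@file.dimensions or 'PDF')` now picks the `'PDF'` label purely on the truthiness of `@file.dimensions`, whereas the removed line keyed on `@file.isImage or @file.isVideo`, so an image or video with unset or empty dimensions is now labelled `PDF` and a non-image file carrying a `dimensions` value no longer is. If that field is set exactly for images and videos the two are equivalent, but this diff does not show that; `r: -> FileInfo.escape (if @file.isImage or @file.isVideo then @file.dimensions else 'PDF')` keeps the old decision while still escaping. `s: -> FileInfo.escape @file.size` likewise only works if `@file.size` is a string; if it is ever a number the `.replace` inside `escape` throws, which `FileInfo.escape "#{@file.size}"` would avoid. The `FileInfo` object literal starts and ends outside this hunk.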