Posted to dev@shindig.apache.org by do...@apache.org on 2008/02/22 23:55:25 UTC

svn commit: r630344 - in /incubator/shindig/trunk/features: core/ opensocial-reference/

Author: doll
Date: Fri Feb 22 14:55:21 2008
New Revision: 630344

URL: http://svn.apache.org/viewvc?rev=630344&view=rev
Log:
All getField calls now return escaped data. This prevents the doEvil flag from doing real harm in the SocialHelloWorld. As long as gadgets don't unescape the returned values, they should be safe from bad data.

Changed the escapeString function to check if the passed in object is a string (makes the opensocial code cleaner)



Modified:
    incubator/shindig/trunk/features/core/util.js
    incubator/shindig/trunk/features/opensocial-reference/activity.js
    incubator/shindig/trunk/features/opensocial-reference/address.js
    incubator/shindig/trunk/features/opensocial-reference/bodytype.js
    incubator/shindig/trunk/features/opensocial-reference/email.js
    incubator/shindig/trunk/features/opensocial-reference/message.js
    incubator/shindig/trunk/features/opensocial-reference/name.js
    incubator/shindig/trunk/features/opensocial-reference/organization.js
    incubator/shindig/trunk/features/opensocial-reference/person.js
    incubator/shindig/trunk/features/opensocial-reference/phone.js
    incubator/shindig/trunk/features/opensocial-reference/url.js

Modified: incubator/shindig/trunk/features/core/util.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/core/util.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/core/util.js (original)
+++ incubator/shindig/trunk/features/core/util.js Fri Feb 22 14:55:21 2008
@@ -196,10 +196,14 @@
      * @return {String} The escaped string
      */
     escapeString : function(str) {
-      return str.replace(/</g, "&lt;")
-                .replace(/>/g, "&gt;")
-                .replace(/"/g, "&quot;")
-                .replace(/'/g, "&#39;");
+      if (typeof str == "string") {
+        return str.replace(/</g, "&lt;")
+            .replace(/>/g, "&gt;")
+            .replace(/"/g, "&quot;")
+            .replace(/'/g, "&#39;");
+      } else {
+        return str;
+      }
     },
 
     /**
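Review bot: The `typeof str == "string"` guard added at L44 hands back anything that is not a primitive string unchanged (L49-L50), so a field whose value is an array or a nested object — including an array of strings, if any field holds one — comes back with its contents unescaped, and the claim that "all getField calls now return escaped data" holds only for string-valued fields. Whether such collections exist is not visible in this hunk, but the contract should state it either way: the context line `@return {String} The escaped string` no longer matches, and I would change it to `@return {String|*} The HTML-escaped string, or the value unchanged when it is not a string`. A one-line caveat is also worth adding that this is HTML text/attribute escaping only — a value placed into a JavaScript string, `eval`, or a URL needs a different encoding, so getField escaping alone does not make every gadget use safe. The enclosing object literal that `escapeString` belongs to begins and ends outside the hunk.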

Modified: incubator/shindig/trunk/features/opensocial-reference/activity.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-reference/activity.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-reference/activity.js (original)
+++ incubator/shindig/trunk/features/opensocial-reference/activity.js Fri Feb 22 14:55:21 2008
@@ -354,7 +354,7 @@
  * @member opensocial.Activity
  */
 opensocial.Activity.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };
 
 
@@ -467,7 +467,7 @@
  * @return {String} The data
  */
 opensocial.Activity.MediaItem.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };
 
 

Modified: incubator/shindig/trunk/features/opensocial-reference/address.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-reference/address.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-reference/address.js (original)
+++ incubator/shindig/trunk/features/opensocial-reference/address.js Fri Feb 22 14:55:21 2008
@@ -142,5 +142,5 @@
  * @return {String} The data
  */
 opensocial.Address.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };

Modified: incubator/shindig/trunk/features/opensocial-reference/bodytype.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-reference/bodytype.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-reference/bodytype.js (original)
+++ incubator/shindig/trunk/features/opensocial-reference/bodytype.js Fri Feb 22 14:55:21 2008
@@ -97,5 +97,5 @@
  * @return {String} The data
  */
 opensocial.BodyType.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };

Modified: incubator/shindig/trunk/features/opensocial-reference/email.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-reference/email.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-reference/email.js (original)
+++ incubator/shindig/trunk/features/opensocial-reference/email.js Fri Feb 22 14:55:21 2008
@@ -76,5 +76,5 @@
  * @return {String} The data
  */
 opensocial.Email.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };

Modified: incubator/shindig/trunk/features/opensocial-reference/message.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-reference/message.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-reference/message.js (original)
+++ incubator/shindig/trunk/features/opensocial-reference/message.js Fri Feb 22 14:55:21 2008
@@ -135,7 +135,7 @@
  * @member opensocial.Message
  */
 opensocial.Message.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };
 
 

Modified: incubator/shindig/trunk/features/opensocial-reference/name.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-reference/name.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-reference/name.js (original)
+++ incubator/shindig/trunk/features/opensocial-reference/name.js Fri Feb 22 14:55:21 2008
@@ -103,5 +103,5 @@
  * @return {String} The data
  */
 opensocial.Name.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };

Modified: incubator/shindig/trunk/features/opensocial-reference/organization.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-reference/organization.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-reference/organization.js (original)
+++ incubator/shindig/trunk/features/opensocial-reference/organization.js Fri Feb 22 14:55:21 2008
@@ -140,5 +140,5 @@
  * @return {String} The data
  */
 opensocial.Organization.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };

Modified: incubator/shindig/trunk/features/opensocial-reference/person.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-reference/person.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-reference/person.js (original)
+++ incubator/shindig/trunk/features/opensocial-reference/person.js Fri Feb 22 14:55:21 2008
@@ -527,7 +527,7 @@
  * @return {String} The data
  */
 opensocial.Person.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };
 
 
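Review bot: `opensocial.Person.prototype.getField` now routes every field through `gadgets.util.escapeString`, which as changed in this commit's util.js hunk returns non-strings as stored; any Person field that holds an array or a plain object is therefore still returned with raw contents, and only nested objects that expose their own escaping `getField` are covered. This hunk does not show what value types `this.fields_` carries, so that needs confirming against the Person field definitions. If collections are possible, either escape their elements recursively here or document the gap on the getter: `// NOTE: only string-valued fields are HTML-escaped; arrays and objects are returned as stored.`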

Modified: incubator/shindig/trunk/features/opensocial-reference/phone.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-reference/phone.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-reference/phone.js (original)
+++ incubator/shindig/trunk/features/opensocial-reference/phone.js Fri Feb 22 14:55:21 2008
@@ -76,5 +76,5 @@
  * @return {String} The data
  */
 opensocial.Phone.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };

Modified: incubator/shindig/trunk/features/opensocial-reference/url.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-reference/url.js?rev=630344&r1=630343&r2=630344&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-reference/url.js (original)
+++ incubator/shindig/trunk/features/opensocial-reference/url.js Fri Feb 22 14:55:21 2008
@@ -83,5 +83,5 @@
  * @return {String} The data
  */
 opensocial.Url.prototype.getField = function(key) {
-  return this.fields_[key];
+  return gadgets.util.escapeString(this.fields_[key]);
 };
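Review bot: Applying `gadgets.util.escapeString` inside `opensocial.Url.prototype.getField` HTML-entity-encodes every string field of a URL object, so an address that legitimately contains `'`, `"`, `<` or `>` (apostrophes are valid URL characters) is returned with `&#39;` and friends and is no longer a usable URL for non-markup sinks such as a request target or a `location` assignment. HTML escaping is a property of the output context rather than of the data, so if the getter has to remain the escaping point the doc should say so and tell callers needing the raw value to decode it, e.g. `@return {String} The data, HTML-escaped for direct insertion into markup; decode before using as a live URL`. Which field names a Url carries is not visible in this hunk.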



Re: svn commit: r630344 - in /incubator/shindig/trunk/features: core/ opensocial-reference/

Posted by Kevin Brown <et...@google.com>.
I haven't seen any modern browser that has this issue -- I was trying to
avoid double escaping problems when entities are already present. It looks
like this is what the old igoogle escaping routines were doing as well.

On Fri, Feb 22, 2008 at 8:54 PM, Peter Valchev <pv...@sightly.net> wrote:

> On Fri, Feb 22, 2008 at 2:55 PM,  <do...@apache.org> wrote:
> > Author: doll
> >  Date: Fri Feb 22 14:55:21 2008
> >  New Revision: 630344
> >
> >  URL: http://svn.apache.org/viewvc?rev=630344&view=rev
> >  Log:
> >  All getField calls now return escaped data. This prevents the doEvil
> flag from doing real harm in the SocialHelloWorld. As long as gadgets don't
> use unescape they should be safe from bad data.
>
> Thanks for making this change! One comment below:
>
> >  Changed the escapeString function to check if the passed in object is a
> string (makes the opensocial code cleaner)
> >
> >
> >
> >  Modified:
> >     incubator/shindig/trunk/features/core/util.js
> >     incubator/shindig/trunk/features/opensocial-reference/activity.js
> >     incubator/shindig/trunk/features/opensocial-reference/address.js
> >     incubator/shindig/trunk/features/opensocial-reference/bodytype.js
> >     incubator/shindig/trunk/features/opensocial-reference/email.js
> >     incubator/shindig/trunk/features/opensocial-reference/message.js
> >     incubator/shindig/trunk/features/opensocial-reference/name.js
> >
> incubator/shindig/trunk/features/opensocial-reference/organization.js
> >     incubator/shindig/trunk/features/opensocial-reference/person.js
> >     incubator/shindig/trunk/features/opensocial-reference/phone.js
> >     incubator/shindig/trunk/features/opensocial-reference/url.js
> >
> >  Modified: incubator/shindig/trunk/features/core/util.js
> >  URL:
> http://svn.apache.org/viewvc/incubator/shindig/trunk/features/core/util.js?rev=630344&r1=630343&r2=630344&view=diff
> >
>  ==============================================================================
> >  --- incubator/shindig/trunk/features/core/util.js (original)
> >  +++ incubator/shindig/trunk/features/core/util.js Fri Feb 22 14:55:21
> 2008
> >  @@ -196,10 +196,14 @@
> >       * @return {String} The escaped string
> >       */
> >      escapeString : function(str) {
> >  -      return str.replace(/</g, "&lt;")
> >  -                .replace(/>/g, "&gt;")
> >  -                .replace(/"/g, "&quot;")
> >  -                .replace(/'/g, "&#39;");
> >  +      if (typeof str == "string") {
> >  +        return str.replace(/</g, "&lt;")
> >  +            .replace(/>/g, "&gt;")
> >  +            .replace(/"/g, "&quot;")
> >  +            .replace(/'/g, "&#39;");
>
> Can you add '&' too:
> +            .replace(/&/g, "&amp;")
>
> if an ampersand isn't escaped, the browser may interpret it as the
> beginning of an entity and not display it.
>
> >  +      } else {
> >  +        return str;
> >  +      }
>



-- 
~Kevin

If you received this email by mistake, please delete it, cancel your mail
account, destroy your hard drive, silence any witnesses, and burn down the
building that you're in.

Re: svn commit: r630344 - in /incubator/shindig/trunk/features: core/ opensocial-reference/

Posted by Peter Valchev <pv...@sightly.net>.
On Fri, Feb 22, 2008 at 2:55 PM,  <do...@apache.org> wrote:
> Author: doll
>  Date: Fri Feb 22 14:55:21 2008
>  New Revision: 630344
>
>  URL: http://svn.apache.org/viewvc?rev=630344&view=rev
>  Log:
>  All getField calls now return escaped data. This prevents the doEvil flag from doing real harm in the SocialHelloWorld. As long as gadgets don't use unescape they should be safe from bad data.

Thanks for making this change! One comment below:

>  Changed the escapeString function to check if the passed in object is a string (makes the opensocial code cleaner)
>
>
>
>  Modified:
>     incubator/shindig/trunk/features/core/util.js
>     incubator/shindig/trunk/features/opensocial-reference/activity.js
>     incubator/shindig/trunk/features/opensocial-reference/address.js
>     incubator/shindig/trunk/features/opensocial-reference/bodytype.js
>     incubator/shindig/trunk/features/opensocial-reference/email.js
>     incubator/shindig/trunk/features/opensocial-reference/message.js
>     incubator/shindig/trunk/features/opensocial-reference/name.js
>     incubator/shindig/trunk/features/opensocial-reference/organization.js
>     incubator/shindig/trunk/features/opensocial-reference/person.js
>     incubator/shindig/trunk/features/opensocial-reference/phone.js
>     incubator/shindig/trunk/features/opensocial-reference/url.js
>
>  Modified: incubator/shindig/trunk/features/core/util.js
>  URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/core/util.js?rev=630344&r1=630343&r2=630344&view=diff
>  ==============================================================================
>  --- incubator/shindig/trunk/features/core/util.js (original)
>  +++ incubator/shindig/trunk/features/core/util.js Fri Feb 22 14:55:21 2008
>  @@ -196,10 +196,14 @@
>       * @return {String} The escaped string
>       */
>      escapeString : function(str) {
>  -      return str.replace(/</g, "&lt;")
>  -                .replace(/>/g, "&gt;")
>  -                .replace(/"/g, "&quot;")
>  -                .replace(/'/g, "&#39;");
>  +      if (typeof str == "string") {
>  +        return str.replace(/</g, "&lt;")
>  +            .replace(/>/g, "&gt;")
>  +            .replace(/"/g, "&quot;")
>  +            .replace(/'/g, "&#39;");

Can you add '&' too:
+            .replace(/&/g, "&amp;")

if an ampersand isn't escaped, the browser may interpret it as the
beginning of an entity and not display it.

>  +      } else {
>  +        return str;
>  +      }