Author: channa Date: Tue Jun 24 04:17:02 2008 New Revision: 18597 URL: http://wso2.org/svn/browse/wso2?view=rev&revision=18597
Log: Sanitizing HTML in bio and comment fields, allowing only bold, underline and italics. MASHUP-660.
Modified:
trunk/mashup/java/modules/www/js/common.js
trunk/mashup/java/modules/www/mashup.jsp
trunk/mashup/java/modules/www/user.jsp
Modified: trunk/mashup/java/modules/www/js/common.js
URL: http://wso2.org/svn/browse/wso2/trunk/mashup/java/modules/www/js/common.js?rev=18597&r1=18596&r2=18597&view=diff
==============================================================================
--- trunk/mashup/java/modules/www/js/common.js (original)
+++ trunk/mashup/java/modules/www/js/common.js Tue Jun 24 04:17:02 2008
@@ -145,3 +145,31 @@
 return node;
 }
 }
+
+/*
+ * Sanitizes a given HTML string, limiting it to whitelisted formatting HTML only.
+ * Currently allows bold, italic and underline and used in formattable text areas.
+ */
+function sanitizeHtml(rawHtml) {
+ // first strip all the HTML tags from the code.
+ var safeHtml = escapeHtml(rawHtml);
+
+ // Then allow only what we've whitelisted.
+ safeHtml = safeHtml.replace(/<b>/g, "<b>");
+ safeHtml = safeHtml.replace(/<\/b>/g, "</b>");
+ safeHtml = safeHtml.replace(/<i>/g, "<i>");
+ safeHtml = safeHtml.replace(/<\/i>/g, "</i>");
+ safeHtml = safeHtml.replace(/<u>/g, "<u>");
+ safeHtml = safeHtml.replace(/<\/u>/g, "</u>");
+
+ return safeHtml;
+}
+
+/*
+ * Globally escape all HTML tags.
+ */
+function escapeHtml (rawHtml)
+{
+ var safeHtml = rawHtml.replace(/</g, "<");
+ return safeHtml.replace(/>/g, ">");
+};
Modified: trunk/mashup/java/modules/www/mashup.jsp
URL: http://wso2.org/svn/browse/wso2/trunk/mashup/java/modules/www/mashup.jsp?rev=18597&r1=18596&r2=18597&view=diff
==============================================================================
--- trunk/mashup/java/modules/www/mashup.jsp (original)
+++ trunk/mashup/java/modules/www/mashup.jsp Tue Jun 24 04:17:02 2008
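Review bot: As printed, escapeHtml replaces `<` with `<` and `>` with `>`, and sanitizeHtml maps `<b>` back to `<b>`, so both functions return their input unchanged; presumably the committed file uses the `&lt;`/`&gt;` entity forms and they were decoded when this mail was rendered, but the hunk as shown should be checked against the file in the repository. Even with the entities in place, escapeHtml leaves `&` and quotes untouched, so the result is not safe to put in an attribute and a literal `&amp;` typed by a user renders as `&`; a fuller escape is `var safeHtml = rawHtml.replace(/&/g, "&amp;").replace(/</g, "&lt;");` followed by `return safeHtml.replace(/>/g, "&gt;");`, with the sanitizeHtml patterns matching the `&lt;b&gt;` forms. The whitelist also re-enables each tag without pairing it, so an unclosed `<b>` in a bio or comment carries its formatting into the rest of the page unless the render side closes it. The `;` after escapeHtml's closing brace is a stray empty statement left from an expression-style definition and can be dropped, and the two new functions place their opening braces differently.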
@@ -215,6 +215,7 @@ function addComment() { var newValue = $("Comment_commentText").value; + newValue = sanitizeHtml(newValue); if (newValue == "") return; var path = $('Comment_path').value; var commenter = $('Comment_commenter').value; Modified: trunk/mashup/java/modules/www/user.jsp URL: http://wso2.org/svn/browse/wso2/trunk/mashup/java/modules/www/user.jsp?rev=18597&r1=18596&r2=18597&view=diff ============================================================================== --- trunk/mashup/java/modules/www/user.jsp (original) +++ trunk/mashup/java/modules/www/user.jsp Tue Jun 24 04:17:02 2008 @@ -120,6 +120,10 @@ function saveEditable(field, fieldtype, user) { var newValue = $(field + "_input_text").value; + if (fieldtype == "bio") { + newValue = sanitizeHtml(newValue); + } + $(field + "_value").update(newValue); cancelEditable(field); _______________________________________________ Mashup-dev mailing list [email protected] http://www.wso2.org/cgi-bin/mailman/listinfo/mashup-dev
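Review bot: The sanitizeHtml call on the new line runs in the browser before the comment is submitted, so it only changes what a cooperating client sends; a request composed outside this page reaches the server with the raw text, and readers of the comment are protected only if the server escapes or applies the same whitelist on save or on render. The same holds for the bio field in the user.jsp hunk that follows. Keeping the call as a preview aid is fine, but a comment such as `// client-side only: the server must apply the same whitelist when storing the comment` would make the limit explicit, and the server-side path is not part of this diff. addComment's body continues past the end of the hunk.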
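Review bot: Only the `bio` fieldtype goes through sanitizeHtml; every other fieldtype reaches `$(field + "_value").update(newValue)` with the raw input, and if update() is Prototype's Element.update it assigns innerHTML, so any markup typed into those fields is rendered rather than displayed as text. The other fields should at least be escaped, for example `newValue = (fieldtype == "bio") ? sanitizeHtml(newValue) : escapeHtml(newValue);`. Whether the edited value is also persisted with the same treatment cannot be seen here, since saveEditable's body continues outside the hunk.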
