EBernhardson has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/310444

Change subject: Create dom elements explicitly
......................................................................

Create dom elements explicitly

The use of innerHTML here makes it open to XSS; clean that up by
explicitly creating DOM elements and text nodes rather than using
innerHTML.

Bug: T145563
Change-Id: Id5d6bf2fcd1666b5ec90bfb36d8a708a10330f2f
---
M public/js/discernadeck.js
1 file changed, 24 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/wikimedia/discovery/discernatron 
refs/changes/44/310444/1

diff --git a/public/js/discernadeck.js b/public/js/discernadeck.js
index ace3dd7..5a3201f 100644
--- a/public/js/discernadeck.js
+++ b/public/js/discernadeck.js
@@ -159,12 +159,31 @@
                }
        },
        createCardDOM: function() {
-               var el = document.createElement('div'),
-                       link = window.scoringData.baseWikiUrl + '/' + 
this.cardData.title;
-                       snippet = 
this.cardData.snippet.split('\uE000').join('<b>').split('\uE001').join('</b>');
+               var i, b,
+            el = document.createElement('div'),
+                       snippetPieces = 
this.cardData.snippet.split('\uE000').map(function (s) { return 
s.split('\uE001') }),
+            a = document.createElement('a'),
+            p = document.createElement('p');
+
+        a.setAttribute('target', '_blank');
+        a.setAttribute('href', window.scoringData.baseWikiUrl + '/' + 
this.cardData.title);
+        a.appendChild(document.createTextNode(this.cardData.title));
+
+        for (var i = 0; i < snippetPieces.length; i++) {
+            if ( snippetPieces[i].length == 1 ) {
+                p.appendChild(document.createTextNode(snippetPieces[i][0]));
+            } else {
+                b = document.createElement('b');
+                b.appendChild(document.createTextNode(snippetPieces[i][0]));
+                p.appendChild(b);
+                p.appendChild(document.createTextNode(snippetPieces[i][1]));
+            }
+        }
+
+        el.appendChild(a);
+        el.appendChild(p);
                el.classList.add('card');
-               // note this isn't safe from XSS. should use 
document.createElement
-               el.innerHTML = "<a target='_blank' href='" + link + "'>" + 
this.cardData.title + "</a><p>" + snippet + "</p>";
+
                this.domEl = el;
                document.querySelector( '.stack' ).appendChild( this.domEl );
        },
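Review bot: The anchor is created with `target='_blank'` but no `rel` attribute, so the opened wiki page keeps a `window.opener` reference back to this page; add `a.setAttribute('rel', 'noopener noreferrer');` beside the `target` line. Separately, `i` is declared twice (in the leading `var` list and again in the `for` header) and the `snippetPieces[i].length == 1` test should be `===`. The `else` branch also emits only parts `[0]` and `[1]` of a piece, so a piece containing more than one `\uE001` would lose text that the old string-join version kept; looping over the remaining parts (`for (var j = 1; j < snippetPieces[i].length; j++) { p.appendChild(document.createTextNode(snippetPieces[i][j])); }`) avoids that, though whether the backend can produce such snippets is not visible here. The indentation also mixes tabs and spaces within the new lines, which is worth normalising to the file's existing style before merge.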

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id5d6bf2fcd1666b5ec90bfb36d8a708a10330f2f
Gerrit-PatchSet: 1
Gerrit-Project: wikimedia/discovery/discernatron
Gerrit-Branch: master
Gerrit-Owner: EBernhardson <ebernhard...@wikimedia.org>
