[MediaWiki-commits] [Gerrit] wikimedia...discernatron[master]: Create dom elements explicitly

2016-09-13 Thread EBernhardson (Code Review)
EBernhardson has submitted this change and it was merged.

Change subject: Create dom elements explicitly
..


Create dom elements explicitly

The use of innerHTML here leaves it open to XSS; clean that up by
explicitly creating DOM elements and text nodes rather than using
innerHTML.

Bug: T145563
Change-Id: Id5d6bf2fcd1666b5ec90bfb36d8a708a10330f2f
---
M public/js/discernadeck.js
1 file changed, 37 insertions(+), 5 deletions(-)

Approvals:
  EBernhardson: Verified; Looks good to me, approved



diff --git a/public/js/discernadeck.js b/public/js/discernadeck.js
index ace3dd7..fa01437 100644
--- a/public/js/discernadeck.js
+++ b/public/js/discernadeck.js
@@ -159,12 +159,44 @@
}
},
createCardDOM: function() {
-   var el = document.createElement('div'),
-   link = window.scoringData.baseWikiUrl + '/' + 
this.cardData.title;
-   snippet = 
this.cardData.snippet.split('\uE000').join('').split('\uE001').join('');
+   var i, b,
+   el = document.createElement('div'),
+   snippetPieces = 
this.cardData.snippet.split('\uE000').map(function (s) { return 
s.split('\uE001') }),
+
+   a = document.createElement('a'),
+   p = document.createElement('p');
+
+   a.setAttribute('target', '_blank');
+   a.setAttribute('href', window.scoringData.baseWikiUrl + '/' + 
this.cardData.title);
+   a.appendChild(document.createTextNode(this.cardData.title));
+
+   /**
+* The snippet has markers that indicate which part should be 
bolded,
+* by splitting above we have converted
+*   -some+ text that should be -bold+
+* into
+*  [[""], ["some", " text that should be "], ["bold, ""]]
+* This loop then works through those pieces and bolds the 
appropriate parts.
+*/
+   for (i = 0; i < snippetPieces.length; i++) {
+   if ( snippetPieces[i].length == 1 ) {
+   if (snippetPieces[i][0].length > 0) {
+   
p.appendChild(document.createTextNode(snippetPieces[i][0]));
+   }
+   } else {
+   b = document.createElement('b');
+   
b.appendChild(document.createTextNode(snippetPieces[i][0]));
+   p.appendChild(b);
+   if (snippetPieces[i][1].length > 0) {
+   
p.appendChild(document.createTextNode(snippetPieces[i][1]));
+   }
+   }
+   }
+
+   el.appendChild(a);
+   el.appendChild(p);
el.classList.add('card');
-   // note this isn't safe from XSS. should use 
document.createElement
-   el.innerHTML = "" + 
this.cardData.title + "" + snippet + "";
+
this.domEl = el;
document.querySelector( '.stack' ).appendChild( this.domEl );
},
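Review bot: The anchor created at `a.setAttribute('target', '_blank')` gets no `rel` attribute, so the page it opens is handed a `window.opener` reference back to the deck; add `a.setAttribute('rel', 'noopener noreferrer');` beside it. The href is still plain concatenation of `baseWikiUrl`, `/` and `this.cardData.title`, so a title containing `?`, `#` or `%` is read as URL syntax rather than as part of the title — the scheme cannot change because the base is fixed, but the title should be passed through whatever encoding the wiki expects for titles (e.g. `encodeURIComponent(this.cardData.title)` if titles are already in URL form; confirm against how these titles are produced). In the marker loop, a segment that contains more than one `\uE001` yields a piece longer than two, yet only `[0]` and `[1]` are appended, so the remaining text is silently dropped; appending any further parts as plain text nodes would make the parsing robust to malformed snippets. The example in the block comment reads `["bold, ""]` and is missing a quote — it should be `["bold", ""]`. The first three points apply equally to the patchset 1 hunk further down the page.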

-- 
To view, visit https://gerrit.wikimedia.org/r/310444
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Id5d6bf2fcd1666b5ec90bfb36d8a708a10330f2f
Gerrit-PatchSet: 3
Gerrit-Project: wikimedia/discovery/discernatron
Gerrit-Branch: master
Gerrit-Owner: EBernhardson 
Gerrit-Reviewer: EBernhardson 



[MediaWiki-commits] [Gerrit] wikimedia...discernatron[master]: Create dom elements explicitly

2016-09-13 Thread EBernhardson (Code Review)
EBernhardson has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/310444

Change subject: Create dom elements explicitly
..

Create dom elements explicitly

The use of innerHTML here leaves it open to XSS; clean that up by
explicitly creating DOM elements and text nodes rather than using
innerHTML.

Bug: T145563
Change-Id: Id5d6bf2fcd1666b5ec90bfb36d8a708a10330f2f
---
M public/js/discernadeck.js
1 file changed, 24 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/wikimedia/discovery/discernatron 
refs/changes/44/310444/1

diff --git a/public/js/discernadeck.js b/public/js/discernadeck.js
index ace3dd7..5a3201f 100644
--- a/public/js/discernadeck.js
+++ b/public/js/discernadeck.js
@@ -159,12 +159,31 @@
}
},
createCardDOM: function() {
-   var el = document.createElement('div'),
-   link = window.scoringData.baseWikiUrl + '/' + 
this.cardData.title;
-   snippet = 
this.cardData.snippet.split('\uE000').join('').split('\uE001').join('');
+   var i, b,
+el = document.createElement('div'),
+   snippetPieces = 
this.cardData.snippet.split('\uE000').map(function (s) { return 
s.split('\uE001') }),
+a = document.createElement('a'),
+p = document.createElement('p');
+
+a.setAttribute('target', '_blank');
+a.setAttribute('href', window.scoringData.baseWikiUrl + '/' + 
this.cardData.title);
+a.appendChild(document.createTextNode(this.cardData.title));
+
+for (var i = 0; i < snippetPieces.length; i++) {
+if ( snippetPieces[i].length == 1 ) {
+p.appendChild(document.createTextNode(snippetPieces[i][0]));
+} else {
+b = document.createElement('b');
+b.appendChild(document.createTextNode(snippetPieces[i][0]));
+p.appendChild(b);
+p.appendChild(document.createTextNode(snippetPieces[i][1]));
+}
+}
+
+el.appendChild(a);
+el.appendChild(p);
el.classList.add('card');
-   // note this isn't safe from XSS. should use 
document.createElement
-   el.innerHTML = "" + 
this.cardData.title + "" + snippet + "";
+
this.domEl = el;
document.querySelector( '.stack' ).appendChild( this.domEl );
},

-- 
To view, visit https://gerrit.wikimedia.org/r/310444
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id5d6bf2fcd1666b5ec90bfb36d8a708a10330f2f
Gerrit-PatchSet: 1
Gerrit-Project: wikimedia/discovery/discernatron
Gerrit-Branch: master
Gerrit-Owner: EBernhardson 
