Author: doll
Date: Fri Feb 22 13:34:32 2008
New Revision: 630328
URL: http://svn.apache.org/viewvc?rev=630328&view=rev
Log:
Created a "do evil" checkbox in the sample container. If you check this box it
will wrap all people names and ids in a div with a mouseover, thereby hacking
your app unless a gadget escapes those fields.
Escaping by default is coming next.
Modified:
incubator/shindig/trunk/features/opensocial-samplecontainer/feature.xml
incubator/shindig/trunk/features/opensocial-samplecontainer/samplecontainer.js
incubator/shindig/trunk/features/opensocial-samplecontainer/statefileparser.js
Modified:
incubator/shindig/trunk/features/opensocial-samplecontainer/feature.xml
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-samplecontainer/feature.xml?rev=630328&r1=630327&r2=630328&view=diff
==============================================================================
--- incubator/shindig/trunk/features/opensocial-samplecontainer/feature.xml
(original)
+++ incubator/shindig/trunk/features/opensocial-samplecontainer/feature.xml Fri
Feb 22 13:34:32 2008
@@ -86,12 +86,18 @@
StateFileParser.dumpState(opensocial.Container.get(),
document.getElementById("stateXml"));
}
+ function changeEvilness() {
+
opensocial.Container.get().setEvilness(document.getElementById("doEvilCheckbox").checked);
+ changeState();
+ }
+
var stateHtml = "<div style=\"padding: 5px; margin-bottom: 20px;
background-color: #FAFAD2;"
+ "color: #DAA520; font-size: smaller;
font-weight:bold\">Displaying state:"
+ "<input type=\"radio\" id=\"stateTypeUrl\" name=\"stateType\"
value=\"url\" onclick=\"toggleStateType()\" checked=\"checked\" >use
url</input>"
+ "<input type=\"radio\" id=\"stateTypeXml\" name=\"stateType\"
value=\"xml\" onclick=\"toggleStateType()\">use textbox</input>"
+ "<input type=\"button\" value=\"load\"
onclick=\"changeState();\"/>"
+ "<input type=\"button\" value=\"dump\" onclick=\"dumpState();
showXmlState();\"/>"
+ + "<input type=\"checkbox\" id=\"doEvilCheckbox\"
onclick=\"changeEvilness();\" >do evil</input>"
+ "<input type=\"text\" size=\"75\" id=\"stateUrl\"
style=\"display:block;\"/>"
+ "<textarea id=\"stateXml\" rows=\"15\" cols=\"120\"
style=\"display:none;\" ></textarea>"
+ "</div>";
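Review bot: The new `changeEvilness()` calls `changeState()` right after `setEvilness(...)` with no comment saying why; the reason is only visible in samplecontainer.js, where the flag is consulted inside newPerson/newName, so presumably the state has to be reloaded for the setting to have any effect. Add `// reload state so the flag is applied to the Person/Name objects built from it` above the `changeState();` call. The added checkbox markup also closes a void element with `</input>`, as the existing radio lines do; `<label for="doEvilCheckbox">do evil</label>` would be valid markup and make the text clickable.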
Modified:
incubator/shindig/trunk/features/opensocial-samplecontainer/samplecontainer.js
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-samplecontainer/samplecontainer.js?rev=630328&r1=630327&r2=630328&view=diff
==============================================================================
---
incubator/shindig/trunk/features/opensocial-samplecontainer/samplecontainer.js
(original)
+++
incubator/shindig/trunk/features/opensocial-samplecontainer/samplecontainer.js
Fri Feb 22 13:34:32 2008
@@ -37,6 +37,7 @@
opensocial.SampleContainer = function() {
opensocial.Container.call(this);
this.resetData(this.newPerson());
+ this.doEvil_ = false;
};
opensocial.SampleContainer.inherits(opensocial.Container);
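Review bot: `this.doEvil_ = false;` is assigned after `this.resetData(this.newPerson());`, yet the newPerson override added later in this commit calls makeEvilString, which reads `this.doEvil_`; during that first call the field is still undefined and the code only works because undefined is falsy. Move `this.doEvil_ = false;` above the `resetData` call so the constructor does not rely on an implicit default, and consider a short comment such as `// test-only flag; see makeEvilString`.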
@@ -422,3 +423,45 @@
idSpec, opt_params) {
return {'type' : 'FETCH_ACTIVITIES', 'idSpec' : idSpec};
};
+
+/**
+ * If the doEvil flag is set, will attempt to insert script tags into all
fields
+ * @return {opensocial.Person} the person object
+ */
+opensocial.SampleContainer.prototype.newPerson = function(opt_params,
+ opt_isOwner, opt_isViewer) {
+ opt_params = opt_params || {};
+ opt_params["id"] = this.makeEvilString(opt_params["id"]);
+
+ return new opensocial.Person(opt_params, opt_isOwner, opt_isViewer);
+};
+
+/**
+ * If the doEvil flag is set, will attempt to insert script tags into all
fields
+ * @return {opensocial.Name} the name object
+ */
+opensocial.SampleContainer.prototype.newName = function(opt_params) {
+ opt_params = opt_params || {};
+ opt_params["unstructured"] = this.makeEvilString(opt_params["unstructured"]);
+ return new opensocial.Name(opt_params);
+};
+
+opensocial.SampleContainer.prototype.makeEvilString = function(string) {
+ var redefineNewDataRequest = "opensocial.newDataRequest = function("
+ + ") { alert('Ha! I attacked you!')}; ";
+ var makePageRed = "document.body.style.backgroundColor = 'red'; ";
+
+ var scriptPrefix = "<div onMouseOver=\"" + redefineNewDataRequest
+ + makePageRed + "\">";
+ var scriptSuffix = "</div>";
+
+ if (this.doEvil_) {
+ return scriptPrefix + string + scriptSuffix;
+ } else {
+ return string;
+ }
+};
+
+opensocial.SampleContainer.prototype.setEvilness = function(doEvil) {
+ this.doEvil_ = doEvil;
+};
\ No newline at end of file
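Review bot: The JSDoc on newPerson and newName claims the flag "will attempt to insert script tags into all fields", but makeEvilString wraps only the `id` value (newPerson) and the `unstructured` value (newName) in a div carrying an inline onMouseOver handler — no script tag and no other fields; suggest `/** When doEvil_ is set, wraps the id in markup with an inline event handler so gadgets that fail to escape it are exposed. */` and the analogous wording on newName. makeEvilString does not guard a missing input: when opt_params has no `id`, the evil branch returns a string containing the text `undefined`, and in both branches newPerson writes `opt_params["id"]` back into the caller's object; `if (this.doEvil_ && string != null)` avoids the first, and copying opt_params before assigning avoids the second. makeEvilString and setEvilness carry no JSDoc at all; a one-line purpose comment on each, with `@param {boolean} doEvil` on setEvilness, would match the surrounding methods. The file also ends without a trailing newline.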
Modified:
incubator/shindig/trunk/features/opensocial-samplecontainer/statefileparser.js
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/opensocial-samplecontainer/statefileparser.js?rev=630328&r1=630327&r2=630328&view=diff
==============================================================================
---
incubator/shindig/trunk/features/opensocial-samplecontainer/statefileparser.js
(original)
+++
incubator/shindig/trunk/features/opensocial-samplecontainer/statefileparser.js
Fri Feb 22 13:34:32 2008
@@ -193,7 +193,7 @@
StateFileParser.loadPerson = function(container, xmlNode, isOwner, isViewer) {
var fields = {
'id' : $(xmlNode).attr(opensocial.Person.Field.ID),
- 'name' : new opensocial.Name(
+ 'name' : container.newName(
{'unstructured' : $(xmlNode).attr(opensocial.Person.Field.NAME)}),
'thumbnailUrl' : $(xmlNode).attr(opensocial.Person.Field.THUMBNAIL_URL),
'profileUrl' : $(xmlNode).attr(opensocial.Person.Field.PROFILE_URL)};
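Review bot: loadPerson now requires `container` to expose `newName`, which this commit defines only on opensocial.SampleContainer.prototype; if anything other than a SampleContainer is ever passed here, the call will throw where `new opensocial.Name(...)` previously worked. Either document the dependency with `@param {opensocial.SampleContainer} container` or fall back, e.g. `container.newName ? container.newName(...) : new opensocial.Name(...)`. The remainder of loadPerson, including where `fields` is turned into a Person, lies outside the hunk.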