On Fri, Feb 22, 2008 at 2:55 PM,  <[EMAIL PROTECTED]> wrote:
> Author: doll
>  Date: Fri Feb 22 14:55:21 2008
>  New Revision: 630344
>
>  URL: http://svn.apache.org/viewvc?rev=630344&view=rev
>  Log:
>  All getField calls now return escaped data. This prevents the doEvil flag 
> from doing real harm in the SocialHelloWorld. As long as gadgets don't use 
> unescape they should be safe from bad data.

Thanks for making this change! One comment below:

>  Changed the escapeString function to check if the passed in object is a 
> string (makes the opensocial code cleaner)
>
>
>
>  Modified:
>     incubator/shindig/trunk/features/core/util.js
>     incubator/shindig/trunk/features/opensocial-reference/activity.js
>     incubator/shindig/trunk/features/opensocial-reference/address.js
>     incubator/shindig/trunk/features/opensocial-reference/bodytype.js
>     incubator/shindig/trunk/features/opensocial-reference/email.js
>     incubator/shindig/trunk/features/opensocial-reference/message.js
>     incubator/shindig/trunk/features/opensocial-reference/name.js
>     incubator/shindig/trunk/features/opensocial-reference/organization.js
>     incubator/shindig/trunk/features/opensocial-reference/person.js
>     incubator/shindig/trunk/features/opensocial-reference/phone.js
>     incubator/shindig/trunk/features/opensocial-reference/url.js
>
>  Modified: incubator/shindig/trunk/features/core/util.js
>  URL: 
> http://svn.apache.org/viewvc/incubator/shindig/trunk/features/core/util.js?rev=630344&r1=630343&r2=630344&view=diff
>  
> ==============================================================================
>  --- incubator/shindig/trunk/features/core/util.js (original)
>  +++ incubator/shindig/trunk/features/core/util.js Fri Feb 22 14:55:21 2008
>  @@ -196,10 +196,14 @@
>       * @return {String} The escaped string
>       */
>      escapeString : function(str) {
>  -      return str.replace(/</g, "&lt;")
>  -                .replace(/>/g, "&gt;")
>  -                .replace(/"/g, "&quot;")
>  -                .replace(/'/g, "&#39;");
>  +      if (typeof str == "string") {
>  +        return str.replace(/</g, "&lt;")
>  +            .replace(/>/g, "&gt;")
>  +            .replace(/"/g, "&quot;")
>  +            .replace(/'/g, "&#39;");

Can you add '&' too:
+            .replace(/&/g, "&amp;")

if an ampersand isn't escaped, the browser may interpret it as the
beginning of an entity and not display it.

>  +      } else {
>  +        return str;
>  +      }
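Review bot: if the `&` replacement suggested above goes in, it has to be the first call in the chain at the top of the `typeof str == "string"` branch, not appended after `.replace(/'/g, "&#39;")`; placed last it would rewrite the `&lt;`, `&gt;`, `&quot;` and `&#39;` just produced into `&amp;lt;` and so on, and the browser would then show the entity text literally. Same hunk, `else` branch: anything that is not a string is returned untouched, so an array or object whose `toString()` is later concatenated into markup never gets escaped; either escape `String(str)` there or document that callers may only pass strings. Minor: `===` is the usual comparison for a `typeof` check.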
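To make the ordering question concrete, here is an added example (not Shindig's code; function names are assumed) that escapes `&` as the reply asks and contrasts it with a version that appends the `&` replacement at the end of the chain:

```javascript
// Added example, not from the Shindig patch. Escapes the same characters as
// the patched escapeString plus '&', and shows why '&' must be replaced first.

// Correct order: '&' first, so the entities produced by the later replacements
// ('&lt;', '&gt;', '&quot;', '&#39;') are not themselves re-escaped.
function escapeString(str) {
  if (typeof str !== "string") {
    return str; // mirrors the patch: non-strings pass through unchanged
  }
  return str.replace(/&/g, "&amp;")
            .replace(/</g, "&lt;")
            .replace(/>/g, "&gt;")
            .replace(/"/g, "&quot;")
            .replace(/'/g, "&#39;");
}

// Same replacements, but with '&' appended last, which is what a literal
// reading of "add '&' too" would produce. Every entity created by the earlier
// calls is mangled into '&amp;lt;' and friends.
function escapeStringAmpLast(str) {
  if (typeof str !== "string") {
    return str;
  }
  return str.replace(/</g, "&lt;")
            .replace(/>/g, "&gt;")
            .replace(/"/g, "&quot;")
            .replace(/'/g, "&#39;")
            .replace(/&/g, "&amp;");
}

// Constructed sample: a display name a gadget might render into its DOM.
var sample = '<b>Tom & "Jerry"</b>';

console.log(escapeString(sample));
// -> &lt;b&gt;Tom &amp; &quot;Jerry&quot;&lt;/b&gt;
console.log(escapeStringAmpLast(sample));
// -> &amp;lt;b&amp;gt;Tom &amp; &amp;quot;Jerry&amp;quot;&amp;lt;/b&amp;gt;
```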
