# HG changeset patch
# User Atul Varma
# Date 1281589918 0
# Node ID f5e2b64dfbca94807999b9af566dabf8a2e41f0f
# Parent 3282b41c3681160756f6bd1eb6a25c7d183edc02
html is now sanitized.
diff -r 3282b41c3681 -r f5e2b64dfbca cache.manifest
--- a/cache.manifest Wed Aug 11 21:53:39 2010 -0700
+++ b/cache.manifest Thu Aug 12 05:11:58 2010 +0000
@@ -1,7 +1,8 @@
 CACHE MANIFEST
-# v3
+# v6
 daily-edition.css
 jquery.js
+html-sanitizer-minified.js
 daily-edition.js
 NETWORK:
diff -r 3282b41c3681 -r f5e2b64dfbca daily-edition.html
--- a/daily-edition.html Wed Aug 11 21:53:39 2010 -0700
+++ b/daily-edition.html Thu Aug 12 05:11:58 2010 +0000
@@ -25,7 +25,8 @@
+ + + - -
diff -r 3282b41c3681 -r f5e2b64dfbca daily-edition.js
--- a/daily-edition.js Wed Aug 11 21:53:39 2010 -0700
+++ b/daily-edition.js Thu Aug 12 05:11:58 2010 +0000
@@ -1,3 +1,17 @@
+function isUrlSafe(url) {
+ if (typeof(url) != "string")
+ return false;
+ return (url.match("^https?://") != null);
+}
+
+function safeHtml(html) {
+ return html_sanitize(
+ html,
+ function urlPolicy(url) {
+ return isUrlSafe(url) ? url : null;
+ });
+}
+
 $(window).ready(
 function() {
 var req = new XMLHttpRequest();
@@ -33,7 +47,8 @@
 function(article) {
 var div = $("#templates .article").clone();
 var date = article.pubDate.join(".");
- div.find(".title .link").html(article.title);
+ var title = safeHtml(article.title);
+ div.find(".title .link").html(title);
 div.find(".title .link").attr("href", article.url);
 div.find(".author").text(author);
@@ -41,7 +56,7 @@
 article.content.forEach(
 function(content) {
 if (content.type == "text/html")
- html.push(content.value);
+ html.push(safeHtml(content.value));
 });
 if (html.length > 0) {
@@ -52,9 +67,7 @@
 // element, so do that to ensure it has some
 // padding from everything around it.
 content.html("
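Review bot: The scheme check in isUrlSafe is case-sensitive, so a feed link such as `HTTP://example.org/` is rejected by urlPolicy even though URI schemes are case-insensitive (RFC 3986 §3.1), and `url.match("^https?://") != null` builds a RegExp from a string and then compares loosely. A single regex literal covers both: `return /^https?:\/\//i.test(url);`. The same loose-comparison style appears in `typeof(url) != "string"` here and in `content.type == "text/html"` in the third hunk of this file; `!==`/`===` avoid coercion surprises. safeHtml also depends on the global `html_sanitize` supplied by html-sanitizer-minified.js (added to cache.manifest in this commit), which a short JSDoc on safeHtml should state, e.g. `/** Sanitize untrusted article HTML with html_sanitize (html-sanitizer-minified.js); urlPolicy keeps only http(s) URLs and returns null so the sanitizer drops anything else. */`.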
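Review bot: The title link's `href` is still set straight from `article.url`, so the URL filtering this commit applies to HTML content does not cover the one link the template sets itself; a non-http(s) scheme in the feed would reach the anchor unchanged. Since isUrlSafe is now available, gate the attribute on it: `if (isUrlSafe(article.url))` / `  div.find(".title .link").attr("href", article.url);`. The `author` variable used on the last context line is defined outside this hunk, and the `function(article)` callback that starts here closes in a later hunk.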

" + html[0] + "

");
- } else
- console.warn("no html content for", article,
- "by", author);
+ }
 div.find(".date").text(date);
 $("#articles").append(div);
 });
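Review bot: Dropping the `console.warn` leaves articles that carry no text/html content to fall through silently, and the commit does not say why the diagnostic is no longer wanted. Note also that the `html.length > 0` test in the previous hunk counts array entries, not characters, so an article whose only HTML the sanitizer strips to an empty string still takes the first branch and presumably renders an empty content element rather than reaching this `else`. If the quiet path is intentional, a one-line comment on the closing brace would record it, e.g. `} // articles without text/html content get no body`; otherwise keep the warning. The `function(article)` callback this belongs to starts in an earlier hunk, and the enclosing ready handler continues past the end of this one.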