changeset 52:f5e2b64dfbca

html is now sanitized.
author Atul Varma <varmaa@toolness.com>
date Thu, 12 Aug 2010 05:11:58 +0000
parents 3282b41c3681
children 1addf1f91098
files cache.manifest daily-edition.html daily-edition.js
diffstat 3 files changed, 23 insertions(+), 8 deletions(-) [+]
--- a/cache.manifest	Wed Aug 11 21:53:39 2010 -0700
+++ b/cache.manifest	Thu Aug 12 05:11:58 2010 +0000
@@ -1,7 +1,8 @@
 CACHE MANIFEST
-# v3
+# v6
 daily-edition.css
 jquery.js
+html-sanitizer-minified.js
 daily-edition.js
 
 NETWORK:
--- a/daily-edition.html	Wed Aug 11 21:53:39 2010 -0700
+++ b/daily-edition.html	Thu Aug 12 05:11:58 2010 +0000
@@ -25,7 +25,8 @@
     <div class="content"></div>
   </div>
 </div>
+<script src="jquery.js"></script>
+<script src="html-sanitizer-minified.js"></script>
+<script src="daily-edition.js"></script>
 </body>
-<script src="jquery.js"></script>
-<script src="daily-edition.js"></script>
 </html>
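Review bot: `html-sanitizer-minified.js` appears to be a vendored third-party library loaded with no record of its origin or version, which makes it hard to tell later whether it carries a known sanitizer bypass and needs updating; a comment beside the tag such as `<!-- html-sanitizer-minified.js: vendored from <project> at version/commit <id> -->` would fix that. Load order is correct as written: `daily-edition.js` only calls `html_sanitize` from inside functions run at load time, after both earlier scripts have executed. Moving the three tags inside `<body>` also repairs the previously invalid placement after `</body>`.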
--- a/daily-edition.js	Wed Aug 11 21:53:39 2010 -0700
+++ b/daily-edition.js	Thu Aug 12 05:11:58 2010 +0000
@@ -1,3 +1,17 @@
+function isUrlSafe(url) {
+  if (typeof(url) != "string")
+    return false;
+  return (url.match("^https?://") != null);
+}
+
+function safeHtml(html) {
+  return html_sanitize(
+    html,
+    function urlPolicy(url) {
+      return isUrlSafe(url) ? url : null;
+    });
+}
+
 $(window).ready(
   function() {
     var req = new XMLHttpRequest();
@@ -33,7 +47,8 @@
                 function(article) {
                   var div = $("#templates .article").clone();
                   var date = article.pubDate.join(".");
-                  div.find(".title .link").html(article.title);
+                  var title = safeHtml(article.title);
+                  div.find(".title .link").html(title);
                   div.find(".title .link").attr("href", article.url);
                   div.find(".author").text(author);
 
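Review bot: The title's `href` at the `.attr("href", article.url)` line is still assigned straight from the feed, so a `javascript:` or `data:` URL in `article.url` bypasses the new sanitizer entirely while the title text beside it is sanitized; the `isUrlSafe` helper added in this same file should gate it, e.g. `if (isUrlSafe(article.url)) div.find(".title .link").attr("href", article.url);`. If the URL is rejected, leave the link without an href rather than fall back to the raw value. The enclosing per-article callback starts before this hunk and continues after it.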
@@ -41,7 +56,7 @@
                   article.content.forEach(
                     function(content) {
                       if (content.type == "text/html")
-                        html.push(content.value);
+                        html.push(safeHtml(content.value));
                     });
 
                   if (html.length > 0) {
@@ -52,9 +67,7 @@
                       // element, so do that to ensure it has some
                       // padding from everything around it.
                       content.html("<p>" + html[0] + "</p>");
-                  } else
-                    console.warn("no html content for", article,
-                                 "by", author);
+                  }
                   div.find(".date").text(date);
                   $("#articles").append(div);
                 });
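Review bot: Dropping the `console.warn` in the `else` branch removes the only diagnostic for an article whose `content` array had no `text/html` entry; such articles are now appended with an empty `.content` div and nothing in the console explains why. If the warning was noisy in normal operation, a comment stating that this is expected (e.g. `// no text/html content: leave the .content div empty`) would document the intent; otherwise keep the warning. Note also that only `html[0]` is rendered, so a second `text/html` entry is silently ignored — pre-existing, but worth a comment on that line. The enclosing callback starts before this hunk.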