[tor-commits] [pups/production] using .text() instead of .html() to prevent xss attacks
colin at torproject.org
Fri Oct 24 03:44:56 UTC 2014
commit 1b5b3d614ee2fddfaf046ca02059db5441ff2a91
Author: Sherief Alaa <sheriefalaa.w at gmail.com>
Date: Tue Jun 17 13:44:43 2014 +0300
using .text() instead of .html() to prevent xss attacks
---
webchat/templates/tokens.html | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/webchat/templates/tokens.html b/webchat/templates/tokens.html
index db6ab73..a6f297f 100644
--- a/webchat/templates/tokens.html
+++ b/webchat/templates/tokens.html
@@ -9,15 +9,8 @@
<script type="text/javascript" src="/static/js/jquery.min.js"></script>
<script src="/static/js/bootstrap.min.js"></script>
<script type="text/javascript">
- $(document).ready (function (){
- $(".comment").html(function(){
- $(this).html($(this).text().substring(0,35)
- + ' <span data-toggle="modal" data-target="#comment-modal" style="color:blue; font-size:80%;"> Read more..</span>');
- });
- });
-
function full_comment(id){
- $(".comment-modal-body").html($("#full-comment-" + id).val());
+ $(".comment-modal-body").text($("#full-comment-" + id).val());
}
</script>
{% endblock script %}
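Review bot: The switch to `.text()` on the `full_comment` line is the right sink for untrusted comment text, but the function still trusts `id` blindly: it is spliced into the `#full-comment-` selector unchecked, and if no matching hidden input exists, `.val()` yields `undefined` and jQuery treats `.text(undefined)` as a no-op rather than clearing the body, so the modal silently shows the previously opened comment. Clearing first avoids that stale-state case, e.g. `$(".comment-modal-body").text($("#full-comment-" + id).val() || "");`. Longer term, reading the comment from a `data-comment` attribute on the clicked cell through a delegated click handler would drop both the per-row hidden input and the inline `onclick`, which is what a CSP without `'unsafe-inline'` needs. The hidden `#full-comment-<id>` inputs this function depends on are emitted in the second hunk of this file.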
@@ -54,7 +47,13 @@
<td><input name="selected_list" type="checkbox" value="{{token.token}}"></td>
<td>https://{{url}}/chat/{{token.token}}</td>
<td>{{token.expires_at|date:"Y-m-d G:i"}}</td>
- <td class="comment" onclick="full_comment({{token.t_id}});">{{token.comment}}</td>
+ <td class="comment" onclick="full_comment({{token.t_id}});">
+ {{token.comment|truncatechars:35}}
+
+ {% if token.comment|length > 35 %}
+ <span data-toggle="modal" data-target="#comment-modal" style="color:blue; font-size:80%;"> more</span>
+ {% endif %}
+ </td>
</tr>
<input id="full-comment-{{token.t_id}}" type="hidden" value="{{token.comment}}">
{% endfor %}
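Review bot: The retained `onclick="full_comment({{token.t_id}});"` on the new `<td class="comment">` line writes a template value into a JavaScript context, where Django's HTML autoescaping is not the right escaping — it is only safe as long as `t_id` is always an integer, which the template cannot enforce. A `data-id="{{token.t_id}}"` (or `data-comment="{{token.comment}}"`) attribute bound with a delegated `$(document).on("click", ".comment", …)` handler keeps the value in an HTML attribute context, where autoescaping is correct, and removes the inline handler that blocks a strict CSP. The hidden `<input id="full-comment-…">` is also placed directly between `</tr>` and `{% endfor %}` inside the table; HTML parsers special-case hidden inputs there, but it is outside the table content model and a validator will flag it, so it belongs inside a `<td>` of the same row. The `<span>` "more" trigger and the cell's click target are mouse-only; a `<button type="button">` would give keyboard users the same path to the modal.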