[mashup-dev] svn commit r18597 - in trunk/mashup/java/modules/www: . js

channa at wso2.com channa at wso2.com
Tue Jun 24 04:17:02 PDT 2008


Author: channa
Date: Tue Jun 24 04:17:02 2008
New Revision: 18597
URL: http://wso2.org/svn/browse/wso2?view=rev&revision=18597

Log:
Sanitizing HTML in bio and comment fields, allowing only bold, underline and italics. MASHUP-660.


Modified:
   trunk/mashup/java/modules/www/js/common.js
   trunk/mashup/java/modules/www/mashup.jsp
   trunk/mashup/java/modules/www/user.jsp

Modified: trunk/mashup/java/modules/www/js/common.js
URL: http://wso2.org/svn/browse/wso2/trunk/mashup/java/modules/www/js/common.js?rev=18597&r1=18596&r2=18597&view=diff
==============================================================================
--- trunk/mashup/java/modules/www/js/common.js	(original)
+++ trunk/mashup/java/modules/www/js/common.js	Tue Jun 24 04:17:02 2008
@@ -145,3 +145,31 @@
         return node;
     }
 }
+
+/*
+ * Sanitizes a given HTML string, limiting it to whitelisted formatting HTML only.
+ * Currently allows bold, italic and underline and used in formattable text areas.
+ */
+function sanitizeHtml(rawHtml) {
+    // first strip all the HTML tags from the code.
+    var safeHtml = escapeHtml(rawHtml);
+
+    // Then allow only what we've whitelisted.
+    safeHtml = safeHtml.replace(/&lt;b&gt;/g, "<b>");
+    safeHtml = safeHtml.replace(/&lt;\/b&gt;/g, "</b>");
+    safeHtml = safeHtml.replace(/&lt;i&gt;/g, "<i>");
+    safeHtml = safeHtml.replace(/&lt;\/i&gt;/g, "</i>");
+    safeHtml = safeHtml.replace(/&lt;u&gt;/g, "<u>");
+    safeHtml = safeHtml.replace(/&lt;\/u&gt;/g, "</u>");
+
+    return safeHtml;
+}
+
+/*
+ * Globally escape all HTML tags.
+ */
+function escapeHtml (rawHtml)
+{
+    var safeHtml = rawHtml.replace(/</g, "&lt;");
+    return safeHtml.replace(/>/g, "&gt;");
+};
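Review bot: escapeHtml at L53 rewrites only `<` and `>`, so it is a tag neutralizer rather than an HTML escaper; `&` and quote characters pass through, which means an input that already contains the literal text `&lt;b&gt;` comes back from sanitizeHtml as a live `<b>` tag, and the output is no longer a faithful text rendering of what the user typed. Both functions also run only in the browser before the value is posted, so the server still receives whatever a client chooses to send; a sanitizer intended as a security control has to run again where the value is stored or rendered, and the same applies to the call sites in the mashup.jsp and user.jsp hunks below. The comment on L36 says "strip" but the code escapes, so `// first escape all angle brackets so nothing survives as markup.` reads truer, and the escaper should map `&` before the existing two replaces, `var safeHtml = rawHtml.replace(/&/g, "&amp;").replace(/</g, "&lt;");`. The stray `;` after the escapeHtml function declaration on L57 is harmless but unconventional.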

Modified: trunk/mashup/java/modules/www/mashup.jsp
URL: http://wso2.org/svn/browse/wso2/trunk/mashup/java/modules/www/mashup.jsp?rev=18597&r1=18596&r2=18597&view=diff
==============================================================================
--- trunk/mashup/java/modules/www/mashup.jsp	(original)
+++ trunk/mashup/java/modules/www/mashup.jsp	Tue Jun 24 04:17:02 2008
@@ -215,6 +215,7 @@
 
     function addComment() {
         var newValue = $("Comment_commentText").value;
+        newValue = sanitizeHtml(newValue);
         if (newValue == "") return;
         var path = $('Comment_path').value;
         var commenter = $('Comment_commenter').value;

Modified: trunk/mashup/java/modules/www/user.jsp
URL: http://wso2.org/svn/browse/wso2/trunk/mashup/java/modules/www/user.jsp?rev=18597&r1=18596&r2=18597&view=diff
==============================================================================
--- trunk/mashup/java/modules/www/user.jsp	(original)
+++ trunk/mashup/java/modules/www/user.jsp	Tue Jun 24 04:17:02 2008
@@ -120,6 +120,10 @@
 
         function saveEditable(field, fieldtype, user) {
             var newValue = $(field + "_input_text").value;
+            if (fieldtype == "bio") {                
+                newValue = sanitizeHtml(newValue);
+            }
+
             $(field + "_value").update(newValue);
             cancelEditable(field);
 
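Review bot: Only the bio branch is sanitized, yet the line after it, `$(field + "_value").update(newValue)`, writes every field type back into the page; if `$()`/`update()` here are Prototype's, that call assigns innerHTML, so a non-bio field still carries any markup it contains into the DOM untouched. Unless the other field types are meant to render HTML, `newValue = (fieldtype == "bio") ? sanitizeHtml(newValue) : escapeHtml(newValue);` would cover them with the escaper this same commit adds to common.js. L82 also carries trailing whitespace after the opening brace. saveEditable continues past the end of the hunk.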


