From de5a116d784cffcbca53b4ed35f3523de6c9bd01 Mon Sep 17 00:00:00 2001
From: cel
Date: Thu, 17 May 2018 21:39:39 -0400
Subject: Sanitize strings
---
 lib/render-msg.js | 112 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 58 insertions(+), 54 deletions(-)
(limited to 'lib/render-msg.js')
diff --git a/lib/render-msg.js b/lib/render-msg.js
index 98f86e0..e7de9e3 100644
--- a/lib/render-msg.js
+++ b/lib/render-msg.js
@@ -351,7 +351,7 @@ RenderMsg.prototype.vote = function (cb) {
 self.wrapMini([
 v.value > 0 ? 'dug' : v.value < 0 ? 'downvoted' : 'undug',
 ' ', a,
- v.reason ? [' as ', h('q', v.reason)] : ''
+ v.reason ? [' as ', h('q', String(v.reason))] : ''
 ], cb)
 })
 }
@@ -514,7 +514,7 @@ RenderMsg.prototype.about = function (cb) {
 isSelf ? 'self-identifies as ' : ['identifies ', h('a', {href: this.toUrl(this.c.about)}, truncate(this.c.about, 10)), ' as '],
- h('ins', this.c.name)
+ h('ins', String(this.c.name))
 ], cb)
 }
@@ -570,10 +570,10 @@ RenderMsg.prototype.about = function (cb) {
 : h('a', {href: this.toUrl(this.c.about)}, truncate(this.c.about, 10)), ' as '
 ],
- this.c.name ? [h('ins', this.c.name), ' '] : '',
+ this.c.name ? [h('ins', String(this.c.name)), ' '] : '',
 this.c.description ? h('div', {innerHTML: this.render.markdown(this.c.description)}) : '',
- this.c.title ? h('h3', this.c.title) : '',
+ this.c.title ? h('h3', String(this.c.title)) : '',
 this.c.attendee ? h('div', this.link1(this.c.attendee.link, done()), this.c.attendee.remove ? ' is not attending' : ' is attending'
@@ -582,7 +582,7 @@ RenderMsg.prototype.about = function (cb) {
 'starting at ', dateTime(this.c.startDateTime)) : '',
 this.c.endDateTime ? h('div', 'ending at ', dateTime(this.c.endDateTime)) : '',
- this.c.location ? h('div', 'at ', this.c.location) : '',
+ this.c.location ? h('div', 'at ', String(this.c.location)) : '',
 img ? h('a', {href: this.toUrl(img)}, h('img.ssb-avatar-image', {
 src: this.render.imageUrl(img),
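Review bot: `h('ins', String(this.c.name))` in the -514 hunk renders the literal text "undefined" (or "null") when a message has no `name`, which the old `h('ins', this.c.name)` did not, assuming `h` skips nullish children the way hyperscript does; the neighbouring -570 hunk guards the same field with `this.c.name ? … : ''` and this one does not. The same unguarded `String(...)` is added for `branch`/`head_branch` in gitPullRequest, the audio and musicRelease titles and `track.fname`, the dns record fields, mutualCredit `amount`, npmPublish `pkg.name`, chessChat `msg`, acme `challenge.domain`, bookclub `props.title`, sombrioScore `score`, skillCreate `name`, ideaUpdate `props.title` and aboutResource `name`. Keeping the coercion (presumably so that an object placed in a message field is no longer interpreted by `h` as an attribute object) while preserving the old behaviour for absent fields only needs a small helper such as `function str (v) { return v == null ? '' : String(v) }`, used in place of each bare `String(...)`. `about`'s body starts and ends outside the hunk.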
@@ -632,9 +632,11 @@ RenderMsg.prototype.contact = function (cb) {
 ' ', a,
 self.c.note ? [
 ' from ',
- h('code', self.c.note)
+ h('code', String(self.c.note))
 ] : '',
- self.c.reason ? [' because ', h('q', self.c.reason)] : ''
+ self.c.reason ? [' because ',
+ h('q', String(self.c.reason))
+ ] : ''
 ], cb)
 })
 }
@@ -691,7 +693,7 @@ RenderMsg.prototype.gitUpdate = function (cb) {
 'git push ', a, ' ',
 !isNaN(size) ? [self.render.formatSize(size), ' '] : '',
 self.c.refs ? h('ul', Object.keys(self.c.refs).map(function (ref) {
- var id = self.c.refs[ref]
+ var id = String(self.c.refs[ref])
 var type = /^refs\/tags/.test(ref) ? 'tag' : 'commit'
 var path = id && ('/git/' + type + '/' + encodeURIComponent(id) + '?msg=' + encodeURIComponent(self.msg.key))
@@ -744,9 +746,9 @@ RenderMsg.prototype.gitPullRequest = function (cb) {
 if (err) return cb(err)
 self.wrap(h('div.ssb-pull-request',
 'pull request ',
- 'to ', baseRepoLink, ':', self.c.branch, ' ',
- 'from ', headRepoLink, ':', self.c.head_branch,
- self.c.title ? h('h4', self.c.title) : '',
+ 'to ', baseRepoLink, ':', String(self.c.branch), ' ',
+ 'from ', headRepoLink, ':', String(self.c.head_branch),
+ self.c.title ? h('h4', String(self.c.title)) : '',
 h('div', {innerHTML: self.markdown()})), cb)
 })
 }
@@ -757,7 +759,7 @@ RenderMsg.prototype.issue = function (cb) {
 if (err) return cb(err)
 self.wrap(h('div.ssb-issue',
 'issue on ', projectLink,
- self.c.title ? h('h4', self.c.title) : '',
+ self.c.title ? h('h4', String(self.c.title)) : '',
 h('div', {innerHTML: self.markdown()})), cb)
 })
 }
@@ -796,7 +798,7 @@ RenderMsg.prototype.valueTable = function (val, depth, cb) {
 )
 } else if (isContent && key === 'type') {
 // TODO: also link to images by type, using links2
- var type = val.type
+ var type = String(val.type)
 return h('tr',
 h('td', h('strong', 'type')),
 h('td', h('a', {href: self.toUrl('/type/' + type)}, type))
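Review bot: `var id = String(self.c.refs[ref])` in the gitUpdate hunk turns a null or undefined ref value into the truthy string "null"/"undefined", so the `id && (...)` guard on the next line no longer suppresses the path and such entries get a link to `/git/<type>/null`. Converting only present values keeps the guard meaningful: `var id = self.c.refs[ref]` followed by `if (id != null) id = String(id)`. The map callback continues outside the hunk.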
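Review bot: `type` in the valueTable hunk is spliced into the link as `self.toUrl('/type/' + type)` with no `encodeURIComponent`, whereas the gitUpdate hunk above encodes `id` before building its path; a type value containing `/`, `?` or `#` changes the link target unless `toUrl` encodes path segments itself, which is not visible here. Suggest `h('td', h('a', {href: self.toUrl('/type/' + encodeURIComponent(type))}, type))`.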
@@ -843,8 +845,8 @@ RenderMsg.prototype.issues = function (cb) {
 }
 var els = issues.map(function (issue) {
 var commit = issue.object || issue.label ? [
- issue.object ? h('code', issue.object) : '', ' ',
- issue.label ? h('q', issue.label) : ''] : ''
+ issue.object ? h('code', String(issue.object)) : '', ' ',
+ issue.label ? h('q', String(issue.label)) : ''] : ''
 if (issue.merged === true)
 return h('div',
 'merged ', self.link1(issue, done()))
@@ -856,7 +858,7 @@ RenderMsg.prototype.issues = function (cb) {
 'reopened ', self.link1(issue, done()))
 if (typeof issue.title === 'string')
 return h('div',
- 'renamed ', self.link1(issue, done()), ' to ', h('ins', issue.title))
+ 'renamed ', self.link1(issue, done()), ' to ', h('ins', String(issue.title)))
 })
 done(cb)
 return els.length > 0 ? [els, h('br')] : ''
@@ -890,7 +892,7 @@ RenderMsg.prototype.update = function (cb) {
 this.wrapMini([
 h('div', 'updated ',
 h('code.ssb-id', h('a', {href: this.render.toUrl(id)}, id))),
- this.c.title ? h('h4.msg-title', this.c.title) : '',
+ this.c.title ? h('h4.msg-title', String(this.c.title)) : '',
 this.c.description ? h('div',
 {innerHTML: this.render.markdown(this.c.description)}) : ''
 ], cb)
@@ -913,7 +915,8 @@ RenderMsg.prototype.audio = function (cb) {
 }))
 : ''),
 h('td',
- h('a', {href: this.render.toUrl(this.c.audioSrc)}, this.c.title),
+ h('a', {href: this.render.toUrl(this.c.audioSrc)},
+ String(this.c.title)),
 isFinite(this.c.duration)
 ? ' (' + formatDuration(this.c.duration) + ')'
 : '',
@@ -937,7 +940,7 @@ RenderMsg.prototype.musicRelease = function (cb) {
 }))
 : ''),
 h('td',
- h('h4.msg-title', this.c.title),
+ h('h4.msg-title', String(this.c.title)),
 this.c.text ? h('div', {innerHTML: this.render.markdown(this.c.text)}) : ''
@@ -945,7 +948,8 @@ RenderMsg.prototype.musicRelease = function (cb) {
 )),
 h('ul', u.toArray(this.c.tracks).filter(Boolean).map(function (track) {
 return h('li',
- h('a', {href: self.render.toUrl(track.link)}, track.fname))
+ h('a', {href: self.render.toUrl(track.link)},
+ String(track.fname)))
 }))
 ], cb)
 }
@@ -958,10 +962,10 @@ RenderMsg.prototype.dns = function (cb) {
 self.wrap([
 h('div',
 h('p',
- h('ins', {title: 'name'}, record.name), ' ',
- h('span', {title: 'ttl'}, record.ttl), ' ',
- h('span', {title: 'class'}, record.class), ' ',
- h('span', {title: 'type'}, record.type)
+ h('ins', {title: 'name'}, String(record.name)), ' ',
+ h('span', {title: 'ttl'}, String(record.ttl)), ' ',
+ h('span', {title: 'class'}, String(record.class)), ' ',
+ h('span', {title: 'type'}, String(record.type))
 ),
 h('pre', {title: 'data'},
 JSON.stringify(record.data || record.value, null, 2)),
@@ -996,11 +1000,11 @@ RenderMsg.prototype.mutualCredit = function (cb) {
 if (err) return cb(err)
 self.wrapMini([
 'credits ', a || '?', ' ',
- h('code', self.c.amount), ' ',
+ h('code', String(self.c.amount)), ' ',
 currency[0] === '#'
 ? h('a', {href: self.toUrl(currency)}, currency)
 : h('ins', currency),
- self.c.memo ? [' for ', h('q', self.c.memo)] : ''
+ self.c.memo ? [' for ', h('q', String(self.c.memo))] : ''
 ], cb)
 })
 }
@@ -1068,7 +1072,7 @@ RenderMsg.prototype.npmPublish = function (cb) {
 self.wrap([
 h('div',
 'published ',
- h('u', pkg.name), ' ',
+ h('u', String(pkg.name)), ' ',
 hJoin(versions.map(function (version) {
 var distTag = distTagged[version]
 return [h('b', version), distTag ? [' (', h('i', distTag), ')'] : '']
@@ -1272,9 +1276,9 @@ RenderMsg.prototype.chessMove = function (cb) {
 h('div', h('small', '> ', rootLink)),
 h('p',
 // 'player ', (c.ply || ''), ' ',
- 'moved ', (piece ? renderChessSymbol(piece) : ''), ' ',
- 'from ', c.orig, ' ',
- 'to ', c.dest
+ 'moved ' + (piece ? renderChessSymbol(piece) + ' ' : ''),
+ 'from ' + c.orig, ' ',
+ 'to ' + c.dest
 ),
 self.chessBoard(game.board)
 ], cb)
@@ -1339,9 +1343,9 @@ RenderMsg.prototype.chessGameEnd = function (cb) {
 self.wrap([
 h('div', h('small', '> ', rootLink)),
 h('p',
- 'moved ', (piece ? renderChessSymbol(piece) : ''), ' ',
- 'from ', c.orig, ' ',
- 'to ', c.dest
+ 'moved ' + (piece ? renderChessSymbol(piece) + ' ' : ''),
+ 'from ' + c.orig, ' ',
+ 'to ' + c.dest
 ),
 h('p', h('strong', self.c.status), '. winner: ', h('strong', winnerLink)),
@@ -1356,7 +1360,7 @@ RenderMsg.prototype.chessChat = function (cb) {
 if (err) return cb(err)
 self.wrap([
 h('div', h('small', '> ', rootLink)),
- h('p', self.c.msg)
+ h('p', String(self.c.msg))
 ], cb)
 })
 }
@@ -1378,9 +1382,9 @@ RenderMsg.prototype.chessMoveFull = function (cb) {
 h('div', h('small', '> ', rootLink)),
 h('p',
 // 'player ', (c.ply || ''), ' ',
- 'moved ', (piece ? renderChessSymbol(piece) : ''), ' ',
- 'from ', c.orig, ' ',
- 'to ', c.dest
+ 'moved ' + (piece ? renderChessSymbol(piece) + ' ' : '')
+ 'from ' + c.orig, ' ',
+ 'to ' + c.dest
 ),
 self.chessBoard(game.board)
 ], cb)
@@ -1397,7 +1401,7 @@ RenderMsg.prototype.chessMoveMini = function (cb) {
 if (err) return cb(err)
 self.wrapMini([
 'moved ', chessPieceName(piece), ' ',
- 'to ', c.dest
+ 'to ' + c.dest
 ], cb)
 })
 }
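Review bot: In the chessMoveFull hunk (-1378) the added line `'moved ' + (piece ? renderChessSymbol(piece) + ' ' : '')` has no trailing comma before the next argument `'from ' + c.orig, ' ',`, unlike the otherwise identical three lines in the chessMove and chessGameEnd hunks; two adjacent expressions inside the `h('p', …)` argument list are a SyntaxError, so the module would fail to load. The hunk header's nine-line new side implies these are three separate added lines rather than one long concatenation, so the missing comma is not a rendering artefact. Fix: `'moved ' + (piece ? renderChessSymbol(piece) + ' ' : ''),`.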
@@ -1406,12 +1410,12 @@ RenderMsg.prototype.acmeChallengesHttp01 = function (cb) {
 var self = this
 self.wrapMini(h('span',
 'serves ',
- hJoin(u.toArray(self.c.challenges).map(function (challenge) {
+ hJoin(u.toArray(self.c.challenges).filter(Boolean).map(function (challenge) {
 return h('a', {
 href: 'http://' + challenge.domain + '/.well-known/acme-challenge/' + challenge.token,
 title: challenge.keyAuthorization,
- }, challenge.domain)
+ }, String(challenge.domain))
 }), ', ', ', and ')
 ), cb)
 }
@@ -1430,9 +1434,9 @@ RenderMsg.prototype.bookclub = function (cb) {
 }))
 })),
 h('td',
- h('h4', props.title),
+ h('h4', String(props.title)),
 props.authors ?
- h('p', h('em', props.authors))
+ h('p', h('em', String(props.authors)))
 : '',
 props.description ?
 h('div', {innerHTML: self.render.markdown(props.description)})
@@ -1470,7 +1474,7 @@ RenderMsg.prototype.sombrioScore = function (cb) {
 var self = this
 self.wrapMini(h('span',
 'scored ',
- h('ins', self.c.score)
+ h('ins', String(self.c.score))
 ), cb)
 }
@@ -1491,8 +1495,8 @@ RenderMsg.prototype.blog = function (cb) {
 }) : 'blog'),
 h('td',
 blogId ? h('h3', h('a', {href: self.render.toUrl('/markdown/' + blogId)},
- self.c.title || self.msg.key)) : '',
- self.c.summary || '')
+ String(self.c.title || self.msg.key))) : '',
+ String(self.c.summary || ''))
 )), cb)
 }
@@ -1526,7 +1530,7 @@ RenderMsg.prototype.skillCreate = function (cb) {
 var self = this
 self.wrapMini(h('span',
 ' created skill ',
- h('ins', self.c.name)
+ h('ins', String(self.c.name))
 ), cb)
 }
@@ -1558,7 +1562,7 @@ RenderMsg.prototype.identitySkillAssign = function (cb) {
 self.wrapMini(h('span',
 self.c.action === 'assign' ? 'assigns '
 : self.c.action === 'unassign' ? 'unassigns '
- : h('code', self.c.action), ' ',
+ : h('code', String(self.c.action)), ' ',
 'skill ', a
 ), cb)
 })
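Review bot: Only the link text becomes `String(challenge.domain)` in the acmeChallengesHttp01 hunk; `challenge.domain` and `challenge.token` are still concatenated raw into `href`, and `title` still receives `challenge.keyAuthorization` as-is, so a non-string token or one containing `/`, `?` or `#` yields a wrong or unintended URL. `encodeURIComponent(challenge.token)` in the href would match what the gitUpdate hunk does for its id, and `String(challenge.keyAuthorization)` keeps the title attribute a plain string.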
@@ -1573,7 +1577,7 @@ RenderMsg.prototype.ideaSkillAssign = function (cb) {
 self.wrapMini(h('span',
 self.c.action === 'assign' ? 'assigns '
 : self.c.action === 'unassign' ? 'unassigns '
- : h('code', self.c.action), ' ',
+ : h('code', String(self.c.action)), ' ',
 'skill ', skillA, ' to idea ', ideaA
@@ -1587,7 +1591,7 @@ RenderMsg.prototype.ideaAssocate = function (cb) {
 self.wrapMini(h('span',
 self.c.action === 'associate' ? 'associates with '
 : self.c.action === 'disassociate' ? 'disassociates with '
- : h('code', self.c.action), ' ',
+ : h('code', String(self.c.action)), ' ',
 'idea ', a
 ), cb)
 })
@@ -1599,7 +1603,7 @@ RenderMsg.prototype.ideaHat = function (cb) {
 self.wrapMini(h('span',
 self.c.action === 'take' ? 'takes '
 : self.c.action === 'discard' ? 'discards '
- : h('code', self.c.action), ' ',
+ : h('code', String(self.c.action)), ' ',
 'idea ', a
 ), cb)
 })
@@ -1619,7 +1623,7 @@ RenderMsg.prototype.ideaUpdate = function (cb) {
 if (keys === 'title') {
 return self.wrapMini(h('span',
 'titles idea ',
- h('a', {href: self.toUrl(self.c.ideaKey)}, props.title)
+ h('a', {href: self.toUrl(self.c.ideaKey)}, String(props.title))
 ), cb)
 }
@@ -1635,7 +1639,7 @@ RenderMsg.prototype.ideaUpdate = function (cb) {
 if (keys === 'description,title') {
 return self.wrap(h('div',
 'describes idea ',
- h('a', {href: self.toUrl(self.c.ideaKey)}, props.title),
+ h('a', {href: self.toUrl(self.c.ideaKey)}, String(props.title)),
 ':',
 h('blockquote', {innerHTML: self.render.markdown(props.description)})
 ), cb)
@@ -1671,7 +1675,7 @@ RenderMsg.prototype.aboutResource = function (cb) {
 var self = this
 return self.wrap(h('div',
 'describes resource ',
- h('a', {href: self.toUrl(self.c.about)}, self.c.name),
+ h('a', {href: self.toUrl(self.c.about)}, String(self.c.name)),
 ':',
 h('blockquote', {innerHTML: self.render.markdown(self.c.description)})
 ), cb)
@@ -1778,7 +1782,7 @@ RenderMsg.prototype.pollPosition = function (cb) {
 }),
 h('p',
 'picked ',
- choice ? h('q', choice) : ['choice ', details.choice || '?']
+ choice ? h('q', choice) : ['choice ', String(details.choice || '?')]
 ),
 reason ? h('div', {innerHTML: self.render.markdown(reason, self.c.mentions)}) : ''
 ), cb)
-- 
cgit v1.2.3
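Review bot: The truthy branch of `choice ? h('q', choice) : [...]` still hands `choice` to `h('q', …)` unwrapped, while only `details.choice` on the same line gets `String(...)`; `choice` is assigned above the hunk, and if it is derived from message content it needs the same treatment. Suggest `choice ? h('q', String(choice)) : ['choice ', String(details.choice || '?')]`. pollPosition's body starts and ends outside the hunk.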