From 871e2617e32fb305b9a4e16e560e270a7ef84ffc Mon Sep 17 00:00:00 2001 From: Jan Lehnardt Date: Tue, 2 Nov 2010 22:16:18 +0000 Subject: Escape URL and cookie input. git-svn-id: https://svn.apache.org/repos/asf/couchdb/trunk@1030261 13f79535-47bb-0310-9956-ffa450edef68 --- share/www/database.html | 10 +++++----- share/www/document.html | 4 ++-- share/www/index.html | 2 +- share/www/script/couch_test_runner.js | 7 +++++++ share/www/script/futon.browse.js | 17 +++++++++++------ share/www/script/futon.format.js | 5 ++++- share/www/script/futon.js | 3 ++- share/www/session.html | 2 +- 8 files changed, 33 insertions(+), 17 deletions(-) (limited to 'share/www') diff --git a/share/www/database.html b/share/www/database.html index 39507398..f1d8dbd6 100644 --- a/share/www/database.html +++ b/share/www/database.html @@ -71,17 +71,17 @@ specific language governing permissions and limitations under the License. }); // Restore preferences/state - $("#documents thead th.key").toggleClass("desc", $.futon.storage.get("desc")); - var reduce = $.futon.storage.get("reduce"); + $("#documents thead th.key").toggleClass("desc", !!$.futon.storage.get("desc")); + var reduce = !!$.futon.storage.get("reduce"); $("#reduce :checkbox")[0].checked = reduce; - $("#grouplevel select").val($.futon.storage.get("group_level")); + $("#grouplevel select").val(parseInt($.futon.storage.get("group_level"))); $("#grouplevel").toggleClass("disabled", !reduce).find("select").each(function() { this.disabled = !reduce; }); - $("#perpage").val($.futon.storage.get("per_page")); + $("#perpage").val(parseInt($.futon.storage.get("per_page"))); - var staleViews = $.futon.storage.get("stale"); + var staleViews = !!$.futon.storage.get("stale"); $("#staleviews :checkbox")[0].checked = staleViews; page.populateViewsMenu(); diff --git a/share/www/document.html b/share/www/document.html index b6f42018..ee0f3475 100644 --- a/share/www/document.html +++ b/share/www/document.html 
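Review bot: Both `parseInt(...)` calls added for `group_level` and `per_page` pass no radix, so a stored value like `"08"` or `"010"` is octal-parsed by the ES3-era engines this UI still targets, and a non-numeric stored value yields `NaN`, which `.val(NaN)` cannot match to any `<option>`. Since the stored preference is exactly the untrusted input this commit is hardening against, parse with an explicit radix and only apply the value when it is a number, mirroring the `if (dbsPerPage)` guard the index.html hunk already uses: `var perPage = parseInt($.futon.storage.get("per_page"), 10); if (!isNaN(perPage)) $("#perpage").val(perPage);`. The `group_level` line wants the same treatment.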
@@ -42,9 +42,9 @@ specific language governing permissions and limitations under the License. }); $(function() { - $("h1 a.dbname").text(page.dbName) + $("h1 a.dbname").text(encodeURIComponent(page.dbName)) .attr("href", "database.html?" + encodeURIComponent(page.db.name)); - $("h1 strong").text(page.docId); + $("h1 strong").text(encodeURIComponent(page.docId)); $("h1 a.raw").attr("href", "/" + encodeURIComponent(page.db.name) + "/" + encodeURIComponent(page.docId)); page.updateFieldListing(); diff --git a/share/www/index.html b/share/www/index.html index e34dbde1..975f5986 100644 --- a/share/www/index.html +++ b/share/www/index.html @@ -34,7 +34,7 @@ specific language governing permissions and limitations under the License. this.updateSelection(location.pathname + "index.html"); }); } - var dbsPerPage = $.futon.storage.get("per_page"); + var dbsPerPage = parseInt($.futon.storage.get("per_page")); if (dbsPerPage) $("#perpage").val(dbsPerPage); $("#perpage").change(function() { page.updateDatabaseListing(); diff --git a/share/www/script/couch_test_runner.js b/share/www/script/couch_test_runner.js index 2eab9c16..56787e9a 100644 --- a/share/www/script/couch_test_runner.js +++ b/share/www/script/couch_test_runner.js @@ -14,6 +14,13 @@ function loadScript(url) { + // disallow loading remote URLs + if((url.substr(0, 7) == "http://") + || (url.substr(0, 2) == "//") + || (url.substr(0, 5) == "data:") + || (url.substr(0, 11) == "javsacript:")) { + throw "Not loading remote test scripts"; + } if (typeof document != "undefined") document.write(''); }; diff --git a/share/www/script/futon.browse.js b/share/www/script/futon.browse.js index 5f687941..65acbdeb 100644 --- a/share/www/script/futon.browse.js +++ b/share/www/script/futon.browse.js 
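Review bot: Wrapping the arguments of `.text()` in `encodeURIComponent` on the `h1 a.dbname` and `h1 strong` lines adds no protection and changes what the user sees: jQuery's `.text()` creates a text node and never parses markup, so `page.dbName` and `page.docId` were already safe there, while after this change a document id such as `a/b c` is displayed as `a%2Fb%20c`. Keep the encoding on the `href` lines, where it already is, and revert the two text lines to `.text(page.dbName)` and `.text(page.docId)`. If the concern is that `page.docId` is interpolated into an HTML string somewhere else, that call site is where `$.futon.escape` belongs.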
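Review bot: `parseInt($.futon.storage.get("per_page"))` takes no radix, so a stored `"08"` or `"010"` is parsed as octal (0 and 8) by older engines; write `parseInt($.futon.storage.get("per_page"), 10)`. The existing `if (dbsPerPage)` guard on the next line already discards the `NaN` a non-numeric stored value would produce, so no further fallback is needed here.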
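Review bot: The new denylist in `loadScript` misspells the scheme it most needs to block — `url.substr(0, 11) == "javsacript:"` never matches `javascript:` — and it also misses `https://`, mixed-case schemes such as `HTTP://` or `JavaScript:`, leading whitespace, `vbscript:` and backslash-prefixed forms, because the `substr` comparisons are exact and case-sensitive. A prefix blocklist cannot be made complete for a value that is then written into a script tag via `document.write` (the tag text has been lost in this rendering, so I cannot confirm whether `url` is also quoted safely there); assuming legitimate callers pass relative `.js` paths, accept only that shape instead: `if (!/^[A-Za-z0-9_\-][A-Za-z0-9_\-\.\/]*\.js$/.test(url) || url.indexOf("..") !== -1) { throw "Not loading remote test scripts"; }`. That one check rejects every scheme, the protocol-relative `//` prefix, and any quote or angle bracket without enumerating them. Throwing an `Error` object rather than a string would also give callers a stack trace.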
@@ -97,7 +97,10 @@ // Page class for browse/database.html CouchDatabasePage: function() { var urlParts = location.search.substr(1).split("/"); - var dbName = decodeURIComponent(urlParts.shift()); + var dbName = decodeURIComponent(urlParts.shift()) + + var dbNameRegExp = new RegExp("[^a-z0-9\_\$\(\)\+\/\-]", "g"); + dbName = dbName.replace(dbNameRegExp, ""); $.futon.storage.declareWithPrefix(dbName + ".", { desc: {}, @@ -119,7 +122,7 @@ if (viewName) { this.redirecting = true; location.href = "database.html?" + encodeURIComponent(dbName) + - "/" + viewName; + "/" + encodeURIComponent(viewName); } } var db = $.couch.db(dbName); @@ -372,7 +375,8 @@ var path = $.couch.encodeDocId(doc._id) + "/_view/" + encodeURIComponent(viewNames[j]); var option = $(document.createElement("option")) - .attr("value", path).text(viewNames[j]).appendTo(optGroup); + .attr("value", path).text(encodeURIComponent(viewNames[j])) + .appendTo(optGroup); if (path == viewName) { option[0].selected = true; } @@ -408,7 +412,7 @@ } var viewCode = resp.views[localViewName]; page.viewLanguage = resp.language || "javascript"; - $("#language").val(page.viewLanguage); + $("#language").val(encodeURIComponent(page.viewLanguage)); page.updateViewEditor(viewCode.map, viewCode.reduce || ""); $("#viewcode button.revert, #viewcode button.save").attr("disabled", "disabled"); page.storedViewCode = viewCode; @@ -420,7 +424,7 @@ page.updateViewEditor(page.storedViewCode.map, page.storedViewCode.reduce || ""); page.viewLanguage = page.storedViewLanguage; - $("#language").val(page.viewLanguage); + $("#language").val(encodeURIComponent(page.viewLanguage)); $("#viewcode button.revert, #viewcode button.save").attr("disabled", "disabled"); page.isDirty = false; if (callback) callback(); 
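Review bot: The sanitisation added after `decodeURIComponent(urlParts.shift())` silently rewrites a bad database name instead of rejecting it, so `?my%20db` quietly browses `mydb` and `?MyDB` browses `y`, including reading and writing preferences under that other name's `declareWithPrefix` prefix; a name that fails the test should abort or redirect rather than be coerced. The preceding line has also lost its semicolon, and the pattern reads better as a literal, since the backslashes inside the string are simply dropped by the string parser: `var dbNameRegExp = /[^a-z0-9_$()+\/-]/g;`. Separately, `decodeURIComponent` throws `URIError` on a malformed sequence such as `?%E0`, which this constructor does not catch, so the page fails before any of the new checks run.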
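Review bot: Encoding the whole of `viewName` in the redirect URL looks like it double-encodes it: judging by the `path` built in the `@@ -372` hunk (`encodeDocId(doc._id) + "/_view/" + encodeURIComponent(viewNames[j])`), a stored view name already contains literal `/` separators and percent-encoded segments, so `encodeURIComponent(viewName)` turns `/` into `%2F` and `%` into `%25`, and the reloaded page will neither split it into parts nor match it in the `path == viewName` comparison. If the stored value is to be treated as untrusted cookie input, re-encode it per segment after decoding, e.g. `"/" + $.map(viewName.split("/"), function(s) { return encodeURIComponent(decodeURIComponent(s)); }).join("/")`, or validate it against the shape a view path can have and drop it otherwise. The code that reads `viewName` from storage is outside this hunk, so the stored format is inferred rather than verified.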
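Review bot: `.text(encodeURIComponent(viewNames[j]))` changes the label of every view in the menu without adding protection, because jQuery's `.text()` sets a text node and does not interpret markup: a view named `by date` now appears as `by%20date`. The encoding is right for the option's `value`, where `path` already applies it, but the label should stay `.text(viewNames[j])`.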
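Review bot: `$("#language").val(encodeURIComponent(page.viewLanguage))` selects an `<option>` by value and never inserts HTML, so the encoding is not an escape here; its only effect is that a language id containing any non-URL-safe character stops matching its option and the select ends up with nothing chosen. If `resp.language` from the design document is considered untrusted, check it against the options the select actually offers and fall back otherwise, e.g. `if (!$("#language option").filter(function() { return this.value == page.viewLanguage; }).length) page.viewLanguage = "javascript";` before the `.val(page.viewLanguage)` call. The identical line in the following `@@ -420` hunk has the same issue.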
@@ -504,7 +508,8 @@ callback({ docid: "Cannot save to " + data.docid + " because its language is \"" + doc.language + - "\", not \"" + page.viewLanguage + "\"." + "\", not \"" + + encodeURIComponent(page.viewLanguage) + "\"." }); return; } diff --git a/share/www/script/futon.format.js b/share/www/script/futon.format.js index 0d536e36..31880764 100644 --- a/share/www/script/futon.format.js +++ b/share/www/script/futon.format.js @@ -16,7 +16,10 @@ escape: function(string) { return string.replace(/&/g, "&") .replace(//g, ">"); + .replace(/>/g, ">") + .replace(/"/, """) + .replace(/'/, "';") + ; }, // JSON pretty printing diff --git a/share/www/script/futon.js b/share/www/script/futon.js index 200d6ec5..c4647ed1 100644 --- a/share/www/script/futon.js +++ b/share/www/script/futon.js @@ -215,9 +215,10 @@ function $$(node) { recentDbs.sort(); $.each(recentDbs, function(idx, name) { if (name) { + name = encodeURIComponent(name); $("#dbs").append("
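Review bot: The error message built here is escaped inconsistently: `page.viewLanguage` is percent-encoded while `doc.language` and `data.docid` in the same string are concatenated raw, so if the callback renders `docid` as HTML (not visible here) the injection point remains, and if it renders it as text the encoding only garbles the message. Use one HTML escape for all three values — the `$.futon.escape` helper this same commit extends — or none if the callback uses `.text()`; for example `"\"" + $.futon.escape(doc.language) + "\", not \"" + $.futon.escape(page.viewLanguage) + "\"."`. `encodeURIComponent` is a URL encoding, not an HTML one, and leaves `'`, `(` and `)` untouched.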
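Review bot: The two replacements added to `escape` lack the `g` flag — `/"/` and `/'/` — so only the first double quote and the first apostrophe in the string are escaped, while the existing `&`, `<` and `>` rules use `/g`; a value such as `" onmouseover="…"` placed in an attribute has its second quote pass through untouched. Make them `.replace(/"/g, "&quot;")` and `.replace(/'/g, "&#39;")` (this rendering has dropped the entity text from the hunk, so I cannot confirm what the replacement strings currently say; `&#39;` rather than `&apos;` is the safe choice for older HTML parsers). The dangling `;` on its own line can be folded onto the last `.replace` call.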
  • " + "" + - "" + name + + "" + name + "
  • "); } }); diff --git a/share/www/session.html b/share/www/session.html index 581640b0..0ebd943d 100644 --- a/share/www/session.html +++ b/share/www/session.html @@ -36,7 +36,7 @@ specific language governing permissions and limitations under the License. } m = qp.match(/reason=(.*)/); if (m) { - reason = decodeURIComponent(m[1]); + reason = $.futon.escape(decodeURIComponent(m[1])); } }); if (reason) { -- cgit v1.2.3
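Review bot: `name = encodeURIComponent(name);` is applied once and the result is then used both in the `href` query string and as the visible link text of each recent-database entry, so the text is URL-encoded rather than HTML-escaped: a database named `my/db+1` is listed as `my%2Fdb%2B1`, while characters `encodeURIComponent` leaves alone — `'`, `(`, `)`, `*`, `!` — still reach the markup, which matters if the attribute is ever single-quoted. Keep the encoded value for the `href` and escape the displayed name separately, e.g. `var href = encodeURIComponent(name); var label = $.futon.escape(name);` (`$.futon.escape` being the helper this commit extends in futon.format.js), then use `href` in the query string and `label` in the anchor body. The enclosing function continues outside this hunk.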
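Review bot: `decodeURIComponent(m[1])` throws `URIError` on a malformed percent sequence, so a crafted `?reason=%E0` aborts this `$.each` callback before `$.futon.escape` runs and skips the rest of the setup that follows it; wrap the decode: `try { reason = $.futon.escape(decodeURIComponent(m[1])); } catch (e) { reason = "Invalid reason"; }`. The `/reason=(.*)/` match is also unanchored, so any parameter whose name ends in `reason` (for example `xreason=`) is accepted; `/^reason=(.*)$/` on the individual query part would be stricter. Note that `$.futon.escape`, as changed in the futon.format.js hunk, only escapes the first `"` and `'` it finds, so the protection this line relies on is incomplete until that helper is fixed.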