cleaned up some of the scrubbing of xss

2011-03-12 12:04:34 -05:00 · 2011-03-12 12:04:34 -05:00 · ae247f09bf
commit ae247f09bf
parent 2870f10968
2 changed files with 30 additions and 20 deletions
--- a/client/lib/jquery.jeditable.js
+++ b/client/lib/jquery.jeditable.js
@ -279,16 +279,16 @@
                } else if ('submit' == settings.onblur) {
                    input.blur(function(e) {
                        /* prevent double submit if submit was clicked */
-                        t = setTimeout(function() {
+                        //t = setTimeout(function() {
                            form.submit();
-                        }, 200);
+                        //}, 200);
                    });
 						//ali here: i hacked this in so that submit happens on mouseout too
 						input.mouseout(function(e) {
                        /* prevent double submit if submit was clicked */
-                        t = setTimeout(function() {
+                        //t = setTimeout(function() {
                            form.submit();
-                        }, 200);
+                        //}, 200);
                    });
                } else if ($.isFunction(settings.onblur)) {
                    input.blur(function(e) {
--- a/server.js
+++ b/server.js
@ -236,35 +236,47 @@ function scrub( text ) {
 				break;
 				
 			case 'updateColumns':				
-				//@TODO -- scrub each column
-				getRoom( client, function(room) {
-					setColumns( room, message.data );
-				});
+				var columns = message.data;
 				
-				broadcastToRoom( client, message );
+				if (!(columns instanceof Array))
+					break;
+				
+				var clean_columns = [];
+				
+				for (i in columns)
+				{
+					clean_columns[i] = scrub( columns[i] );
+				}
+				
+				setColumns( room, clean_columns );

+				broadcastToRoom( client, { action: 'updateColumns', data: clean_columns } );
+				
 				break;
 				
 			case 'changeTheme':
-				//@TODO -- scrub 
-				message.data = scrub(message.data);
+				var clean_message = {};
+				clean_message.data = scrub(message.data);
 				
 				getRoom( client, function(room) {
-					setTheme( room, message.data );
+					setTheme( room, clean_message.data );
 				});
 				
-				broadcastToRoom( client, message );
+				clean_message.action = 'changeTheme';
+				
+				broadcastToRoom( client, clean_message );
 				break;
 				
 			case 'setUserName':
-				//@TODO -- scrub 
-				name = scrub(message.data);
+				var clean_message = {};
 				
-				setUserName(client, name);
+				clean_message.data = scrub(message.data);
+				
+				setUserName(client, clean_message.data);
 				
 				var msg = {};
 				msg.action = 'nameChangeAnnounce';
-				msg.data = { sid: client.sessionId, user_name: name };
+				msg.data = { sid: client.sessionId, user_name: clean_message.data };
 				broadcastToRoom( client, msg );
 				break;
 				
@ -433,9 +445,7 @@ function setColumns ( room, columns ) {
 		async.forEachSeries(
 			columns,
 			function( item, callback ) {
-				//console.log('rpush: ' + REDIS_PREFIX + '-room:' + room + '-columns' + ' -- ' + item);
-				item = sanitizer.sanitize(item);
-				
+				//console.log('rpush: ' + REDIS_PREFIX + '-room:' + room + '-columns' + ' -- ' + item);				
 				redisClient.rpush(REDIS_PREFIX + '-room:' + room + '-columns', item, 
 					function (err, res) {
 						callback();