From ae247f09bf1821319e8dd3d347184f7cfd3fe03b Mon Sep 17 00:00:00 2001
From: ali asaria
Date: Sat, 12 Mar 2011 12:04:34 -0500
Subject: [PATCH] cleaned up some of the scrubbing of xss
---
 client/lib/jquery.jeditable.js | 8 +++----
 server.js | 42 +++++++++++++++++++++-------------
 2 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/client/lib/jquery.jeditable.js b/client/lib/jquery.jeditable.js
index 365d899..2d19b5a 100644
--- a/client/lib/jquery.jeditable.js
+++ b/client/lib/jquery.jeditable.js
@@ -279,16 +279,16 @@
 } else if ('submit' == settings.onblur) {
 input.blur(function(e) {
 /* prevent double submit if submit was clicked */
- t = setTimeout(function() {
+ //t = setTimeout(function() {
 form.submit();
- }, 200);
+ //}, 200);
 });
 //ali here: i hacked this in so that submit happens on mouseout too
 input.mouseout(function(e) {
 /* prevent double submit if submit was clicked */
- t = setTimeout(function() {
+ //t = setTimeout(function() {
 form.submit();
- }, 200);
+ //}, 200);
 });
 } else if ($.isFunction(settings.onblur)) {
 input.blur(function(e) {
diff --git a/server.js b/server.js
index 8f1d679..016d573 100644
--- a/server.js
+++ b/server.js
@@ -236,35 +236,47 @@ function scrub( text ) {
 break;
 case 'updateColumns':
- //@TODO -- scrub each column
- getRoom( client, function(room) {
- setColumns( room, message.data );
- });
+ var columns = message.data;
- broadcastToRoom( client, message );
+ if (!(columns instanceof Array))
+ break;
+
+ var clean_columns = [];
+
+ for (i in columns)
+ {
+ clean_columns[i] = scrub( columns[i] );
+ }
+
+ setColumns( room, clean_columns );
+ broadcastToRoom( client, { action: 'updateColumns', data: clean_columns } );
+ break;
 case 'changeTheme':
- //@TODO -- scrub
- message.data = scrub(message.data);
+ var clean_message = {};
+ clean_message.data = scrub(message.data);
 getRoom( client, function(room) {
- setTheme( room, message.data );
+ setTheme( room, clean_message.data );
 });
- broadcastToRoom( client, message );
+ clean_message.action = 'changeTheme';
+
+ broadcastToRoom( client, clean_message );
 break;
 case 'setUserName':
- //@TODO -- scrub
- name = scrub(message.data);
+ var clean_message = {};
- setUserName(client, name);
+ clean_message.data = scrub(message.data);
+
+ setUserName(client, clean_message.data);
 var msg = {};
 msg.action = 'nameChangeAnnounce';
- msg.data = { sid: client.sessionId, user_name: name };
+ msg.data = { sid: client.sessionId, user_name: clean_message.data };
 broadcastToRoom( client, msg );
 break;
@@ -433,9 +445,7 @@ function setColumns ( room, columns ) {
 async.forEachSeries( columns, function( item, callback ) {
- //console.log('rpush: ' + REDIS_PREFIX + '-room:' + room + '-columns' + ' -- ' + item);
- item = sanitizer.sanitize(item);
-
+ //console.log('rpush: ' + REDIS_PREFIX + '-room:' + room + '-columns' + ' -- ' + item);
 redisClient.rpush(REDIS_PREFIX + '-room:' + room + '-columns', item, function (err, res) {
 callback();
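Review bot: `setColumns( room, clean_columns );` in the new updateColumns branch uses `room` outside any `getRoom` callback — the removed lines obtained it through `getRoom( client, function(room) { ... })` and the neighbouring changeTheme case still does — so unless `room` is bound earlier in this handler (the enclosing switch starts before the hunk and continues after it), this is an undeclared name and the scrubbed columns are never stored for the caller's room. Restore the wrapper: `getRoom( client, function(room) { setColumns( room, clean_columns ); });`. The loop `for (i in columns)` also leaks `i` as an implicit global and walks enumerable inherited properties rather than just indices; `for (var i = 0; i < columns.length; i++)` keeps the scrub to the array elements. Since every element is client-supplied and `scrub`'s handling of non-string values is not visible in this diff, a `typeof columns[i] === 'string'` check before scrubbing (skipping or rejecting anything else) would make the validation explicit.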
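Review bot: Dropping `item = sanitizer.sanitize(item);` moves the only sanitization of stored columns out of the storage sink into a single caller, so any other path that calls `setColumns` — room creation or defaults, if such exist; none is visible here — now writes raw client strings into Redis, and because `scrub()` is not shown in this diff it cannot be judged whether it is as strict as `sanitizer.sanitize`. Keeping the sink-side line as defence in depth costs nothing if `scrub` only strips or escapes markup (confirm against the scrub implementation that running both does not double-encode). If the intent really is to sanitize only at the edge, state the contract where callers will see it, e.g. above the `async.forEachSeries` call: `// setColumns stores items verbatim: every caller must scrub() each column first.` The commented-out `console.log` is dead code that was removed and re-added; delete it rather than carry it along. setColumns continues past the end of the hunk.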