fuwafuwa
/
etherpad-lite
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

The value of all href attributes is escaped.

This commit is contained in:
Chad Weider 2012-01-14 14:50:23 -08:00
parent 6e36b59a59
commit 387dd4a48b
4 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
node/utils/ExportHtml.js
View File

@ -292,7 +292,7 @@ function getHTMLFromAtext(pad, atext)
var url = urlData[1];
var urlLength = url.length;
processNextChars(startIndex - idx);
assem.append('<a href="' + url.replace(/\"/g, '&quot;') + '">');
assem.append('<a href="' + _escapeHTML(url) + '">');
processNextChars(urlLength);
assem.append('</a>');
});

2
static/js/domline.js
View File

@ -162,7 +162,7 @@ domline.createDomLine = function(nonEmpty, doesWrap, optBrowser, optDocument)
{
href = "http://"+href;
}
extraOpenTags = extraOpenTags + '<a href="' + href.replace(/\"/g, '&quot;') + '">';
extraOpenTags = extraOpenTags + '<a href="' + domline.escapeHTML(href) + '">';
extraCloseTags = '</a>' + extraCloseTags;
}
if (simpleTags)

2
static/js/domline_client.js
View File

@ -158,7 +158,7 @@ domline.createDomLine = function(nonEmpty, doesWrap, optBrowser, optDocument)
{
if (href)
{
extraOpenTags = extraOpenTags + '<a href="' + href.replace(/\"/g, '&quot;') + '">';
extraOpenTags = extraOpenTags + '<a href="' + domline.escapeHTML(href) + '">';
extraCloseTags = '</a>' + extraCloseTags;
}
if (simpleTags)

2
static/js/pad_utils.js
View File

@ -187,7 +187,7 @@ var padutils = {
var startIndex = urls[j][0];
var href = urls[j][1];
advanceTo(startIndex);
pieces.push('<a ', (target ? 'target="' + target + '" ' : ''), 'href="', href.replace(/\"/g, '&quot;'), '">');
pieces.push('<a ', (target ? 'target="' + target + '" ' : ''), 'href="', padutils.escapeHtml(href), '">');
advanceTo(startIndex + href.length);
pieces.push('</a>');
}