-rw-r--r-- | frontend/beta/js/Clipperz/Base.js | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/frontend/beta/js/Clipperz/Base.js b/frontend/beta/js/Clipperz/Base.js
index cf40314..1c6faa1 100644
--- a/frontend/beta/js/Clipperz/Base.js
+++ b/frontend/beta/js/Clipperz/Base.js
@@ -201,96 +201,124 @@ MochiKit.Base.update(Clipperz.Base, { return result; }, //------------------------------------------------------------------------- 'evalJSON': function(aString) { /* var result; // check for XSS injection if (/<script>/.test(aString)) { throw "error"; } if (/<iframe>/.test(aString)) { throw "error"; } result = MochiKit.Base.evalJSON(aString); return result; */ // return MochiKit.Base.evalJSON(aString); return JSON2.parse(aString); }, 'serializeJSON': function(anObject) { // return MochiKit.Base.serializeJSON(anObject); return JSON2.stringify(anObject); }, //------------------------------------------------------------------------- 'sanitizeString': function(aValue) { var result; if (Clipperz.Base.objectType(aValue) == 'string') { result = aValue; result = result.replace(/</img,"<"); result = result.replace(/>/img,">"); } else { result = aValue; } return result; }, + 'javascriptInjectionPattern': new RegExp("javascript:\/\/\"", "g"), + + 'sanitizeUrl': function(aValue) { + var result; + + if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) { + result = aValue.replace(this.javascriptInjectionPattern, ''); + console.log("sanitized url", aValue, result); + } else { + result = aValue; + } + + return result; + }, + + 'sanitizeFavicon': function(aValue) { + var result; + + if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) { + result = aValue.replace(this.javascriptInjectionPattern, ''); + console.log("sanitized favicon", aValue, result); + } else { + result = aValue; + } + + return result; + }, + //------------------------------------------------------------------------- 'exception': { 'AbstractMethod': new MochiKit.Base.NamedError("Clipperz.Base.exception.AbstractMethod"), 'UnknownType': new MochiKit.Base.NamedError("Clipperz.Base.exception.UnknownType"), 'VulnerabilityIssue': new MochiKit.Base.NamedError("Clipperz.Base.exception.VulnerabilityIssue") }, 
//------------------------------------------------------------------------- __syntaxFix__: "syntax fix" }); MochiKit.Base.registerComparator('Object dummy comparator', function(a, b) { return ((a.constructor == Object) && (b.constructor == Object)); }, function(a, b) { var result; var aKeys; var bKeys; //MochiKit.Logging.logDebug(">>> comparator"); //MochiKit.Logging.logDebug("- a: " + Clipperz.Base.serializeJSON(a)); //MochiKit.Logging.logDebug("- b: " + Clipperz.Base.serializeJSON(a)); aKeys = MochiKit.Base.keys(a).sort(); bKeys = MochiKit.Base.keys(b).sort(); result = MochiKit.Base.compare(aKeys, bKeys); //if (result != 0) { // MochiKit.Logging.logDebug("- comparator 'keys':"); // MochiKit.Logging.logDebug("- comparator aKeys: " + Clipperz.Base.serializeJSON(aKeys)); // MochiKit.Logging.logDebug("- comparator bKeys: " + Clipperz.Base.serializeJSON(bKeys)); //} if (result == 0) { var i, c; c = aKeys.length; for (i=0; (i<c) && (result == 0); i++) { result = MochiKit.Base.compare(a[aKeys[i]], b[bKeys[i]]); //if (result != 0) { // MochiKit.Logging.logDebug("- comparator 'values':"); // MochiKit.Logging.logDebug("- comparator a[aKeys[i]]: " + Clipperz.Base.serializeJSON(a[aKeys[i]])); // MochiKit.Logging.logDebug("- comparator b[bKeys[i]]: " + Clipperz.Base.serializeJSON(b[bKeys[i]])); //} } |
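Review bot: `javascriptInjectionPattern` matches only the single literal string `javascript://"`, so the new `sanitizeUrl`/`sanitizeFavicon` pass `javascript:alert(1)`, `JavaScript:`, `data:text/html,…` and `vbscript:` through untouched, and because they delete the match instead of rejecting the value, an input such as `jjavascript://"avascript:alert(1)` comes back as `javascript:alert(1)` — the sanitizer manufactures the payload it set out to remove. An allow-list on the scheme is the robust shape: keep the value only when it is a string that starts with `http:`/`https:` (add `data:image/` for favicons only if callers really store inline icons) and otherwise return null, as sketched below; whether scheme-less card URLs must survive and should be prefixed rather than dropped I cannot tell from this hunk. The `console.log` calls echo the raw stored URL into the devtools log and throw on browsers without a `console` object, while the rest of this file logs through `MochiKit.Logging`, so either drop them or use that. Both functions are identical apart from the log string, so `sanitizeFavicon` can simply delegate to `sanitizeUrl`. The enclosing `MochiKit.Base.update(Clipperz.Base, {…})` literal begins before this hunk.
```javascript
	'safeUrlSchemePattern': new RegExp("^\\s*https?:", "i"),

	'sanitizeUrl': function(aValue) {
		var result;

		// Allow-list, not deny-list: keep the value only when it is a string
		// carrying an explicit http(s) scheme; javascript:, data:, vbscript:
		// and scheme-less trickery are rejected, never "repaired" by deletion.
		if ((aValue != null) && (Clipperz.Base.objectType(aValue) == 'string') && this.safeUrlSchemePattern.test(aValue)) {
			result = aValue;
		} else {
			result = null;
		}

		return result;
	},

	'sanitizeFavicon': function(aValue) {
		// Same rule as URLs; widen safeUrlSchemePattern with "data:image/"
		// only if callers genuinely store inline icons.
		return this.sanitizeUrl(aValue);
	},
```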