From fd29d7836f841bba4a0b7eda3986418c8fa664e5 Mon Sep 17 00:00:00 2001
From: Leo
Date: Thu, 4 May 2017 09:44:55 -0400
Subject: [PATCH] Improve HTML Sanitation

---
 src/freebusy.html | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/freebusy.html b/src/freebusy.html
index b74eec9..8b28b9e 100644
--- a/src/freebusy.html
+++ b/src/freebusy.html
@@ -136,7 +136,7 @@
 }
- // this block looks to see if the name or location of the event is "available" (but not "unavailable")
+ // this block looks to see if the name or location of the event is 'available' (but not 'unavailable')
 // if it is, change their name back to green
 var nameClass = "text-danger";
 if ((eventName && (eventName.toLowerCase().includes("free") || (eventName.toLowerCase().includes("available") && !eventName.toLowerCase().includes("unavailable")))) ||
@@ -176,7 +176,7 @@
 }
 // if the event is named or located at 'church', 'chapel', or 'dimnent', mark an icon next to their name
 else if ((eventName && (eventName.toLowerCase().includes("church") || eventName.toLowerCase().includes("chapel") || eventName.toLowerCase().includes("dimnent"))) ||
- (eventLocation && (eventLocation.toLowerCase().includes("church") || eventLocation.toLowerCase().includes("chapel") || eventLocation.toLowerCase().includes("dimnent")))) {
+ (eventLocation && (eventName.toLowerCase().includes("church") || eventLocation.toLowerCase().includes("chapel") || eventLocation.toLowerCase().includes("dimnent")))) {
 personsName = "⛪ " + personsName;
 }
 // if the event is named or located at 'breakfast', 'lunch', 'dinner', 'food', or 'eat', mark an icon next to their name
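Review bot: The replacement line `+ (eventLocation && (eventName.toLowerCase().includes("church") || ...` in the `@@ -176,7 +176,7 @@` hunk calls `eventName.toLowerCase()` inside the branch that is guarded only by `eventLocation`, so an event that has a location but a null/undefined name now throws a TypeError here, and a location containing "church" no longer adds the icon at all. The removed line tested `eventLocation`, which matches the comment above it and the parallel "chapel" and "dimnent" clauses on the same line, and this regression is unrelated to the sanitation change in the commit title. Restore `(eventLocation && (eventLocation.toLowerCase().includes("church") || eventLocation.toLowerCase().includes("chapel") || eventLocation.toLowerCase().includes("dimnent")))) {`. The else-if chain this clause belongs to starts before and continues after the hunk.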
@@ -227,17 +227,14 @@
 (eventLocation && (eventLocation.toLowerCase().includes("workout") || eventLocation.toLowerCase().includes("gym") || eventLocation.toLowerCase().includes("sport")))) {
 personsName = "🏋 " + personsName;
 }
-
+
 if (!eventLocation) {
 eventLocation = eventName;
 }
- // HTML-ize the string
+ // sanitize the string
 if (eventLocation) {
- eventLocation = eventLocation.replace("&", "&");
- eventLocation = eventLocation.replace('"', """);
- eventLocation = eventLocation.replace("<", "<");
- eventLocation = eventLocation.replace(">", ">");
+ eventLocation = sanitizeHTML(eventLocation);
 }
 // if the event details haven't changed from the last check to now, finish this line and move on
@@ -262,4 +259,12 @@
 }
+// http://stackoverflow.com/a/12034334
+function sanitizeHTML(string) {
+ var entityMap = {'&': '&', '<': '<', '>': '>', '"': '"', "'": ''', '/': '/', '`': '`', '=': '='};
+ return String(string).replace(/[&<>"'`=\/]/g, function (s) {
+ return entityMap[s];
+ });
+}
+
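Review bot: Only `eventLocation` is passed through `sanitizeHTML()` in the `@@ -227,17 +227,14 @@` hunk; `personsName`, which has just been prefixed with an icon a few lines up, and `eventName` when it is not used as the location fallback, are left unescaped here. If those values are also written into markup further down the file — not visible in this hunk — they need the same call, otherwise the fix covers only one of the calendar-supplied fields. The comment `// sanitize the string` also does not say what the value is being prepared for; since an HTML-escaped string would render its entity references literally if it were later assigned through textContent or a DOM API, consider `// escape for insertion into HTML markup (text or quoted attribute); not for textContent or JS/URL contexts`.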
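Review bot: As this patch is rendered, every value in `entityMap` is identical to its key (`'&': '&'`, `'<': '<'`, …) and the single-quote entry reads `"'": '''`, which is not valid JavaScript, so `sanitizeHTML()` would be either a syntax error or an identity function; presumably the values were the entity references `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`, `&#x2F;`, `&#x60;`, `&#x3D;` from the linked answer and were decoded by whatever produced this view, but please confirm the committed file still carries them, since the same four `.replace` lines being removed above show the same decoding. The function also lacks documentation beyond the URL: add a JSDoc above it stating that it escapes a value for insertion as HTML text or a quoted attribute only, that `String(string)` turns `null`/`undefined` into the literal text "null"/"undefined" (the caller's `if (eventLocation)` guard is what avoids that), and that it is not sufficient for JavaScript-string, URL or event-handler attribute contexts. A `@param {*} string` / `@returns {string}` pair would complete it.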