]> dev.renevier.net Git - syp.git/commitdiff
projects / syp.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 756e908)
avoid html injection in item title
authorarno <arenevier@fdn.fr>
Thu, 20 Aug 2009 10:14:05 +0000 (12:14 +0200)
committerarno <arenevier@fdn.fr>
Thu, 20 Aug 2009 12:17:26 +0000 (14:17 +0200)
js/syp.js patch | blob | history

diff --git a/js/syp.js b/js/syp.js
index a7586ca7d0fedc4232f1a85318f4bcc19dbba159..8ebc30237507f2c6a6af0985cb59194db5af3895 100644 (file)
--- a/js/syp.js
+++ b/js/syp.js
@@ -212,8 +212,9 @@ var SYP = {
         }
         var contentHTML;
         if (feature.cluster[0].attributes.name) {
         }
         var contentHTML;
         if (feature.cluster[0].attributes.name) {
+            // escaping name is necessary because it's not enclosed in another html tag.
             contentHTML = "<h2>" +
             contentHTML = "<h2>" +
-                          feature.cluster[0].attributes.name + 
+                          SYP.Utils.escapeHTML(feature.cluster[0].attributes.name) +
                           "</h2>" + 
                           feature.cluster[0].attributes.description;
         } else {
                           "</h2>" + 
                           feature.cluster[0].attributes.description;
         } else {
@@ -384,6 +385,18 @@ var SYP = {
             }
             div.style.display = "block";
             div.appendChild(textNode);
             }
             div.style.display = "block";
             div.appendChild(textNode);
+        },
+
+        escapeHTML: function (str) {
+            if (!str) {
+                return "";
+            }
+            return str.
+             replace(/&/gm, '&amp;').
+             replace(/'/gm, '&#39;').
+             replace(/"/gm, '&quot;').
+             replace(/>/gm, '&gt;').
+             replace(/</gm, '&lt;');
         }
     }
 };
         }
     }
 };
Show Your Places