fix #2: escape name field

2020-05-12 22:07:40 +02:00 · 2020-05-12 22:07:40 +02:00 · f3ceb3aad4
commit f3ceb3aad4
parent 60c500d219
2 changed files with 24 additions and 5 deletions
--- a/coinmanager/coinc/static/coinc/main.js
+++ b/coinmanager/coinc/static/coinc/main.js
@ -31,11 +31,29 @@ let settings = {
    exists:       true
 }

+
 //
 // Functions
 //

-// return a datetime YYYY.MM.DD
+/* return escaped html */
+function escape_html (string) {
+    let entity_map = {
+        '&': '&amp;',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        "'": '&#39;',
+        '/': '&#x2F;',
+        '`': '&#x60;',
+        '=': '&#x3D;'
+    };
+    return String(string).replace(/[&<>"'`=\/]/g, function (s) {
+        return entity_map[s];
+    });
+}
+
+/* return a datetime YYYY.MM.DD */
 function get_datetime() {
    let datetime = new Date();
    return ('0' +  datetime.getDate()).slice(-2)       + '.' +
@ -132,12 +150,13 @@ function render_response(data, td, set) {

        /* add/update name */
        if ('name' in data) {
+            let name = escape_html(data['name']);
            let c = String(value).substring(2,3);
            let div_special_name = $(td).find('div.special' + c + '_name');
            if (div_special_name.length == 0) {
-                $(td).append('<div class="special' + c + '_name three_lines">' + data['name'] + '</div>');
+                $(td).append('<div class="special' + c + '_name three_lines">' + name + '</div>');
            } else if (div_special_name.length == 1) {
-                div_special_name.html(data['name']);
+                div_special_name.html(name);
            }
        }
    }
@ -250,7 +269,7 @@ $(document).ready(function() {
                    let data = args['data'];
                    let td = args['td'];
                    if (response) {
-                        data['name'] = response['name'];
+                        data['name'] = response['name'].trim().substring(0, 79);
                    }
                    $.ajax({
                        type:     'POST',
--- a/coinmanager/coinc/static/coinc/styles.css
+++ b/coinmanager/coinc/static/coinc/styles.css
@ -145,7 +145,7 @@ div.two_lines {
 div.special1_name, div.special2_name, div.special3_name {
  display:     none;
  height:      40px;
-  width:       150px;
+  width:       146px;
  font-size:   1rem;
  font-weight: 400;
  line-height: 40px;