summaryrefslogtreecommitdiff
path: root/frontend.js
diff options
context:
space:
mode:
authorBenjamin Kiessling <mittagessen@l.unchti.me>2012-01-21 22:29:35 +0100
committerBenjamin Kiessling <mittagessen@l.unchti.me>2012-01-21 22:29:35 +0100
commitc58b5ac054240f36e0bf96e6754bfe195f0a659a (patch)
tree5e812376b27d05ffdd2785f1ed7ccadfd90632ce /frontend.js
parent3f59dcaa616f88f0627957bedfcab1e4a5548045 (diff)
Sanitize user input
Diffstat (limited to 'frontend.js')
-rw-r--r--frontend.js17
1 files changed, 13 insertions, 4 deletions
diff --git a/frontend.js b/frontend.js
index 90fc67a..30b5457 100644
--- a/frontend.js
+++ b/frontend.js
@@ -1,5 +1,6 @@
var path = require('path');
var fs = require('fs');
+var sanitize =require('validator').sanitize;
var model;
@@ -19,13 +20,16 @@ exports.start = function(config) {
var slideStr = '';
for(var slide in slides['slides']) {
if(!slides['slides'].hasOwnProperty(slide)) { continue; }
+ var media = sanitize(slides['slides'][slide]['file']).entityEncode();
if(slides['slides'][slide]['type'] === 'image') {
- slideStr = slideStr +'<li><img src="/'+slides['slides'][slide]['file']+'">';
+ slideStr = slideStr +'<li><img src="/'+media+'">';
}
if(slides['slides'][slide]['head'].length > 0) {
- slideStr = slideStr+'<div class="slideDesc"><div class="slideHead">'+slides['slides'][slide]['head']+'</div>';
+ var head = sanitize(slides['slides'][slide]['head']).xss();
+ slideStr = slideStr+'<div class="slideDesc"><div class="slideHead">'+head+'</div>';
if(slides['slides'][slide]['text'].length > 0) {
- slideStr = slideStr+'<div class="slideText">'+slides['slides'][slide]['text']+'</div>';
+ var text = sanitize(slides['slides'][slide]['text']).xss();
+ slideStr = slideStr+'<div class="slideText">'+text+'</div>';
}
slideStr = slideStr + '</div>';
}
@@ -40,7 +44,12 @@ exports.start = function(config) {
eventStr = eventStr + '<li class="eventEl">';
for(var evF in slides['events'][date][ev]) {
if(!slides['events'][date][ev].hasOwnProperty(evF)) { continue; }
- eventStr = eventStr + '<div class="eventField ' + evF + '">' + slides['events'][date][ev][evF] + '</div>';
+ if(typeof slides['events'][date][ev][evF] == 'string') {
+ var evClass = evF;
+ var evField = sanitize(slides['events'][date][ev][evF]).entityEncode();
+ var evField = evField.replace(/\\n/g, '<br/>');
+ eventStr = eventStr + '<div class="eventField ' + evClass + '">' + evField + '</div>';
+ }
}
eventStr = eventStr + '</li>';
}