commit 1b5b3d614ee2fddfaf046ca02059db5441ff2a91 Author: Sherief Alaa sheriefalaa.w@gmail.com Date: Tue Jun 17 13:44:43 2014 +0300
using .text() instead of .html() to prevent xss attacks --- webchat/templates/tokens.html | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/webchat/templates/tokens.html b/webchat/templates/tokens.html index db6ab73..a6f297f 100644 --- a/webchat/templates/tokens.html +++ b/webchat/templates/tokens.html @@ -9,15 +9,8 @@ <script type="text/javascript" src="/static/js/jquery.min.js"></script> <script src="/static/js/bootstrap.min.js"></script> <script type="text/javascript"> - $(document).ready (function (){ - $(".comment").html(function(){ - $(this).html($(this).text().substring(0,35) - + ' <span data-toggle="modal" data-target="#comment-modal" style="color:blue; font-size:80%;"> Read more..</span>'); - }); - }); - function full_comment(id){ - $(".comment-modal-body").html($("#full-comment-" + id).val()); + $(".comment-modal-body").text($("#full-comment-" + id).val()); } </script> {% endblock script %} @@ -54,7 +47,13 @@ <td><input name="selected_list" type="checkbox" value="{{token.token}}"></td> <td>https://%7B%7Burl%7D%7D/chat/%7B%7Btoken.token%7D%7D</td> <td>{{token.expires_at|date:"Y-m-d G:i"}}</td> - <td class="comment" onclick="full_comment({{token.t_id}});">{{token.comment}}</td> + <td class="comment" onclick="full_comment({{token.t_id}});"> + {{token.comment|truncatechars:35}} + + {% if token.comment|length > 35 %} + <span data-toggle="modal" data-target="#comment-modal" style="color:blue; font-size:80%;"> more</span> + {% endif %} + </td> </tr> <input id="full-comment-{{token.t_id}}" type="hidden" value="{{token.comment}}"> {% endfor %}
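Review bot: The new `.text()` call in full_comment still builds the jQuery selector from the caller-supplied id (`"#full-comment-" + id`), so the function is only safe while every caller passes a plain integer; if `token.t_id` could ever be a non-numeric value the concatenated string becomes a selector-injection surface, and `.val()` on an empty match returns undefined, which jQuery's `.text()` treats as a getter, leaving the modal showing the previous token's comment. Resolving the element by id sidesteps both: `var el = document.getElementById("full-comment-" + id);` then `$(".comment-modal-body").text(el ? el.value : "");`. The switch from `.html()` to `.text()` is the right fix for the original XSS, since `.val()` hands back the already-unescaped comment. full_comment's declaration and closing brace are context lines in this hunk, so the whole function is visible.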
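Review bot: The rewritten `<td>` still passes `{{token.t_id}}` straight into an inline `onclick="full_comment(...)"` handler, a JavaScript context where Django's HTML autoescaping does not apply; this is harmless if t_id is an integer primary key but would be a script-injection point if it were ever user-controlled text, and it cannot be covered by a CSP that forbids inline handlers. A data attribute keeps the value out of the JS context: `<td class="comment" data-id="{{token.t_id}}">` with the click bound once in the script block via `$(".comment").on("click", function(){ full_comment($(this).data("id")); });`. Note also that both `{{token.comment|truncatechars:35}}` and the hidden input's `value="{{token.comment}}"` rely on autoescaping being on for this template, which the visible lines do not confirm; a comment above the loop recording that assumption would help the next maintainer.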