[tor-commits] [pups/master] using .text() instead of .html() to prevent xss attacks

[lunar at torproject.org]

commit 1b5b3d614ee2fddfaf046ca02059db5441ff2a91
Author: Sherief Alaa <sheriefalaa.w at gmail.com>
Date:   Tue Jun 17 13:44:43 2014 +0300

    using .text() instead of .html() to prevent xss attacks
---
 webchat/templates/tokens.html |   17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/webchat/templates/tokens.html b/webchat/templates/tokens.html
index db6ab73..a6f297f 100644
--- a/webchat/templates/tokens.html
+++ b/webchat/templates/tokens.html
@@ -9,15 +9,8 @@
   <script type="text/javascript" src="/static/js/jquery.min.js"></script>
   <script src="/static/js/bootstrap.min.js"></script>
   <script type="text/javascript">
-  $(document).ready (function (){
-    $(".comment").html(function(){
-      $(this).html($(this).text().substring(0,35) 
-        + ' <span data-toggle="modal" data-target="#comment-modal" style="color:blue; font-size:80%;"> Read more..</span>');
-    });
-  });
-
     function full_comment(id){
-      $(".comment-modal-body").html($("#full-comment-" + id).val());
+      $(".comment-modal-body").text($("#full-comment-" + id).val());
     }
   </script>
 {% endblock script %}
@@ -54,7 +47,13 @@
       <td><input name="selected_list" type="checkbox" value="{{token.token}}"></td>
       <td>https://{{url}}/chat/{{token.token}}</td>
       <td>{{token.expires_at|date:"Y-m-d G:i"}}</td>
-      <td class="comment" onclick="full_comment({{token.t_id}});">{{token.comment}}</td>
+      <td class="comment" onclick="full_comment({{token.t_id}});">
+        {{token.comment|truncatechars:35}}
+
+        {% if token.comment|length > 35 %}
+          <span data-toggle="modal" data-target="#comment-modal" style="color:blue; font-size:80%;"> more</span>
+        {% endif %}
+      </td>
     </tr>
     <input id="full-comment-{{token.t_id}}" type="hidden" value="{{token.comment}}">
  {% endfor %}