From: Luigi Pinca Date: Tue, 17 Apr 2012 22:10:22 +0000 (+0200) Subject: fixed some problems related to HTML specials (& " < >) X-Git-Url: https://git.saalbach.dev/?a=commitdiff_plain;h=a549ec54a0e6a40da0eb24169fafd5ebb71ee338;p=binbsis50.git fixed some problems related to HTML specials (& " < >) --- diff --git a/package.json b/package.json index fc21ecd..e0b413a 100644 --- a/package.json +++ b/package.json @@ -1,15 +1,15 @@ { "name": "binb", "dependencies": { - "async": "latest", - "canvas": "latest", - "connect": "latest", - "connect-redis": "latest", - "express": "latest", - "express-form": "latest", - "jade": "latest", - "redis-url": "latest", - "socket.io": "latest" + "async": "0.1.x", + "canvas": "0.11.x", + "connect": "1.8.x", + "connect-redis": "1.3.x", + "express": "2.5.x", + "express-form": "0.6.x", + "jade": "0.24.x", + "redis-url": "0.1.x", + "socket.io": "0.9.x" }, "subdomain": "binb", "scripts": { @@ -18,5 +18,5 @@ "engines": { "node": "0.6.x" }, - "version": "0.3.0-1" + "version": "0.3.0-3" } \ No newline at end of file diff --git a/public/static/css/style.css b/public/static/css/style.css index e95c08f..ab0109e 100644 --- a/public/static/css/style.css +++ b/public/static/css/style.css @@ -384,6 +384,10 @@ input { #users li, #tracks li, #chat li { color: #404040; } +#users li { + height: 18px; + position: relative; +} #users .private { display: none; font-size: 9.75px; @@ -391,17 +395,10 @@ input { position: absolute; left: -19px; } -#users .private, #users .name, .gameover .name { - margin-right: 4px; -} -.registered, #users .round-rank { - display: inline-block; - vertical-align: middle; -} .registered, .round-rank { height: 16px; width: 16px; - margin-right:2px; + margin: 1px 2px 0px 0px; } .registered { background: url('/static/images/sprites.png') no-repeat 0px -16px; 
@@ -409,6 +406,9 @@ input { .registered:hover { background: url('/static/images/sprites.png') no-repeat -16px -16px; } +#users .name { + margin-right: 4px; +} #users .name, .registered { cursor: pointer; } @@ -429,7 +429,7 @@ input { } #users .guess-time { font-size: 11px; - line-height: 1px; + line-height: 18px; } #toggle-chat { position: absolute; @@ -550,7 +550,7 @@ input { background: -ms-linear-gradient(center top , #FBFBFB, #F5F5F5); background: linear-gradient(center top , #FBFBFB, #F5F5F5); } -#tracks img.artwork, #tracks .info, #tracks .round-rank, #tracks .round-points, #copy, #facebook-button, #twitter-button, #github-button { +.registered, #users .name, #users .points, .round-rank, .round-points, #users .guess-time, #tracks img.artwork, #tracks .info, #copy, #facebook-button, #twitter-button, #github-button { float:left; } #tracks img.artwork { diff --git a/public/static/js/room.js b/public/static/js/room.js index 0c6cb6e..aeee36f 100644 --- a/public/static/js/room.js +++ b/public/static/js/room.js @@ -21,10 +21,13 @@ 'Try again']; var DOM = {}; + String.prototype.encodeEntities = function() { + return this.replace(/&/g,'&').replace(//g,'>'); + }; + // Exact match version of jQuery :contains selector $.expr[":"].econtains = function(obj, index, meta, stack) { - return (obj.textContent || obj.innerText || - $(obj).text() || "").toLowerCase() === meta[3].toLowerCase(); + return $(obj).html() === meta[0].replace(/^[\s\S]+:econtains\(([\s\S]+)\)$/, "$1"); }; // Prompt for name and send it. @@ -199,7 +202,7 @@ var found = false; for (var i=0; i'); + var li = $('
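Review bot: As rendered here the new `String.prototype.encodeEntities` body reads `replace(/&/g,'&').replace(//g,'>')`, which is a no-op for `&` and an empty regex for the second call; the page has evidently decoded the entity strings, so please confirm the committed helper maps `&`, `<`, `>` and `"` to `&amp;`, `&lt;`, `&gt;` and `&quot;` with the `&` replacement first, since the commit title promises all four and the `-429` hunk in this file now depends on it for `playername`. Adding the helper to `String.prototype` changes every string on the page; a module-local `function encodeEntities(s) { … }` does the same job without mutating a shared native prototype. In the rewritten `:econtains` pseudo-selector, `meta[0]` is the raw selector text and the argument is recovered with `replace(/^[\s\S]+:econtains\(([\s\S]+)\)$/, "$1")`, which only works if `meta[0]` has at least one character before `:econtains` and the name contains no `)`; if the selector engine hands over just `:econtains(name)`, the anchored `[\s\S]+` never matches and the untouched string is compared against `$(obj).html()`, so the lookup silently fails. The `-266` and `-279` hunks build `span.name:econtains(…)` by concatenating a user-supplied name into a selector, which is the fragile part; filtering avoids selector parsing entirely: `var el = $("span.name").filter(function() { return $(this).text() === usrname; });`.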
  • '); var pvt = $('P'); var username = $('').text(user.nickname); var points = $('('+user.points+')'); @@ -208,7 +211,7 @@ var guesstime = $(''); li.append(pvt, username, points, roundrank, roundpointsel, guesstime); if (user.registered) { - var href = 'href="/user/'+username.text().replace(/"/g, """)+'"'; + var href = 'href="/user/'+encodeURI(username.html())+'"'; pvt.after(''); } DOM.users.append(li); @@ -266,7 +269,7 @@ var width = DOM.recipient.outerWidth(true) + 1; DOM.recipient.hide(); DOM.messagebox.animate({'width':'-='+width+'px'}, "fast", function() {DOM.recipient.show();}); - var el = $("span.name:econtains("+usrname+")"); + var el = $("span.name:econtains("+usrname.encodeEntities()+")"); el.prevAll(".private").show(); el.unbind('click'); el.click(clearPrivate); @@ -279,7 +282,7 @@ DOM.recipient.css('margin-right','0'); DOM.recipient.text(""); DOM.messagebox.animate({'width':'+='+width+'px'}, "fast"); - var el = $("span.name:econtains("+pvtmsgto+")"); + var el = $("span.name:econtains("+pvtmsgto.encodeEntities()+")"); el.prevAll(".private").hide(); el.unbind("click"); el.click(function() { @@ -429,8 +432,7 @@ html += ''; for(var i=0;i<3;i++) { if (data.users[i]) { - var playername = data.users[i].nickname.replace(//g, ">").replace(/"/g, """); + var playername = data.users[i].nickname.encodeEntities(); html += '
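Review bot: In the `-208` hunk, `encodeURI(username.html())` does not yield a safe path segment: `username.html()` returns the entity-encoded nickname (the `.text()` setter escapes it), and `encodeURI` leaves `&`, `#`, `?` and `/` untouched, so the `&amp;` survives into the attribute where the HTML parser decodes it back to `&`, and a nickname containing `/`, `?` or `#` still changes or truncates the requested path. Encode the raw nickname as a single path component instead, which also removes every `"` before it is spliced into the attribute string: `var href = 'href="/user/'+encodeURIComponent(user.nickname)+'"';`. Since `href` is still concatenated into a raw markup string for `pvt.after(...)`, building the anchor with `$('<a>').attr('href', '/user/' + encodeURIComponent(user.nickname))` (other attributes as in the original) would drop the hand-escaping altogether; the enclosing function starts before this hunk.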
    '; html += ''+playername+''; html += ''+data.users[i].points+''; @@ -709,7 +711,7 @@ } }, swfPath: "/static/swf/", - solution: "flash, html", + //solution: "flash, html", supplied: "m4a", preload: "auto", volume: 1 diff --git a/server.js b/server.js index 2e851d2..ab49e0e 100644 --- a/server.js +++ b/server.js @@ -34,7 +34,7 @@ http.set('view engine', 'jade'); // Routes http.get("/", function(req, res) { if (req.session.user) { - res.local('loggedin', req.session.user); + res.local('loggedin', req.session.user.replace(/&/g, "&")); } res.render("index", {rooms:config.rooms}); }); @@ -220,7 +220,7 @@ http.get("/artworks", function(req, res) { http.get("/:room", function(req, res) { if (config.rooms.indexOf(req.params.room) !== -1) { if (req.session.user) { - res.local('loggedin', req.session.user); + res.local('loggedin', req.session.user.replace(/&/g, "&")); } res.render("room", {roomname:req.params.room,rooms:config.rooms}); } @@ -234,6 +234,7 @@ http.get("/user/*", function(req, res) { usersdb.exists(key, function(err, data) { if (data === 1) { usersdb.hgetall(key, function(e, obj) { + obj.username = obj.username.replace(/&/g, "&"); obj.bestguesstime = (obj.bestguesstime/1000).toFixed(1); obj.worstguesstime = (obj.worstguesstime/1000).toFixed(1); if (obj.guessed !== "0") {
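Review bot: The three `server.js` hunks (`-34`, `-220`, `-234`) escape only `&` on `req.session.user` and `obj.username` inside the route handlers, and as rendered the replacement is `replace(/&/g, "&")`, a no-op — presumably `&amp;` in the committed file, please confirm. Escaping in the handler rather than the view couples the two: if the jade templates emit `loggedin`/`username` through their escaping output form this produces `&amp;amp;`, and if they use the unescaped form then `<`, `>` and `"` still reach the page with only `&` handled. Pick one place — leave the values raw in `res.local` and let the template escape, or apply the same four-character helper used in `room.js` — and add a comment at the first call site such as `// loggedin is rendered unescaped by the view; encode here` so the next reader knows which contract holds. The `-234` hunk mutates `obj.username` on the object returned by `hgetall`, which appears to be a per-request copy, so that is likely fine; the enclosing callbacks start before and end after these hunks.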