Prevent link exploit
parent
95df0ccec7
commit
0e7d3b93cd
2
client/js/libs.min.js
vendored
2
client/js/libs.min.js
vendored
File diff suppressed because one or more lines are too long
@ -1,9 +1,10 @@
|
|||||||
function escape(text) {
|
function escape(text) {
|
||||||
var e = {
|
var e = {
|
||||||
"<": "<",
|
"<": "<",
|
||||||
">": ">"
|
">": ">",
|
||||||
|
"'": """
|
||||||
};
|
};
|
||||||
return text.replace(/[<>]/g, function (c) {
|
return text.replace(/[<>']/g, function (c) {
|
||||||
return e[c];
|
return e[c];
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
@ -18,9 +19,12 @@ Handlebars.registerHelper(
|
|||||||
text = escape(text);
|
text = escape(text);
|
||||||
for (var i in urls) {
|
for (var i in urls) {
|
||||||
var url = escape(urls[i]);
|
var url = escape(urls[i]);
|
||||||
|
var replace = url;
|
||||||
|
if (url.indexOf("javascript:") !== 0) {
|
||||||
|
replace = "<a href='" + url.replace(/^www/, "//www") + "' target='_blank'>" + url + "</a>";
|
||||||
|
}
|
||||||
text = text.replace(
|
text = text.replace(
|
||||||
"$(" + i + ")",
|
"$(" + i + ")", replace
|
||||||
"<a href='" + url.replace(/^www/, "//www") + "' target='_blank'>" + url + "</a>"
|
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
return text;
|
return text;
|
||||||
|
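Review bot: The `url.indexOf("javascript:") !== 0` guard in the second hunk is a case-sensitive denylist of a single scheme, so it does not cover other casings or other script-capable schemes, and those values still reach the `href`. How `urls` is populated is outside the hunk, so the input may already be constrained upstream, but the helper should not depend on that. Prefer an allowlist of what the client actually means to linkify, for example `if (/^(?:https?:\/\/|www\.)/i.test(url)) {`, and leave everything else as escaped plain text. Since the anchor opens with `target='_blank'`, adding `rel='noopener noreferrer'` on the same line would also keep the opened page from reaching back through `window.opener`. The enclosing Handlebars helper starts before the hunk, so this is based only on the lines shown.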