From 14cc8b7827c4fd9292650d2e2f205094b9db96fb Mon Sep 17 00:00:00 2001
From: Pavel Djundik
Date: Sat, 28 Apr 2018 11:19:49 +0300
Subject: [PATCH] Use attr() on user-controlled data

See https://www.reddit.com/r/javascript/comments/8f57i1/psa_there_are_over_1000_people_in_the_us_named/dy0rib2/
---
 client/js/contextMenu.js | 4 ++--
 client/js/contextMenuFactory.js | 30 +++++++++++++++---------------
 client/js/lounge.js | 8 ++++----
 client/js/options.js | 2 +-
 client/js/render.js | 2 +-
 client/js/socket-events/nick.js | 2 +-
 client/js/socket-events/quit.js | 2 +-
 client/js/utils.js | 2 +-
 8 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/client/js/contextMenu.js b/client/js/contextMenu.js
index 229c6e02..b5008f75 100644
--- a/client/js/contextMenu.js
+++ b/client/js/contextMenu.js
@@ -27,8 +27,8 @@ module.exports = class ContextMenu {
 contextMenu.find(".context-menu-item").on("click", function() {
 const $this = $(this);
- const itemData = $this.data("data");
- const contextAction = $this.data("action");
+ const itemData = $this.attr("data-data");
+ const contextAction = $this.attr("data-action");
 contextMenuActions.execute(contextAction, itemData);
 });
 }
diff --git a/client/js/contextMenuFactory.js b/client/js/contextMenuFactory.js
index ed0e3389..10cf0ec0 100644
--- a/client/js/contextMenuFactory.js
+++ b/client/js/contextMenuFactory.js
@@ -20,7 +20,7 @@ addDefaultItems();
 * addContextMenuItem({
 * check: (target) => target.hasClass("user"),
 * className: "customItemName",
- * data: (target) => target.data("name"),
+ * data: (target) => target.attr("data-name"),
 * displayName: "Do something",
 * callback: (name) => console.log(name), // print the name of the user to console
 * });
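Review bot: The two `.attr("data-…")` reads in the contextMenu.js click handler carry no comment saying why `.data()` must not be used there, so a later cleanup could quietly switch them back. jQuery's `.data()` converts attribute strings such as "null", "true" or digit-only values into typed values, which is the failure the linked thread describes for nicks that look like those literals. I would add `// Read the raw attribute: .data() would coerce strings like "null" or "123"` above `const itemData`. The same one-line comment fits the other converted reads of nick and channel values in lounge.js, render.js and utils.js. The handler sits inside a method that starts outside the hunk.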
@@ -67,8 +67,8 @@ function addWhoisItem() { addContextMenuItem({ check: (target) => target.hasClass("user"), className: "user", - displayName: (target) => target.data("name"), - data: (target) => target.data("name"), + displayName: (target) => target.attr("data-name"), + data: (target) => target.attr("data-name"), callback: whois, }); @@ -80,7 +80,7 @@ function addWhoisItem() { check: (target) => target.hasClass("user"), className: "action-whois", displayName: "User information", - data: (target) => target.data("name"), + data: (target) => target.attr("data-name"), callback: whois, }); } @@ -103,7 +103,7 @@ function addQueryItem() { check: (target) => target.hasClass("user"), className: "action-query", displayName: "Direct messages", - data: (target) => target.data("name"), + data: (target) => target.attr("data-name"), callback: query, }); } @@ -120,7 +120,7 @@ function addKickItem() { check: (target) => utils.hasRoleInChannel(target.closest(".chan"), ["op"]) && target.closest(".chan").data("type") === "channel", className: "action-kick", displayName: "Kick", - data: (target) => target.data("name"), + data: (target) => target.attr("data-name"), callback: kick, }); } @@ -136,10 +136,10 @@ function addOpItem() { addContextMenuItem({ check: (target) => utils.hasRoleInChannel(target.closest(".chan"), ["op"]) && - !utils.hasRoleInChannel(target.closest(".chan"), ["op"], target.data("name")), + !utils.hasRoleInChannel(target.closest(".chan"), ["op"], target.attr("data-name")), className: "action-op", displayName: "Give operator (+o)", - data: (target) => target.data("name"), + data: (target) => target.attr("data-name"), callback: op, }); } 
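Review bot: The accessor `(target) => target.attr("data-name")` is now written out separately in every menu item of contextMenuFactory.js (addWhoisItem, addQueryItem, addKickItem and addOpItem in these hunks, addDeopItem, addVoiceItem and addDevoiceItem in the following ones), so any future change to how the nick is read has to touch every copy and one missed copy reintroduces the coercion. A single module-level helper, `const getNick = (target) => target.attr("data-name");`, used for `data:`, `displayName:` and as the third argument to `utils.hasRoleInChannel`, would keep the raw-attribute rule in one place. The functions shown here start and end outside their hunks.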
@@ -155,10 +155,10 @@ function addDeopItem() {
 addContextMenuItem({
 check: (target) =>
 utils.hasRoleInChannel(target.closest(".chan"), ["op"]) &&
- utils.hasRoleInChannel(target.closest(".chan"), ["op"], target.data("name")),
+ utils.hasRoleInChannel(target.closest(".chan"), ["op"], target.attr("data-name")),
 className: "action-op",
 displayName: "Revoke operator (-o)",
- data: (target) => target.data("name"),
+ data: (target) => target.attr("data-name"),
 callback: deop,
 });
 }
@@ -174,10 +174,10 @@ function addVoiceItem() {
 addContextMenuItem({
 check: (target) =>
 utils.hasRoleInChannel(target.closest(".chan"), ["op"]) &&
- !utils.hasRoleInChannel(target.closest(".chan"), ["voice"], target.data("name")),
+ !utils.hasRoleInChannel(target.closest(".chan"), ["voice"], target.attr("data-name")),
 className: "action-voice",
 displayName: "Give voice (+v)",
- data: (target) => target.data("name"),
+ data: (target) => target.attr("data-name"),
 callback: voice,
 });
 }
@@ -193,10 +193,10 @@ function addDevoiceItem() {
 addContextMenuItem({
 check: (target) =>
 utils.hasRoleInChannel(target.closest(".chan"), ["op"]) &&
- utils.hasRoleInChannel(target.closest(".chan"), ["voice"], target.data("name")),
+ utils.hasRoleInChannel(target.closest(".chan"), ["voice"], target.attr("data-name")),
 className: "action-voice",
 displayName: "Revoke voice (-v)",
- data: (target) => target.data("name"),
+ data: (target) => target.attr("data-name"),
 callback: devoice,
 });
 }
@@ -220,7 +220,7 @@ function addFocusItem() {
 check: (target) => target.hasClass("chan"),
 className: getClass,
 displayName: (target) => target.attr("aria-label"),
- data: (target) => target.data("target"),
+ data: (target) => target.attr("data-target"),
 callback: focusChan,
 });
diff --git a/client/js/lounge.js b/client/js/lounge.js
index c989a0e4..d73baa74 100644
--- a/client/js/lounge.js
+++ b/client/js/lounge.js
@@ -142,7 +142,7 @@ $(function() {
 });
 chat.on("click", ".inline-channel", function() {
- const name = $(this).data("chan");
+ const name = $(this).attr("data-chan");
 const chan = utils.findCurrentNetworkChan(name);
 if (chan.length) {
@@ -161,7 +161,7 @@ $(function() {
 const openWindow = function openWindow(e, {keepSidebarOpen, pushState, replaceHistory} = {}) {
 const self = $(this);
- const target = self.data("target");
+ const target = self.attr("data-target");
 if (!target) {
 return false;
@@ -248,7 +248,7 @@ $(function() {
 if (self.hasClass("chan")) {
 $("#chat-container").addClass("active");
- $("#nick").text(self.closest(".network").data("nick"));
+ $("#nick").text(self.closest(".network").attr("data-nick"));
 }
 const chanChat = chan.find(".chat");
@@ -342,7 +342,7 @@ $(function() {
 check: (target) => target.hasClass("chan"),
 className: "close",
 displayName: getCloseDisplay,
- data: (target) => target.data("target"),
+ data: (target) => target.attr("data-target"),
 callback: (itemData) => closeChan($(`.networks .chan[data-target="${itemData}"]`)),
 });
diff --git a/client/js/options.js b/client/js/options.js
index 4acff12e..02b3676a 100644
--- a/client/js/options.js
+++ b/client/js/options.js
@@ -37,7 +37,7 @@ const settings = {
 notifyAllMessages: false,
 showSeconds: false,
 statusMessages: "condensed",
- theme: $("#theme").data("server-theme"),
+ theme: $("#theme").attr("data-server-theme"),
 media: true,
 userStyles: "",
 };
diff --git a/client/js/render.js b/client/js/render.js
index 6986a8b5..a8363382 100644
--- a/client/js/render.js
+++ b/client/js/render.js
@@ -189,7 +189,7 @@ function renderChannelUsers(data) {
 // We need to un-highlight everything first because triggering `input` with
 // a value highlights the first entry.
 users.find(".user").removeClass("active");
- users.find(`.user[data-name="${previouslyActive.data("name")}"]`).addClass("active");
+ users.find(`.user[data-name="${previouslyActive.attr("data-name")}"]`).addClass("active");
 }
 return users;
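Review bot: In the lounge.js close item's callback, `itemData` goes into `.networks .chan[data-target="${itemData}"]` unescaped, and the render.js hunk in renderChannelUsers does the same with the nick in `.user[data-name="${…}"]`. A value containing a backslash or a double quote changes what the selector matches or makes it invalid, whereas `hasRoleInChannel` in utils.js wraps the nick in `escape(...)` before building the same kind of selector (that helper is defined outside the visible hunks, so what it escapes should be confirmed). For render.js I would compare the attribute value instead of building a selector: `const name = previouslyActive.attr("data-name");` followed by `users.find(".user").filter((i, el) => el.getAttribute("data-name") === name).addClass("active");`. Both spots belong to functions that start outside their hunks.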
diff --git a/client/js/socket-events/nick.js b/client/js/socket-events/nick.js
index 71ac1f65..bb3b1ae5 100644
--- a/client/js/socket-events/nick.js
+++ b/client/js/socket-events/nick.js
@@ -6,7 +6,7 @@ const socket = require("../socket");
 socket.on("nick", function(data) {
 const id = data.network;
 const nick = data.nick;
- const network = $(`#sidebar .network[data-uuid="${id}"]`).data("nick", nick);
+ const network = $(`#sidebar .network[data-uuid="${id}"]`).attr("data-nick", nick);
 if (network.find(".active").length) {
 $("#nick").text(nick);
diff --git a/client/js/socket-events/quit.js b/client/js/socket-events/quit.js
index df98b399..18365448 100644
--- a/client/js/socket-events/quit.js
+++ b/client/js/socket-events/quit.js
@@ -11,7 +11,7 @@ socket.on("quit", function(data) {
 network.children(".chan").each(function() {
 // this = child
- chat.find($(this).data("target")).remove();
+ chat.find($(this).attr("data-target")).remove();
 });
 network.remove();
diff --git a/client/js/utils.js b/client/js/utils.js
index 5c63891d..ceecb05b 100644
--- a/client/js/utils.js
+++ b/client/js/utils.js
@@ -48,7 +48,7 @@ function hasRoleInChannel(channel, roles, nick) {
 const channelID = channel.data("id");
 const network = $("#sidebar .network").has(`.chan[data-id="${channelID}"]`);
- const target = nick || network.data("nick");
+ const target = nick || network.attr("data-nick");
 const user = channel.find(`.names-original .user[data-name="${escape(target)}"]`).first();
 return user.parent().is("." + roles.join(", ."));
 }
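Review bot: In the nick.js handler, writing the nick with `.attr("data-nick", nick)` does not update jQuery's data cache, so any code that has already read `.data("nick")` on this element keeps getting the old nick after a rename. The readers visible in this commit (lounge.js and utils.js) were switched to `.attr("data-nick")`; whether other readers remain cannot be seen from the diff, so a search for `data("nick")` across the client is worth doing before merge. A comment on the changed line, `// stored as an attribute: read it back with .attr("data-nick"), not .data()`, would record the rule for later edits.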