Use attr() on user-controlled data

See https://www.reddit.com/r/javascript/comments/8f57i1/psa_there_are_over_1000_people_in_the_us_named/dy0rib2/
2018-04-28 11:19:49 +03:00 · 2018-04-28 11:19:49 +03:00 · 14cc8b7827
commit 14cc8b7827
parent 2ea6446323
8 changed files with 26 additions and 26 deletions
--- a/client/js/contextMenu.js
+++ b/client/js/contextMenu.js
@ -27,8 +27,8 @@ module.exports = class ContextMenu {

 		contextMenu.find(".context-menu-item").on("click", function() {
 			const $this = $(this);
-			const itemData = $this.data("data");
-			const contextAction = $this.data("action");
+			const itemData = $this.attr("data-data");
+			const contextAction = $this.attr("data-action");
 			contextMenuActions.execute(contextAction, itemData);
 		});
 	}
--- a/client/js/contextMenuFactory.js
+++ b/client/js/contextMenuFactory.js
@ -20,7 +20,7 @@ addDefaultItems();
 * addContextMenuItem({
 * 		check: (target) => target.hasClass("user"),
 * 		className: "customItemName",
- * 	 	data: (target) => target.data("name"),
+ * 	 	data: (target) => target.attr("data-name"),
 * 	 	displayName: "Do something",
 * 	 	callback: (name) => console.log(name), // print the name of the user to console
 * });
@ -67,8 +67,8 @@ function addWhoisItem() {
 	addContextMenuItem({
 		check: (target) => target.hasClass("user"),
 		className: "user",
-		displayName: (target) => target.data("name"),
-		data: (target) => target.data("name"),
+		displayName: (target) => target.attr("data-name"),
+		data: (target) => target.attr("data-name"),
 		callback: whois,
 	});

@ -80,7 +80,7 @@ function addWhoisItem() {
 		check: (target) => target.hasClass("user"),
 		className: "action-whois",
 		displayName: "User information",
-		data: (target) => target.data("name"),
+		data: (target) => target.attr("data-name"),
 		callback: whois,
 	});
 }
@ -103,7 +103,7 @@ function addQueryItem() {
 		check: (target) => target.hasClass("user"),
 		className: "action-query",
 		displayName: "Direct messages",
-		data: (target) => target.data("name"),
+		data: (target) => target.attr("data-name"),
 		callback: query,
 	});
 }
@ -120,7 +120,7 @@ function addKickItem() {
 		check: (target) => utils.hasRoleInChannel(target.closest(".chan"), ["op"]) && target.closest(".chan").data("type") === "channel",
 		className: "action-kick",
 		displayName: "Kick",
-		data: (target) => target.data("name"),
+		data: (target) => target.attr("data-name"),
 		callback: kick,
 	});
 }
@ -136,10 +136,10 @@ function addOpItem() {
 	addContextMenuItem({
 		check: (target) =>
 			utils.hasRoleInChannel(target.closest(".chan"), ["op"]) &&
-			!utils.hasRoleInChannel(target.closest(".chan"), ["op"], target.data("name")),
+			!utils.hasRoleInChannel(target.closest(".chan"), ["op"], target.attr("data-name")),
 		className: "action-op",
 		displayName: "Give operator (+o)",
-		data: (target) => target.data("name"),
+		data: (target) => target.attr("data-name"),
 		callback: op,
 	});
 }
@ -155,10 +155,10 @@ function addDeopItem() {
 	addContextMenuItem({
 		check: (target) =>
 			utils.hasRoleInChannel(target.closest(".chan"), ["op"]) &&
-			utils.hasRoleInChannel(target.closest(".chan"), ["op"], target.data("name")),
+			utils.hasRoleInChannel(target.closest(".chan"), ["op"], target.attr("data-name")),
 		className: "action-op",
 		displayName: "Revoke operator (-o)",
-		data: (target) => target.data("name"),
+		data: (target) => target.attr("data-name"),
 		callback: deop,
 	});
 }
@ -174,10 +174,10 @@ function addVoiceItem() {
 	addContextMenuItem({
 		check: (target) =>
 			utils.hasRoleInChannel(target.closest(".chan"), ["op"]) &&
-			!utils.hasRoleInChannel(target.closest(".chan"), ["voice"], target.data("name")),
+			!utils.hasRoleInChannel(target.closest(".chan"), ["voice"], target.attr("data-name")),
 		className: "action-voice",
 		displayName: "Give voice (+v)",
-		data: (target) => target.data("name"),
+		data: (target) => target.attr("data-name"),
 		callback: voice,
 	});
 }
@ -193,10 +193,10 @@ function addDevoiceItem() {
 	addContextMenuItem({
 		check: (target) =>
 			utils.hasRoleInChannel(target.closest(".chan"), ["op"]) &&
-			utils.hasRoleInChannel(target.closest(".chan"), ["voice"], target.data("name")),
+			utils.hasRoleInChannel(target.closest(".chan"), ["voice"], target.attr("data-name")),
 		className: "action-voice",
 		displayName: "Revoke voice (-v)",
-		data: (target) => target.data("name"),
+		data: (target) => target.attr("data-name"),
 		callback: devoice,
 	});
 }
@ -220,7 +220,7 @@ function addFocusItem() {
 		check: (target) => target.hasClass("chan"),
 		className: getClass,
 		displayName: (target) => target.attr("aria-label"),
-		data: (target) => target.data("target"),
+		data: (target) => target.attr("data-target"),
 		callback: focusChan,
 	});

--- a/client/js/lounge.js
+++ b/client/js/lounge.js
@ -142,7 +142,7 @@ $(function() {
 	});

 	chat.on("click", ".inline-channel", function() {
-		const name = $(this).data("chan");
+		const name = $(this).attr("data-chan");
 		const chan = utils.findCurrentNetworkChan(name);

 		if (chan.length) {
@ -161,7 +161,7 @@ $(function() {

 	const openWindow = function openWindow(e, {keepSidebarOpen, pushState, replaceHistory} = {}) {
 		const self = $(this);
-		const target = self.data("target");
+		const target = self.attr("data-target");

 		if (!target) {
 			return false;
@ -248,7 +248,7 @@ $(function() {

 		if (self.hasClass("chan")) {
 			$("#chat-container").addClass("active");
-			$("#nick").text(self.closest(".network").data("nick"));
+			$("#nick").text(self.closest(".network").attr("data-nick"));
 		}

 		const chanChat = chan.find(".chat");
@ -342,7 +342,7 @@ $(function() {
 		check: (target) => target.hasClass("chan"),
 		className: "close",
 		displayName: getCloseDisplay,
-		data: (target) => target.data("target"),
+		data: (target) => target.attr("data-target"),
 		callback: (itemData) => closeChan($(`.networks .chan[data-target="${itemData}"]`)),
 	});

--- a/client/js/options.js
+++ b/client/js/options.js
@ -37,7 +37,7 @@ const settings = {
 	notifyAllMessages: false,
 	showSeconds: false,
 	statusMessages: "condensed",
-	theme: $("#theme").data("server-theme"),
+	theme: $("#theme").attr("data-server-theme"),
 	media: true,
 	userStyles: "",
 };
--- a/client/js/render.js
+++ b/client/js/render.js
@ -189,7 +189,7 @@ function renderChannelUsers(data) {
 		// We need to un-highlight everything first because triggering `input` with
 		// a value highlights the first entry.
 		users.find(".user").removeClass("active");
-		users.find(`.user[data-name="${previouslyActive.data("name")}"]`).addClass("active");
+		users.find(`.user[data-name="${previouslyActive.attr("data-name")}"]`).addClass("active");
 	}

 	return users;
--- a/client/js/socket-events/nick.js
+++ b/client/js/socket-events/nick.js
@ -6,7 +6,7 @@ const socket = require("../socket");
 socket.on("nick", function(data) {
 	const id = data.network;
 	const nick = data.nick;
-	const network = $(`#sidebar .network[data-uuid="${id}"]`).data("nick", nick);
+	const network = $(`#sidebar .network[data-uuid="${id}"]`).attr("data-nick", nick);

 	if (network.find(".active").length) {
 		$("#nick").text(nick);
--- a/client/js/socket-events/quit.js
+++ b/client/js/socket-events/quit.js
@ -11,7 +11,7 @@ socket.on("quit", function(data) {

 	network.children(".chan").each(function() {
 		// this = child
-		chat.find($(this).data("target")).remove();
+		chat.find($(this).attr("data-target")).remove();
 	});

 	network.remove();
--- a/client/js/utils.js
+++ b/client/js/utils.js
@ -48,7 +48,7 @@ function hasRoleInChannel(channel, roles, nick) {

 	const channelID = channel.data("id");
 	const network = $("#sidebar .network").has(`.chan[data-id="${channelID}"]`);
-	const target = nick || network.data("nick");
+	const target = nick || network.attr("data-nick");
 	const user = channel.find(`.names-original .user[data-name="${escape(target)}"]`).first();
 	return user.parent().is("." + roles.join(", ."));
 }