sanitizing added

12 years ago · 1800397fcf
2 changed files with 12 additions and 4 deletions
--- a/resources/public/js/main.js
+++ b/resources/public/js/main.js
@ -51,8 +51,10 @@ function onLoad() {
				@@ -51,8 +51,10 @@ function onLoad() {

  if(window.innerHeight >= document.body.clientHeight) {
    var links = $("links");
-    links.style.position = "fixed";
-    links.style.bottom = 0;
+    if(links) {
+      links.style.position = "fixed";
+      links.style.bottom = 0;
+    }
  }

 }
--- a/src/NoteHub/views/pages.clj
+++ b/src/NoteHub/views/pages.clj
@ -40,6 +40,11 @@
				@@ -40,6 +40,11 @@
    (if-not (get-setting :dev-mode) (include-js "/js/google-analytics.js"))]
   [:body {:onload "onLoad()"} content]))

+(defn sanitize
+  "Breakes all usages of <script> & <iframe>"
+  [input]
+  (sreplace input #"(</?(iframe|script).*?>|javascript:)" ""))
+
 ; Sets a custom message for each needed HTTP status.
 ; The message to be assigned is extracted with a dynamically generated key
 (doseq [code [400 403 404 500]]
@ -102,9 +107,10 @@
				@@ -102,9 +107,10 @@
 (defpage "/:year/:month/:day/:title" {:keys [year month day title] :as params}
  (let [noteID (api/build-key [year month day] title)]
    (when (storage/note-exists? noteID)
-      (let [note (api/get-note noteID)]
+      (let [note (api/get-note noteID)
+            sanitized-note (sanitize (:note note))]
        (layout (:title note)
-                (md-node :article.bottom-space (:note note))
+                (md-node :article.bottom-space sanitized-note)
                (let [urls {:short-url (api/url (storage/create-short-url noteID params))
                            :notehub "/"}
                      links (map #(link-to