Added stricter URL filtering to prevent DOM Based XSS when the tree view is enabled

8ba739ad · Dimitri van Heesch · 385b87e0 · 8ba739ad
Commit 8ba739ad authored Apr 19, 2014 by Dimitri van Heesch
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 18 deletions

navtree.js src/navtree.js +28 -18

No files found.
--- a/src/navtree.js
+++ b/src/navtree.js
-var SYNCONMSG = 'click to disable panel synchronisation';
-var SYNCOFFMSG = 'click to enable panel synchronisation';
 var navTreeSubIndices = new Array();
 function getData(varName)
@@ -22,6 +20,21 @@ function stripPath2(uri)
  return m ? uri.substring(i-6) : s;
 }
+function hashValue()
+{
+  return $(location).attr('hash').substring(1).replace(/[^\w\-]/g,'');
+}
+function hashUrl()
+{
+  return '#'+hashValue();
+}
+function pathName()
+{
+  return $(location).attr('pathname').replace(/[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]/g, '');
+}
 function localStorageSupported()
 {
  try {
@@ -44,7 +57,7 @@ function deleteLink()
 {
  if (localStorageSupported()) {
    window.localStorage.setItem('navpath','');
-  } 
+  }
 }
 function cachedLink()
@@ -180,7 +193,7 @@ function newNode(o, po, text, link, childrenData, lastNode)
    a.className = stripPath(link.replace('#',':'));
    if (link.indexOf('#')!=-1) {
      var aname = '#'+link.split('#')[1];
-      var srcPage = stripPath($(location).attr('pathname'));
+      var srcPage = stripPath(pathName());
      var targetPage = stripPath(link.split('#')[0]);
      a.href = srcPage!=targetPage ? url : "javascript:void(0)"; 
      a.onclick = function(){
@@ -274,11 +287,10 @@ function glowEffect(n,duration)
 function highlightAnchor()
 {
-  var aname = $(location).attr('hash');
+  var aname = hashUrl();
  var anchor = $(aname);
  if (anchor.parent().attr('class')=='memItemLeft'){
-    var rows = $('.memberdecls tr[class$="'+
+    var rows = $('.memberdecls tr[class$="'+hashValue()+'"]');
-               window.location.hash.substring(1).replace(/</g,'\\3c ')+'"]');
    glowEffect(rows.children(),300); // member without details
  } else if (anchor.parent().attr('class')=='fieldname'){
    glowEffect(anchor.parent().parent(),1000); // enum value
@@ -296,8 +308,8 @@ function selectAndHighlight(hash,n)
 {
  var a;
  if (hash) {
-    var link=stripPath($(location).attr('pathname'))+':'+hash.substring(1);
+    var link=stripPath(pathName())+':'+hash.substring(1);
-    a=$('.item a[class$="'+link.replace(/</g,'\\3c ')+'"]');
+    a=$('.item a[class$="'+link+'"]');
  }
  if (a && a.length) {
    a.parent().parent().addClass('selected');
@@ -407,14 +419,13 @@ function navTo(o,root,hash,relpath)
  if (link) {
    var parts = link.split('#');
    root = parts[0];
-    if (parts.length>1) hash = '#'+parts[1];
+    if (parts.length>1) hash = '#'+parts[1].replace(/[^\w\-]/g,'');
    else hash='';
  }
  if (hash.match(/^#l\d+$/)) {
    var anchor=$('a[name='+hash.substring(1)+']');
    glowEffect(anchor.parent(),1000); // line number
    hash=''; // strip line number anchors
-    //root=root.replace(/_source\./,'.'); // source link to doc link
  }
  var url=root+hash;
  var i=-1;
@@ -448,7 +459,7 @@ function toggleSyncButton(relpath)
  if (navSync.hasClass('sync')) {
    navSync.removeClass('sync');
    showSyncOff(navSync,relpath);
-    storeLink(stripPath2($(location).attr('pathname'))+$(location).attr('hash'));
+    storeLink(stripPath2(pathName())+hashUrl());
  } else {
    navSync.addClass('sync');
    showSyncOn(navSync,relpath);
@@ -488,7 +499,7 @@ function initNavTree(toroot,relpath)
  }
  $(window).load(function(){
-    navTo(o,toroot,window.location.hash,relpath);
+    navTo(o,toroot,hashUrl(),relpath);
    showRoot();
  });
@@ -496,21 +507,20 @@ function initNavTree(toroot,relpath)
     if (window.location.hash && window.location.hash.length>1){
       var a;
       if ($(location).attr('hash')){
-         var clslink=stripPath($(location).attr('pathname'))+':'+
+         var clslink=stripPath(pathName())+':'+hashValue();
-                               $(location).attr('hash').substring(1);
         a=$('.item a[class$="'+clslink.replace(/</g,'\\3c ')+'"]');
       }
       if (a==null || !$(a).parent().parent().hasClass('selected')){
         $('.item').removeClass('selected');
         $('.item').removeAttr('id');
       }
-       var link=stripPath2($(location).attr('pathname'));
+       var link=stripPath2(pathName());
-       navTo(o,link,$(location).attr('hash'),relpath);
+       navTo(o,link,hashUrl(),relpath);
     } else if (!animationInProgress) {
       $('#doc-content').scrollTop(0);
       $('.item').removeClass('selected');
       $('.item').removeAttr('id');
-       navTo(o,toroot,window.location.hash,relpath);
+       navTo(o,toroot,hashUrl(),relpath);
     }
  })
 }