Преглед на файлове

Escape special characters

Neal Wilson преди 6 години
родител
ревизия
0add093edf
Signed by: Neal Wilson <neal@typica.us> GPG Key ID: 2A0BDDE701E66EB9
променени са 1 файла, в които са добавени 19 реда и са изтрити 19 реда
  1. 19
    19
      config/Reports/auco.xml

+ 19
- 19
config/Reports/auco.xml Целия файл

@@ -151,17 +151,12 @@
151 151
                     output.writeAttribute("href", "typica://script/r" + rowIndex);
152 152
                     rowIndex++;
153 153
                     rowData.push(query.value(0));
154
-                    output.writeCharacters(query.value(0));
154
+                    output.writeCharacters(sanitize(query.value(0)));
155 155
                     output.writeEndElement();
156 156
                     output.writeEndElement();
157
-                    output.writeTextElement("td", query.value(1));
158
-                    output.writeTextElement("td", query.value(2));
159
-                    output.writeTextElement("td", query.value(3));
160
-                    output.writeTextElement("td", query.value(4));
161
-                    output.writeTextElement("td", query.value(5));
162
-                    output.writeTextElement("td", query.value(6));
163
-                    output.writeTextElement("td", query.value(7));
164
-                    output.writeTextElement("td", query.value(8));
157
+                    for(var i = 1; i < 9; i++) {
158
+                        output.writeTextElement("td", query.value(i));
159
+                    }
165 160
                     output.writeEndElement();
166 161
                 }
167 162
                 output.writeStartElement("tr");
@@ -187,17 +182,12 @@
187 182
                     output.writeAttribute("href", "typica://script/d" + rowIndex);
188 183
                     rowIndex++;
189 184
                     rowData.push(query.value(0));
190
-                    output.writeCharacters(query.value(0));
185
+                    output.writeCharacters(sanitize(query.value(0)));
191 186
                     output.writeEndElement();
192 187
                     output.writeEndElement();
193
-                    output.writeTextElement("td", query.value(1));
194
-                    output.writeTextElement("td", query.value(2));
195
-                    output.writeTextElement("td", query.value(3));
196
-                    output.writeTextElement("td", query.value(4));
197
-                    output.writeTextElement("td", query.value(5));
198
-                    output.writeTextElement("td", query.value(6));
199
-                    output.writeTextElement("td", query.value(7));
200
-                    output.writeTextElement("td", query.value(8));
188
+                    for(var i = 1; i < 9; i++) {
189
+                        output.writeTextElement("td", query.value(i));
190
+                    }
201 191
                     output.writeEndElement();
202 192
                 }
203 193
                 query = query.invalidate();
@@ -264,7 +254,7 @@
264 254
                     details += "<tr>";
265 255
                     details += '<td><a href="typica://script/i' + query.value(0) + '">' + query.value(0) + "</a></td>";
266 256
                     for(var i = 1; i < 7; i++) {
267
-                        details += "<td>" + query.value(i) + "</td>";
257
+                        details += "<td>" + sanitize(query.value(i)) + "</td>";
268 258
                     }
269 259
                     details += "</tr>";
270 260
                 }
@@ -272,6 +262,16 @@
272 262
                 details += "</table></td></tr>";
273 263
                 element.appendOutside(details);
274 264
             });
265
+            function sanitize(value) {
266
+                var replacement_chars = {
267
+                    "&": "&amp;",
268
+                    "<": "&lt;",
269
+                    ">": "&gt;",
270
+                    "\"": "&quot;",
271
+                    "'": "&#39;"
272
+                };
273
+                return value.replace(/[&<>"']/g, function(m) { return replacement_chars[m]; });
274
+            }
275 275
         ]]>
276 276
     </program>
277 277
 </window>

Loading…
Отказ
Запис