
Commit cf30d0f

author
Sergio Benitez
committed
Text is now HTML escaped before being pushed onto the DOM.
1 parent 9853b4c commit cf30d0f

1 file changed

+17
-4
lines changed

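--- a/js/editor.js
+++ b/js/editor.js
@@ -5,6 +5,9 @@ if (typeof String.prototype.startsWith != 'function') {
 };
 }
 
+// Regex for finding new lines
+var newLineRegex = /(?:\r\n|\r|\n)/g;
+
 // Fetching DOM items
 var activeCode = document.getElementById("active-code");
 var editorDiv = document.getElementById("editor");
@@ -56,6 +59,16 @@ function updateEditorHeight() {
 // Set initial size to match initial content
 updateEditorHeight();
 
+function escapeHTML(unsafe) {
+return unsafe
+.replace(/&/g, "&")
+.replace(/</g, "&lt;")
+.replace(/>/g, "&gt;")
+.replace(/"/g, "&quot;")
+.replace(/'/g, "&#039;")
+.replace(newLineRegex, '<br />');
+}
+
 // Dispatches a XMLHttpRequest to the Rust playpen, running the program, and
 // issues a callback to `callback` with the result (or null on error)
 function runProgram(program, callback) {
@@ -96,8 +109,6 @@ function runProgram(program, callback) {
 
 // The callback to runProgram
 function handleResult(statusCode, message) {
-var message = message.replace(/(?:\r\n|\r|\n)/g, '<br />');
-
 // Dispatch depending on result type
 if (result == null) {
 resultDiv.style.backgroundColor = errorColor;
@@ -114,7 +125,7 @@ function handleResult(statusCode, message) {
 // Called on successful program run
 function handleSuccess(message) {
 resultDiv.style.backgroundColor = successColor;
-resultDiv.innerHTML = message;
+resultDiv.innerHTML = escapeHTML(message);
 }
 
 // Called when program run results in warning(s)
@@ -134,7 +145,7 @@ function handleError(message) {
 // in the code.
 function handleProblem(message, problem) {
 // Getting list of ranges with problems
-var lines = message.split("<br />");
+var lines = message.split(newLineRegex);
 
 // Cleaning up the message: keeps only relevant problem output
 var cleanMessage = lines.map(function(line) {
@@ -149,6 +160,8 @@ function handleProblem(message, problem) {
 return line;
 }).filter(function(line) {
 return line !== "";
+}).map(function(line) {
+return escapeHTML(line);
 }).join("<br />");
 
 // Setting message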
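Review bot: In the new escapeHTML (second hunk) the ampersand replacement reads `.replace(/&/g, "&")` as rendered here, which would be a no-op and leave `&` unescaped, so entity-like text in program output such as `&lt;` would be decoded by innerHTML instead of shown verbatim; this is most likely `&amp;` lost in page rendering, but it is worth confirming against the source since the correctness of every later replacement depends on `&` being escaped first. The function also carries no comment; I would add `// Escape HTML metacharacters in untrusted program output before it reaches innerHTML; newlines become <br />` above its declaration so callers know it both escapes and line-breaks. Note that handleProblem now splits on newLineRegex and escapes each surviving line before joining with `<br />`, so callers must pass raw (unescaped) output to it — a one-line comment there stating that expectation would help. The bodies of handleResult and handleProblem continue outside the hunks shown.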
