Escape markup when using innerHTML

2025-07-09 03:04:10 -04:00 · 2017-05-15 19:10:15 +05:30 · 2017-05-15 19:10:15 +05:30 · 8fe05d1e6c
commit 8fe05d1e6c
parent c651219654
5 changed files with 21 additions and 17 deletions
--- a/src/pyj/book_list/book_details.pyj
+++ b/src/pyj/book_list/book_details.pyj
@ -12,7 +12,7 @@ from modals import error_dialog, create_custom_dialog
 from widgets import create_spinner, create_button
 from date import format_date
 from session import get_interface_data
-from utils import fmt_sidx, parse_url_params, conditional_timeout
+from utils import fmt_sidx, parse_url_params, conditional_timeout, simple_markup

 from book_list.router import back, open_book, home
 from book_list.library_data import book_metadata, cover_url, set_book_metadata, current_library_id, library_data, download_url, load_status, current_virtual_library
@ -387,7 +387,7 @@ def metadata_fetched(container_id, book_id, end_type, xhr, event):
            _('Could not fetch metadata for book'),
            E.div(style='margin: 1ex 1em')
        ))
-        c.lastChild.lastChild.innerHTML = xhr.error_html
+        c.lastChild.lastChild.innerHTML = simple_markup(xhr.error_html)

 def fetch_metadata(container_id, book_id):
    nonlocal current_fetch
@ -432,7 +432,7 @@ def check_for_books_loaded():
    clear(container)
    if not load_status.ok:
        err = E.div()
-        err.innerHTML = load_status.error_html
+        err.innerHTML = simple_markup(load_status.error_html)
        container.appendChild(E.div(
            style='margin: 1ex 1em',
            E.div(_('Failed to load books from calibre library, with error:')),
--- a/src/pyj/book_list/main.pyj
+++ b/src/pyj/book_list/main.pyj
@ -10,6 +10,7 @@ from modals import create_modal_container, error_dialog
 from session import get_interface_data, UserSessionData, update_interface_data, get_translations
 from gettext import gettext as _, install
 from popups import install_event_filters
+from utils import simple_markup

 from book_list.constants import book_list_container_id, read_book_container_id
 from book_list.library_data import fetch_init_data, update_library_data, url_books_query
@ -87,9 +88,10 @@ def on_data_loaded(end_type, xhr, ev):
    else:
        p = E.p(style='color:red; font-weight: bold; font-size:1.5em')
        if xhr.status is 401:
-            p.innerHTML = _('You are not authorized to view this site')
+            msg = _('You are not authorized to view this site')
        else:
-            p.innerHTML = xhr.error_html
+            msg = xhr.error_html
+        p.innerHTML = simple_markup(msg)
        document.body.appendChild(p)


--- a/src/pyj/book_list/views.pyj
+++ b/src/pyj/book_list/views.pyj
@ -23,7 +23,7 @@ from book_list.library_data import (
    ensure_current_library_data, library_data, load_status, loaded_books_query,
    thumbnail_cache, url_books_query
 )
-from book_list.router import back, update_window_title, push_state, home
+from book_list.router import back, home, push_state, update_window_title
 from book_list.search import (
    init as init_search_panel, set_apply_search, tb_config_panel_handler
 )
@ -32,7 +32,7 @@ from book_list.ui import set_panel_handler, show_panel
 from dom import add_extra_css, build_rule, clear, ensure_id, set_css
 from modals import error_dialog
 from session import get_interface_data
-from utils import conditional_timeout, parse_url_params
+from utils import conditional_timeout, parse_url_params, simple_markup
 from widgets import create_button, create_spinner

 CLASS_NAME = 'book-list-container'
@ -272,7 +272,7 @@ def check_for_books_loaded():
    clear(container)
    if not load_status.ok:
        err = E.div()
-        err.innerHTML = load_status.error_html
+        err.innerHTML = simple_markup(load_status.error_html)
        container.appendChild(E.div(
            style='margin: 1ex 1em',
            E.div(_('Failed to load books from calibre library, with error:')),
--- a/src/pyj/modals.pyj
+++ b/src/pyj/modals.pyj
@ -2,12 +2,14 @@
 # License: GPL v3 Copyright: 2015, Kovid Goyal <kovid at kovidgoyal.net>
 from __python__ import hash_literals

-from ajax import ajax, ajax_send
 from elementmaker import E
-from dom import set_css, clear, build_rule, svgicon, add_extra_css
 from gettext import gettext as _
+
+from ajax import ajax, ajax_send
 from book_list.theme import get_color, get_font_size
+from dom import add_extra_css, build_rule, clear, set_css, svgicon
 from popups import MODAL_Z_INDEX
+from utils import simple_markup

 modal_container = None
 modal_count = 0
@ -145,10 +147,10 @@ def create_simple_dialog(title, msg, details, icon, prefix):
        is_html_msg = /<[a-zA-Z]/.test(msg)
        html_container = E.div()
        if is_html_msg:
-            html_container.innerHTML = msg
+            html_container.innerHTML = simple_markup(msg)
        details_container = E.span()
        if /<[a-zA-Z]/.test(details):
-            details_container.innerHTML = details
+            details_container.innerHTML = simple_markup(details)
        else:
            details_container.textContent = details
        parent.appendChild(
@ -193,7 +195,7 @@ def create_progress_dialog(msg, on_close):
    return {
        'close': def(): modal_container.hide_modal(modal_id);,
        'update_progress': def(amount, total): pbar.max, pbar.value = total, amount;,
-        'set_msg': def(new_msg): msg_div.innerHTML = new_msg;,
+        'set_msg': def(new_msg): msg_div.innerHTML = simple_markup(new_msg);,
    }

 # def test_progress():
--- a/src/pyj/read_book/overlay.pyj
+++ b/src/pyj/read_book/overlay.pyj
@ -11,7 +11,7 @@ from book_list.router import home
 from book_list.theme import get_color
 from dom import add_extra_css, build_rule, clear, set_css, svgicon, unique_id
 from modals import error_dialog
-from utils import full_screen_element, request_full_screen
+from utils import full_screen_element, request_full_screen, simple_markup
 from read_book.goto import create_goto_panel
 from read_book.prefs.font_size import create_font_size_panel
 from read_book.prefs.main import create_prefs_panel
@ -34,13 +34,13 @@ class LoadingMessage:  # {{{
                E.div(create_spinner('100px', '100px')),
                E.h2()
        ))
-        container.firstChild.lastChild.innerHTML = self.msg
+        container.firstChild.lastChild.innerHTML = simple_markup(self.msg)
        set_css(container.firstChild, position='relative', top='50%', transform='translateY(-50%)')

    def set_msg(self, msg):
        self.msg = msg
        container = document.getElementById(self.container_id)
-        container.firstChild.lastChild.innerHTML = self.msg
+        container.firstChild.lastChild.innerHTML = simple_markup(self.msg)

    def on_container_click(self, evt):
        pass  # Dont allow panel to be closed by a click
@ -79,7 +79,7 @@ class DeleteBook:  # {{{
                E.div(create_spinner('100px', '100px')),
                E.h2()
        ))
-        container.lastChild.lastChild.innerHTML = _('Deleting local book copy, please wait...')
+        container.lastChild.lastChild.innerHTML = simple_markup(_('Deleting local book copy, please wait...'))

    def on_container_click(self, evt):
        pass  # Dont allow panel to be closed by a click