From a50a2c7cca84fca9d555f07b263d13bd903fef9e Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Mon, 15 May 2017 19:49:34 +0530
Subject: [PATCH] Be more explicit about setting innerHTML
---
 src/pyj/book_list/book_details.pyj | 6 +++---
 src/pyj/book_list/main.pyj | 4 ++--
 src/pyj/book_list/search.pyj | 4 ++--
 src/pyj/book_list/views.pyj | 4 ++--
 src/pyj/modals.pyj | 8 ++++----
 src/pyj/read_book/overlay.pyj | 8 ++++----
 src/pyj/utils.pyj | 4 ++++
 7 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/src/pyj/book_list/book_details.pyj b/src/pyj/book_list/book_details.pyj
index aea0b66980..fb887ac0ea 100644
--- a/src/pyj/book_list/book_details.pyj
+++ b/src/pyj/book_list/book_details.pyj
@@ -12,7 +12,7 @@ from modals import error_dialog, create_custom_dialog
 from widgets import create_spinner, create_button
 from date import format_date
 from session import get_interface_data
-from utils import fmt_sidx, parse_url_params, conditional_timeout, simple_markup
+from utils import fmt_sidx, parse_url_params, conditional_timeout, safe_set_inner_html
 from book_list.router import back, open_book, home
 from book_list.library_data import book_metadata, cover_url, set_book_metadata, current_library_id, library_data, download_url, load_status, current_virtual_library
@@ -387,7 +387,7 @@ def metadata_fetched(container_id, book_id, end_type, xhr, event):
 _('Could not fetch metadata for book'),
 E.div(style='margin: 1ex 1em')
 ))
- c.lastChild.lastChild.innerHTML = simple_markup(xhr.error_html)
+ safe_set_inner_html(c.lastChild.lastChild, xhr.error_html)
 def fetch_metadata(container_id, book_id):
 nonlocal current_fetch
@@ -432,7 +432,7 @@ def check_for_books_loaded():
 clear(container)
 if not load_status.ok:
 err = E.div()
- err.innerHTML = simple_markup(load_status.error_html)
+ safe_set_inner_html(err, load_status.error_html)
 container.appendChild(E.div(
 style='margin: 1ex 1em',
 E.div(_('Failed to load books from calibre library, with error:')), 
diff --git a/src/pyj/book_list/main.pyj b/src/pyj/book_list/main.pyj
index 99139bd74b..bbf715eceb 100644
--- a/src/pyj/book_list/main.pyj
+++ b/src/pyj/book_list/main.pyj
@@ -10,7 +10,7 @@ from modals import create_modal_container, error_dialog
 from session import get_interface_data, UserSessionData, update_interface_data, get_translations
 from gettext import gettext as _, install
 from popups import install_event_filters
-from utils import simple_markup
+from utils import safe_set_inner_html
 from book_list.constants import book_list_container_id, read_book_container_id
 from book_list.library_data import fetch_init_data, update_library_data, url_books_query
@@ -91,7 +91,7 @@ def on_data_loaded(end_type, xhr, ev):
 msg = _('You are not authorized to view this site')
 else:
 msg = xhr.error_html
- p.innerHTML = simple_markup(msg)
+ safe_set_inner_html(p, msg)
 document.body.appendChild(p)
diff --git a/src/pyj/book_list/search.pyj b/src/pyj/book_list/search.pyj
index 82c5e4f4bb..fe3da1595d 100644
--- a/src/pyj/book_list/search.pyj
+++ b/src/pyj/book_list/search.pyj
@@ -9,7 +9,7 @@ from elementmaker import E
 from gettext import gettext as _
 from widgets import create_button, create_spinner, Breadcrumbs
 from modals import show_modal
-from utils import rating_to_stars
+from utils import rating_to_stars, safe_set_inner_html
 from session import get_interface_data
 from book_list.library_data import library_data, current_library_id, current_virtual_library
@@ -328,7 +328,7 @@ def on_data_fetched(end_type, xhr, ev):
 def show_error(error_html):
 ediv = E.div()
 container.appendChild(ediv)
- ediv.innerHTML = '

' + _('Failed to load Tag browser data') + '

' + error_html + safe_set_inner_html(ediv, '

' + _('Failed to load Tag browser data') + '

' + error_html)
 def process_node(node, item_map):
 state.node_id_map[node.id] = node
diff --git a/src/pyj/book_list/views.pyj b/src/pyj/book_list/views.pyj
index d0d85b278a..79d88a7cf3 100644
--- a/src/pyj/book_list/views.pyj
+++ b/src/pyj/book_list/views.pyj
@@ -32,7 +32,7 @@ from book_list.ui import set_panel_handler, show_panel
 from dom import add_extra_css, build_rule, clear, ensure_id, set_css
 from modals import error_dialog
 from session import get_interface_data
-from utils import conditional_timeout, parse_url_params, simple_markup
+from utils import conditional_timeout, parse_url_params, safe_set_inner_html
 from widgets import create_button, create_spinner
 CLASS_NAME = 'book-list-container'
@@ -272,7 +272,7 @@ def check_for_books_loaded():
 clear(container)
 if not load_status.ok:
 err = E.div()
- err.innerHTML = simple_markup(load_status.error_html)
+ safe_set_inner_html(err, load_status.error_html)
 container.appendChild(E.div(
 style='margin: 1ex 1em',
 E.div(_('Failed to load books from calibre library, with error:')),
diff --git a/src/pyj/modals.pyj b/src/pyj/modals.pyj
index b9509a6f18..58bd675840 100644
--- a/src/pyj/modals.pyj
+++ b/src/pyj/modals.pyj
@@ -9,7 +9,7 @@ from ajax import ajax, ajax_send
 from book_list.theme import get_color, get_font_size
 from dom import add_extra_css, build_rule, clear, set_css, svgicon
 from popups import MODAL_Z_INDEX
-from utils import simple_markup
+from utils import safe_set_inner_html
 modal_container = None
 modal_count = 0
@@ -147,10 +147,10 @@ def create_simple_dialog(title, msg, details, icon, prefix):
 is_html_msg = /<[a-zA-Z]/.test(msg)
 html_container = E.div()
 if is_html_msg:
- html_container.innerHTML = simple_markup(msg)
+ safe_set_inner_html(html_container, msg)
 details_container = E.span()
 if /<[a-zA-Z]/.test(details):
- details_container.innerHTML = simple_markup(details)
+ safe_set_inner_html(details_container, details)
 else:
 details_container.textContent = details
 parent.appendChild( 
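Review bot: The regex test `/<[a-zA-Z]/` in create_simple_dialog is what decides whether `msg` and `details` are handed to `safe_set_inner_html` or set via `textContent`, and now that the HTML path has a name that promises safety the heuristic deserves a comment so nobody assumes it is the filtering step itself. A plain-text message that merely contains `<` followed by a letter (for example a comparison like `a<b` inside an error string) takes the markup path and, if simple_markup strips what it does not recognise, may lose part of the text; `# Heuristic only: strings that look like they contain a tag are treated as markup and filtered; everything else is shown verbatim via textContent` would make that trade-off explicit. The same test is written twice; a one-line helper such as `looks_like_html(s)` used in both branches would keep them from drifting apart. create_simple_dialog continues outside the hunk.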
@@ -195,7 +195,7 @@ def create_progress_dialog(msg, on_close):
 return {
 'close': def(): modal_container.hide_modal(modal_id);,
 'update_progress': def(amount, total): pbar.max, pbar.value = total, amount;,
- 'set_msg': def(new_msg): msg_div.innerHTML = simple_markup(new_msg);,
+ 'set_msg': def(new_msg): safe_set_inner_html(msg_div, new_msg);,
 }
 # def test_progress():
diff --git a/src/pyj/read_book/overlay.pyj b/src/pyj/read_book/overlay.pyj
index 82d80fcc0c..9a2d505b3c 100644
--- a/src/pyj/read_book/overlay.pyj
+++ b/src/pyj/read_book/overlay.pyj
@@ -11,7 +11,7 @@ from book_list.router import home
 from book_list.theme import get_color
 from dom import add_extra_css, build_rule, clear, set_css, svgicon, unique_id
 from modals import error_dialog
-from utils import full_screen_element, request_full_screen, simple_markup
+from utils import full_screen_element, request_full_screen, safe_set_inner_html
 from read_book.goto import create_goto_panel
 from read_book.prefs.font_size import create_font_size_panel
 from read_book.prefs.main import create_prefs_panel
@@ -34,13 +34,13 @@ class LoadingMessage: # {{{
 E.div(create_spinner('100px', '100px')),
 E.h2()
 ))
- container.firstChild.lastChild.innerHTML = simple_markup(self.msg)
+ safe_set_inner_html(container.firstChild.lastChild, self.msg)
 set_css(container.firstChild, position='relative', top='50%', transform='translateY(-50%)')
 def set_msg(self, msg):
 self.msg = msg
 container = document.getElementById(self.container_id)
- container.firstChild.lastChild.innerHTML = simple_markup(self.msg)
+ safe_set_inner_html(container.firstChild.lastChild, self.msg)
 def on_container_click(self, evt):
 pass # Dont allow panel to be closed by a click 
@@ -79,7 +79,7 @@ class DeleteBook: # {{{
 E.div(create_spinner('100px', '100px')),
 E.h2()
 ))
- container.lastChild.lastChild.innerHTML = simple_markup(_('Deleting local book copy, please wait...'))
+ safe_set_inner_html(container.lastChild.lastChild, _('Deleting local book copy, please wait...'))
 def on_container_click(self, evt):
 pass # Dont allow panel to be closed by a click
diff --git a/src/pyj/utils.pyj b/src/pyj/utils.pyj
index 4d56818240..deb08eddce 100644
--- a/src/pyj/utils.pyj
+++ b/src/pyj/utils.pyj
@@ -217,6 +217,10 @@ def simple_markup(html):
 simple_markup.allowed_tags = v"'b|i|br|h1|h2|h3|h4|h5|h6|div|em|strong|span'.split('|')"
+def safe_set_inner_html(elem, html):
+ elem.innerHTML = simple_markup(html)
+
+
 if __name__ is '__main__':
 from pythonize import strings
 strings()
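Review bot: In the DeleteBook hunk the value handed to `safe_set_inner_html` is a translated literal that contains no markup at all, so it is pushed through the sanitizer only to end up as plain text in the `E.h2()`; `container.lastChild.lastChild.textContent = _('Deleting local book copy, please wait...')` says what is meant and cannot be altered by a translation that happens to contain a `<`. The LoadingMessage hunk above would warrant the same change only if `self.msg` is always plain text, which is not visible here. The enclosing method starts outside the hunk.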
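Review bot: `safe_set_inner_html` is now the single point every innerHTML assignment in the tree goes through, yet it carries no docstring, so the `safe_` prefix is the only statement of its contract — and that contract is really simple_markup's, whose `allowed_tags` list is the line just above. Add `"""Set elem.innerHTML from html after filtering it through simple_markup(). Use this instead of assigning innerHTML directly for any HTML not built by this code (e.g. xhr.error_html)."""` so a future caller knows what is and is not filtered. If simple_markup only whitelists tag names and does not also drop attributes such as event handlers or href/src, the docstring should say so plainly, because callers reading `safe_` will otherwise assume it does; the body of simple_markup is outside the hunk, so that part has to be checked against the function above.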