prefer wtvshared.escape over encodeURIComponent
@@ -515,7 +515,7 @@ Content-Disposition: attachment; filename="${viewer_file.replace(".exe", ".zip")
|
||||
let update_str = "http://" + request_headers.host + request_headers.request_url.split('?')[0] + "?ssid=" + client_ssid;
|
||||
Object.keys(request_headers.query).forEach((k) => {
|
||||
if (k !== "random_ssid") {
|
||||
update_str += "&" + encodeURIComponent(k) + "=" + encodeURIComponent(request_headers.query[k]);
|
||||
update_str += "&" + wtvshared.escape(k) + "=" + wtvshared.escape(request_headers.query[k]);
|
||||
}
|
||||
});
|
||||
zip.addFile("update_url.txt", update_str);
|
||||
|
||||
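Review bot: The new `update_str +=` line swaps `encodeURIComponent` for `wtvshared.escape`, whose definition is not in this diff, so the query structure now rests on that helper encoding `&`, `=`, `#`, `?` and `+` for keys and values that come straight from `request_headers.query`; if it follows the semantics of the legacy global `escape()`, `+`, `/`, `@` and `*` are left untouched, a `+` in a value is read back as a space by form-style query parsers, and non-Latin-1 characters become `%uXXXX`, which `decodeURIComponent` rejects. Please document the helper's contract where it is defined, e.g. `// escape(): percent-encodes everything except A-Za-z0-9 and <list>; never emits %uXXXX` with the real list filled in, and add a round-trip test for a constructed value such as `a+b&c=d#e`. The same dependency applies to every other hunk in this commit, most sensitively the ones that build redirect `Location` headers and the Passport `pwd=` header. The forEach callback is complete here, but the enclosing handler starts and ends outside the hunk.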
@@ -1875,7 +1875,7 @@ ${cat.name}
|
||||
if (i % 4 === 0) data += `<tr>`;
|
||||
data += `
|
||||
<td border=1 width=64 align=center valign=middle
|
||||
href="wtv-author:/add-media-to-block?docName=${docName}&blockNum=${blockNum}&blockClass=23&mediaPath=clipart%2F${encodeURIComponent(cat.path + "/" + cat.images[i])}&thumbnailPath=clipart%2Ficons%2F${encodeURIComponent(cat.path + "/" + cat.images[i])}">
|
||||
href="wtv-author:/add-media-to-block?docName=${docName}&blockNum=${blockNum}&blockClass=23&mediaPath=clipart%2F${wtvshared.escape(cat.path + "/" + cat.images[i])}&thumbnailPath=clipart%2Ficons%2F${wtvshared.escape(cat.path + "/" + cat.images[i])}">
|
||||
<img src="clipart/icons/${cat.path}/${cat.images[i]}" width=64 height=64>
|
||||
</td>`;
|
||||
}
|
||||
|
||||
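Review bot: `cat.path + "/" + cat.images[i]` is escaped twice within the rewritten `href` line, once for `mediaPath` and once for `thumbnailPath`; hoisting it, `const mediaRef = wtvshared.escape(cat.path + "/" + cat.images[i]);`, and interpolating `${mediaRef}` in both places keeps the two parameters from drifting apart. The `<img src>` two lines below still interpolates `cat.path` and `cat.images[i]` raw into HTML, so whatever escaping decision is made for the `href` should be mirrored there. Where the clipart category data comes from is not visible in this hunk, and the loop containing the block starts before it.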
@@ -109,7 +109,7 @@ Would you like to:
|
||||
<tr>
|
||||
<td>
|
||||
<img src=wtv-author:/ROMCache/pointer.gif align=absmiddle width=13 height=22 hspace=0>
|
||||
<a href=wtv-setup:/appendto-mail-signature?appendstringURL=http%3A%2F%2F${encodeURIComponent(site)}%3A1640%2F${session_data.getSessionData("subscriber_username")}%2F${page.publishname}%2F&appendstring=${page.title}&alert=The%20address%20has%20been%20added%20to%20your%20mail%20signature.
|
||||
<a href=wtv-setup:/appendto-mail-signature?appendstringURL=http%3A%2F%2F${wtvshared.escape(site)}%3A1640%2F${session_data.getSessionData("subscriber_username")}%2F${page.publishname}%2F&appendstring=${page.title}&alert=The%20address%20has%20been%20added%20to%20your%20mail%20signature.
|
||||
><font effect=shadow><B>add its address to your mail signature?</B></font></a>
|
||||
<tr>
|
||||
<td>
|
||||
|
||||
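Review bot: The rewritten `<a href>` line escapes only `site`, while `page.title` in `appendstring=`, `page.publishname` in the path and the subscriber username remain raw; a title containing `&`, `#` or a quote can split the query or, since the attribute is unquoted, end the `href` altogether. Applying the same helper, `appendstring=${wtvshared.escape(page.title)}` and `${wtvshared.escape(page.publishname)}`, makes the line consistent with the rest of the commit. That `page.title` is user-chosen is inferred from its name; confirm against where `page` is built, which is outside this hunk.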
@@ -39,7 +39,7 @@ if (!request_headers.query.mediaData && !request_headers.query.mediaPath) {
|
||||
'image': minisrv_config.config.service_logo,
|
||||
'message': "You are about to add an image to your scrapbook.<br><br>Do you wish to continue?",
|
||||
'buttonlabel1': "Continue",
|
||||
'buttonaction1': "wtv-author:/scrapbook-add?confirm=true&mediaPath=" + encodeURIComponent(request_headers.query.mediaPath || ''),
|
||||
'buttonaction1': "wtv-author:/scrapbook-add?confirm=true&mediaPath=" + wtvshared.escape(request_headers.query.mediaPath || ''),
|
||||
'buttonlabel2': "Cancel",
|
||||
'buttonaction2': "client:donothing"
|
||||
}).getURL();
|
||||
|
||||
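Review bot: The confirm action on the rewritten `'buttonaction1'` line forwards only `mediaPath`, falling back to an empty string, yet the guard on the hunk header line admits requests that carry `mediaData` instead; for those requests the Continue button re-enters `scrapbook-add` with `mediaPath=` empty and `mediaData` dropped. If `mediaData` is a supported input, carry it through, e.g. `+ (request_headers.query.mediaData ? "&mediaData=" + wtvshared.escape(request_headers.query.mediaData) : "")`; if it is not, reject it in the guard rather than losing it silently. This is inferred from the guard condition alone, as the handling of `mediaData` is outside the hunk.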
@@ -118,13 +118,13 @@ vspace=0
|
||||
<tr>
|
||||
<td>
|
||||
<table cellspacing=0 cellpadding=0
|
||||
href="wtv-author:/styles?tmplClass=11&docName=${docName}&styleName=${encodeURIComponent(styleName)}&pageNum=${(page > 0) ? (page - 1) : (pages.length - 1)}#minus" id=minus><tr><td><img src="wtv-author:/ROMCache/minus_button.gif">
|
||||
href="wtv-author:/styles?tmplClass=11&docName=${docName}&styleName=${wtvshared.escape(styleName)}&pageNum=${(page > 0) ? (page - 1) : (pages.length - 1)}#minus" id=minus><tr><td><img src="wtv-author:/ROMCache/minus_button.gif">
|
||||
</table>
|
||||
</td>
|
||||
<td align=center><font color=D1D1D1><B>${page + 1} of ${pages.length}</B></font></td>
|
||||
<td>
|
||||
<table cellspacing=0 cellpadding=0
|
||||
href="wtv-author:/styles?tmplClass=11&docName=${docName}&styleName=${encodeURIComponent(styleName)}&pageNum=${(page+1 < pages.length) ? (page + 1) : 0}#plus" id=plus><tr><td><img src="wtv-author:/ROMCache/plus_button.gif">
|
||||
href="wtv-author:/styles?tmplClass=11&docName=${docName}&styleName=${wtvshared.escape(styleName)}&pageNum=${(page+1 < pages.length) ? (page + 1) : 0}#plus" id=plus><tr><td><img src="wtv-author:/ROMCache/plus_button.gif">
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
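Review bot: Both rewritten `href` lines escape `styleName` but interpolate `docName` raw into the same query string, so a document name containing `&`, `#` or `"` still splits the query or closes the attribute; the commit fixes one parameter and leaves its neighbour on the same line untouched. Escaping both once up front, `const docRef = wtvshared.escape(docName);` and `const styleRef = wtvshared.escape(styleName);`, and using them in the minus and plus links avoids repeating the calls four times. Whether `docName` is client-supplied cannot be seen here; it is worth checking where it is read.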
@@ -45,7 +45,7 @@ if (fail_url === null) fail_url = new clientShowAlert({
|
||||
let url;
|
||||
|
||||
if (request_headers.query.url) {
|
||||
url = encodeURIComponent(request_headers.query.url);
|
||||
url = wtvshared.escape(request_headers.query.url);
|
||||
} else {
|
||||
url = `wtv-disk:/sync`;
|
||||
if (request_headers.query.diskmap) url += `%3fdiskmap%3d${request_headers.query.diskmap}`;
|
||||
|
||||
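Review bot: The `else` branch still appends `request_headers.query.diskmap` raw in `%3fdiskmap%3d${…}` while the `if` branch above it now escapes `request_headers.query.url`, so two client-supplied values on the same code path are treated differently; a `diskmap` containing `&`, `#` or `%` corrupts the nested `wtv-disk:/sync` URL once it is decoded. Use `if (request_headers.query.diskmap) url += "%3fdiskmap%3d" + wtvshared.escape(request_headers.query.diskmap);` so the nested query survives the outer decode. The `else` block continues past the end of the hunk.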
@@ -15,7 +15,7 @@ if (request_headers.query.group) {
|
||||
const query = request_headers.query;
|
||||
query['url'] = 'wtv-disk:/delete-group';
|
||||
const queryString = Object.keys(query)
|
||||
.map(key => encodeURIComponent(key) + '=' + encodeURIComponent(query[key]))
|
||||
.map(key => wtvshared.escape(key) + '=' + wtvshared.escape(query[key]))
|
||||
.join('&');
|
||||
headers = "302 Found\nLocation: wtv-disk:/content/DownloadScreen.tmpl" + (queryString ? ("?" + queryString) : "");
|
||||
}
|
||||
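Review bot: The rewritten `.map` reads `query[key]` back out after `Object.keys`, where `Object.entries(query).map(([key, value]) => wtvshared.escape(key) + '=' + wtvshared.escape(value))` states the same thing without the second lookup; the identical shape recurs in the `@@ -15,7` and `@@ -317,7` hunks of the download handlers further down, which build `queryString` the same way and would take the same rewrite. Note also that `const query = request_headers.query;` two lines above aliases the request object, so `query['url'] = …` mutates `request_headers.query` for anything that reads it afterwards; `const query = { ...request_headers.query };` keeps the redirect building side-effect free. The `Location:` value is assembled from escaped pairs, so CR/LF injection is covered only if the helper encodes those characters, which cannot be confirmed from this diff.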
@@ -47,7 +47,7 @@ if (request_headers.query.group) {
|
||||
state = `<a href="wtv-disk:/content/DownloadScreen.tmpl?group=${group}&diskmap=${group}&force=true">invalid</a>`;
|
||||
}
|
||||
const date = client_group_data[group]['last-checkup-time'] || "never";
|
||||
data += `<tr><td><a href="wtv-disk:/content/DownloadScreen.tmpl?url=${encodeURIComponent('wtv-disk:/delete-group?path='+path+'&group='+group)}">${group}</a></td><td>${path}</td><td>${state}</td><td>${date}</td></tr>\n`;
|
||||
data += `<tr><td><a href="wtv-disk:/content/DownloadScreen.tmpl?url=${wtvshared.escape('wtv-disk:/delete-group?path='+path+'&group='+group)}">${group}</a></td><td>${path}</td><td>${state}</td><td>${date}</td></tr>\n`;
|
||||
})
|
||||
}
|
||||
data += `
|
||||
|
||||
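Review bot: The rewritten `data +=` line escapes the nested `wtv-disk:/delete-group?path=…&group=…` URL as a whole, but `path` and `group` are concatenated raw inside it, so a `path` containing `&` or `#` splits the inner query as soon as the outer `url=` parameter is decoded; the inner pieces need their own escaping before the outer call, `wtvshared.escape('wtv-disk:/delete-group?path=' + wtvshared.escape(path) + '&group=' + wtvshared.escape(group))`. The same line also interpolates `${group}`, `${path}` and `${date}` straight into table cells, where `wtvshared.htmlEntitize`, used elsewhere in this commit, is the matching defence. Whether these values can contain such characters depends on `client_group_data`, which is not visible here; the `forEach` closing on the `})` line starts before the hunk.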
@@ -15,7 +15,7 @@ if (request_headers['wtv-request-type'] === "download") {
|
||||
query['success_url'] = 'wtv-disk:/delete-group';
|
||||
query['message'] = "Obtaining group data...";
|
||||
const queryString = Object.keys(query)
|
||||
.map(key => encodeURIComponent(key) + '=' + encodeURIComponent(query[key]))
|
||||
.map(key => wtvshared.escape(key) + '=' + wtvshared.escape(query[key]))
|
||||
.join('&');
|
||||
headers = "302 Found\nwtv-expire-all: wtv-disk:\nLocation: wtv-disk:/content/DownloadScreen.tmpl" + (queryString ? ("?" + queryString) : "");
|
||||
}
|
||||
@@ -85,7 +85,7 @@ if (request_headers['wtv-request-type'] === 'download') {
|
||||
case "GET":
|
||||
let get_url = service_name + ":/" + update_list[k].location + "?";
|
||||
if (update_list[k].compress === false) get_url += "dont_compress=true&";
|
||||
if (update_list[k].type) get_url += "content_type=" + encodeURIComponent(update_list[k].type) + "&";
|
||||
if (update_list[k].type) get_url += "content_type=" + wtvshared.escape(update_list[k].type) + "&";
|
||||
wtvdl.get(update_list[k].file.replace(diskmap_group_data.base, ""), update_list[k].file, get_url, diskmap_group_name, update_list[k].checksum, update_list[k].uncompressed_size || null, update_list[k].original_filename)
|
||||
break;
|
||||
}
|
||||
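Review bot: The rewritten `content_type=` line escapes `update_list[k].type`, but the `get_url` base two lines above still splices `update_list[k].location` raw into the path before the `?`, so the field that defines the route is the one left unencoded; if `location` can hold `?`, `#` or spaces, the later `content_type=` and `dont_compress=` parameters are mis-parsed. Separately, `let get_url` is a lexical declaration directly inside `case "GET":`, which ESLint's no-case-declarations rule flags because the binding is shared across the whole switch; wrapping the case body in braces, `case "GET": { … break; }`, scopes it. The `switch` and the loop over `k` begin outside the hunk.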
@@ -317,7 +317,7 @@ if (request_headers['wtv-request-type'] === 'download') {
|
||||
}
|
||||
} else {
|
||||
const queryString = Object.keys(request_headers.query)
|
||||
.map(key => encodeURIComponent(key) + '=' + encodeURIComponent(request_headers.query[key]))
|
||||
.map(key => wtvshared.escape(key) + '=' + wtvshared.escape(request_headers.query[key]))
|
||||
.join('&');
|
||||
headers = "302 Found\nLocation: wtv-disk:/content/DownloadScreen.tmpl" + (queryString ? ("?" + queryString) : "");
|
||||
data = "";
|
||||
|
||||
@@ -42,7 +42,7 @@ async function processLC2DownloadPage(flashrom_info, headers, numparts = null) {
|
||||
}
|
||||
|
||||
if (!flashrom_info.is_last_part) {
|
||||
flashrom_info.next_rompath = service_name + ":/get-lc2-page?path=" + encodeURIComponent(flashrom_info.next_rompath.replace(service_name + ":/", ""));
|
||||
flashrom_info.next_rompath = service_name + ":/get-lc2-page?path=" + wtvshared.escape(flashrom_info.next_rompath.replace(service_name + ":/", ""));
|
||||
}
|
||||
|
||||
console.log(flashrom_info.next_rompath);
|
||||
|
||||
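Review bot: `flashrom_info.next_rompath.replace(service_name + ":/", "")` on the rewritten line removes the first occurrence of the prefix wherever it appears, not only at the start, so a path that merely contains `service_name + ":/"` later in the string is silently altered; `const prefix = service_name + ":/";` followed by `const rel = next.startsWith(prefix) ? next.slice(prefix.length) : next;` makes the intent explicit. The `console.log(flashrom_info.next_rompath)` two lines below looks like leftover debugging of this very value and prints every ROM path to the server log; drop it or route it through the service's logger. `processLC2DownloadPage` continues on both sides of the hunk.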
@@ -1,11 +1,11 @@
|
||||
const minisrv_service_file = true;
|
||||
|
||||
if (request_headers.query.path) {
|
||||
let url = service_name + ":/get-lc2-page?path=" + encodeURIComponent(request_headers.query.path);
|
||||
let url = service_name + ":/get-lc2-page?path=" + wtvshared.escape(request_headers.query.path);
|
||||
const romtype = session_data.get("wtv-client-rom-type");
|
||||
if (romtype === "bf0app") {
|
||||
url = "client:updateflash?ipaddr=" + minisrv_config.services[service_name].host + "&port=" + minisrv_config.services[service_name].port + "&path=" + encodeURIComponent(service_name + ":/" + request_headers.query.path);
|
||||
if (request_headers.query.numparts) url += encodeURIComponent("?numparts=" + request_headers.query.numparts);
|
||||
url = "client:updateflash?ipaddr=" + minisrv_config.services[service_name].host + "&port=" + minisrv_config.services[service_name].port + "&path=" + wtvshared.escape(service_name + ":/" + request_headers.query.path);
|
||||
if (request_headers.query.numparts) url += wtvshared.escape("?numparts=" + request_headers.query.numparts);
|
||||
} else {
|
||||
if (request_headers.query.numparts) url += "&numparts=" + request_headers.query.numparts;
|
||||
}
|
||||
|
||||
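Review bot: The `else` branch still appends `request_headers.query.numparts` raw (`url += "&numparts=" + …`) while the `bf0app` branch above it now escapes the same client value, so behaviour diverges by ROM type on a field taken straight from the query string. `url += "&numparts=" + wtvshared.escape(request_headers.query.numparts);` restores symmetry. If `numparts` is meant to be an integer, `Number.parseInt(…, 10)` with a `Number.isNaN` rejection before either branch is the stronger check, but that depends on how `get-lc2-page` consumes it, which is outside this hunk.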
@@ -11,7 +11,7 @@ if (request_headers.query.vflash) delete request_headers.query.vflash;
|
||||
if (request_headers.query.pflash) delete request_headers.query.pflash;
|
||||
|
||||
for (const [key, value] of Object.entries(request_headers.query)) {
|
||||
proxy_query += "&" + key + "=" + encodeURIComponent(value);
|
||||
proxy_query += "&" + key + "=" + wtvshared.escape(value);
|
||||
}
|
||||
|
||||
if (!minisrv_config.services[service_name].use_zefie_server) {
|
||||
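Review bot: The rewritten loop escapes `value` but forwards `key` raw into `proxy_query`, and the following `@@ -20,7` hunk shows that string sent verbatim to `roms.minisrv.dev`, so every client-supplied query name reaches the upstream request unencoded; `proxy_query += "&" + wtvshared.escape(key) + "=" + wtvshared.escape(value);` closes that gap. In that same upstream `path:` line, `session_data.get("wtv-client-rom-type")` is concatenated raw into `pflash=` while `service_name` beside it is escaped, so `"&pflash=" + wtvshared.escape(session_data.get("wtv-client-rom-type"))` would finish the job. The two `delete` statements above the loop read as a deny-list of forwarded parameters; an allow-list of the names the upstream actually accepts would make the forwarding intent explicit and stop unknown keys travelling at all. The enclosing handler starts before the hunk.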
@@ -20,7 +20,7 @@ if (!minisrv_config.services[service_name].use_zefie_server) {
|
||||
|
||||
const options = {
|
||||
host: "roms.minisrv.dev",
|
||||
path: "/?minisrv=true&service_name="+encodeURIComponent(service_name)+"&pflash=" + session_data.get("wtv-client-rom-type") + proxy_query,
|
||||
path: "/?minisrv=true&service_name="+wtvshared.escape(service_name)+"&pflash=" + session_data.get("wtv-client-rom-type") + proxy_query,
|
||||
timeout: 5000,
|
||||
method: 'GET'
|
||||
}
|
||||
|
||||
@@ -244,7 +244,7 @@ From:
|
||||
<td width=10>
|
||||
<td>`;
|
||||
if (message.from_name !== message.from_addr) {
|
||||
data += `${wtvshared.htmlEntitize(message.from_addr)} <a href="client:showalert?sound=none&message=To%20add%20%3Cblackface%3E${encodeURIComponent(encodeURIComponent(message.from_name))}%3C%2Fblackface%3E%20to%20your%20Address%20book,%20choose%20%3Cb%3EAdd%3C%2Fb%3E.&buttonlabel2=Cancel&buttonaction2=client:donothing&buttonlabel1=Add&buttonaction1=wtv-mail:/addressbook%3Faction%3Deditfromheader%26noresponse%3Dtrue%26nickname%3D${encodeURIComponent(encodeURIComponent(message.from_name))}%26address%3D${encodeURIComponent(encodeURIComponent(message.from_addr))}%26new_address%3Dtrue">(${wtvshared.htmlEntitize(message.from_name)})</a>`;
|
||||
data += `${wtvshared.htmlEntitize(message.from_addr)} <a href="client:showalert?sound=none&message=To%20add%20%3Cblackface%3E${wtvshared.escape(wtvshared.escape(message.from_name))}%3C%2Fblackface%3E%20to%20your%20Address%20book,%20choose%20%3Cb%3EAdd%3C%2Fb%3E.&buttonlabel2=Cancel&buttonaction2=client:donothing&buttonlabel1=Add&buttonaction1=wtv-mail:/addressbook%3Faction%3Deditfromheader%26noresponse%3Dtrue%26nickname%3D${wtvshared.escape(wtvshared.escape(message.from_name))}%26address%3D${wtvshared.escape(wtvshared.escape(message.from_addr))}%26new_address%3Dtrue">(${wtvshared.htmlEntitize(message.from_name)})</a>`;
|
||||
} else {
|
||||
data += `${wtvshared.htmlEntitize(message.from_addr)}`;
|
||||
}
|
||||
|
||||
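Review bot: The rewritten line calls `wtvshared.escape(wtvshared.escape(message.from_name))` twice and the same double call on `message.from_addr` once inside a single template literal, which buries the fact that these values are escaped twice on purpose because they sit inside a `buttonaction1=wtv-mail:/…` URL that is itself a query parameter. Hoisting them, `const nameParam = wtvshared.escape(wtvshared.escape(message.from_name));` and `const addrParam = wtvshared.escape(wtvshared.escape(message.from_addr));`, with the comment `// escaped twice: these land inside a URL that is itself a URL parameter`, makes the layering visible; the `@@ -592,7` news hunk repeats the pattern and would take the same treatment. `from_name` and `from_addr` originate from an inbound message and should stay treated as untrusted at every use. The `if`/`else` is complete within the hunk but the handler is not.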
@@ -6,7 +6,7 @@ let message_voicemail_data = null;
|
||||
const intro_seen = session_data.mailstore.checkMailIntroSeen();
|
||||
if (!intro_seen && !request_headers.query.intro_seen) {
|
||||
// user is trying to bypass the intro screen
|
||||
headers = "300 OK\nLocation: wtv-mail:/DiplomaMail?came-from=" + encodeURIComponent(request_headers.request_url);
|
||||
headers = "300 OK\nLocation: wtv-mail:/DiplomaMail?came-from=" + wtvshared.escape(request_headers.request_url);
|
||||
} else if (request_headers.query.clear === "true") {
|
||||
let gourl;
|
||||
if (request_headers.Referer)
|
||||
|
||||
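Review bot: The rewritten `Location:` line stores the full `request_headers.request_url` in `came-from`, which `DiplomaMail` presumably follows once the intro is acknowledged; nothing in this hunk restricts that value, so the consumer should check the scheme and path before redirecting (hedged — the consumer is not in this diff). A comment on the line, `// came-from is client-controlled; DiplomaMail must validate it before following it`, records that expectation for whoever edits the other side. The `if`/`else if` chain continues past the end of the hunk.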
@@ -592,7 +592,7 @@ ${strftime("%a, %b %e, %Y, %I:%M%P", new Date(Date.parse(response.article.header
|
||||
From:
|
||||
<td>`;
|
||||
if (message.from_name !== message.from_addr) {
|
||||
data += `<a href="client:showalert?sound=none&message=Would%20you%20like%20to%20add%20%3Cblackface%3E${wtvshared.htmlEntitize(message.from_name)}%3C%2Fblackface%3E%20to%20your%20address%20list%3F&buttonlabel2=No&buttonaction2=client:donothing&buttonlabel1=Yes&buttonaction1=wtv-mail:/addressbook%3Faction%3Deditfromheader%26noresponse%3Dtrue%26nickname%3D${encodeURIComponent(encodeURIComponent(message.from_name))}%26address%3D${encodeURIComponent(encodeURIComponent(message.from_addr))}%26new_address%3Dtrue">${wtvshared.htmlEntitize(message.from_addr)} </a>`;
|
||||
data += `<a href="client:showalert?sound=none&message=Would%20you%20like%20to%20add%20%3Cblackface%3E${wtvshared.htmlEntitize(message.from_name)}%3C%2Fblackface%3E%20to%20your%20address%20list%3F&buttonlabel2=No&buttonaction2=client:donothing&buttonlabel1=Yes&buttonaction1=wtv-mail:/addressbook%3Faction%3Deditfromheader%26noresponse%3Dtrue%26nickname%3D${wtvshared.escape(wtvshared.escape(message.from_name))}%26address%3D${wtvshared.escape(wtvshared.escape(message.from_addr))}%26new_address%3Dtrue">${wtvshared.htmlEntitize(message.from_addr)} </a>`;
|
||||
} else {
|
||||
data += `${wtvshared.htmlEntitize(response.article.headers.FROM)}`;
|
||||
}
|
||||
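Review bot: On the rewritten line `message.from_name` enters the `message=` parameter through `wtvshared.htmlEntitize` only, with no URL escaping, while the same value in `nickname=` is escaped twice; an `&`, `=`, `#` or `%` in a display name therefore still truncates or corrupts the `client:showalert` query. `${wtvshared.escape(wtvshared.htmlEntitize(message.from_name))}` keeps the HTML markup for the alert body and lets the parameter survive query parsing; that the client decodes first and renders as HTML second is inferred from the `%3Cblackface%3E` literals on the same line. The `else` branch prints `response.article.headers.FROM` where the mail version prints `message.from_addr`, which may be deliberate but reads as an inconsistency.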
@@ -642,7 +642,7 @@ From:
|
||||
if (v.content_type.match(supported_images))
|
||||
attachment_data += `<img border=2 src="wtv-news:/get-attachment?group=${group}&article=${article}&attachment_id=${k}&wtv-title=Video%20Snapshot"><br><br>`;
|
||||
else if (v.content_type.match(supported_audio))
|
||||
attachment_data += `<table href="wtv-news:/get-attachment?group=${group}&article=${article}&attachment_id=${k}&wtv-title=${(v.filename) ? encodeURIComponent(v.filename) : "Audio%20file"}" width=386 cellspacing=0 cellpadding=0>
|
||||
attachment_data += `<table href="wtv-news:/get-attachment?group=${group}&article=${article}&attachment_id=${k}&wtv-title=${(v.filename) ? wtvshared.escape(v.filename) : "Audio%20file"}" width=386 cellspacing=0 cellpadding=0>
|
||||
<td align=left valign=middle><img src="wtv-news:/ROMCache/FileSound.gif" align=absmiddle><font color="#189CD6"> ${(v.filename) ? (v.filename) : "Audio file"} (${v.content_type.split('/')[1]} attachment)</font>
|
||||
<td align=right valign=middle>
|
||||
</table><br><br>`;
|
||||
|
||||
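Review bot: The rewritten `href` line escapes `v.filename` for `wtv-title=`, but the line directly below still drops `v.filename` and `v.content_type.split('/')[1]` raw into the `<font>` text; both come from the fetched article's attachment metadata, so `wtvshared.htmlEntitize(v.filename)` belongs there, and `group`/`article` inside the `href` deserve `wtvshared.escape` as well. The `?? "Audio file"` fallback is fine as is, since a missing filename is the only case it needs to cover. The loop over attachments and the `else if` chain start outside the hunk.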
@@ -31,7 +31,7 @@ if (messenger_email && messenger_password) {
|
||||
request.end();
|
||||
const options = {
|
||||
method: 'GET',
|
||||
headers: { "Authorization": "Passport1.4 OrgVerb=GET,OrgURL=http%3A%2F%2Fmessenger%2Emsn%2Ecom,sign-in=" + email + ",pwd=" + encodeURIComponent(password) + "," + challenge }
|
||||
headers: { "Authorization": "Passport1.4 OrgVerb=GET,OrgURL=http%3A%2F%2Fmessenger%2Emsn%2Ecom,sign-in=" + email + ",pwd=" + wtvshared.escape(password) + "," + challenge }
|
||||
}
|
||||
const request2 = https.get(passporturls, options, (response) => {
|
||||
let req_data = '';
|
||||
|
||||
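Review bot: The rewritten `Authorization` header escapes `password` but splices `email` raw into the comma-separated Passport tuple, so an address containing `,` or `=` breaks the header while the value next to it is protected; `"sign-in=" + wtvshared.escape(email) + ",pwd=" + wtvshared.escape(password)` treats both alike. This header carries a credential, so make sure `options` is never logged wholesale in the `https.get` callback that follows, which is outside the hunk. The `request.end()` above belongs to the previous request, and the callback around it begins before the hunk.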
@@ -54,12 +54,12 @@ lib.get(targetUrl, (res) => {
|
||||
if (urlInputMatch) {
|
||||
pageUrl = urlInputMatch[1];
|
||||
}
|
||||
const redirectUrl = `${service_name}:/proxy?id=${proxy_id}&t=${imgExt}&url=${encodeURIComponent(pageUrl)}`;
|
||||
const redirectUrl = `${service_name}:/proxy?id=${proxy_id}&t=${imgExt}&url=${wtvshared.escape(pageUrl)}`;
|
||||
sendToClient(socket, {'Status': 302, 'Location': redirectUrl}, '');
|
||||
} else {
|
||||
const idx = data.indexOf('<BR>');
|
||||
data = data.slice(0, idx);
|
||||
const redirectUrl = `${service_name}:/proxy?err=${encodeURIComponent(data)}`;
|
||||
const redirectUrl = `${service_name}:/proxy?err=${wtvshared.escape(data)}`;
|
||||
sendToClient(socket, {'Status': 302, 'Location': redirectUrl}, '');
|
||||
}
|
||||
});
|
||||
|
||||
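Review bot: In the `else` branch, `data.indexOf('<BR>')` yields `-1` when the marker is absent and `data.slice(0, -1)` then drops the last character instead of keeping the whole message, so the rewritten `err=` redirect can carry a truncated error; guard it with `const idx = data.indexOf('<BR>'); if (idx !== -1) data = data.slice(0, idx);`. The error text is scraped from a third-party response and lands in a `Location` header after escaping, which holds only if the helper encodes CR/LF; capping its length before escaping keeps the header bounded either way. The `lib.get` callback starts before the hunk.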
@@ -15,8 +15,8 @@ if (!request_headers.query.registering ||
|
||||
data = errpage[1];
|
||||
} else {
|
||||
if (request_headers.query['Change']) {
|
||||
let changeUrl = "wtv-register:/ValidateAgreement?registering=" + encodeURIComponent(request_headers.query.registering) + "&subscriber_name=" + encodeURIComponent(request_headers.query.subscriber_name);
|
||||
changeUrl += "&subscriber_username=" + encodeURIComponent(request_headers.query.subscriber_username) + "&subscriber_contact=" + encodeURIComponent(request_headers.query.subscriber_contact) + "&subscriber_contact_method=" + encodeURIComponent(request_headers.query.subscriber_contact_method);
|
||||
let changeUrl = "wtv-register:/ValidateAgreement?registering=" + wtvshared.escape(request_headers.query.registering) + "&subscriber_name=" + wtvshared.escape(request_headers.query.subscriber_name);
|
||||
changeUrl += "&subscriber_username=" + wtvshared.escape(request_headers.query.subscriber_username) + "&subscriber_contact=" + wtvshared.escape(request_headers.query.subscriber_contact) + "&subscriber_contact_method=" + wtvshared.escape(request_headers.query.subscriber_contact_method);
|
||||
const errpage = wtvshared.doRedirect(changeUrl);
|
||||
headers = errpage[0];
|
||||
data = errpage[1];
|
||||
|
||||
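Review bot: The two rewritten `changeUrl` lines escape five query fields one by one across several hundred characters; a field list keeps them in one place and makes adding a sixth a one-token change: `const fields = ['registering', 'subscriber_name', 'subscriber_username', 'subscriber_contact', 'subscriber_contact_method'];` followed by `const changeUrl = 'wtv-register:/ValidateAgreement?' + fields.map((f) => f + '=' + wtvshared.escape(request_headers.query[f])).join('&');`. Neither `encodeURIComponent` (which turns `undefined` into the string `"undefined"`) nor, presumably, `wtvshared.escape` rejects a missing field, so any of these that is required should be checked before the URL is built. The outer `if`/`else` is cut at the top of the hunk.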
@@ -94,9 +94,9 @@ function process(data) {
|
||||
if (result.description) {
|
||||
result.description = result.description.replace(/\</g, '<').replace(/\>/g, '>');
|
||||
}
|
||||
result.encodedurl = encodeURIComponent(result.url);
|
||||
result.encodedurl = wtvshared.escape(result.url);
|
||||
if (result.thumbnail_src) {
|
||||
result.thumbnail_src = service_name + "/imgproxy?url=" + encodeURIComponent(result.thumbnail_src);
|
||||
result.thumbnail_src = service_name + "/imgproxy?url=" + wtvshared.escape(result.thumbnail_src);
|
||||
}
|
||||
|
||||
content.push(result);
|
||||
|
||||
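Review bot: The rewritten `thumbnail_src` line builds `service_name + "/imgproxy?url="`, whereas every other URL in this commit joins the service with `":/"` (e.g. `service_name + ":/get-lc2-page?path="`); unless `service_name` here already ends in a colon, the proxy link is malformed and should read `service_name + ":/imgproxy?url="`. Three lines up, `result.description.replace(/\</g, '<').replace(/\>/g, '>')` as rendered replaces `<` with itself; if the source actually writes `'&lt;'`/`'&gt;'` this is a display artefact, otherwise the description reaches the page un-entitized and `wtvshared.htmlEntitize` is the intended call. `result.url` and `result.thumbnail_src` come from a remote search result, so keeping them escaped at every use is the right default. `process` starts before the hunk.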
@@ -46,7 +46,7 @@ Content-Type: text/html`;
|
||||
data = "";
|
||||
|
||||
Object.keys(settings_obj).forEach(function (k, v) {
|
||||
data += k + "=" + encodeURIComponent(settings_obj[k]) + "&";
|
||||
data += k + "=" + wtvshared.escape(settings_obj[k]) + "&";
|
||||
});
|
||||
|
||||
data = data.slice(0, (data.length - 1));
|
||||
|
||||
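Review bot: The rewritten `data +=` line runs inside `forEach(function (k, v) …)` where `v` is the array index rather than the value, and the trailing `&` is trimmed afterwards with `data.slice(0, data.length - 1)`; the whole block collapses to `data = Object.entries(settings_obj).map(([k, v]) => k + '=' + wtvshared.escape(v)).join('&');` with no trimming step and no misleading parameter. The keys are still concatenated raw; if `settings_obj` keys are fixed identifiers that is fine, otherwise escape `k` too. The `data = "";` above and the `slice` below become redundant with that form, and the surrounding handler starts before the hunk.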
@@ -110,7 +110,7 @@ Choose the songs that you'd like to include.
|
||||
let songTitle = musicList[k]['title'];
|
||||
if (songTitle.length > strLenLimit) songTitle = musicList[k]['title'].slice(0, strLenLimit - 3) + "...";
|
||||
if (musicList.length > 14) data += '<font size="-2">';
|
||||
data += `<a href="${musicList[k]['url']}?wtv-title=${encodeURIComponent(musicList[k]['title'])}" onmouseout="clearTitle()" onmouseover="showTitle('${musicList[k]['title'].replace(/\'/g, "\\'")}')">${songTitle}</a>
|
||||
data += `<a href="${musicList[k]['url']}?wtv-title=${wtvshared.escape(musicList[k]['title'])}" onmouseout="clearTitle()" onmouseover="showTitle('${musicList[k]['title'].replace(/\'/g, "\\'")}')">${songTitle}</a>
|
||||
</td></tr></tbody></table>`;
|
||||
if (musicList.length > 14) data += '</font>';
|
||||
songsListed++;
|
||||
|
||||
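Review bot: The rewritten line escapes the title for `wtv-title=`, but the `onmouseover="showTitle('…')"` attribute on the same line protects only `'` via `.replace(/\'/g, "\\'")`; a title containing `"`, `\`, `</` or a newline still terminates the attribute or the script string, and `${songTitle}` goes into the element text raw. Escape backslashes before quotes and entitize the attribute value, `const jsTitle = musicList[k]['title'].replace(/\\/g, '\\\\').replace(/'/g, "\\'");` then `onmouseover="showTitle('${wtvshared.htmlEntitize(jsTitle)}')"`, and use `wtvshared.htmlEntitize(songTitle)` for the link text. Whether `musicList` titles are user-editable is not visible here; treating them as untrusted costs nothing. The loop over `k` begins before the hunk.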
@@ -11,6 +11,6 @@ if (!request_headers.query.url && !request_headers.query.mediaPath) {
|
||||
handleError('No URL provided');
|
||||
} else {
|
||||
const mediaURL = request_headers.query.url || request_headers.query.mediaPath;
|
||||
const targetURL = 'wtv-author:/scrapbook-add?mediaPath=' + encodeURIComponent(mediaURL);
|
||||
const targetURL = 'wtv-author:/scrapbook-add?mediaPath=' + wtvshared.escape(mediaURL);
|
||||
sendToClient(socket, {'Status': 302, 'Location': targetURL, 'wtv-visit': targetURL}, '');
|
||||
}
|
||||