plain-reload.tt: Properly escape tail content.

We're just implicitly escaping the tail content by not using .load() but
explicitly setting the text content using .text(), so that escaping
isn't needed on our side.

This should get rid of a few formatting errors and possibly XSS if
someone manages to place JS code in the tail of a build and manages to
lure a user to that tail output.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
aszlig 2015-04-02 16:55:59 +02:00
parent aec0a35114
commit be051bcadc
No known key found for this signature in database
GPG key ID: D0EBD0EC8C2DC961


@ -9,11 +9,19 @@
[% IF reload %]
<script>
function injectTail() {
$.ajax({
url: "[% url %]",
dataType: "text",
success: function (tail) {
$("#contents").text(tail);
}
});
}
$(document).ready(function() {
$("#contents").load("[% url %]");
var refreshId = setInterval(function() {
$("#contents").load("[% url %]");
}, 5000);
injectTail();
setInterval(injectTail, 5000);
});
</script>
[% END %]
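Review bot: `[% url %]` is still interpolated raw into a JavaScript string literal at `url: "[% url %]"` inside the `<script>` block, so the response body is now treated as text but the URL itself is not encoded for the context it lands in. Where `url` comes from is not visible in this hunk; if any part of it can carry a quote, a backslash or `</script>`, it would terminate the string or the script element. I would move the value out of the script, for example by rendering `data-tail-url="[% url | html %]"` on the `#contents` element (defined outside the hunk) and reading it with `url: $("#contents").attr("data-tail-url"),`. Separately, `setInterval(injectTail, 5000)` starts a new request whether or not the previous one has finished, so a slow response can overwrite a newer tail; rescheduling from the `$.ajax` `complete` callback would avoid that.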