plain-reload.tt: Properly escape tail content.

We're just implicitly escaping the tail content by not using .load() but explicitly setting the text content using .text(), so that escaping isn't needed on our side. This should get rid of a few formatting errors and possibly XSS if someone manages to place JS code in the tail of a build and manages to lurk a user to that tail output. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-04-02 16:55:59 +02:00 · 2015-04-02 16:55:59 +02:00 · be051bcadc
parent aec0a35114
commit be051bcadc
1 changed files with 13 additions and 5 deletions
--- a/src/root/plain-reload.tt
+++ b/src/root/plain-reload.tt
@ -9,11 +9,19 @@

 [% IF reload %]
 <script>
- $(document).ready(function() {
-     $("#contents").load("[% url %]");
-   var refreshId = setInterval(function() {
-      $("#contents").load("[% url %]");
-   }, 5000);
+function injectTail() {
+    $.ajax({
+        url: "[% url %]",
+        dataType: "text",
+        success: function (tail) {
+            $("#contents").text(tail);
+        }
+    });
+}
+
+$(document).ready(function() {
+    injectTail();
+    setInterval(injectTail, 5000);
 });
 </script>
 [% END %]