From be051bcadc383fa65165c06cb057c21984ffa9fa Mon Sep 17 00:00:00 2001
From: aszlig
Date: Thu, 2 Apr 2015 16:55:59 +0200
Subject: [PATCH] plain-reload.tt: Properly escape tail content.

We're just implicitly escaping the tail content by not using .load() but explicitly setting the text content using .text(), so that escaping isn't needed on our side. This should get rid of a few formatting errors and possibly XSS if someone manages to place JS code in the tail of a build and manages to lure a user to that tail output.

Signed-off-by: aszlig
---
 src/root/plain-reload.tt | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/root/plain-reload.tt b/src/root/plain-reload.tt index f078b6aa..7448d8ff 100644 --- a/src/root/plain-reload.tt +++ b/src/root/plain-reload.tt @@ -9,11 +9,19 @@ [% IF reload %] [% END %]
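
Review bot: In the [% IF reload %] block of src/root/plain-reload.tt, the safety of the tail view now rests entirely on the tail being assigned with .text() instead of fetched with .load(), and nothing visible in this hunk records that. Add a one-line template comment next to the .text() call saying the tail is untrusted build output and must not go through .load() or .html(), so a later cleanup does not reintroduce the injection. The subject says "Properly escape" while the message explains that no escaping is done and the content is set as text instead; a subject saying the tail is inserted as text would match the change. The message also hedges the XSS as "possibly"; if build output reaches this page unfiltered, state that plainly so the commit is recognised as a security fix.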