Bug 270302 - Escape single and double quotes in safeHTML, and use for making XML and HTML reports safe.

Venkman only. r=timeless
2025-01-01 05:43:46 +00:00 · 2006-05-16 19:28:32 +00:00 · 2006-05-16 19:28:32 +00:00 · 2607a65d20
commit 2607a65d20
parent f821f4f96f
3 changed files with 39 additions and 16 deletions
--- a/extensions/venkman/js/venkman-service.js
+++ b/extensions/venkman/js/venkman-service.js
@ -106,12 +106,18 @@ function safeHTML(str)
                    
            case "&":
                return "&amp;";
+                    
+            case "'":
+                return "&#39;";
+                    
+            case '"':
+                return "&quot;";
        }

        return "?";
    };
        
-    return String(str).replace(/[<>&]/g, replaceChars);
+    return String(str).replace(/[<>&"']/g, replaceChars);
 }

 /* Command Line handler service */
--- a/extensions/venkman/resources/content/venkman-profiler.js
+++ b/extensions/venkman/resources/content/venkman-profiler.js
@ -59,6 +59,12 @@ function ProfileReport (reportTemplate, file, rangeList, scriptInstanceList)
    this.rangeList = rangeList;
    this.scriptInstanceList = scriptInstanceList;
    this.key = "total";
+
+    // Escape bad characters for HTML and XML profiles.
+    if (/\.(html|xml)\.tpl$/.test(this.reportTemplate.__url__))
+        this.escape = safeHTML;
+    else
+        this.escape = function _nop_escape(s) { return s };
 }

 console.profiler = new Object();
@ -205,6 +211,7 @@ function pro_rptinst (profileReport, scriptInstance, sectionData)
    var rangeIndex = 0;
    var K = 1;
    var i;
+    var esc = profileReport.escape;
    
    if (typeof summaryList[0].key == "number")
    {
@ -267,8 +274,8 @@ function pro_rptinst (profileReport, scriptInstance, sectionData)
            "\\$item-number-next": i + 1,
            "\\$item-number-prev": i - 1,
            "\\$item-number"     : i,
-            "\\$item-name"       : summary.url,
-            "\\$item-summary"    : fromUnicode(summary.str, MSG_REPORT_CHARSET),
+            "\\$item-name"       : esc(summary.url),
+            "\\$item-summary"    : esc(fromUnicode(summary.str, MSG_REPORT_CHARSET)),
            "\\$item-min-pct"    : scale(K, summary.min),
            "\\$item-below-pct"  : scale(K, summary.avg - summary.min),
            "\\$item-above-pct"  : scale(K, summary.max - summary.avg),
@ -276,13 +283,13 @@ function pro_rptinst (profileReport, scriptInstance, sectionData)
            "\\$min-time"        : summary.min,
            "\\$avg-time"        : summary.avg,
            "\\$total-time"      : summary.total,
-            "\\$own-max-time"   : summary.own_max,
-            "\\$own-min-time"   : summary.own_min,
-            "\\$own-avg-time"   : summary.own_avg,
-            "\\$own-total-time" : summary.own_total,
+            "\\$own-max-time"    : summary.own_max,
+            "\\$own-min-time"    : summary.own_min,
+            "\\$own-avg-time"    : summary.own_avg,
+            "\\$own-total-time"  : summary.own_total,
            "\\$call-count"      : summary.ccount,
            "\\$recurse-depth"   : summary.recurse,
-            "\\$function-name"   : fromUnicode(summary.fun, MSG_REPORT_CHARSET),
+            "\\$function-name"   : esc(fromUnicode(summary.fun, MSG_REPORT_CHARSET)),
            "\\$start-line"      : summary.base,
            "\\$end-line"        : summary.end,
            "__proto__"          : rangeData
@ -313,6 +320,7 @@ function pro_rptall (profileReport)
 {
    var profiler = this;
    var sectionCount = 0;
+    var esc = profileReport.escape;
    
    function generateReportChunk (i)
    {
@ -321,14 +329,16 @@ function pro_rptall (profileReport)
        var scriptInstance = profileReport.scriptInstanceList[i];
        var url = scriptInstance.url;
        
+        var sectionLink = url ? "<a class='section-link' href='" +
+                                esc(url) + "'>" + esc(url) + "</a>"
+                              : MSG_VAL_NA;
        var sectionData = {
            "\\$section-number-prev": (sectionCount > 0) ? sectionCount - 1 : 0,
            "\\$section-number-next": sectionCount + 1,
            "\\$section-number"     : sectionCount,
-            "\\$section-link"       : (url ? "<a class='section-link' href='" +
-                                       url + "'>" + url + "</a>" : MSG_VAL_NA),
-            "\\$full-url"           : url,
-            "\\$file-name"          : getFileFromPath(url),
+            "\\$section-link"       : sectionLink,
+            "\\$full-url"           : esc(url),
+            "\\$file-name"          : esc(getFileFromPath(url)),
            "__proto__"             : reportData
        };
        
@ -361,9 +371,9 @@ function pro_rptall (profileReport)
    var reportData = {
        "\\$report-charset": MSG_REPORT_CHARSET,
        "\\$full-date"     : String(Date()),
-        "\\$user-agent"    : navigator.userAgent,
-        "\\$venkman-agent" : console.userAgent,
-        "\\$sort-key"      : profileReport.key
+        "\\$user-agent"    : esc(navigator.userAgent),
+        "\\$venkman-agent" : esc(console.userAgent),
+        "\\$sort-key"      : esc(profileReport.key)
    };

    var reportTemplate = profileReport.reportTemplate;
@ -396,6 +406,7 @@ function pro_load (url)
    };

    var reportTemplate = parseSections (lines, sections);
+    reportTemplate.__url__ = url;
    
    //dd(dumpObjectTree (reportTemplate));
    return reportTemplate;
--- a/extensions/venkman/resources/content/venkman-utils.js
+++ b/extensions/venkman/resources/content/venkman-utils.js
@ -229,12 +229,18 @@ function safeHTML(str)
                    
            case "&":
                return "&amp;";
+                    
+            case "'":
+                return "&#39;";
+                    
+            case '"':
+                return "&quot;";
        }

        return "?";
    };
        
-    return String(str).replace(/[<>&]/g, replaceChars);
+    return String(str).replace(/[<>&"']/g, replaceChars);
 }

 function alert(msg, parent, title)