author | Scott Main <smain@google.com> | 2011-05-11 20:14:42 -0700 |
---|---|---|
committer | Scott Main <smain@google.com> | 2011-05-11 20:14:42 -0700 |
commit | 432fbcc55ff3e0900a50b70b9d5dbdab77a276f7 (patch) | |
tree | b1559f65aaee5b57a5f8e8aa53c3771828010246 /docs | |
parent | a45e4f4df59e4037408f6b9c0ddf4a7c57eaa273 (diff) | |
docs: enforce alphanumeric strings for video id to prevent XSS
bug 4399806
Change-Id: Ie55a2b40687bb68e734012cecf22de62b4f4cf7e
Diffstat (limited to 'docs')
-rw-r--r-- | docs/html/videos/index.jd | 49 |
1 files changed, 33 insertions, 16 deletions
diff --git a/docs/html/videos/index.jd b/docs/html/videos/index.jd
index 0274095..50bdb46 100644
--- a/docs/html/videos/index.jd
+++ b/docs/html/videos/index.jd
@@ -62,7 +62,7 @@ $(window).history(function(e, hash) {
 */
 function loadVideo(id, title, autoplay) {
 if($("." + id).hasClass("noplay")) {
- console.log("noplay");
+ //console.log("noplay");
 autoplay = false;
 $("." + id).removeClass("noplay");
 }
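Review bot: Commenting out `console.log("noplay")` leaves dead code in loadVideo; delete the line rather than keeping it as a comment. More importantly, `id` is still spliced straight into jQuery selectors here (`$("." + id)`) without the `isAlphaNumeric()` check this commit adds to clickVideo, so if loadVideo can be reached with a hash-derived id by any path other than clickVideo, the selector construction the commit message is fixing is still unguarded on this side. A guard at the top of the function, `if (!isAlphaNumeric(id)) return;`, would make the fix independent of caller discipline. loadVideo's body continues outside the hunk.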
@@ -255,42 +255,59 @@ var clickVideoAttempts = 0; // Used with clickVideo()
 * @param videoId The ID of the video to click
 */
 function clickVideo(videoId) {
+ if (!isAlphaNumeric(videoId)) {
+ clickDefaultVideo();
+ return;
+ }
+
 if ($("." + videoId).length != 0) { // if we find the video, click it and return
- $("." + videoId).addClass("noplay"); // add class to indicate we should NOT autoplay (class removed by loadVideo)
- $("." + videoId + ":first").click();
- return;
+ $("." + videoId).addClass("noplay"); // add class to indicate we should NOT autoplay (class removed by loadVideo)
+ $("." + videoId + ":first").click();
+ return;
 } else { // if we don't find it, increment clickVideoAttempts
- console.log("video NOT found: " + videoId);
- clickVideoAttempts++;
+ console.log("video NOT found: " + videoId);
+ clickVideoAttempts++;
 }
 // if we don't find it after 20 attempts (2 seconds), click the first feature video
 if (clickVideoAttempts > 10) {
- console.log("video never found, clicking default...");
+ console.log("video never found, clicking default...");
 clickVideoAttempts = 0;
 clickDefaultVideo();
 } else { // try again after 100 milliseconds
- setTimeout('clickVideo("'+videoId+'")', 100);
+ setTimeout('clickVideo("' + videoId + '")', 100);
+ }
+}
+
+/* returns true if the provided text is alphanumeric, false otherwise
+ TODO: move this to the dev site js library */
+function isAlphaNumeric(text){
+ var regex=/^[0-9A-Za-z]+$/; //^[a-zA-z]+$/
+ if(regex.test(text)){
+ return true;
+ } else {
+ console.log("Bogus video ID");
+ return false;
 }
 }
 /* Click the default video that should be loaded on page load (the first video in the featured list) */
 function clickDefaultVideo() {
- if ($("#mainBodyRight .videoPreviews a:first").length != 0) {
- var videoId = $("#mainBodyRight .videoPreviews a:first").attr("class");
+ if ($("#mainBodyRight .videoPreviews a:first").length != 0) {
+ var videoId = $("#mainBodyRight .videoPreviews a:first").attr("class");
 $("." + videoId).addClass("noplay"); // add class to indicate we should NOT autoplay (class removed by loadVideo)
- $("." + videoId + ":first").click();
- return;
+ $("." + videoId + ":first").click();
+ return;
 } else { // if we don't find it, increment clickVideoAttempts
- console.log("default video NOT found");
- clickVideoAttempts++;
+ console.log("default video NOT found");
+ clickVideoAttempts++;
 }
 // if we don't find it after 50 attempts (5 seconds), just fail
 if (clickVideoAttempts > 50) {
- console.log("default video never found...");
+ console.log("default video never found...");
 } else { // try again after 100 milliseconds
- setTimeout('clickDefaultVideo()', 100);
+ setTimeout('clickDefaultVideo()', 100);
 }
 }
 </script> |
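Review bot: The retry path in clickVideo still uses the string form of setTimeout, `setTimeout('clickVideo("' + videoId + '")', 100);`, which evaluates source text assembled from the input, so the new isAlphaNumeric() check is now the only thing keeping that string well-formed. Passing a closure instead, `setTimeout(function () { clickVideo(videoId); }, 100);`, removes the string evaluation entirely, and clickDefaultVideo's `setTimeout('clickDefaultVideo()', 100)` can likewise become `setTimeout(clickDefaultVideo, 100)`. In isAlphaNumeric the remnant comment `//^[a-zA-z]+$/` should be deleted: that `A-z` range also covers `[`, `\`, `]`, `^`, `_` and backtick, so it is a trap for whoever later moves the helper to the shared library as the TODO suggests. Since `$("." + videoId)` remains a selector built by concatenation and is safe only because of the check above it, a one-line comment at the check such as `// videoId must stay validated alphanumeric: it is concatenated into jQuery selectors and a setTimeout string below` would record why the guard must not be removed.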