Changeset 3325 for branches/2.2/jabberit_messenger
- Timestamp:
- 10/05/10 16:08:15 (14 years ago)
- Location:
- branches/2.2/jabberit_messenger/jmessenger/js
- Files:
-
- 2 edited
branches/2.2/jabberit_messenger/jmessenger/js/trophyim.js
r3320 r3325 810 810 811 811 // Get Message 812 var _message = document.createElement("div"); 813 _message.innerHTML = Strophe.getText(elems[0]); 814 812 var _message = document.createElement("div"); 813 var _text = Strophe.getText( elems[0] ); 814 815 // Events Javascript 816 _text = _text.replace(/onblur/gi,"EVENT_DENY"); 817 818 _text = _text.replace(/onchange/gi,"EVENT_DENY"); 819 820 _text = _text.replace(/onclick/gi,"EVENT_DENY"); 821 822 _text = _text.replace(/ondblclick/gi,"EVENT_DENY"); 823 824 _text = _text.replace(/onerror/gi,"EVENT_DENY"); 825 826 _text = _text.replace(/onfocus/gi,"EVENT_DENY"); 827 828 _text = _text.replace(/onkeydown/gi,"EVENT_DENY"); 829 830 _text = _text.replace(/onkeypress/gi,"EVENT_DENY"); 831 832 _text = _text.replace(/onkeyup/gi,"EVENT_DENY"); 833 834 _text = _text.replace(/onmousedown/gi,"EVENT_DENY"); 835 836 _text = _text.replace(/onmousemove/gi,"EVENT_DENY"); 837 838 _text = _text.replace(/onmouseout/gi,"EVENT_DENY"); 839 840 _text = _text.replace(/onmouseover/gi,"EVENT_DENY"); 841 842 _text = _text.replace(/onmouseup/gi,"EVENT_DENY"); 843 844 _text = _text.replace(/onresize/gi,"EVENT_DENY"); 845 846 _text = _text.replace(/onselect/gi,"EVENT_DENY"); 847 848 _text = _text.replace(/onunload/gi,"EVENT_DENY"); 849 850 // Events CSS 851 _text = _text.replace(/style/gi,"EVENT_DENY"); 852 853 _message.innerHTML = _text; 854 855 ////////// BEGIN XSS ////////////////////////////////////////////////// 815 856 // Delete Tags <SCRIPT> 816 857 var scripts = _message.getElementsByTagName('script'); 817 818 for (var i = 0; i < scripts.length; i++) 819 _message.removeChild(scripts[i--]); 858 for (var i = 0; i < scripts.length; i++){ _message.removeChild(scripts[i--]); } 859 //////////////////////////////////////////////////// 820 860 821 861 // Delete Tags <IMG> 822 862 var _imgSrc = _message.getElementsByTagName('img'); 823 824 for (var i = 0; i < _imgSrc.length; i++) 825 _message.removeChild( _imgSrc[i--] ); 826 863 for (var i = 0; i < 
_imgSrc.length; i++){ _message.removeChild( _imgSrc[i--] ); } 864 //////////////////////////////////////////////////// 865 866 // Delete Tags <DIV> 867 var _Div = _message.getElementsByTagName('div'); 868 for (var i = 0; i < _Div.length; i++){ _message.removeChild( _Div[i--] ); } 869 //////////////////////////////////////////////////// 870 871 // Delete Tags <SPAN> 872 var _Span = _message.getElementsByTagName('span'); 873 for (var i = 0; i < _Span.length; i++){ _message.removeChild( _Span[i--] ); } 874 //////////////////////////////////////////////////// 875 876 // Delete Tags <IFRAME> 877 var _Iframe = _message.getElementsByTagName('iframe'); 878 for (var i = 0; i < _Iframe.length; i++){ _message.removeChild( _Iframe[i--] ); } 879 880 // Delete Tags <A HREF> 881 var _aHref = _message.getElementsByTagName('a'); 882 for (var i = 0; i < _aHref.length; i++){ _message.removeChild( _aHref[i--] ); } 883 884 827 885 _message.innerHTML = _message.innerHTML.replace(/^\s+|\s+$|^\n|\n$/g, ""); 886 ////////// END XSS ////////////////////////////////////////////////// 828 887 829 888 // Get Smiles -
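Review bot: The denylist added at new lines 816–851 still lets scriptable markup through: `onload`, `onsubmit`, `oninput` and the pointer/animation/transition handlers are not in the list, `<object>`, `<embed>`, `<svg>`, `<form>` and `javascript:` URLs in `src`/`href`/`formaction` attributes are never removed, and `_message.removeChild(...)` in the loops at 858–882 throws for any matched element that is not a direct child of `_message` (for example `<b><iframe>`), which aborts the whole message handler instead of sanitizing. The substring replaces are also lossy for ordinary text, since `/style/gi` and `/onclick/gi` rewrite words like "lifestyle" or a quoted attribute name in prose to `EVENT_DENY`. Because the chat body is untrusted, treat it as text rather than HTML: `_message.textContent = Strophe.getText(elems[0]);` in place of the replace chain, the `_message.innerHTML = _text` assignment and the six removal loops, then run `loadscript.getSmiles` on the resulting already-escaped `innerHTML` as before. Whether `Strophe.getText` itself XML-escapes its result depends on the bundled Strophe version, so that cannot be relied on from this hunk; either way the `innerHTML = _text` assignment is what reintroduces markup. The enclosing message handler starts and ends outside the hunk.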
branches/2.2/jabberit_messenger/jmessenger/js/trophyim.mini.js
r3320 r3325 130 130 {state="";chatStateOnOff=document.getElementById(jid_lower+"__chatStateOnOff");if(active.length>0&chatStateOnOff!=null) 131 131 {chatStateOnOff.value='on';} 132 var _message=document.createElement("div");_message.innerHTML=Strophe.getText(elems[0]);var scripts=_message.getElementsByTagName('script');for(var i=0;i<scripts.length;i++) 133 _message.removeChild(scripts[i--]);var _imgSrc=_message.getElementsByTagName('img');for(var i=0;i<_imgSrc.length;i++) 134 _message.removeChild(_imgSrc[i--]);_message.innerHTML=_message.innerHTML.replace(/^\s+|\s+$|^\n|\n$/g,"");_message.innerHTML=loadscript.getSmiles(_message.innerHTML);if(type=='chat'||type=='normal') 132 var _message=document.createElement("div");var _text=Strophe.getText(elems[0]);_text=_text.replace(/onblur/gi,"EVENT_DENY");_text=_text.replace(/onchange/gi,"EVENT_DENY");_text=_text.replace(/onclick/gi,"EVENT_DENY");_text=_text.replace(/ondblclick/gi,"EVENT_DENY");_text=_text.replace(/onerror/gi,"EVENT_DENY");_text=_text.replace(/onfocus/gi,"EVENT_DENY");_text=_text.replace(/onkeydown/gi,"EVENT_DENY");_text=_text.replace(/onkeypress/gi,"EVENT_DENY");_text=_text.replace(/onkeyup/gi,"EVENT_DENY");_text=_text.replace(/onmousedown/gi,"EVENT_DENY");_text=_text.replace(/onmousemove/gi,"EVENT_DENY");_text=_text.replace(/onmouseout/gi,"EVENT_DENY");_text=_text.replace(/onmouseover/gi,"EVENT_DENY");_text=_text.replace(/onmouseup/gi,"EVENT_DENY");_text=_text.replace(/onresize/gi,"EVENT_DENY");_text=_text.replace(/onselect/gi,"EVENT_DENY");_text=_text.replace(/onunload/gi,"EVENT_DENY");_text=_text.replace(/style/gi,"EVENT_DENY");_message.innerHTML=_text;var scripts=_message.getElementsByTagName('script');for(var i=0;i<scripts.length;i++){_message.removeChild(scripts[i--]);} 133 var _imgSrc=_message.getElementsByTagName('img');for(var i=0;i<_imgSrc.length;i++){_message.removeChild(_imgSrc[i--]);} 134 var _Div=_message.getElementsByTagName('div');for(var 
i=0;i<_Div.length;i++){_message.removeChild(_Div[i--]);} 135 var _Span=_message.getElementsByTagName('span');for(var i=0;i<_Span.length;i++){_message.removeChild(_Span[i--]);} 136 var _Iframe=_message.getElementsByTagName('iframe');for(var i=0;i<_Iframe.length;i++){_message.removeChild(_Iframe[i--]);} 137 var _aHref=_message.getElementsByTagName('a');for(var i=0;i<_aHref.length;i++){_message.removeChild(_aHref[i--]);} 138 _message.innerHTML=_message.innerHTML.replace(/^\s+|\s+$|^\n|\n$/g,"");_message.innerHTML=loadscript.getSmiles(_message.innerHTML);if(type=='chat'||type=='normal') 135 139 {if(_message.hasChildNodes()) 136 140 {var message={contact:"["+stamp+"] <font style='font-weight:bold; color:black;'>"+contact+"</font>",msg:"</br>"+_message.innerHTML};TrophyIM.addMessage(TrophyIM.makeChat(from),jid_lower,message);}}