fu ([personal profile] fu) wrote in [site community profile] changelog, 2011-08-22 08:30 am

[dw-free] Class names with "eval" unusable in CSS

[commit: http://hg.dwscoalition.org/dw-free/rev/fc856c03f49d]

http://bugs.dwscoalition.org/show_bug.cgi?id=2133

Add another class for posters / journals with "eval" in their username.
Example: class="poster-medieval" becomes class="poster-medievalb poster-mediev-l",
so that the element can still be targeted without causing the CSS cleaner to
choke on suspect CSS (that looks like JavaScript).

Patch by [personal profile] rb.

Files modified:
  • bin/upgrading/s2layers/core2.s2
  • cgi-bin/LJ/S2.pm
--------------------------------------------------------------------------------
diff -r 8de9897c370d -r fc856c03f49d bin/upgrading/s2layers/core2.s2
--- a/bin/upgrading/s2layers/core2.s2	Mon Aug 22 16:16:02 2011 +0800
+++ b/bin/upgrading/s2layers/core2.s2	Mon Aug 22 16:26:01 2011 +0800
@@ -928,6 +928,9 @@
 function builtin pageview_unique_string () : string
 "Returns a unique string for the remote user.";
 
+function builtin clean_css_classname (string classname) : string
+"Provide a version of a string that's always suitable for classnames, with potentially suspicious words present in original and modified forms.";
+
 function builtin alternate (string a, string b) : string
 "With each call, this function will alternate between the two values and return one of them.
 Useful for making tables whose rows alternate in background color.";
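
Review bot: The docstring added for clean_css_classname does not say that the return value can be two space-separated class names instead of one, nor which words count as "potentially suspicious". A layer author calling this builtin needs to know the result is only suitable for dropping whole into a class attribute, not for use as a single selector or for further concatenation. Suggest stating that and naming the word(s) currently handled.
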
@@ -4787,8 +4790,8 @@
     var string poster;
     var string journal;
     if ($this.journal.journal_type != "I") {
-        $poster = "poster-$this.poster.username";
-        $journal = "journal-$this.journal.username";
+        $poster = clean_css_classname( "poster-$this.poster.username" );
+        $journal = clean_css_classname( "journal-$this.journal.username" );
     }
     var string userpic = $this.userpic ? "has-userpic" : "no-userpic";
 
diff -r 8de9897c370d -r fc856c03f49d cgi-bin/LJ/S2.pm
--- a/cgi-bin/LJ/S2.pm	Mon Aug 22 16:16:02 2011 +0800
+++ b/cgi-bin/LJ/S2.pm	Mon Aug 22 16:26:01 2011 +0800
@@ -2579,6 +2579,21 @@
     return $scratch->{alternate}{"$one\0$two"} ? $one : $two;
 }
 
+sub clean_css_classname
+{
+    my ($ctx, $classname) = @_;
+    my $clean_classname;
+
+    if ($classname =~ /eval/) {
+        $clean_classname = $classname . " ";
+        $classname =~ s/eval/ev-l/g;
+        $clean_classname .= $classname;
+    } else {
+        $clean_classname = $classname;
+    }
+    return $clean_classname;
+}
+
 sub set_content_type
 {
     my ($ctx, $type) = @_;
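
Review bot: The test `if ($classname =~ /eval/)` hardcodes a single, case-sensitive word, while the builtin's docstring speaks of "potentially suspicious words" in general. If the CSS cleaner rejects other substrings or matches case-insensitively, this helper will miss them, so suggest driving both from one shared word list so they cannot drift apart. Also, the returned string still carries the original name first (`$classname . " "`), so the markup keeps the "eval" form. A comment saying this is intentional, and that only the `ev-l` form is meant to be referenced from user CSS, would help the next reader.
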
--------------------------------------------------------------------------------

[personal profile] jeshyr 2011-08-22 11:18 am (UTC)
This is the bit where I do the embarrassing happy dance \o/

[personal profile] pne 2011-08-25 09:26 am (UTC)
Hm, is "eval" the only thing that gets stripped by the CSS cleaner?

A quick google brought up this snippet which also checks for (among others), "behavior", "behaviour", and "expression", which also vaguely ring a bell for "active code in CSS" for me. (See lines 33-34 for more ideas - check against CSS cleaner.)

If those are also stripped, then poor users like "expression" or "badbehavior" will also have problems with CSS classes and will require a similar workaround/fix.