Fixed issues reported by cure53.de

Fixed issues CLP-01-014 and CLP-01-015

frontend/beta/js/Clipperz/Base.js

@@ -246,6 +246,34 @@ MochiKit.Base.update(Clipperz.Base, {
 		return result;
 	},
 
+	'javascriptInjectionPattern': new RegExp("javascript:\/\/\"", "g"),
+	
+	'sanitizeUrl': function(aValue) {
+		var	result;
+		
+		if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) {
+			result = aValue.replace(this.javascriptInjectionPattern, '');
+			console.log("sanitized url", aValue, result);
+		} else {
+			result = aValue;
+		}
+
+		return result;
+	},
+
+	'sanitizeFavicon': function(aValue) {
+		var	result;
+		
+		if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) {
+			result = aValue.replace(this.javascriptInjectionPattern, '');
+			console.log("sanitized favicon", aValue, result);
+		} else {
+			result = aValue;
+		}
+
+		return result;
+	},
+
 	//-------------------------------------------------------------------------
 
 	'exception': {

frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js

@@ -138,7 +138,7 @@ Clipperz.PM.BookmarkletProcessor.prototype = MochiKit.Base.update(null, {
 		if (this._hostname == null) {
 			var actionUrl;
 			
-			actionUrl = this.configuration()['form']['attributes']['action'];
+			actionUrl = Clipperz.Base.sanitizeUrl(this.configuration()['form']['attributes']['action']);
 //MochiKit.Logging.logDebug("+++ actionUrl: " + actionUrl);
 			this._hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1');
 		}

frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js

@@ -100,7 +100,7 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C
 		result.push(option);
 		for (recordFieldKey in recordFields) {
 //	TODO: remove the value: field and replace it with element.dom.value = <some value>
-			option = {tag:'option', value:recordFieldKey, html:recordFields[recordFieldKey].label()}
+			option = {tag:'option', value:recordFieldKey, html:Clipperz.Base.sanitizeString(recordFields[recordFieldKey].label())}
 			if (recordFieldKey == this.directLoginBinding().fieldKey()) {
 				option['selected'] = true;
 			}
@@ -150,7 +150,7 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C
 		this.getElement('editModeBox').hide();
 		this.getElement('viewModeBox').show();
 
-		this.getElement('viewValue').update(this.directLoginBinding().field().label());
+		this.getElement('viewValue').update(Clipperz.Base.sanitizeString(this.directLoginBinding().field().label()));
 //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateViewMode");
 	},
 

frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js

@@ -38,7 +38,7 @@ Clipperz.PM.DataModel.DirectLogin = function(args) {
 	this._record = args.record || null;
 	this._label = args.label || "unnamed record"
 	this._reference = args.reference || Clipperz.PM.Crypto.randomKey();
-	this._favicon = args.favicon || null;
+	this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null;
 	this._bookmarkletVersion = args.bookmarkletVersion || "0.1";
 
 	this._directLoginInputs = null;
@@ -102,9 +102,9 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
 			var	actionUrl;
 			var hostname;
 			
-			actionUrl = this.formData()['attributes']['action'];
+			actionUrl = this.action();
 			hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1');
-			this._favicon = "http://" + hostname + "/favicon.ico";
+			this._favicon = Clipperz.Base.sanitizeFavicon("http://" + hostname + "/favicon.ico");
 		}
 
 		return this._favicon;
@@ -137,6 +137,14 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
 		this._fixedFavicon = aValue;
 	},
 	
+	'action': function () {
+		var	result;
+		
+		result = Clipperz.Base.sanitizeUrl(this.formData()['attributes']['action']);
+		
+		return result;
+	},
+	
 	//-------------------------------------------------------------------------
 
 	'bookmarkletVersion': function() {
@@ -442,7 +450,7 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
 //MochiKit.Logging.logDebug("### runDirectLogin - 4");
 //console.log(this.formData()['attributes']);
 			formElement = MochiKit.DOM.FORM(MochiKit.Base.update({id:'directLoginForm'}, {	'method':this.formData()['attributes']['method'],
-																							'action':this.formData()['attributes']['action']}));
+																							'action': this.action()}));
 //MochiKit.Logging.logDebug("### runDirectLogin - 5");
 			formSubmitFunction = MochiKit.Base.method(formElement, 'submit');
 //MochiKit.Logging.logDebug("### runDirectLogin - 6");
@@ -487,9 +495,9 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
 
 //console.log("formData.attributes", this.formData()['attributes']);
 //		if (/^javascript/.test(this.formData()['attributes']['action'])) {
-		if ((/^(https?|webdav|ftp)\:/.test(this.formData()['attributes']['action']) == false) &&
-			(this.formData()['attributes']['type'] != 'http_auth'))
-		{
+		if ((/^(https?|webdav|ftp)\:/.test(this.action()) == false) &&
+			(this.formData()['attributes']['type'] != 'http_auth')
+		) {
 			var messageBoxConfiguration;
 
 			if (typeof(aNewWindow) != 'undefined') {

frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js

@@ -47,7 +47,7 @@ Clipperz.PM.DataModel.DirectLoginReference = function(args) {
 		this._reference = args.reference;
 		this._recordReference = args.record;
 		this._label = args.label;
-		this._favicon = args.favicon || null;
+		this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null;
 	
 		this._directLogin = null;
 		this._record = null;