author | Costa Tsaousis (ktsaou) <costa@tsaousis.gr> | 2018-01-30 23:05:12 +0200 |
committer | Costa Tsaousis (ktsaou) <costa@tsaousis.gr> | 2018-01-30 23:05:12 +0200 |
commit | 229a733ac9766c9a1267716665eba6368ac4cf1e (patch) | |
tree | 955f5827089445035e8df4462c7f34175aaeaaea /web | |
parent | 7734abbb94a3a65d44ca927d7ed728fef96d74ac (diff) |
optimize xss checks for speed
Diffstat (limited to 'web')
-rw-r--r-- | web/dashboard.js | 68 | ||||
-rw-r--r-- | web/index.html | 1 |
2 files changed, 31 insertions, 38 deletions
diff --git a/web/dashboard.js b/web/dashboard.js
index fb484f275d..039e3259e9 100644
--- a/web/dashboard.js
+++ b/web/dashboard.js
@@ -109,56 +109,48 @@ var NETDATA = window.NETDATA || {}; enabled_for_data: (typeof netdataCheckXSS === 'undefined')?false:netdataCheckXSS, string: function (s) { - if (typeof s === 'string' || typeof s === 'number' || typeof s === 'boolean') - return s.toString() - .replace(/</g, '<') - .replace(/>/g, '>') - .replace(/"/g, '"') - .replace(/'/g, '#27;'); - - return ''; + return s.toString() + .replace(/</g, '<') + .replace(/>/g, '>') + .replace(/"/g, '"') + .replace(/'/g, '#27;'); }, object: function(name, obj, ignore_regex) { - if(obj === null) return obj; - - var type = typeof(obj); - if(type === 'undefined' || type === 'number') return obj; - - if(typeof ignore_regex !== 'undefined') { - if(ignore_regex.test(name) === true) { - // console.log('XSS: ignoring "' + name + '"'); - return obj; - } + if(typeof ignore_regex !== 'undefined' && ignore_regex.test(name) === true) { + // console.log('XSS: ignoring "' + name + '"'); + return obj; } - if(type === 'object' && Array.isArray(obj)) - type = 'array'; - - var ret, i, len; - switch (type) { + switch (typeof(obj)) { case 'string': - ret = this.string(obj); + var ret = this.string(obj); if(ret !== obj) console.log('XSS protection changed string ' + name + ' from "' + obj + '" to "' + ret + '"'); return ret; case 'object': - for(i in obj) { - if(obj.hasOwnProperty(i) === false) continue; - if(this.string(i) !== i) { - console.log('XSS protection removed invalid object member "' + name + '.' + i + '"'); - delete obj[i]; - } - else - obj[i] = this.object(name + '.' 
+ i, obj[i], ignore_regex); - } - return obj; + if(obj === null) return obj; + + if(Array.isArray(obj) === true) { + // console.log('checking array "' + name + '"'); - case 'array': - len = obj.length; - while(len--) - obj[len] = this.object(name + '[' + len + ']', obj[len], ignore_regex); + var len = obj.length; + while(len--) + obj[len] = this.object(name + '[' + len + ']', obj[len], ignore_regex); + } + else { + // console.log('checking object "' + name + '"'); + for(var i in obj) { + if(obj.hasOwnProperty(i) === false) continue; + if(this.string(i) !== i) { + console.log('XSS protection removed invalid object member "' + name + '.' + i + '"'); + delete obj[i]; + } + else + obj[i] = this.object(name + '.' + i, obj[i], ignore_regex); + } + } return obj; default: diff --git a/web/index.html b/web/index.html index f0d50cf3b5..281f778b4c 100644 --- a/web/index.html +++ b/web/index.html @@ -3386,6 +3386,7 @@ document.getElementById('loadSnapshotInfo').innerHTML = ''; document.getElementById('loadSnapshotTimeRange').innerHTML = ''; document.getElementById('loadSnapshotComments').innerHTML = ''; + loadSnapshotModalLog('success', 'Browse for a snapshot file (or drag it and drop it here), then click <b>Import</b> to render it.'); $('#loadSnapshotImport').addClass('disabled'); }; |
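Review bot: The rewritten `string` helper drops its type guard, so `s.toString()` now throws a TypeError for `null` or `undefined` where the removed version returned `''`; inside `object` only string values and for-in keys reach it, but if `NETDATA.xss.string` is also called directly from code outside this hunk the guard should be kept as the first line, `if (typeof s !== 'string' && typeof s !== 'number' && typeof s !== 'boolean') return '';`. Separately, the apostrophe substitution on both sides of the hunk emits the numeric reference `#27;` — decimal 27 is the ESC control character, while the apostrophe is `&#39;` or `&#x27;` — so a browser decoding that output would not get the quote back; the rendering here appears to have dropped the `&` of every entity, so confirm against the file before changing it. The `default:` branch of `object` continues outside the hunk.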