Apply some upstream patches

2015-01-26 23:51:28 +03:00 · 2015-01-26 23:51:28 +03:00 · f03a1a0edf
commit f03a1a0edf
parent 9ab0a0add5
4 changed files with 536 additions and 528 deletions
--- a/js/3rdparty/webodf/editor/widgets/fontPicker.js
+++ b/js/3rdparty/webodf/editor/widgets/fontPicker.js
@ -36,9 +36,10 @@
 */
 /*global define,require,document */
 define("webodf/editor/widgets/fontPicker", [
-    "dijit/form/Select"],
+    "dijit/form/Select",
+    "dojox/html/entities"],

-    function (Select) {
+    function (Select, htmlEntities) {
        "use strict";

        /**
@ -101,7 +102,7 @@ define("webodf/editor/widgets/fontPicker", [
                    name = documentFonts[i].name;
                    family = documentFonts[i].family || name;
                    selectionList.push({
-                        label: '<span style="font-family: ' + family + ';">' + name + '</span>',
+                        label: '<span style="font-family: ' + htmlEntities.encode(family) + ';">' + htmlEntities.encode(name) + '</span>',
                        value: name
                    });
                }
@ -114,7 +115,7 @@ define("webodf/editor/widgets/fontPicker", [
                // Lastly populate the fonts provided by the editor
                for (i = 0; i < editorFonts.length; i += 1) {
                    selectionList.push({
-                        label: '<span style="font-family: ' + editorFonts[i] + ';">' + editorFonts[i] + '</span>',
+                        label: '<span style="font-family: ' + htmlEntities.encode(editorFonts[i]) + ';">' + htmlEntities.encode(editorFonts[i]) + '</span>',
                        value: editorFonts[i]
                    });
                }
--- a/js/3rdparty/webodf/editor/widgets/paragraphStyles.js
+++ b/js/3rdparty/webodf/editor/widgets/paragraphStyles.js
@ -39,9 +39,12 @@
 /*global define,require */

 define("webodf/editor/widgets/paragraphStyles",
-       ["webodf/editor/EditorSession"],
+       [
+           "dojox/html/entities",
+           "webodf/editor/EditorSession"
+       ],

-    function (EditorSession) {
+    function (htmlEntities, EditorSession) {
    "use strict";
    /**
     * @constructor
@ -99,7 +102,7 @@ define("webodf/editor/widgets/paragraphStyles",

            for (i = 0; i < availableStyles.length; i += 1) {
                selectionList.push({
-                    label: availableStyles[i].displayName,
+                    label: htmlEntities.encode(availableStyles[i].displayName),
                    value: availableStyles[i].name
                });
            }
@ -120,7 +123,7 @@ define("webodf/editor/widgets/paragraphStyles",
            if (select) {
                select.addOption({
                    value: styleInfo.name,
-                    label: newStyleElement.getAttributeNS(stylens, 'display-name')
+                    label: htmlEntities.encode(newStyleElement.getAttributeNS(stylens, 'display-name'))
                });
            }

--- a/js/3rdparty/webodf/webodf-debug.js
+++ b/js/3rdparty/webodf/webodf-debug.js
@ -1,4 +1,4 @@
-var webodf_version = "0.4.2-2050-g8d8fc02";
+var webodf_version = "0.4.2-2050-g8d8fc02-dirty";
 function Runtime() {
 }
 Runtime.prototype.getVariable = function(name) {
@ -13549,7 +13549,11 @@ gui.HyperlinkClickHandler = function HyperlinkClickHandler(getRootNode) {
        bookmarks[0].scrollIntoView(true)
      }
    }else {
-      runtime.getWindow().open(url)
+      if(/^\s*(javascript|data):/.test(url)) {
+        runtime.log("WARN:", "potentially malicious URL ignored")
+      }else {
+        runtime.getWindow().open(url)
+      }
    }
    if(e.preventDefault) {
      e.preventDefault()
--- a/js/3rdparty/webodf/webodf.js
+++ b/js/3rdparty/webodf/webodf.js