[epiphany/mcatanzaro/regressions: 2/2] output-encoding: remove JS encoding function
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany/mcatanzaro/regressions: 2/2] output-encoding: remove JS encoding function
- Date: Mon, 20 Dec 2021 17:05:35 +0000 (UTC)
commit b48eddfd40ac44cbd2c2f312f5ef76e0dddb534b
Author: Michael Catanzaro <mcatanzaro redhat com>
Date: Mon Dec 20 10:55:37 2021 -0600
output-encoding: remove JS encoding function
This is no longer required after #1665.
lib/ephy-output-encoding.c | 19 +++----------------
lib/ephy-output-encoding.h | 5 ++++-
2 files changed, 7 insertions(+), 17 deletions(-)
---
diff --git a/lib/ephy-output-encoding.c b/lib/ephy-output-encoding.c
index 7256059ed..2a7c1d0a8 100644
--- a/lib/ephy-output-encoding.c
+++ b/lib/ephy-output-encoding.c
@@ -38,9 +38,8 @@ ephy_encode_for_html_entity (const char *input)
return g_string_free (str, FALSE);
}
-static char *
-encode_all_except_alnum (const char *input,
- const char *format)
+char *
+ephy_encode_for_html_attribute (const char *input)
{
GString *str;
const char *c = input;
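Review bot: `ephy_encode_for_html_attribute` is now the exported implementation rather than a thin wrapper, yet nothing above its definition states its contract. I would add a short comment such as `/* Encodes every non-alphanumeric code point as &#xHH; for an HTML attribute value. Returns a newly allocated string; free with g_free(). */`, which matches the `g_string_free (str, FALSE)` return visible later in the diff. It is also worth noting there that this encoding does not by itself make a value safe in attributes whose content is interpreted as a URL or as script, since the header comment only points at the OWASP document in general terms. The function body continues outside this hunk.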
@@ -54,21 +53,9 @@ encode_all_except_alnum (const char *input,
if (g_unichar_isalnum (u))
g_string_append_unichar (str, u);
else
- g_string_append_printf (str, format, u);
+ g_string_append_printf (str, "&#x%02x;", u);
c = g_utf8_next_char (c);
} while (*c);
return g_string_free (str, FALSE);
}
-
-char *
-ephy_encode_for_html_attribute (const char *input)
-{
- return encode_all_except_alnum (input, "&#x%02x;");
-}
-
-char *
-ephy_encode_for_javascript (const char *input)
-{
- return encode_all_except_alnum (input, "\\u%04u;");
-}
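Review bot: The loop that closes with `} while (*c);` tests the terminator only after the body has run, so an empty `input` appears to be handled incorrectly. The first iteration would decode U+0000 and append `&#x00;`, then `g_utf8_next_char (c)` would step past the NUL before `*c` is read, which is a read beyond the end of the string. This assumes nothing above the hunk rejects empty input, since the loop's opening and any earlier validation are outside the hunk. Because this is now the function callers reach directly with untrusted data, consider guarding before the loop with `if (*input == '\0') return g_strdup ("");`, or restructure it as `while (*c) { … }`.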
diff --git a/lib/ephy-output-encoding.h b/lib/ephy-output-encoding.h
index 7ff6a33bd..7817e7a32 100644
--- a/lib/ephy-output-encoding.h
+++ b/lib/ephy-output-encoding.h
@@ -29,10 +29,13 @@ G_BEGIN_DECLS
*
* You must *carefully* read that document to safely inject untrusted data into
* web content. Here be dragons.
+ *
+ * If tempted to inject untrusted content into JavaScript, then also review:
+ * https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
+ * and consider not doing that.
*/
char *ephy_encode_for_html_entity (const char *input);
char *ephy_encode_for_html_attribute (const char *input);
-char *ephy_encode_for_javascript (const char *input);
G_END_DECLS