Fixing html injection in data fileds

7 years ago · ff1d42defd
parent bbdeffed65
commit ff1d42defd
1 changed files with 93 additions and 67 deletions
--- a/static/script.js
+++ b/static/script.js
@ -188,77 +188,103 @@ function show_part_info(partID) {
 	});
 }

+function perform_query() {
+	var query = $('.search-bar').val();
+	var filter = 0;
+	if($('#type').is(':checked'))
+		filter += 1;
+	if($('#partno').is(':checked'))
+		filter += 2 + 4 + 8;
+	if($('#description').is(':checked'))
+		filter += 16;
+	if($('#notes').is(':checked'))
+		filter += 32;
+	$.getJSON('https://www.elab.kth.se/parts/query/' + filter  + '/' + query, function(data) {
+		var newResults = $('<div class="results"></div>');
+		for(var i = 0; i < data.length; i++) { // Create new view for results
+			var newRow = $('<div class="reults-row"></div>');
+			var newClicker = $('<a href="#" onclick="show_part_info(' + data[i].id + ')"></a>');
+
+			newClicker.append($('<div class="results-block"></div>').text(text_filter(data[i].block)));
+			newClicker.append($('<div class="results-type"></div>').text(text_filter(data[i].type)));
+			newClicker.append($('<div class="results-partno"></div>').text(text_filter(data[i].partno)));
+			newClicker.append($('<div class="results-description"></div>').text(text_filter(data[i].description)));
+			var notes = $('<div class="results-notes"></div>');
+			if (data[i].notes != null && data[i].notes.length > 0) {
+				var icon = $('<i class="fa fa-sticky-note"></i>');
+				var tooltipText = $('<div class="tooltiptext"');
+				var tooltip = $('<div class="tooltip"></div>');
+				tooltip.append(icon, tooltipText);
+				notes.append(tooltip);
+			}
+			newClicker.append(notes);
+			newClicker.append($('<div class="results-datasheet"></div>')
+												.html('<a href="https://www.elab.kth.se/parts/getfile/'
+												+ data[i].datasheet.substring(0, data[i].datasheet.length - 4)
+												+ '"><i class="fa fa-file-text" aria-hidden="true"></i></a>'));
+
+			newRow.append(newClicker);
+			newResults.append(newRow);
+			/*newResults += '<div class="results-datasheet">';
+			if (data[i].datasheet != null)
+			newResults += '<a href="https://www.elab.kth.se/parts/getfile/' + data[i].datasheet.substring(0, data[i].datasheet.length - 4) + '"><i class="fa fa-file-text" aria-hidden="true"></i></a>';
+			newResults += '</div>';*/
+
+
+			//newResults += '<div class="results-row">';
+			//newResults += '<a href=# onclick="show_part_info(' + data[i].id + ')">'
+
+			/*newResults += '<div class="results-block">';
+			if (data[i].block != null)
+				newResults += data[i].block;
+			newResults += '</div>';*/
+
+			/*newResults += '<div class="results-type">';
+			if (data[i].type != null)
+				newResults += data[i].type;
+			newResults += '</div>';*/
+
+			/*newResults += '<div class="results-partno">';
+			if (data[i].partno != null)
+				newResults += data[i].partno;
+			newResults += '</div>';*/
+
+			/*newResults += '<div class="results-description">';
+			if (data[i].description != null)
+				newResults += data[i].description;
+			newResults += '</div>';*/
+
+			/*newResults += '<div class="results-notes">';
+			if (data[i].notes != null && data[i].notes.length > 0)
+				newResults += '<div class="tooltip"><i class="fa fa-sticky-note"></i><span class="tooltiptext">' + data[i].notes + '</span></div>';
+				//newResults += data[i].notes;
+			newResults += '</div>';*/
+
+			//newResults += '</a>'
+			//newResults += '</div>';
+		}
+		//newResults += '</div>';
+		if(data.length == 0) {
+				newResults = '<div class="results">';
+				newResults += '<h3>No results.</h3>';
+				newResults += '</div>';
+		}
+		$('.results').replaceWith(newResults);
+	}).fail(function() {
+		var newResults = '<div class="results">';
+		newResults += '<h3>No results.</h3>';
+		newResults += '</div>';
+		$('.results').replaceWith(newResults);
+		console.log( "Query failed" );
+	});
+}
+
 $(document).ready(function() {
    $.ajaxSetup({ cache: false });
    $('.search-bar').on('keyup', function() {
-        var query = $('.search-bar').val();
-        var filter = 0;
-        if($('#type').is(':checked'))
-          filter += 1;
-        if($('#partno').is(':checked'))
-          filter += 2 + 4 + 8;
-        if($('#description').is(':checked'))
-          filter += 16;
-        if($('#notes').is(':checked'))
-          filter += 32;
-        $.getJSON('https://www.elab.kth.se/parts/query/' + filter  + '/' + query, function(data) {
-            var newResults = '<div class="results">';
-            for(var i = 0; i < data.length; i++) { // Create new view for results
-              newResults += '<div class="results-row">';
-              newResults += '<a href=# onclick="show_part_info(' + data[i].id + ')">'
-
-              newResults += '<div class="results-block">';
-              if (data[i].block != null)
-                newResults += data[i].block;
-              newResults += '</div>';
-
-              newResults += '<div class="results-type">';
-              if (data[i].type != null)
-                newResults += data[i].type;
-              newResults += '</div>';
-
-              newResults += '<div class="results-partno">';
-              if (data[i].partno != null)
-                newResults += data[i].partno;
-              newResults += '</div>';
-
-              newResults += '<div class="results-description">';
-              if (data[i].description != null)
-                newResults += data[i].description;
-              newResults += '</div>';
-
-              newResults += '<div class="results-notes">';
-              if (data[i].notes != null && data[i].notes.length > 0)
-                newResults += '<div class="tooltip"><i class="fa fa-sticky-note"></i><span class="tooltiptext">' + data[i].notes + '</span></div>';
-                //newResults += data[i].notes;
-              newResults += '</div>';
-
-              newResults += '<div class="results-datasheet">';
-              if (data[i].datasheet != null)
-                newResults += '<a href="https://www.elab.kth.se/parts/getfile/' + data[i].datasheet.substring(0, data[i].datasheet.length - 4) + '"><i class="fa fa-file-text" aria-hidden="true"></i></a>';
-              newResults += '</div>';
-              newResults += '</a>'
-              newResults += '</div>';
-            }
-            newResults += '</div>';
-            if(data.length == 0) {
-                newResults = '<div class="results">';
-                newResults += '<h3>No results.</h3>';
-                newResults += '</div>';
-            }
-            $('.results').replaceWith(newResults);
-        }).fail(function() {
-            var newResults = '<div class="results">';
-            newResults += '<h3>No results.</h3>';
-            newResults += '</div>';
-            $('.results').replaceWith(newResults);
-            console.log( "Query failed" );
-        });
+			perform_query();
    });
-
    $('.toggle-btn').on('change', function() {
-        // Re-perform query
+        perform_query();
    });
-
-    //$('.results-row').on('click', );
 });