Replace all setTimeout strings with functions

This fixes a cross-site scripting vulnerability.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Anders Kaseorg 2017-01-20 13:13:31 -05:00
parent 0047f2578f
commit 88946d331a
5 changed files with 9 additions and 9 deletions


@ -198,7 +198,7 @@ function feedlist_init() {
loading_set_progress(50); loading_set_progress(50);
document.onkeydown = hotkey_handler; document.onkeydown = hotkey_handler;
setTimeout("hotkey_prefix_timeout()", 5*1000); setTimeout(hotkey_prefix_timeout, 5*1000);
if (!getActiveFeedId()) { if (!getActiveFeedId()) {
viewfeed({feed: -3}); viewfeed({feed: -3});


@ -668,7 +668,7 @@ function hotkey_prefix_timeout() {
Element.hide('cmdline'); Element.hide('cmdline');
} }
setTimeout("hotkey_prefix_timeout()", 1000); setTimeout(hotkey_prefix_timeout, 1000);
} catch (e) { } catch (e) {
exception_error("hotkey_prefix_timeout", e); exception_error("hotkey_prefix_timeout", e);
@ -1325,7 +1325,7 @@ function unsubscribeFeed(feed_id, title) {
updateFeedList(); updateFeedList();
} else { } else {
if (feed_id == getActiveFeedId()) if (feed_id == getActiveFeedId())
setTimeout("viewfeed({feed:-5})", 100); setTimeout(function() { viewfeed({feed:-5}) }, 100);
if (feed_id < 0) updateFeedList(); if (feed_id < 0) updateFeedList();
} }


@ -901,10 +901,10 @@ function init_second_stage() {
if (method == 'editFeed') { if (method == 'editFeed') {
var param = getURLParam('methodparam'); var param = getURLParam('methodparam');
window.setTimeout('editFeed(' + param + ')', 100); window.setTimeout(function() { editFeed(param) }, 100);
} }
setTimeout("hotkey_prefix_timeout()", 5*1000); setTimeout(hotkey_prefix_timeout, 5*1000);
} catch (e) { } catch (e) {
exception_error("init_second_stage", e); exception_error("init_second_stage", e);
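Review bot: `param` in the `editFeed` branch still comes unvalidated from `getURLParam('methodparam')` and now reaches `editFeed` as a raw string, whereas the old string timer would have turned a numeric value into a number. The hunk does not show what `editFeed` does with its argument, so, assuming feed ids are integers, I would constrain it before scheduling: `var param = parseInt(getURLParam('methodparam'), 10);` and `if (!isNaN(param)) window.setTimeout(function() { editFeed(param) }, 100);`. To keep string timers from coming back, ESLint's `no-implied-eval` rule or a Content-Security-Policy without `'unsafe-eval'` would catch them. `init_second_stage` starts and ends outside this hunk.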


@ -159,7 +159,7 @@ function viewCurrentFeed(method) {
function timeout() { function timeout() {
if (getInitParam("bw_limit") != "1") { if (getInitParam("bw_limit") != "1") {
request_counters(); request_counters();
setTimeout("timeout()", 60*1000); setTimeout(timeout, 60*1000);
} }
} }
@ -654,7 +654,7 @@ function init_second_stage() {
if (getInitParam("simple_update")) { if (getInitParam("simple_update")) {
console.log("scheduling simple feed updater..."); console.log("scheduling simple feed updater...");
window.setTimeout("update_random_feed()", 30*1000); window.setTimeout(update_random_feed, 30*1000);
} }
} catch (e) { } catch (e) {
@ -1130,7 +1130,7 @@ function update_random_feed() {
parameters: "op=rpc&method=updateRandomFeed", parameters: "op=rpc&method=updateRandomFeed",
onComplete: function(transport) { onComplete: function(transport) {
handle_rpc_json(transport, true); handle_rpc_json(transport, true);
window.setTimeout("update_random_feed()", 30*1000); window.setTimeout(update_random_feed, 30*1000);
} }); } });
} catch (e) { } catch (e) {


@ -2315,7 +2315,7 @@ function updateFloatingTitle(unread_only) {
function catchupCurrentBatchIfNeeded() { function catchupCurrentBatchIfNeeded() {
if (catchup_id_batch.length > 0) { if (catchup_id_batch.length > 0) {
window.clearTimeout(catchup_timeout_id); window.clearTimeout(catchup_timeout_id);
catchup_timeout_id = window.setTimeout('catchupBatchedArticles()', 1000); catchup_timeout_id = window.setTimeout(catchupBatchedArticles, 1000);
if (catchup_id_batch.length >= 10) { if (catchup_id_batch.length >= 10) {
catchupBatchedArticles(); catchupBatchedArticles();