
Commit 44500a2

committed
more xss fixes
1 parent 062df3c commit 44500a2


2 files changed

+16
-10
lines changed


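--- a/js/app.js
+++ b/js/app.js
@@ -495,7 +495,9 @@ var format_coordinates = function(lat, lon, name) {
 } else if(ua.indexOf('android') > -1) {
 a.href = 'geo:'+lat+','+lon+'?q='+lat+','+lon+'('+name+')'
 } else {
-a.href = 'https://www.google.com/maps/search/?api=1&query='+lat+','+lon+'" target="_blank" rel="noopener noreferrer">'
+a.href = 'https://www.google.com/maps/search/?api=1&query='+lat+','+lon
+a.target="_blank"
+a.rel="noopener noreferrer"
 }
 a.innerText = roundNumber(lat, 5) + ', ' + roundNumber(lon, 5)
 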
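Review bot: The `name` argument is still spliced raw into the `geo:` URI on the android branch (unchanged context line 496), and `lat`/`lon` go into both URIs without percent-encoding, so a serial containing `)`, `?`, `#` or `&` alters the URI rather than just the label; `encodeURIComponent(name)`, and the same for `lat` and `lon`, keeps each value inside its query component. Setting `href`, `target` and `rel` as DOM properties is the right repair for the attribute break-out the removed line had, since the browser handles attribute escaping when the element is serialized. format_coordinates begins before this hunk, so how `a` is created and whether it is returned as markup or as an element is not visible here.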

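--- a/js/sondehub.js
+++ b/js/sondehub.js
@@ -4835,22 +4835,26 @@ function updateRecoveryMarker(recovery) {
 }
 
 html = "<div style='line-height:16px;position:relative;'>";
-html += "<div><b>"+recovery.serial+_recovered_text+"</b></div>";
+html += "<div><b class='recovery_text'></b></div>";
 html += "<hr style='margin:5px 0px'>";
 html += "<div style='margin-bottom:5px;'><b><i class='icon-location'></i>&nbsp;</b>"+format_coordinates(recovery.lat, recovery.lon, recovery.serial)+"</div>";
 
-var imp = offline.get('opt_imperial');
-var text_alt = Number((imp) ? Math.floor(3.2808399 * parseInt(recovery.alt)) : parseInt(recovery.alt)).toLocaleString("us");
-text_alt += "&nbsp;" + ((imp) ? 'ft':'m');
-
-html += "<div><b>Time:&nbsp;</b>"+formatDate(stringToDateUTC(recovery.datetime))+"</div>";
-html += "<div><b>Reported by:&nbsp;</b>"+recovery.recovered_by+"</div>";
-html += "<div><b>Notes:&nbsp;</b>"+$('<div>').text(recovery.description).html()+"</div>";
-html += "<div><b>Flight Path:&nbsp;</b><a href=\"javascript:showRecoveredMap('" + recovery.serial + "')\">"+recovery.serial+"</a></div>";
+html += "<div><b>Time:&nbsp;</b><span class='recovery_time'></span></div>";
+html += "<div><b>Reported by:&nbsp;</b><span class='recovery_by'></span></div>";
+html += "<div><b>Notes:&nbsp;</b><span class='recovery_desc'></span></div>";
+html += "<div><b>Flight Path:&nbsp;</b><a href='#' class='recovery_path'></a></div>";
 
 html += "</div>";
 
 div.innerHTML = html;
+div.getElementsByClassName("recovery_text")[0].textContent = recovery.serial+_recovered_text
+div.getElementsByClassName("recovery_time")[0].textContent = formatDate(stringToDateUTC(recovery.datetime))
+div.getElementsByClassName("recovery_by")[0].textContent = recovery.recovered_by
+div.getElementsByClassName("recovery_desc")[0].textContent = recovery.description
+div.getElementsByClassName("recovery_path")[0].textContent = recovery.serial
+div.getElementsByClassName("recovery_path")[0].onclick = function(){
+showRecoveredMap(recovery.serial)
+}
 
 recovery.infobox.setContent(div);
 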
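Review bot: The new `recovery_path` anchor is given `href='#'`, and its onclick handler neither calls `preventDefault()` nor returns false, so every click also navigates to `#`, which changes the location hash and can scroll the page, whereas the removed `javascript:` URL did not; suggest `el.onclick = function(e){ e.preventDefault(); showRecoveredMap(recovery.serial); }`. The unchanged context line 4840 still concatenates `format_coordinates(recovery.lat, recovery.lon, recovery.serial)` into `html` as a string, so the move to `textContent` here only closes the serial-injection path if format_coordinates escapes the serial in whatever it returns — that function is outside this hunk and worth confirming. As a matter of style, the two `getElementsByClassName("recovery_path")[0]` lookups could become one `var path = div.querySelector('.recovery_path')`, and the other four lookups follow the same pattern. updateRecoveryMarker starts before this hunk.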
