plugins/toolbar


Log

Author Commit Date CI Message
Rob Wu 17e33bc0 2016-11-20T12:52:54 Reduce risk of XSS (#1051)
* Skip non-own properties of env.attributes
  Use `Object.keys` instead of a for-in loop to find optional attributes. The former only grabs keys that are own properties, the latter also includes inherited properties from `Object.prototype`. This reduces the risk of XSS if an attacker somehow manages to manipulate the prototype chain of the Object prototype.
* Fix root cause of XSS in autolinker plugin #1054
* command-line plugin: Safely encode attributes
  If an attacker has control over the values of the attributes "data-prompt", "data-user", or "data-host", then XSS was possible. This fixes the issue, by encoding quotes as the `&quot;` entity.
* show-language plugin: innerHTML -> textContent
  There is no need for `innerHTML` here. At best nothing happens, at worst XSS is possible (though the odds are negligible since the attacker would have to control the detected language).
* toolbar plugin: innerHTML -> textContent
Golmote 02514710 2016-11-19T12:18:05 Run gulp
James DiGioia 07b81ac7 2016-11-08T20:08:49 Plugins: Toolbar & Copy to Clipboard (#891)
* Add prism-toolbar plugin
  This plugin exposes a `registerButton` method, which other plugins can use to add buttons to the toolbar. Comes with styles.
* Add demo file for toolbar plugin
  Registers a "Hello World!" tag with the toolbar.
* Make `toolbar.registerButton` polymorphic
  This allows developers to provide either a callback or an object with a `text` string and an optional `onClick` function to create a new button.
* Add Toolbar & Copy to Clipboard to components.js
* Add Copy to Clipboard plugin
* Switch `innerHTML` to `textContent`
  This ensures additional HTML can't be passed to the toolbar via the `text` property, ensuring a consistent display for the buttons.
* Use `call` to bind `this` to the `onClick` method
  This provides access to the clicked element, which is what `this` is usually bound to on event listeners.
* Add hover animation to toolbar
* Add drop shadow to toolbar buttons
* Add `clipboard` to `optionalDependencies`
  This will install Clipboard.js when installing from `npm`, but won't fail the build if the installation of Clipboard.js fails.
* Load Clipboard.js from CDN if not present
* Display plugin code using data-src
* Recompile prism-toolbar
* Update Show Languages to be a Toolbar button
  Show Languages now registers a callback with the toolbar plugin to return an element with the language in it.
* Add basic HTML API & documentation
  The Toolbar will now be able to read a `data-label` attribute and add it to the code snippet.
* Switch a -> button when only providing onClick
  Also adds a `url` property which creates an anchor tag and sets the href. Adds some styles to override the button defaults.
* Add support for data-url to create anchor tag
  This allows the HTML API to create links in the Toolbar.
* Update toolbar to allow order controlled via HTML
  Uses a data-attribute on the `body` tag to update the order, should the user choose to do so.
* Allow template element to provide content to label
  This provides one of several options a user can implement in order to get a custom button. Also fixes some bugs in the documentation.
* Fix bug when combined with the autoloader plugin
  The autoloader will rehighlight the element after the language arrives. This means the complete hook can run multiple times. Without a check, multiple toolbars can get added to an element.