|
17e33bc0
|
2016-11-20T12:52:54
|
|
Reduce risk of XSS (#1051)
* Skip non-own properties of env.attributes
Use `Object.keys` instead of a for-in loop to find optional attributes.
The former only grabs keys that are own properties, the latter also
includes inherited properties from `Object.prototype`.
This reduces the risk of XSS if an attacker somehow manages to
manipulate the prototype chain of the Object prototype.
* Fix root cause of XSS in autolinker plugin #1054
* command-line plugin: Safely encode attributes
If an attacker has control over the values of the attributes
"data-prompt", "data-user", or "data-host", then XSS was possible.
This fixes the issue, by encoding quotes as the `&quot;` entity.
* show-language plugin: innerHTML -> textContent
There is no need for `innerHTML` here. At best nothing happens,
at worst XSS is possible (though the odds are negligible since
the attacker would have to control the detected language).
* toolbar plugin: innerHTML -> textContent
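The two patterns this commit contrasts, as an added example that is not Prism's own code: a for-in walk over `env.attributes` versus `Object.keys`, run against a constructed pollution of `Object.prototype`, and the unencoded versus encoded rendering of the command-line plugin's `data-user`/`data-host` attributes. `collectAttrsForIn`, `collectAttrsOwn`, `encodeAttr`, `renderPrompt` and the `injected` property are hypothetical names; the encoder goes a little beyond the commit (which encodes quotes) by also escaping `&`, `<` and `>`, so the value can neither close the attribute nor the tag.

```javascript
// Added example (not code from the Prism repository). It demonstrates the
// fixes described in commit 17e33bc0 without a DOM, so it runs under Node.

// Pre-fix pattern: for-in walks the prototype chain, so anything added to
// Object.prototype shows up as an "optional attribute".
function collectAttrsForIn(attributes) {
  const out = {};
  for (const key in attributes) {
    out[key] = attributes[key];
  }
  return out;
}

// Post-fix pattern: Object.keys() returns own enumerable properties only.
function collectAttrsOwn(attributes) {
  const out = {};
  for (const key of Object.keys(attributes)) {
    out[key] = attributes[key];
  }
  return out;
}

// Encoder for values placed inside a double-quoted HTML attribute.
// The commit encodes `"` as &quot;; `&`, `<` and `>` are escaped here as well
// (an assumption of this example, not of the commit).
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hypothetical renderer in the shape of the command-line plugin's prompt markup.
// `safe === false` reproduces the pre-fix string concatenation.
function renderPrompt(attrs, safe) {
  const enc = safe ? encodeAttr : (v) => String(v);
  return '<span class="command-line-prompt" data-user="' + enc(attrs['data-user']) +
    '" data-host="' + enc(attrs['data-host']) + '"></span>';
}

// Constructed scenario: some earlier code has polluted Object.prototype with a
// payload. Returns the attribute names each collector would hand on.
function demoPrototypePollution() {
  Object.prototype.injected = '"><img src=x onerror=alert(1)>';
  try {
    const env = { attributes: { 'data-user': 'alice' } };
    return {
      forIn: Object.keys(collectAttrsForIn(env.attributes)).sort(),
      own: Object.keys(collectAttrsOwn(env.attributes)).sort(),
    };
  } finally {
    delete Object.prototype.injected; // undo the constructed pollution
  }
}
```

`demoPrototypePollution()` returns `{ forIn: ['data-user', 'injected'], own: ['data-user'] }`: only the for-in collector picks up the polluted key. For the attribute case, `renderPrompt({ 'data-user': '" onmouseover="alert(1)', 'data-host': 'h' }, false)` emits a new `onmouseover` attribute, while the encoded form keeps the whole value inside `data-user`.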
|
|
07b81ac7
|
2016-11-08T20:08:49
|
|
Plugins: Toolbar & Copy to Clipboard (#891)
* Add prism-toolbar plugin
This plugin exposes a `registerButton` method, which other
plugins can use to add buttons to the toolbar. Comes with
styles.
* Add demo file for toolbar plugin
Registers a "Hello World!" tag with the toolbar.
* Make `toolbar.registerButton` polymorphic
This allows developers to provide either a callback or an object
with a `text` string and an optional `onClick` function to create
a new button.
* Add Toolbar & Copy to Clipboard to components.js
* Add Copy to Clipboard plugin
* Switch `innerHTML` to `textContent`
This ensures additional HTML can't be passed to the toolbar
via the `text` property, ensuring a consistent display for the
buttons.
* Use `call` to bind `this` to the `onClick` method
This provides access to the clicked element, which is what `this`
is usually bound to on event listeners.
* Add hover animation to toolbar
* Add drop shadow to toolbar buttons
* Add `clipboard` to `optionalDependencies`
This will install Clipboard.js when installing from `npm`, but
won't fail the build if the installation of Clipboard.js fails.
* Load Clipboard.js from CDN if not present
* Display plugin code using data-src
* Recompile prism-toolbar
* Update Show Languages to be a Toolbar button
Show Languages now registers a callback with the toolbar
plugin to return an element with the language in it.
* Add basic HTML API & documentation
The Toolbar will now be able to read a `data-label` attribute
and add it to the code snippet.
* Switch a -> button when only providing onClick
Also adds a `url` property which creates an anchor tag and sets
the href. Adds some styles to override the button defaults.
* Add support for data-url to create anchor tag
This allows the HTML API to create links in the Toolbar.
* Update toolbar to allow order controlled via HTML
Uses a data-attribute on the `body` tag to update the order,
should the user choose to do so.
* Allow template element to provide content to label
This provides one of several options a user can implement in order to
get a custom button.
Also fixes some bugs in the documentation.
* Fix bug when combined with the autoloader plugin
The autoloader will rehighlight the element after the language arrives.
This means the complete hook can run multiple times. Without a check,
multiple toolbars can get added to an element.
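A dependency-free model of the API shape this commit describes, as an added example that is not the Prism toolbar plugin's code: a polymorphic `registerButton` (callback, or object with `text`, optional `onClick`, optional `url`), a label read from `data-label` and written through `textContent`, ordering overridable from a comma-separated attribute, and the guard that keeps the hook idempotent when it runs twice on the same element. `createElement`, `registry`, `hook`, `demo` and the `data-toolbar` marker are hypothetical stand-ins so the block runs under Node without a DOM.

```javascript
// Added example (not code from the Prism repository). A tiny DOM stand-in:
// a node has a tag, attributes, children, textContent and listeners.
function createElement(tag) {
  return { tag, attrs: {}, children: [], textContent: '', listeners: {} };
}

const registry = {};   // key -> callback(env) returning a node or null
const order = [];      // registration order, unless the page overrides it

// Polymorphic registration: either a callback or a {text, onClick, url} object.
function registerButton(key, opts) {
  if (typeof opts === 'function') {
    registry[key] = opts;
  } else {
    registry[key] = function (env) {
      const label = typeof opts.text === 'function' ? opts.text(env) : opts.text;
      const el = createElement(opts.url ? 'a' : 'button');
      if (opts.url) el.attrs.href = opts.url;
      // textContent, not innerHTML: a label such as "<img onerror=...>" stays literal text.
      el.textContent = String(label);
      if (opts.onClick) el.listeners.click = opts.onClick;
      return el;
    };
  }
  order.push(key);
}

// Builds the toolbar for env.element once. The complete hook may fire more than
// once per element (the autoloader rehighlights after the language loads), so the
// data-toolbar marker makes a second run a no-op instead of a second toolbar.
function hook(env, bodyOrder) {
  const pre = env.element;
  if (pre.attrs['data-toolbar']) return pre;
  const toolbar = createElement('div');
  const keys = bodyOrder
    ? bodyOrder.split(',').map(k => k.trim()).filter(k => registry[k])
    : order;
  for (const key of keys) {
    const node = registry[key](env);
    if (node) toolbar.children.push(node);
  }
  pre.children.push(toolbar);
  pre.attrs['data-toolbar'] = 'true';
  return pre;
}

// HTML API: a data-label attribute becomes a text-only label.
registerButton('label', function (env) {
  const label = env.element.attrs['data-label'];
  if (!label) return null;
  const el = createElement('span');
  el.textContent = label;
  return el;
});
registerButton('copy', { text: 'Copy', onClick: function () { /* clipboard omitted */ } });
registerButton('docs', { text: 'Docs', url: 'https://example.invalid/docs' });

// Constructed scenario: an attacker-controlled data-label and a hook that runs twice.
function demo() {
  const pre = createElement('pre');
  pre.attrs['data-label'] = '<img src=x onerror=alert(1)>';
  const env = { element: pre };
  hook(env);
  hook(env); // second run, as after an autoloader rehighlight
  return pre;
}
```

`demo()` returns a `<pre>` with exactly one toolbar holding three nodes; the first carries the hostile label as plain text, the second is a `button` (no `url`), the third an `a` with `href` set. Passing `'docs,copy'` as `bodyOrder` to `hook` yields only those two buttons, in that order.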
|