docs: enforce alphanumeric strings for video id to prevent XSS
bug 4399806

Change-Id: Ie55a2b40687bb68e734012cecf22de62b4f4cf7e
diff --git a/docs/html/videos/index.jd b/docs/html/videos/index.jd
index 0274095..50bdb46 100644
--- a/docs/html/videos/index.jd
+++ b/docs/html/videos/index.jd
@@ -62,7 +62,7 @@
  */
 function loadVideo(id, title, autoplay) {
   if($("." + id).hasClass("noplay")) {
-  	console.log("noplay");
+  	//console.log("noplay");
   	autoplay = false;
   	$("." + id).removeClass("noplay");
   }
@@ -255,42 +255,59 @@
  * @param videoId  The ID of the video to click
  */
 function clickVideo(videoId) {
+  if (!isAlphaNumeric(videoId)) {
+    clickDefaultVideo();
+    return;
+  }
+  
   if ($("." + videoId).length != 0) {  // if we find the video, click it and return
-   $("." + videoId).addClass("noplay"); // add class to indicate we should NOT autoplay (class removed by loadVideo)
-  	$("." + videoId + ":first").click();
-	 return;
+    $("." + videoId).addClass("noplay"); // add class to indicate we should NOT autoplay (class removed by loadVideo)
+    $("." + videoId + ":first").click();
+    return;
   } else { // if we don't find it, increment clickVideoAttempts
-	 console.log("video NOT found: " + videoId);
-	 clickVideoAttempts++;
+    console.log("video NOT found: " + videoId);
+    clickVideoAttempts++;
   }
 
   // if we don't find it after 20 attempts (2 seconds), click the first feature video
   if (clickVideoAttempts > 10) {
-	 console.log("video never found, clicking default...");
+    console.log("video never found, clicking default...");
     clickVideoAttempts = 0;
     clickDefaultVideo();
   } else { // try again after 100 milliseconds
-	 setTimeout('clickVideo("'+videoId+'")', 100);
+    setTimeout('clickVideo("' + videoId + '")', 100);
+  }
+}
+
+/* returns true if the provided text is alphanumeric, false otherwise 
+   TODO: move this to the dev site js library */
+function isAlphaNumeric(text){
+  var regex=/^[0-9A-Za-z]+$/; //^[a-zA-z]+$/
+  if(regex.test(text)){
+    return true;
+  } else {
+    console.log("Bogus video ID");
+    return false;
   }
 }
 
 /* Click the default video that should be loaded on page load (the first video in the featured list) */
 function clickDefaultVideo() {
-	if ($("#mainBodyRight .videoPreviews a:first").length != 0) {
-  	var videoId = $("#mainBodyRight .videoPreviews a:first").attr("class");
+  if ($("#mainBodyRight .videoPreviews a:first").length != 0) {
+    var videoId = $("#mainBodyRight .videoPreviews a:first").attr("class");
     $("." + videoId).addClass("noplay"); // add class to indicate we should NOT autoplay (class removed by loadVideo)
-  	$("." + videoId + ":first").click();
-  	return;
+    $("." + videoId + ":first").click();
+    return;
   } else { // if we don't find it, increment clickVideoAttempts
-	 console.log("default video NOT found");
-	 clickVideoAttempts++;
+    console.log("default video NOT found");
+    clickVideoAttempts++;
   }
 
   // if we don't find it after 50 attempts (5 seconds), just fail
   if (clickVideoAttempts > 50) {
-	  console.log("default video never found...");
+    console.log("default video never found...");
   } else { // try again after 100 milliseconds
-	 	setTimeout('clickDefaultVideo()', 100);
+    setTimeout('clickDefaultVideo()', 100);
   }
 }
 </script>
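Review bot: The retry in `clickVideo` still hands a string to `setTimeout` (`setTimeout('clickVideo("' + videoId + '")', 100);`), so the new `isAlphaNumeric` guard at the top of the function is the only thing keeping `videoId` from being evaluated as script. Passing a function removes the eval sink and keeps the fix intact if the check is later loosened or moved to the shared library: `setTimeout(function() { clickVideo(videoId); }, 100);`. The same form would suit `setTimeout('clickDefaultVideo()', 100);`, although that string is constant. In `isAlphaNumeric`, the trailing `//^[a-zA-z]+$/` comment preserves an older pattern whose `A-z` range also admits punctuation characters, so it is worth deleting rather than leaving it where it can be copied back in.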