From 88946d331aad96ecbdf9d570853121e5a7eb07ab Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Fri, 20 Jan 2017 13:13:31 -0500
Subject: [PATCH] Replace all setTimeout strings with functions

This fixes a cross-site scripting vulnerability.

Signed-off-by: Anders Kaseorg
---
 js/feedlist.js | 2 +-
 js/functions.js | 4 ++--
 js/prefs.js | 4 ++--
 js/tt-rss.js | 6 +++---
 js/viewfeed.js | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/js/feedlist.js b/js/feedlist.js
index c98cfaab..e66a0c1b 100644
--- a/js/feedlist.js
+++ b/js/feedlist.js
@@ -198,7 +198,7 @@ function feedlist_init() {
 loading_set_progress(50);
 document.onkeydown = hotkey_handler;
- setTimeout("hotkey_prefix_timeout()", 5*1000);
+ setTimeout(hotkey_prefix_timeout, 5*1000);
 if (!getActiveFeedId()) {
 viewfeed({feed: -3});
diff --git a/js/functions.js b/js/functions.js
index 38438255..63ff4121 100755
--- a/js/functions.js
+++ b/js/functions.js
@@ -668,7 +668,7 @@ function hotkey_prefix_timeout() {
 Element.hide('cmdline');
 }
- setTimeout("hotkey_prefix_timeout()", 1000);
+ setTimeout(hotkey_prefix_timeout, 1000);
 } catch (e) {
 exception_error("hotkey_prefix_timeout", e);
@@ -1325,7 +1325,7 @@ function unsubscribeFeed(feed_id, title) {
 updateFeedList();
 } else {
 if (feed_id == getActiveFeedId())
- setTimeout("viewfeed({feed:-5})", 100);
+ setTimeout(function() { viewfeed({feed:-5}) }, 100);
 if (feed_id < 0) updateFeedList();
 }
diff --git a/js/prefs.js b/js/prefs.js
index 69e779d4..23d43f36 100755
--- a/js/prefs.js
+++ b/js/prefs.js
@@ -901,10 +901,10 @@ function init_second_stage() {
 if (method == 'editFeed') {
 var param = getURLParam('methodparam');
- window.setTimeout('editFeed(' + param + ')', 100);
+ window.setTimeout(function() { editFeed(param) }, 100);
 }
- setTimeout("hotkey_prefix_timeout()", 5*1000);
+ setTimeout(hotkey_prefix_timeout, 5*1000);
 } catch (e) {
 exception_error("init_second_stage", e);
diff --git a/js/tt-rss.js b/js/tt-rss.js
index 26982608..20e0fc5a 100644
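Review bot: Nothing in this change guards against the string form coming back, and the same one-line replacement is repeated in every hunk of functions.js, prefs.js, tt-rss.js and viewfeed.js, so a single regression would reopen the code-injection path the commit closes. Consider enabling ESLint's `no-implied-eval` rule, or a CI grep for `setTimeout(`/`setInterval(` followed by a quote, so a string argument fails review automatically. The body of feedlist_init continues outside the hunk.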
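Review bot: The new callback `function() { viewfeed({feed:-5}) }` omits the statement terminator inside the function body and relies on ASI; `setTimeout(function() { viewfeed({feed:-5}); }, 100);` keeps it explicit. The prefs.js hunk's `function() { editFeed(param) }` has the same omission. unsubscribeFeed's body continues outside the hunk at both ends.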
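Review bot: `param` is read straight from the query string by `getURLParam('methodparam')` two lines up, and while the closure correctly stops it from being evaluated as code, it is now handed to `editFeed` as an unchecked string, where the old concatenation presumably produced a bare JS token such as a numeric literal. If feed ids are numeric, as the `{feed: -3}` and `{feed:-5}` calls elsewhere in this patch suggest, a guard like `if (/^-?\d+$/.test(param)) window.setTimeout(function() { editFeed(param); }, 100);` would keep non-id input from reaching editFeed at all; confirm what editFeed does with a non-numeric argument before adding it. init_second_stage's body continues outside the hunk.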
--- a/js/tt-rss.js
+++ b/js/tt-rss.js
@@ -159,7 +159,7 @@ function viewCurrentFeed(method) {
 function timeout() {
 if (getInitParam("bw_limit") != "1") {
 request_counters();
- setTimeout("timeout()", 60*1000);
+ setTimeout(timeout, 60*1000);
 }
 }
@@ -654,7 +654,7 @@ function init_second_stage() {
 if (getInitParam("simple_update")) {
 console.log("scheduling simple feed updater...");
- window.setTimeout("update_random_feed()", 30*1000);
+ window.setTimeout(update_random_feed, 30*1000);
 }
 } catch (e) {
@@ -1130,7 +1130,7 @@ function update_random_feed() {
 parameters: "op=rpc&method=updateRandomFeed",
 onComplete: function(transport) {
 handle_rpc_json(transport, true);
- window.setTimeout("update_random_feed()", 30*1000);
+ window.setTimeout(update_random_feed, 30*1000);
 }
 });
 } catch (e) {
diff --git a/js/viewfeed.js b/js/viewfeed.js
index feb39715..007728a1 100755
--- a/js/viewfeed.js
+++ b/js/viewfeed.js
@@ -2315,7 +2315,7 @@ function updateFloatingTitle(unread_only) {
 function catchupCurrentBatchIfNeeded() {
 if (catchup_id_batch.length > 0) {
 window.clearTimeout(catchup_timeout_id);
- catchup_timeout_id = window.setTimeout('catchupBatchedArticles()', 1000);
+ catchup_timeout_id = window.setTimeout(catchupBatchedArticles, 1000);
 if (catchup_id_batch.length >= 10) {
 catchupBatchedArticles();
--
2.39.5
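Review bot: Now that the callback is passed by reference, `setTimeout(timeout, 60*1000)` inside `function timeout()` is easy to misread as passing a timer handle rather than re-arming the counters poll, because the global function shares its name with the timer vocabulary. A one-line comment on the new line, `// re-arm: poll counters again in 60 s (function reference, never a string)`, would make the intent clear without touching callers; renaming the function would be cleaner but reaches outside this hunk.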
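Review bot: The timer armed on the new line is left running when the batch is flushed immediately by the `catchupBatchedArticles()` call two lines below, so catchupBatchedArticles may run twice for the same batch unless it empties `catchup_id_batch` or clears `catchup_timeout_id` itself; the function's body continues outside the hunk, so that cannot be confirmed here. If it does neither, adding `window.clearTimeout(catchup_timeout_id);` directly before the immediate `catchupBatchedArticles();` keeps the two paths from overlapping.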