From: Anders Kaseorg
Date: Fri, 20 Jan 2017 18:13:31 +0000 (-0500)
Subject: Replace all setTimeout strings with functions
X-Git-Tag: 17.1~4^2^2
X-Git-Url: https://git.wh0rd.org/?p=tt-rss.git;a=commitdiff_plain;h=88946d331aad96ecbdf9d570853121e5a7eb07ab

Replace all setTimeout strings with functions

This fixes a cross-site scripting vulnerability.

Signed-off-by: Anders Kaseorg
---

diff --git a/js/feedlist.js b/js/feedlist.js
index c98cfaab..e66a0c1b 100644
--- a/js/feedlist.js
+++ b/js/feedlist.js
@@ -198,7 +198,7 @@ function feedlist_init() {
 loading_set_progress(50); document.onkeydown = hotkey_handler;
- setTimeout("hotkey_prefix_timeout()", 5*1000);
+ setTimeout(hotkey_prefix_timeout, 5*1000);
 if (!getActiveFeedId()) { viewfeed({feed: -3});
diff --git a/js/functions.js b/js/functions.js
index 38438255..63ff4121 100755
--- a/js/functions.js
+++ b/js/functions.js
@@ -668,7 +668,7 @@ function hotkey_prefix_timeout() {
 Element.hide('cmdline'); }
- setTimeout("hotkey_prefix_timeout()", 1000);
+ setTimeout(hotkey_prefix_timeout, 1000);
 } catch (e) { exception_error("hotkey_prefix_timeout", e);
@@ -1325,7 +1325,7 @@ function unsubscribeFeed(feed_id, title) {
 updateFeedList(); } else { if (feed_id == getActiveFeedId())
- setTimeout("viewfeed({feed:-5})", 100);
+ setTimeout(function() { viewfeed({feed:-5}) }, 100);
 if (feed_id < 0) updateFeedList(); }
diff --git a/js/prefs.js b/js/prefs.js
index 69e779d4..23d43f36 100755
--- a/js/prefs.js
+++ b/js/prefs.js
@@ -901,10 +901,10 @@ function init_second_stage() {
 if (method == 'editFeed') { var param = getURLParam('methodparam');
- window.setTimeout('editFeed(' + param + ')', 100);
+ window.setTimeout(function() { editFeed(param) }, 100);
 }
- setTimeout("hotkey_prefix_timeout()", 5*1000);
+ setTimeout(hotkey_prefix_timeout, 5*1000);
 } catch (e) { exception_error("init_second_stage", e);
diff --git a/js/tt-rss.js b/js/tt-rss.js
index 26982608..20e0fc5a 100644
--- a/js/tt-rss.js
+++ b/js/tt-rss.js
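Review bot: In the `init_second_stage` hunk of js/prefs.js, `param` still comes straight from `getURLParam('methodparam')` and reaches `editFeed` without validation. The closure stops it being evaluated as script, but it now arrives as a string, where the old eval'd call passed whatever the literal parsed to (normally a number). If `editFeed` expects a numeric feed id (its body is outside this hunk, so this is inferred), parse and check it first: `var param = parseInt(getURLParam('methodparam'), 10);` and guard the call with `if (!isNaN(param))`. A short comment such as `// methodparam is URL-supplied and untrusted; pass it as data, never build code or markup from it` would keep the reason for the closure visible. `init_second_stage` starts and ends outside the hunk.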
@@ -159,7 +159,7 @@ function viewCurrentFeed(method) {
 function timeout() { if (getInitParam("bw_limit") != "1") { request_counters();
- setTimeout("timeout()", 60*1000);
+ setTimeout(timeout, 60*1000);
 } }
@@ -654,7 +654,7 @@ function init_second_stage() {
 if (getInitParam("simple_update")) { console.log("scheduling simple feed updater...");
- window.setTimeout("update_random_feed()", 30*1000);
+ window.setTimeout(update_random_feed, 30*1000);
 } } catch (e) {
@@ -1130,7 +1130,7 @@ function update_random_feed() {
 parameters: "op=rpc&method=updateRandomFeed", onComplete: function(transport) { handle_rpc_json(transport, true);
- window.setTimeout("update_random_feed()", 30*1000);
+ window.setTimeout(update_random_feed, 30*1000);
 } }); } catch (e) {
diff --git a/js/viewfeed.js b/js/viewfeed.js
index feb39715..007728a1 100755
--- a/js/viewfeed.js
+++ b/js/viewfeed.js
@@ -2315,7 +2315,7 @@ function updateFloatingTitle(unread_only) {
 function catchupCurrentBatchIfNeeded() { if (catchup_id_batch.length > 0) { window.clearTimeout(catchup_timeout_id);
- catchup_timeout_id = window.setTimeout('catchupBatchedArticles()', 1000);
+ catchup_timeout_id = window.setTimeout(catchupBatchedArticles, 1000);
 if (catchup_id_batch.length >= 10) { catchupBatchedArticles();