Fix code injections and expiry date handling wrt #1 and #2

pyve · Nov 14, 2014 · b492f19 · b492f19
1 parent 0038bb7
commit b492f19
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 20 deletions.
diff --git a/app/index.html b/app/index.html
@@ -108,7 +108,7 @@ <h1>Cartelera de Empleos</h1>
 
     <script id="job_template" type="text/template">
       <article id="job_<%= id %>" data-id="<%= id %>" class="job-wrapper">
-        <% if (userId == firebase.getAuth().uid) { %>
+        <% if (firebase.getAuth() && userId == firebase.getAuth().uid) { %>
         <a class="job-delete text-danger pull-right" href="#"><small>Eliminar</small></a>
         <% } %>
         <header>
@@ -142,15 +142,23 @@ <h4>Descripción:</h4>
             <%= description %>
           </p>
         </section>
+        <% if (this.model.get('posted') || this.model.get('updated') || this.model.get('expires')) { %>
         <footer class="job-timestamps text-muted">
           <p>
+            <% if (this.model.get('posted')) { %>
             Publicado: <time datetime="<%= new Date(posted).toISOString() %>" published><%= _.isFunction(Date.toLocaleString) ? new Date(posted).toLocaleString() : new Date(posted).toString() %></time>.
-            <% if (posted !== updated) { %>
+            <% } %>
+            <% if (this.model.get('posted')) { %>
+            <% if (posted !== this.model.get('updated')) { %>
             Actualizado: <time datetime="<%= new Date(updated).toISOString() %>" updated><%= _.isFunction(Date.toLocaleString) ? new Date(updated).toLocaleString() : new Date(updated).toString() %></time>.
             <% } %>
+            <% } %>
+            <% if (this.model.get('expires')) { %>
             Expira: <time datetime="<%= new Date(expires).toISOString() %>"><%= _.isFunction(new Date().toLocaleDateString) ? new Date(expires).toLocaleDateString() : new Date(expires).toDateString() %></time>.
+            <% } %>
           </p>
         </footer>
+        <% } %>
       </article>
     </script>
     <!-- build:js(.) scripts/vendor.js -->

diff --git a/app/scripts/main.js b/app/scripts/main.js
@@ -17,6 +17,20 @@ $(function() {
     }
   });
 
+  var escapeObj = function(obj) {
+    return _.reduce(_.map(obj, function(value, key) {
+      var ret = {};
+      if (_.isString(value)) {
+        ret[key] = _.escape(value);
+      } else {
+        ret[key] = value;
+      }
+      return ret;
+    }), function(memo, item) {
+      return _.extend(memo, item);
+    }, {});
+  };
+
   /* Backbone forms customization */
   Backbone.Form.template = _.template('<form class="form-horizontal" role="form" data-fieldsets></form>');
   Backbone.Form.Fieldset.template = _.template('<fieldset data-fields><% if (legend) { %><legend><%= legend %></legend><% } %></fieldset>');
@@ -129,17 +143,7 @@ $(function() {
     }
   };
 
-  var JobDefaults = {
-    posted: Date.now().valueOf(),
-    updated: Date.now().valueOf(),
-    expires: Date.now().valueOf() + 1296015000, // now plus 15 days and 1 sec
-    remote: false,
-    workingTime: 'A convenir'
-  };
-
-  var Job = Backbone.Model.extend({
-    defaults: JobDefaults
-  });
+  var Job = Backbone.Model.extend({});
 
   var Jobs = Backbone.Firebase.Collection.extend({
     model: Job,
@@ -161,7 +165,8 @@ $(function() {
       this.listenTo(this.model, 'change', this.render);
     },
     render: function() {
-      this.$el.html(this.template(this.model.toJSON()));
+      var job = escapeObj(this.model.toJSON());
+      this.$el.html(this.template(job));
       return this;
     },
     remove: function(evt) {
@@ -224,16 +229,26 @@ $(function() {
     render: function() {
       this.form = new Backbone.Form({
         schema: JobSchema,
-        data: JobDefaults
+        data: {
+          expires: Date.now().valueOf() + 1296015000, // now plus 15 days and 1 sec
+          remote: false,
+          workingTime: 'A convenir'
+        }
       });
       this.$('.add-job-form').html(this.form.render().el);
     },
     addJob: function() {
-      var jobData, newJob;
-      if (!this.form.validate()) {
-        jobData = this.form.getValue();
-        newJob = _.extend(jobData, {
-          userId: this.jobs.firebase.getAuth().uid
+      var jobData, newJob, user, now;
+      if (!this.form.validate()) { // This means it's valid, meh.
+        jobData = escapeObj(this.form.getValue());
+        user = this.jobs.firebase.getAuth();
+        now = Date.now().valueOf();
+        jobData.expires = jobData.expires.valueOf();
+        newJob = _.defaults(jobData, {
+          userId: user ? user.uid : '',
+          posted: now,
+          updated: now,
+          expires: now + 1296015000
         });
         this.jobs.add(newJob);
         $('#add_job_modal').modal('hide');