oarevalo / BugLogHQ

BugLogHQ is a tool to centralize the handling of automated bug reports from multiple applications. BugLogHQ provides a unified view of error messages sent from any number of applications, allowing the developer to search, graph, forward, and explore the bug reports submitted by the applications.
http://www.bugloghq.com

Strip auto-generated JS from client service's CFDump #30

Closed michael-zock closed 11 years ago

michael-zock commented 11 years ago

Right now the composeFullMessage() in the client component uses plain <cfdump> tags to output the catch and extra details. This results in the tag's generated JavaScript showing up in the error results unnecessarily, because the corresponding script tags get nuked.

Due to the greedy regular expression pattern this is only a workaround, because it doesn't differentiate between JS generated by the dump tags and JS inside one of those two arguments, but the following example would solve at least part of the problem:

<cffunction name="sanitizeDump" access="private" returntype="string" output="false" hint="Performs a sanitized dump, where JavaScript has been removed to minimize XSS risks">
    <cfargument name="dumpData" type="any" required="true">

    <!--- Capture the HTML that cfdump would otherwise write straight to the response --->
    <cfsavecontent variable="LOCAL.result"><cfoutput><cfdump var="#ARGUMENTS.dumpData#"></cfoutput></cfsavecontent>

    <!--- Replace every <script>...</script> block with a visible marker.
          The (?:(?!<\/script>)<[^<]*)* part stops at the first closing tag, so one
          match never swallows the markup between two script blocks, but the pattern
          cannot tell cfdump's own script from a script block that arrived inside dumpData. --->
    <cfreturn reReplaceNoCase(LOCAL.result, "<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>", "<b>(BugLogHQ: JavaScript removed to minimize XSS risks!)</b>", "all")>
</cffunction>
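The behaviour described in the comment above, modelled in Python as an added example (this is neither BugLogHQ code nor the CFML from the comment): the same tempered `<script>` pattern is applied to a constructed stand-in for cfdump output. It shows the three outcomes a practitioner should expect: cfdump's own script block is replaced by the marker; a `<script>` block that arrived inside the dumped data is stripped too, losing that data, as the comment warns; and markup that carries JavaScript without a script tag, such as an `onerror` attribute, passes through untouched, which is why encoding the values before they reach the dump is the stronger control. `render_dump` is a hypothetical stand-in that inserts the value unescaped; whether a given CFML engine's cfdump encodes values is not something this issue states.

```python
import html
import re

# Same pattern as the issue's sanitizeDump(), in Python regex syntax (the CFML
# version escapes the slashes; Python does not need that).
SCRIPT_BLOCK = re.compile(r"<script\b[^<]*(?:(?!</script>)<[^<]*)*</script>", re.IGNORECASE)
PLACEHOLDER = "<b>(BugLogHQ: JavaScript removed to minimize XSS risks!)</b>"

# Constructed stand-in for the script block cfdump emits for its expand/collapse
# behaviour. The real block differs; only its shape (a <script> element) matters here.
DUMP_SCRIPT = '<script type="text/javascript">function cfdump_toggle(id){/* ... */}</script>'


def render_dump(value, escape_values=False):
    """Hypothetical stand-in for cfdump: one script block plus the value in a table cell.

    With escape_values=False the value is inserted verbatim (worst case); with
    escape_values=True it is HTML-encoded first, which is the control the regex cannot
    replace.
    """
    cell = html.escape(str(value)) if escape_values else str(value)
    return DUMP_SCRIPT + '<table class="cfdump"><tr><td>' + cell + "</td></tr></table>"


def sanitize_dump(dump_html):
    """Port of the comment's sanitizeDump(): replace every <script>...</script> block."""
    return SCRIPT_BLOCK.sub(PLACEHOLDER, dump_html)


def script_blocks_removed(before, after):
    """How many script blocks the sanitizer replaced (a count of the markers added)."""
    return after.count(PLACEHOLDER) - before.count(PLACEHOLDER)


def still_carries_markup(sanitized, needle):
    """True if an attacker-controlled fragment survived sanitization verbatim."""
    return needle in sanitized


if __name__ == "__main__":
    # 1. Ordinary data: only cfdump's own script block is replaced.
    plain = render_dump("division by zero in invoice.cfm")
    print(script_blocks_removed(plain, sanitize_dump(plain)))  # 1

    # 2. Data that itself contains a script block: both blocks are replaced, so the
    #    data is lost. This is the limitation the comment describes.
    inner = render_dump("<script>alert(1)</script>")
    print(script_blocks_removed(inner, sanitize_dump(inner)))  # 2

    # 3. Event-handler XSS has no <script> tag, so the regex leaves it intact.
    payload = "<img src=x onerror=alert(1)>"
    print(still_carries_markup(sanitize_dump(render_dump(payload)), payload))  # True

    # 4. Encoding the value before it is dumped neutralises the same payload.
    print(still_carries_markup(sanitize_dump(render_dump(payload, escape_values=True)), payload))  # False
```

The fourth case is the one worth taking away: stripping script blocks after the fact removes the noise from cfdump and some obvious payloads, but an attacker who controls the exception message or the extra-info argument can still inject attribute-based JavaScript, so the values should be HTML-encoded before they are dumped or rendered, with the script-stripping kept only as a cosmetic cleanup.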
oarevalo commented 11 years ago

That's a great idea! I added your code (modified a little bit) to the buglog client in 1.8