jshaver/walnut.js
1
0
Fork 0
forked from coolaj86/walnut.js
Code Issues Pull Requests Releases Wiki Activity

escape HTML on redirects

Browse Source
This commit is contained in:
AJ ONeal 2015-07-08 21:20:57 -06:00
parent e1e4d86941
commit 0d90255745
2 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/insecure-server.js
View File

@ -40,19 +40,21 @@ module.exports.create = function (securePort, insecurePort, redirects) {
); );
}); });
var escapeHtml = require('escapeHtml');
var newLocation = 'https://' var newLocation = 'https://'
+ host.replace(/:\d+/, ':' + securePort) + url + host.replace(/:\d+/, ':' + securePort) + url
; ;
var safeLocation = escapeHtml(newLocation);
var metaRedirect = '' var metaRedirect = ''
+ '<html>\n' + '<html>\n'
+ '<head>\n' + '<head>\n'
+ ' <style>* { background-color: white; color: white; text-decoration: none; }</style>\n' + ' <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
+ ' <META http-equiv="refresh" content="0;URL=' + newLocation + '">\n' + ' <META http-equiv="refresh" content="0;URL=' + safeLocation + '">\n'
+ '</head>\n' + '</head>\n'
+ '<body style="display: none;">\n' + '<body style="display: none;">\n'
+ ' <p>You requested an insecure resource. Please use this instead: \n' + ' <p>You requested an insecure resource. Please use this instead: \n'
+ ' <a href="' + newLocation + '">' + newLocation + '</a></p>\n' + ' <a href="' + safeLocation + '">' + safeLocation + '</a></p>\n'
+ '</body>\n' + '</body>\n'
+ '</html>\n' + '</html>\n'
; ;
@ -72,7 +74,7 @@ module.exports.create = function (securePort, insecurePort, redirects) {
// To minimize this, we give browser users a mostly optimal experience, // To minimize this, we give browser users a mostly optimal experience,
// but people experimenting with the API get a message letting them know // but people experimenting with the API get a message letting them know
// that they're doing it wrong and thus forces them to ensure they encrypt. // that they're doing it wrong and thus forces them to ensure they encrypt.
res.setHeader('Content-Type', 'text/html'); res.setHeader('Content-Type', 'text/html; charset=utf-8');
res.end(metaRedirect); res.end(metaRedirect);
} }

2
package.json
View File

@ -62,7 +62,7 @@
"ee-first": "^1.1.0", "ee-first": "^1.1.0",
"errorhandler": "1.x", "errorhandler": "1.x",
"es6-promise": "2.x", "es6-promise": "2.x",
"escape-html": "^1.0.1", "escape-html": "^1.0.2",
"escape-string-regexp": "1.x", "escape-string-regexp": "1.x",
"etag": "^1.5.1", "etag": "^1.5.1",
"express": "4.x", "express": "4.x",