Replace all setTimeout strings with functions

This fixes a cross-site scripting vulnerability. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2017-01-20 13:13:31 -05:00 · 2017-01-20 13:13:31 -05:00 · 88946d331a
parent 0047f2578f
commit 88946d331a
5 changed files with 9 additions and 9 deletions
--- a/js/feedlist.js
+++ b/js/feedlist.js
@ -198,7 +198,7 @@ function feedlist_init() {
 		loading_set_progress(50);

 		document.onkeydown = hotkey_handler;
-		setTimeout("hotkey_prefix_timeout()", 5*1000);
+		setTimeout(hotkey_prefix_timeout, 5*1000);

 		if (!getActiveFeedId()) {
 			viewfeed({feed: -3});
--- a/js/functions.js
+++ b/js/functions.js
@ -668,7 +668,7 @@ function hotkey_prefix_timeout() {
 			Element.hide('cmdline');
 		}

-		setTimeout("hotkey_prefix_timeout()", 1000);
+		setTimeout(hotkey_prefix_timeout, 1000);

 	} catch  (e) {
 		exception_error("hotkey_prefix_timeout", e);
@ -1325,7 +1325,7 @@ function unsubscribeFeed(feed_id, title) {
 						updateFeedList();
 					} else {
 						if (feed_id == getActiveFeedId())
-							setTimeout("viewfeed({feed:-5})", 100);
+							setTimeout(function() { viewfeed({feed:-5}) }, 100);

 						if (feed_id < 0) updateFeedList();
 					}
--- a/js/prefs.js
+++ b/js/prefs.js
@ -901,10 +901,10 @@ function init_second_stage() {
 		if (method == 'editFeed') {
 			var param = getURLParam('methodparam');

-			window.setTimeout('editFeed(' + param + ')', 100);
+			window.setTimeout(function() { editFeed(param) }, 100);
 		}

-		setTimeout("hotkey_prefix_timeout()", 5*1000);
+		setTimeout(hotkey_prefix_timeout, 5*1000);

 	} catch (e) {
 		exception_error("init_second_stage", e);
--- a/js/tt-rss.js
+++ b/js/tt-rss.js
@ -159,7 +159,7 @@ function viewCurrentFeed(method) {
 function timeout() {
 	if (getInitParam("bw_limit") != "1") {
 		request_counters();
-		setTimeout("timeout()", 60*1000);
+		setTimeout(timeout, 60*1000);
 	}
 }

@ -654,7 +654,7 @@ function init_second_stage() {

 		if (getInitParam("simple_update")) {
 			console.log("scheduling simple feed updater...");
-			window.setTimeout("update_random_feed()", 30*1000);
+			window.setTimeout(update_random_feed, 30*1000);
 		}

 	} catch (e) {
@ -1130,7 +1130,7 @@ function update_random_feed() {
 			parameters: "op=rpc&method=updateRandomFeed",
 			onComplete: function(transport) {
 				handle_rpc_json(transport, true);
-				window.setTimeout("update_random_feed()", 30*1000);
+				window.setTimeout(update_random_feed, 30*1000);
 			} });

 	} catch (e) {
--- a/js/viewfeed.js
+++ b/js/viewfeed.js
@ -2315,7 +2315,7 @@ function updateFloatingTitle(unread_only) {
 function catchupCurrentBatchIfNeeded() {
 	if (catchup_id_batch.length > 0) {
 		window.clearTimeout(catchup_timeout_id);
-		catchup_timeout_id = window.setTimeout('catchupBatchedArticles()', 1000);
+		catchup_timeout_id = window.setTimeout(catchupBatchedArticles, 1000);

 		if (catchup_id_batch.length >= 10) {
 			catchupBatchedArticles();