Important security fix

2 files changed, 30 insertions, 6 deletions

diff --git a/pluginManager.js b/pluginManager.js
index 8e520ec..f28590a 100644
--- a/pluginManager.js
+++ b/pluginManager.js
@@ -4,7 +4,7 @@ var PLUGIN_INFO =
 <description>Manage Vimperator Plugins</description>
 <description lang="ja">Vimpeatorプラグインの管理</description>
 <author mail="teramako@gmail.com" homepage="http://d.hatena.ne.jp/teramako/">teramako</author>
-<version>0.6.6</version>
+<version>0.6.7</version>
 <minVersion>2.3</minVersion>
 <maxVersion>2.4</maxVersion>
 <updateURL>https://github.com/vimpr/vimperator-plugins/raw/master/pluginManager.js</updateURL>
@@ -190,8 +190,19 @@ for (let it in Iterator(tags)){
     };
 }
 function makeLink(str, withLink){
-    var href = withLink ? '$&' : '#';
-    return XMLList(str.replace(/(?:https?:\/\/|mailto:)\S+/g, '<a href="' + href + '" highlight="URL">$&</a>'));
+    let s = str;
+    let result = XMLList();
+    while (s.length > 0) {
+        let m = s.match(/(?:https?:\/\/|mailto:)\S+/);
+        if (m) {
+            result += <>{s.slice(0, m.index)}<a href={withLink ? m[0] : '#'} highlight="URL">{m[0]}</a></>;
+            s = s.slice(m.index + m[0].length);
+        } else {
+            result += <>{s}</>;
+            break;
+        }
+    }
+    return result;
 }
 function fromUTF8Octets(octets){
     return decodeURIComponent(octets.replace(/[%\x80-\xFF]/g, function(c){
diff --git a/sbmcommentsviewer.js b/sbmcommentsviewer.js
index 40dcf74..c7d10f6 100644
--- a/sbmcommentsviewer.js
+++ b/sbmcommentsviewer.js
@@ -3,7 +3,7 @@ var PLUGIN_INFO =
     <name>SBM Comments Viewer</name>
     <description>List show Social Bookmark Comments</description>
     <description lang="ja">ソーシャル・ブックマーク・コメントを表示します</description>
-    <version>0.2.1</version>
+    <version>0.2.2</version>
     <minVersion>2.0pre</minVersion>
     <maxVersion>3.0</maxVersion>
     <updateURL>https://github.com/vimpr/vimperator-plugins/raw/master/sbmcommentsviewer.js</updateURL>
@@ -126,8 +126,21 @@ function SBMEntry(id, timestamp, comment, tags, extra){ //{{{
 } //}}}
 SBMEntry.prototype = { //{{{
     toHTML: function(format){
-        function makeLink(str)
-            XMLList(str.replace(/(?:https?:\/\/|mailto:)\S+/g, '<a href="$&" highlight="URL">$&</a>'));
+        function makeLink(str, withLink){
+            let s = str;
+            let result = XMLList();
+            while (s.length > 0) {
+                let m = s.match(/(?:https?:\/\/|mailto:)\S+/);
+                if (m) {
+                    result += <>{s.slice(0, m.index)}<a href={withLink ? m[0] : '#'} highlight="URL">{m[0]}</a></>;
+                    s = s.slice(m.index + m[0].length);
+                } else {
+                    result += <>{s}</>;
+                    break;
+                }
+            }
+            return result;
+        }
 
         var xml = <tr/>;
         var self = this;