From ae24b544f3730d7f44d4b040658959c5c3e1ce5b Mon Sep 17 00:00:00 2001
From: Neil Fraser <fraser@google.com>
Date: Thu, 1 Aug 2019 16:36:56 -0700
Subject: [PATCH] Fix injection vulnerability in Block Factories.

Fixes issue #756.
---
 demos/blockfactory/factory_utils.js | 6 +++---
 demos/blockfactory/index.html       | 8 ++++----
 demos/blockfactory_old/factory.js   | 6 +++---
 demos/blockfactory_old/index.html   | 4 ++--
 4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/demos/blockfactory/factory_utils.js b/demos/blockfactory/factory_utils.js
index 3e63006c7..b02bfa034 100644
--- a/demos/blockfactory/factory_utils.js
+++ b/demos/blockfactory/factory_utils.js
@@ -902,9 +902,9 @@ FactoryUtils.defineAndGetBlockTypes = function(blockDefsString, format) {
 FactoryUtils.injectCode = function(code, id) {
   var pre = document.getElementById(id);
   pre.textContent = code;
-  code = pre.textContent;
-  code = PR.prettyPrintOne(code, 'js');
-  pre.innerHTML = code;
+  // Remove the 'prettyprinted' class, so that Prettify will recalculate.
+  pre.className = pre.className.replace('prettyprinted', '');
+  PR.prettyPrint();
 };
 
 /**
diff --git a/demos/blockfactory/index.html b/demos/blockfactory/index.html
index 868d20542..0c1fc87b9 100644
--- a/demos/blockfactory/index.html
+++ b/demos/blockfactory/index.html
@@ -124,11 +124,11 @@
       <h3>Export Preview</h3>
       <div id="blockDefs" class="exportPreviewTextArea">
         <p id="blockDefs_label">Block Definitions:</p>
-        <pre id="blockDefs_textArea"></pre>
+        <pre id="blockDefs_textArea" class="prettyprint lang-js"></pre>
       </div>
       <div id="genStubs" class="exportPreviewTextArea">
         <p id="genStubs_label">Generator Stubs:</p>
-        <pre id="genStubs_textArea"></pre>
+        <pre id="genStubs_textArea" class="prettyprint lang-js"></pre>
       </div>
     </div>
   </div>
@@ -378,7 +378,7 @@
           </tr>
           <tr>
             <td height="30%">
-              <pre id="languagePre"></pre>
+              <pre id="languagePre" class="prettyprint lang-js"></pre>
               <textarea id="languageTA"></textarea>
             </td>
           </tr>
@@ -397,7 +397,7 @@
           </tr>
           <tr>
             <td height="30%">
-              <pre id="generatorPre"></pre>
+              <pre id="generatorPre" class="prettyprint lang-js"></pre>
             </td>
           </tr>
         </table>
diff --git a/demos/blockfactory_old/factory.js b/demos/blockfactory_old/factory.js
index b40a43e98..28e508b95 100644
--- a/demos/blockfactory_old/factory.js
+++ b/demos/blockfactory_old/factory.js
@@ -748,9 +748,9 @@ function updatePreview() {
 function injectCode(code, id) {
   var pre = document.getElementById(id);
   pre.textContent = code;
-  code = pre.textContent;
-  code = PR.prettyPrintOne(code, 'js');
-  pre.innerHTML = code;
+  // Remove the 'prettyprinted' class, so that Prettify will recalculate.
+  pre.className = pre.className.replace('prettyprinted', '');
+  PR.prettyPrint();
 }
 
 /**
diff --git a/demos/blockfactory_old/index.html b/demos/blockfactory_old/index.html
index 98029d48a..a3d733735 100644
--- a/demos/blockfactory_old/index.html
+++ b/demos/blockfactory_old/index.html
@@ -148,7 +148,7 @@
           </tr>
           <tr>
             <td height="30%">
-              <pre id="languagePre"></pre>
+              <pre id="languagePre" class="prettyprint lang-js"></pre>
               <textarea id="languageTA"></textarea>
             </td>
           </tr>
@@ -167,7 +167,7 @@
           </tr>
           <tr>
             <td height="30%">
-              <pre id="generatorPre"></pre>
+              <pre id="generatorPre" class="prettyprint lang-js"></pre>
             </td>
           </tr>
         </table>