From 62043b0fd9c1c2cf8d371fe4d4f690c1ebdc2d5d Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Wed, 23 May 2012 11:45:20 -0700
Subject: [PATCH] strengthen email/URL validation: require the objects to be
 strings

---
 resources/static/dialog/controllers/dialog.js | 2 ++
 resources/static/shared/validation.js         | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/resources/static/dialog/controllers/dialog.js b/resources/static/dialog/controllers/dialog.js
index 25236e5db..62043fbc8 100644
--- a/resources/static/dialog/controllers/dialog.js
+++ b/resources/static/dialog/controllers/dialog.js
@@ -84,6 +84,8 @@ BrowserID.Modules.Dialog = (function() {
 
   function fixupURL(origin, url) {
     var u;
+    if (typeof(url) !== "string")
+      throw "urls must be strings: (" + url + ")";
     if (/^http(s)?:\/\//.test(url)) u = URLParse(url);
     else if (/^\//.test(url)) u = URLParse(origin + url);
     else throw "relative urls not allowed: (" + url + ")";
diff --git a/resources/static/shared/validation.js b/resources/static/shared/validation.js
index e103085a0..d49f82371 100644
--- a/resources/static/shared/validation.js
+++ b/resources/static/shared/validation.js
@@ -7,6 +7,8 @@ BrowserID.Validation = (function() {
       tooltip = bid.Tooltip;
 
   bid.verifyEmail = function(address) {
+    if (typeof(address) !== "string")
+      return false;
     // Original gotten from http://blog.gerv.net/2011/05/html5_email_address_regexp/
     // changed the requirement that there must be a ldh-str because BrowserID
     // is only used on internet based networks.
-- 
GitLab