commit 10cae22c55accc7ce4843ac860cd1c9b7293e033
parent d80aa97ebd777ac8c1e9b4e495fd8375e82efd68
Author: Dan Stillman <dstillman@zotero.org>
Date: Fri, 22 Sep 2017 01:01:52 -0400
Restrict relation predicates to letters and colons for now
Diffstat:
2 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/chrome/content/zotero/xpcom/data/dataObject.js b/chrome/content/zotero/xpcom/data/dataObject.js
@@ -404,6 +404,13 @@ Zotero.DataObject.prototype.setRelations = function (newRelations) {
var oldRelations = this._relations;
+ // Limit predicates to letters and colons for now
+ for (let p in newRelations) {
+ if (!/[a-z]+:[a-z]+/.test(p)) {
+ throw new Error(`Invalid relation predicate '${p}'`);
+ }
+ }
+
// Relations are stored internally as a flat array with individual predicate-object pairs,
// so convert the incoming relations to that
var newRelationsFlat = this.ObjectsClass.flattenRelations(newRelations);
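Review bot: The pattern in the added `if (!/[a-z]+:[a-z]+/.test(p))` check is unanchored, so any key that merely contains a lowercase `x:y` substring passes, and the "letters and colons" restriction stated in the comment is not enforced. Anchoring it, for example `if (!/^[a-z]+:[a-z]+$/i.test(p)) {`, would turn it into a real allowlist. The `i` flag is suggested because an anchored lowercase-only class would reject mixed-case predicates, if any are in use; that should be confirmed against the predicates the project already stores. The body of `setRelations` continues outside the hunk, so what happens to the predicates after `flattenRelations` is not visible here.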
diff --git a/test/tests/dataObjectTest.js b/test/tests/dataObjectTest.js
@@ -512,6 +512,17 @@ describe("Zotero.DataObject", function() {
})
})
+ describe("#setRelations()", function () {
+ it("shouldn't allow invalid 'relations' predicates", function* () {
+ var item = new Zotero.Item("book");
+ assert.throws(() => {
+ item.setRelations({
+ "0": ["http://example.com/foo"]
+ });
+ });
+ });
+ });
+
describe("#_getLinkedObject()", function () {
it("should return a linked object in another library", function* () {
var group = yield getGroup();
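Review bot: The new `#setRelations()` test only rejects the key `"0"`, which has no colon at all, so it would still pass if the validation accepted keys with extra characters around a valid-looking pair. A second negative case with a constructed key such as `"a:b c"` and one positive case with a well-formed predicate would pin the intended allowlist. The `assert.throws` call also has no matcher, so any exception satisfies it; passing `/Invalid relation predicate/` as the second argument would tie the test to this check.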