From 681b28f167781f8a81e4d029e80d5e9f5d59abbd Mon Sep 17 00:00:00 2001
From: freginold <freginold@users.noreply.github.com>
Date: Fri, 17 Feb 2017 09:59:11 -0500
Subject: [PATCH] v3.2.2:

   - escaped HTML characters to prevent code from potentially being executed from status bar, using OWASP Prevention Rule #1
   - animated version and license info
---
 _note.css |  3 ++-
 _note.js  | 53 ++++++++++++++++++++++++++++++++++++++++++++++-------
 _note.vbs |  2 +-
 note.hta  |  4 ++--
 4 files changed, 51 insertions(+), 11 deletions(-)

diff --git a/_note.css b/_note.css
index 939248c..0e36602 100644
--- a/_note.css
+++ b/_note.css
@@ -1,4 +1,4 @@
-body {
+html {
   font-size: 1em;
   font-family: serif;
   color: black;
@@ -197,6 +197,7 @@ button[disabled]:hover {
 #aboutDiv {
   padding-left: 10px;
   margin-left: 25px;
+  vert-align: middle;
 }
 #backupButton {
   margin-top: 1px;
diff --git a/_note.js b/_note.js
index d0db3f1..76414fe 100644
--- a/_note.js
+++ b/_note.js
@@ -79,15 +79,19 @@ var fgColor = 'black';
 var firstCoordCheck = true;
 var selectedFlag = [false, false, false, false];
 var uneditedString = '';
-var currentVer = 'Note v' + Note.version + '\nPublic Domain';
+var currentVer = 'Note v' + Note.version;
+var license = 'Public Domain';
 var timer = 0;
 var lastScrollPos = 0;
 var firstCall = true;
 var small = 0.8;
 var medium = 1;
 var large = 1.3;
+var aboutInterval = false;
+var flip = false;
+var defTextSize = 1;
 var currentNote, dummyVar, bgColor, i, currentX, currentY, oldX, oldY, offsetX, offsetY;
-var lastLine, itemToEdit, itemTotal, statusTimer, prevNote;
+var lastLine, itemToEdit, itemTotal, statusTimer, prevNote, aboutCounter;
 
 
 // ------- declare functions ----------
@@ -394,10 +398,7 @@ function getLines(thisNote) {
       lastLine = noteNum;
     }
     else if (currentLine != "") {
-      // check input string for < or >, repl w/ &gt; or &lt;
-      currentLine = currentLine.replace(/</g, "&lt;");
-      currentLine = currentLine.replace(/>/g, "&gt;");
-      noteBody.innerHTML = noteBody.innerHTML + "<tr class='" + currentClasses + "' id='item" + noteNum + "'" + localFontHTML + "><td>" + xElBeg + noteNum + xElEnd + "&nbsp;&nbsp;" + moveButtonsHTMLBeg + noteNum + moveButtonsHTMLMid + noteNum + moveButtonsHTMLEnd + lineStartHTML + "</td><td id='text" + noteNum + "' ondblclick='goEdit(this);'>" + currentLine + "</td></tr>";
+      noteBody.innerHTML = noteBody.innerHTML + "<tr class='" + currentClasses + "' id='item" + noteNum + "'" + localFontHTML + "><td>" + xElBeg + noteNum + xElEnd + "&nbsp;&nbsp;" + moveButtonsHTMLBeg + noteNum + moveButtonsHTMLMid + noteNum + moveButtonsHTMLEnd + lineStartHTML + "</td><td id='text" + noteNum + "' ondblclick='goEdit(this);'>" + remHTML(currentLine) + "</td></tr>";
 	  checkOverflow("item" + noteNum);
       noteNum++;
     }
@@ -507,7 +508,33 @@ function displayAbout() {
   noteBody.style.display='none';
   noteTitle.innerText = "About Note";
   aboutDiv.style.display = 'block';
-  document.getElementById('versionInfo').innerText = currentVer;
+  document.getElementById('versionInfo').innerHTML = "<span id='line1'>" + currentVer + "</span><br><span id='line2'>" + license + "</span>";
+  if (!aboutInterval) {
+      aboutCounter = 0;
+	  setTimeout(function() {
+	    aboutInterval = setInterval(aboutChangeSize, 4);
+	  }, 160);
+  }
+}
+
+function aboutChangeSize() {
+  // change text size in About div
+  if (flip) { aboutCounter = aboutCounter - 0.01; }
+  else { aboutCounter = aboutCounter + 0.01; }    
+  document.getElementById('line1').style.fontSize = (defTextSize + aboutCounter) + "em";
+  document.getElementById('line2').style.fontSize = (defTextSize - aboutCounter) + "em";
+  if (aboutCounter > 0.57) {
+    flip = true;
+  }
+  if (aboutCounter < -0.57) {
+    flip = false;
+  }
+  if (aboutDiv.style.display == "none") {
+    clearInterval(aboutInterval);
+	aboutInterval = false;
+	flip = false;
+	aboutDiv.style.fontSize = defTextSize + "em";
+  }
 }
 
 function checkCoords() {
@@ -639,6 +666,18 @@ function clearStatus() {
   statusTimer = 0;
 }
 
+function remHTML(str) {
+  // remove characters that could execute code
+  // repl < or > w/ &gt; or &lt;
+  str = str.replace(/&/g, "&amp;");
+  str = str.replace(/</g, "&lt;");
+  str = str.replace(/>/g, "&gt;");
+  str = str.replace(/"/g, "&quot;");
+  str = str.replace(/'/g, "&#x27;");
+  str = str.replace(/\//g, "&#x2F;");        
+  return str;
+}
+
 function focusInput() {
   // call from VBS file to refocus on inputBox after a status msg display
   inputBox.focus();
diff --git a/_note.vbs b/_note.vbs
index 8864e43..88266a6 100644
--- a/_note.vbs
+++ b/_note.vbs
@@ -579,7 +579,7 @@ End Sub
 Function AbbrevText(AbbrStr)
   ' abbreviate note text for status bar, add quotes and apply non-italic class
   if len(AbbrStr) > 30 then AbbrStr = mid(AbbrStr, 1, 27) & "..."
-  AbbrevText = "<span class='nonItalic'>'" & AbbrStr & "'</span>"
+  AbbrevText = "<span class='nonItalic'>'" & remHTML(AbbrStr) & "'</span>"
 End Function
 
 Sub ChangeBackup
diff --git a/note.hta b/note.hta
index 445be31..0073e80 100644
--- a/note.hta
+++ b/note.hta
@@ -9,7 +9,7 @@
   Scroll = no
   Icon = "note_icon.ico"
   navigable = no
-  version = "3.2.1"
+  version = "3.2.2"
 >
 <title>Note</title>
 <link href='_note.css' rel='stylesheet' type='text/css'>
@@ -139,7 +139,7 @@
   <br /><br />
   <label id='header05'><h3><span id='symbol05'>&#10134;</span> <span class='uline'>Backup / Restore</span></h3></label>
   <div id='section05' class='optionSections'>
-  <button class='optButton' id='undeleteButton' onclick='Undelete()' disabled=true>Restore last deleted item</button><br />
+  <button class='optButton' id='undeleteButton' onclick='Undelete()' disabled=true>Restore Last Deleted Item</button><br />
   <button class='optButton' id='backupButton' onclick='dispBackupDiv();'>Backup...</button><br />
   <button class='optButton' id='defaultButton' onclick='resetDefault();'>Restore All Default Settings</button>
   </div>