This commit makes various changes to prevent servers from injecting
arbitrary JavaScript into the client. This prevents a variety of
possible exploits. The main changes in the client are as follows:
- Raw HTML from the server is now sanitised using caja to prevent
excution of JavaScript. See
https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
for details.
- The client now has a variety of CSS classes for possible chat
command messages that can be sent from the server, rather than the
server injecting arbitrary CSS `style` attributes into the client.
- check timestamp in index.php rather than sim.js to reduce the chance
of false positives caused by the user's internet connection being
slow or the user's clock being slightly wrong
- require timestamp logging to be a POST request
This commit adds support for 'config data' that begins with a ']'
character so that output from the upkeep page can be copied directly
without having to manually remove the ']' prefix.
