If connecting to the server's main port fails, the client will
automatically attempt to connect on the alternative port. If connecting
on the alternative port is successful, this is recorded in localStorage
so that next time, the alternative port is used first.
This is mainly intended to be used by the main server, which has a
primary port of 8000 and a relatively little-known alternative port
of 80.
This commit makes various changes to prevent servers from injecting
arbitrary JavaScript into the client. This prevents a variety of
possible exploits. The main changes in the client are as follows:
- Raw HTML from the server is now sanitised using caja to prevent
execution of JavaScript. See
https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
for details.
- The client now has a variety of CSS classes for possible chat
command messages that can be sent from the server, rather than the
server injecting arbitrary CSS `style` attributes into the client.
- check timestamp in index.php rather than sim.js to reduce the chance
of false positives caused by the user's internet connection being
slow or the user's clock being slightly wrong
- require timestamp logging to be a POST request
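
The CSS-class change described above (client-owned classes instead of server-supplied `style` attributes), as an added example that is not code from this project: the server sends only a message kind, the client maps it through a fixed allowlist, and the message text is escaped before it is placed in markup. The names `MESSAGE_CLASSES`, `DEFAULT_CLASS`, `escapeHTML` and `renderServerMessage`, the class names, and the `{kind, text}` message shape are all assumptions made for illustration.

```javascript
// Added example: every name and the {kind, text} message shape are hypothetical.

// Fixed allowlist: server-supplied message kind -> CSS class owned by the client.
// A Map is used so inherited keys such as "constructor" can never match.
const MESSAGE_CLASSES = new Map([
  ['error', 'message-error'],
  ['announce', 'message-announce'],
  ['log', 'message-log'],
]);
const DEFAULT_CLASS = 'message-plain';

// Escape the characters that are significant in HTML text and attribute values.
function escapeHTML(text) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Render one server message. The server only selects a kind; it never
// supplies a class name, a style attribute or markup of its own.
function renderServerMessage(msg) {
  const kind = typeof msg.kind === 'string' ? msg.kind : '';
  // Unknown or malformed kinds fall back to the default class.
  const cssClass = MESSAGE_CLASSES.get(kind) || DEFAULT_CLASS;
  const text = msg.text == null ? '' : msg.text;
  return '<div class="' + cssClass + '">' + escapeHTML(text) + '</div>';
}

// Constructed sample messages, including two a hostile server might send.
const samples = [
  { kind: 'error', text: 'Room not found' },
  { kind: 'x" style="color:red', text: 'hi' },
  { kind: 'announce', text: '<script>alert(1)</script>' },
];
for (const msg of samples) {
  console.log(renderServerMessage(msg));
}
```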
This commit adds support for 'config data' that begins with a ']'
character so that output from the upkeep page can be copied directly
without having to manually remove the ']' prefix.