diff options
| author | Christoph (Sheogorath) Kern | 2019-04-16 14:17:10 +0200 |
|---|---|---|
| committer | GitHub | 2019-04-16 14:17:10 +0200 |
| commit | 2df474b63e8d127fa72bba7738c27511ad06182d (patch) | |
| tree | 814c2794da5a6e95ed21ab019dcd3f3c0ea10115 /public | |
| parent | 074198f941ec7559d3555ed70ee6b42f6f56512f (diff) | |
| parent | fb399ebe73950bec5403a4060a91ab9cfd90eb1a (diff) | |
Merge pull request #48 from SISheogorath/fix/graphvizXSS
Fix stored XSS in the graphviz error message rendering
Diffstat (limited to 'public')
| -rw-r--r-- | public/js/extra.js | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/public/js/extra.js b/public/js/extra.js index b80290d1..011e2143 100644 --- a/public/js/extra.js +++ b/public/js/extra.js @@ -15,6 +15,7 @@ import hljs from 'highlight.js' import PDFObject from 'pdfobject' import S from 'string' import { saveAs } from 'file-saver' +import escapeHTML from 'escape-html' require('./lib/common/login') require('../vendor/md-toc') @@ -323,7 +324,7 @@ export function finishView (view) { svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet') } catch (err) { $value.unwrap() - $value.parent().append('<div class="alert alert-warning">' + err + '</div>') + $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`) console.warn(err) } }) @@ -347,7 +348,7 @@ export function finishView (view) { $value.children().unwrap().unwrap() } catch (err) { $value.unwrap() - $value.parent().append('<div class="alert alert-warning">' + err + '</div>') + $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`) console.warn(err) } }) @@ -366,7 +367,7 @@ export function finishView (view) { $value.children().unwrap().unwrap() } catch (err) { $value.unwrap() - $value.parent().append('<div class="alert alert-warning">' + err + '</div>') + $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`) console.warn(err) } }) @@ -388,7 +389,7 @@ export function finishView (view) { } $value.unwrap() - $value.parent().append('<div class="alert alert-warning">' + errormessage + '</div>') + $value.parent().append(`<div class="alert alert-warning">${escapeHTML(errormessage)}</div>`) console.warn(errormessage) } }) @@ -408,7 +409,7 @@ export function finishView (view) { svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet') } catch (err) { $value.unwrap() - $value.parent().append('<div class="alert alert-warning">' + err + '</div>') + $value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`) console.warn(err) } }) @@ -568,7 +569,7 @@ export function postProcess (code) { if (warning && warning.length > 0) { warning.text(md.metaError) } else { - warning = $('<div id="meta-error" class="alert alert-warning">' + md.metaError + '</div>') + warning = $(`<div id="meta-error" class="alert alert-warning">${escapeHTML(md.metaError)}</div>`) result.prepend(warning) } } |