Fix XSS in vex messages

Fedor A. Fetisov 2020-07-09 12:45:04 +03:00
parent 84f5bca0a9
commit 2336e406f4


@ -172,6 +172,21 @@
return (vex.getAllVexes().length > 0);
};
/**
* Sanitize message used in Vex dialog
* @type {Function}
* @param {String} message A message to sanitize.
* @returns {String}
*/
var sanitizeMessage = function(message) {
return message.replace(/&/g, "&")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
};
/**
* Alerts a message.
* @param {String} message A message that should be displayed.
@ -182,7 +197,7 @@
// Do not open alert if one already opened.
return;
}
vex.dialog.alert({message: message});
vex.dialog.alert({message: sanitizeMessage(message)});
};
/**
@ -195,7 +210,7 @@
Mibew.Utils.confirm = function(message, callback) {
setVexDefaults();
vex.dialog.confirm({
message: message,
message: sanitizeMessage(message),
callback: callback
});
};
@ -210,7 +225,7 @@
Mibew.Utils.prompt = function(message, callback) {
setVexDefaults();
vex.dialog.prompt({
message: message,
message: sanitizeMessage(message),
callback: callback
});
};
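Review bot: The first substitution in `sanitizeMessage`, `message.replace(/&/g, "&")`, is a no-op as this page renders it — it maps `&` to `&` — so an ampersand in a message would reach the dialog unescaped and a message containing, say, `&lt;` would be shown by the HTML parser as a literal `<` instead of the text the caller passed; this is a text-fidelity problem rather than tag injection, since an entity alone cannot open a tag. If the committed file actually reads `"&amp;"` this is only a display artifact of the commit page, but it should be confirmed in the source, because the ampersand pass must run first and emit `&amp;` for the later `&lt;`/`&gt;`/`&quot;`/`&#039;` replacements to be unambiguous. The helper also assumes its argument is a string: a non-string message (a number, or `undefined` from a caller that omitted it) throws a TypeError inside `.replace` before the dialog opens, so coercing at the top with `message = String(message == null ? "" : message);` would make all three call sites tolerant. Escaping unconditionally also means any caller that deliberately passed markup in a message now sees it rendered literally; those callers are outside the hunks, so that is worth checking before merging.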