Mibew/mibew
1
0
Fork 0
mirror of https://github.com/Mibew/mibew.git synced 2025-04-25 15:56:07 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix XSS in vex messages

Browse Source
This commit is contained in:
Fedor A. Fetisov 2020-07-09 12:45:04 +03:00
parent 84f5bca0a9
commit 2336e406f4
1 changed files with 18 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/mibew/js/source/default/utils.js
View File

@ -172,6 +172,21 @@
return (vex.getAllVexes().length > 0); return (vex.getAllVexes().length > 0);
}; };
/**
* Sanitize message used in Vex dialog
* @type {Function}
* @param {String} message A message to sanitize.
* @returns {String}
*/
var sanitizeMessage = function(message) {
return message.replace(/&/g, "&")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
};
/** /**
* Alerts a message. * Alerts a message.
* @param {String} message A message that should be displayed. * @param {String} message A message that should be displayed.
@ -182,7 +197,7 @@
// Do not open alert if one already opened. // Do not open alert if one already opened.
return; return;
} }
vex.dialog.alert({message: message}); vex.dialog.alert({message: sanitizeMessage(message)});
}; };
/** /**
@ -195,7 +210,7 @@
Mibew.Utils.confirm = function(message, callback) { Mibew.Utils.confirm = function(message, callback) {
setVexDefaults(); setVexDefaults();
vex.dialog.confirm({ vex.dialog.confirm({
message: message, message: sanitizeMessage(message),
callback: callback callback: callback
}); });
}; };
@ -210,7 +225,7 @@
Mibew.Utils.prompt = function(message, callback) { Mibew.Utils.prompt = function(message, callback) {
setVexDefaults(); setVexDefaults();
vex.dialog.prompt({ vex.dialog.prompt({
message: message, message: sanitizeMessage(message),
callback: callback callback: callback
}); });
}; };