Protect against script injection

2026-02-04 08:28:17 +08:00 · 2021-12-16 22:57:47 +01:00
parent 43439bbcd3
commit 8f0893447e
14 changed files with 178 additions and 107 deletions
--- a/js/template/BlueprintTemplate.js
+++ b/js/template/BlueprintTemplate.js
@@ -1,7 +1,7 @@
+import GraphSelector from "../graph/GraphSelector"
 import html from "./html"
 import sanitizeText from "./sanitizeText"
 import Template from "./Template"
-import GraphSelector from "../graph/GraphSelector"

 /** @typedef {import("../Blueprint").default} Blueprint */
 export default class BlueprintTemplate extends Template {
@@ -75,7 +75,7 @@ export default class BlueprintTemplate extends Template {
     */
    applyZoom(blueprint, newZoom) {
        blueprint.classList.remove(`ueb-zoom-${blueprint.zoom}`)
-        blueprint.classList.add(`ueb-zoom-${newZoom}`)
+        blueprint.classList.add(sanitizeText`ueb-zoom-${newZoom}`)
    }

    /**
@@ -83,8 +83,8 @@ export default class BlueprintTemplate extends Template {
     * @param {Blueprint} brueprint The blueprint element
     */
    applyExpand(blueprint) {
-        blueprint.gridElement.style.setProperty("--ueb-additional-x", blueprint.additional[0])
-        blueprint.gridElement.style.setProperty("--ueb-additional-y", blueprint.additional[1])
+        blueprint.gridElement.style.setProperty("--ueb-additional-x", sanitizeText(blueprint.additional[0]))
+        blueprint.gridElement.style.setProperty("--ueb-additional-y", sanitizeText(blueprint.additional[1]))
    }

    /**
@@ -92,7 +92,7 @@ export default class BlueprintTemplate extends Template {
     * @param {Blueprint} brueprint The blueprint element
     */
    applyTranlate(blueprint) {
-        blueprint.gridElement.style.setProperty("--ueb-translate-x", blueprint.translateValue[0])
-        blueprint.gridElement.style.setProperty("--ueb-translate-y", blueprint.translateValue[1])
+        blueprint.gridElement.style.setProperty("--ueb-translate-x", sanitizeText(blueprint.translateValue[0]))
+        blueprint.gridElement.style.setProperty("--ueb-translate-y", sanitizeText(blueprint.translateValue[1]))
    }
 }
--- a/js/template/NodeTemplate.js
+++ b/js/template/NodeTemplate.js
@@ -1,7 +1,8 @@
+import GraphPin from "../graph/GraphPin"
 import html from "./html"
 import PinEntity from "../entity/PinEntity"
+import sanitizeText from "./sanitizeText"
 import SelectableDraggableTemplate from "./SelectableDraggableTemplate"
-import GraphPin from "../graph/GraphPin"

 /**
 * @typedef {import("../graph/GraphNode").default} GraphNode
@@ -43,7 +44,7 @@ export default class NodeTemplate extends SelectableDraggableTemplate {
                    <div class="ueb-node-header">
                        <span class="ueb-node-name">
                            <span class="ueb-node-symbol"></span>
-                            <span class="ueb-node-text">${node.entity.getNodeDisplayName()}</span>
+                            <span class="ueb-node-text">${sanitizeText(node.entity.getNodeDisplayName())}</span>
                        </span>
                    </div>
                    <div class="ueb-node-body">
@@ -64,8 +65,8 @@ export default class NodeTemplate extends SelectableDraggableTemplate {
        if (node.selected) {
            node.classList.add("ueb-selected")
        }
-        node.style.setProperty("--ueb-position-x", node.location[0])
-        node.style.setProperty("--ueb-position-y", node.location[1])
+        node.style.setProperty("--ueb-position-x", sanitizeText(node.location[0]))
+        node.style.setProperty("--ueb-position-y", sanitizeText(node.location[1]))
        /** @type {HTMLElement} */
        let inputContainer = node.querySelector(".ueb-node-inputs")
        /** @type {HTMLElement} */
--- a/js/template/PinTemplate.js
+++ b/js/template/PinTemplate.js
@@ -1,4 +1,5 @@
 import html from "./html"
+import sanitizeText from "./sanitizeText"
 import Template from "./Template"

 /**
@@ -31,6 +32,6 @@ export default class PinTemplate extends Template {
     */
    apply(pin) {
        super.apply(pin)
-        pin.classList.add("ueb-node-" + pin.isInput() ? "input" : "output", "ueb-node-value-" + pin.getType())
+        pin.classList.add("ueb-node-" + pin.isInput() ? "input" : "output", "ueb-node-value-" + sanitizeText(pin.getType()))
    }
 }
--- a/js/template/SelectableDraggableTemplate.js
+++ b/js/template/SelectableDraggableTemplate.js
@@ -1,4 +1,4 @@
-import html from "./html"
+import sanitizeText from "./sanitizeText"
 import Template from "./Template"

 /**
@@ -11,8 +11,8 @@ export default class SelectableDraggableTemplate extends Template {
     * @param {SelectableDraggable} element Element of the graph
     */
    applyLocation(element) {
-        element.style.setProperty("--ueb-position-x", element.location[0])
-        element.style.setProperty("--ueb-position-y", element.location[1])
+        element.style.setProperty("--ueb-position-x", sanitizeText(element.location[0]))
+        element.style.setProperty("--ueb-position-y", sanitizeText(element.location[1]))
    }

    /**
--- a/js/template/SelectorTemplate.js
+++ b/js/template/SelectorTemplate.js
@@ -1,3 +1,4 @@
+import sanitizeText from "./sanitizeText"
 import Template from "./Template"

 /**
@@ -21,11 +22,11 @@ export default class SelectorTemplate extends Template {
     */
    applyStartSelecting(selector, initialPosition) {
        // Set initial position
-        selector.style.setProperty("--ueb-select-from-x", initialPosition[0])
-        selector.style.setProperty("--ueb-select-from-y", initialPosition[1])
+        selector.style.setProperty("--ueb-select-from-x", sanitizeText(initialPosition[0]))
+        selector.style.setProperty("--ueb-select-from-y", sanitizeText(initialPosition[1]))
        // Final position coincide with the initial position, at the beginning of selection
-        selector.style.setProperty("--ueb-select-to-x", initialPosition[0])
-        selector.style.setProperty("--ueb-select-to-y", initialPosition[1])
+        selector.style.setProperty("--ueb-select-to-x", sanitizeText(initialPosition[0]))
+        selector.style.setProperty("--ueb-select-to-y", sanitizeText(initialPosition[1]))
        selector.dataset.selecting = "true"
    }

@@ -34,8 +35,8 @@ export default class SelectorTemplate extends Template {
     * @param {GraphSelector} selector Selector element
     */
    applyDoSelecting(selector, finalPosition) {
-        selector.style.setProperty("--ueb-select-to-x", finalPosition[0])
-        selector.style.setProperty("--ueb-select-to-y", finalPosition[1])
+        selector.style.setProperty("--ueb-select-to-x", sanitizeText(finalPosition[0]))
+        selector.style.setProperty("--ueb-select-to-y", sanitizeText(finalPosition[1]))
    }

    /**
--- a/js/template/sanitizeText.js
+++ b/js/template/sanitizeText.js
@@ -1,9 +1,17 @@
 const div = document.createElement("div")

+const tagReplacement = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;',
+    "'": '&#39;',
+    '"': '&quot;'
+}
+
 function sanitizeText(value) {
-    div.textContent = value
-    value = div.textContent
-    div.innerHTML = ""
+    if (value.constructor === String) {
+        return value.replace(/[&<>'"]/g, tag => tagReplacement[tag])
+    }
    return value
 }