Skip to content

Commit ee5e5a5

Browse files
silverwindsilverwind
authored
Improve HTML escaping helper (#12562)
The previous method did not escape single quotes which under some circumstances can lead to XSS vulnerabilites and the fact that it depends on jQuery is also not ideal. Replace it with a lightweight module.
1 parent 03ba12a commit ee5e5a5

3 files changed

Lines changed: 13 additions & 10 deletions

File tree

package-lock.json

Lines changed: 5 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@
1818
"cssnano": "4.1.10",
1919
"domino": "2.1.5",
2020
"dropzone": "5.7.0",
21+
"escape-goat": "3.0.0",
2122
"fast-glob": "3.2.2",
2223
"file-loader": "6.0.0",
2324
"fomantic-ui": "2.8.4",

web_src/js/index.js

Lines changed: 7 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ import './publicpath.js';
66
import './polyfills.js';
77

88
import Vue from 'vue';
9+
import {htmlEscape} from 'escape-goat';
910
import 'jquery.are-you-sure';
1011
import './vendor/semanticdropdown.js';
1112
import {svg} from './utils.js';
@@ -25,10 +26,6 @@ import {createCodeEditor} from './features/codeeditor.js';
2526

2627
const {AppSubUrl, StaticUrlPrefix, csrf} = window.config;
2728

28-
function htmlEncode(text) {
29-
return jQuery('<div />').text(text).html();
30-
}
31-
3229
let previewFileModes;
3330
const commentMDEditors = {};
3431

@@ -532,12 +529,12 @@ function initCommentForm() {
532529
switch (input_id) {
533530
case '#milestone_id':
534531
$list.find('.selected').html(`<a class="item" href=${$(this).data('href')}>${
535-
htmlEncode($(this).text())}</a>`);
532+
htmlEscape($(this).text())}</a>`);
536533
break;
537534
case '#assignee_id':
538535
$list.find('.selected').html(`<a class="item" href=${$(this).data('href')}>` +
539536
`<img class="ui avatar image" src=${$(this).data('avatar')}>${
540-
htmlEncode($(this).text())}</a>`);
537+
htmlEscape($(this).text())}</a>`);
541538
}
542539
$(`.ui${select_id}.list .no-select`).addClass('hide');
543540
$(input_id).val($(this).data('id'));
@@ -1942,7 +1939,7 @@ function searchUsers() {
19421939
$.each(response.data, (_i, item) => {
19431940
let title = item.login;
19441941
if (item.full_name && item.full_name.length > 0) {
1945-
title += ` (${htmlEncode(item.full_name)})`;
1942+
title += ` (${htmlEscape(item.full_name)})`;
19461943
}
19471944
items.push({
19481945
title,
@@ -2223,7 +2220,7 @@ function initTemplateSearch() {
22232220
// Parse the response from the api to work with our dropdown
22242221
$.each(response.data, (_r, repo) => {
22252222
filteredResponse.results.push({
2226-
name: htmlEncode(repo.full_name),
2223+
name: htmlEscape(repo.full_name),
22272224
value: repo.id
22282225
});
22292226
});
@@ -3500,8 +3497,8 @@ function initIssueList() {
35003497
return;
35013498
}
35023499
filteredResponse.results.push({
3503-
name: `#${issue.number} ${htmlEncode(issue.title)
3504-
}<div class="text small dont-break-out">${htmlEncode(issue.repository.full_name)}</div>`,
3500+
name: `#${issue.number} ${htmlEscape(issue.title)
3501+
}<div class="text small dont-break-out">${htmlEscape(issue.repository.full_name)}</div>`,
35053502
value: issue.id
35063503
});
35073504
});

0 commit comments

Comments
 (0)