From 1eb93e9be1e11665abce99c027ffa367e292c052 Mon Sep 17 00:00:00 2001 From: ThinLiquid Date: Mon, 4 Dec 2023 15:17:29 +0000 Subject: [PATCH 1/2] =?UTF-8?q?[=F0=9F=94=92]=20Resolved=20potential=20XSS?= =?UTF-8?q?=20attacks?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- package-lock.json | 2 +- public/uv/uv.bundle.js | 4 +++- src/structures/FlowWindow.ts | 5 +++-- src/utils.ts | 21 +++++++++++++++++++++ 4 files changed, 28 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index 7bffc66..e71ba1f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -12,8 +12,8 @@ "@ptkdev/logger": "^1.8.0", "eruda": "^3.0.1", "filer": "^1.4.1", - "prism-code-editor": "^2.2.1", "material-symbols": "^0.14.1", + "prism-code-editor": "^2.2.1", "uuid": "^9.0.1" }, "devDependencies": { diff --git a/public/uv/uv.bundle.js b/public/uv/uv.bundle.js index 4a43fdc..f440917 100644 --- a/public/uv/uv.bundle.js +++ b/public/uv/uv.bundle.js @@ -17962,6 +17962,8 @@ function deepAssign(dest, src) { for (const key in src) { + if (!src.hasOwnProperty(key)) continue; + if (key === "__proto__" || key === "constructor") continue; if (hasOwnProperty.call(src, key)) { if (isObject(dest[key])) { deepAssign(dest[key], copy(src[key])); @@ -39189,7 +39191,7 @@ str = new String(str).trim(); if (!str || this.urlRegex.test(str)) return str; - if (str.startsWith('javascript:')) { + if (str.startsWith('javascript:') || str.startsWith("data:") || str.startsWith("vbscript:")) { return 'javascript:' + this.js.rewrite(str.slice('javascript:'.length)); }; diff --git a/src/structures/FlowWindow.ts b/src/structures/FlowWindow.ts index 4d29a9d..ef4f361 100644 --- a/src/structures/FlowWindow.ts +++ b/src/structures/FlowWindow.ts 
@@ -1,6 +1,7 @@ import { v4 as uuid } from 'uuid' import WindowManager from '../instances/WindowManager' import { FlowWindowConfig } from '../types' +import { sanitize } from '../utils'; /** * Makes an element draggable. @@ -108,9 +109,9 @@ class FlowWindow { this.element.style.height = `${config.height ?? 200}px` this.header = document.createElement('window-header') - this.header.innerHTML = `
${config.title}
minimizeclose` + this.header.innerHTML = `
${sanitize(config.title)}
minimizeclose` if (config.canResize) { - this.header.innerHTML = `
${config.title}
minimizesquareclose` + this.header.innerHTML = `
${sanitize(config.title)}
minimizesquareclose` } (this.header.querySelector('#close') as HTMLElement).onclick = () => { diff --git a/src/utils.ts b/src/utils.ts index 5ab2caa..4ae9181 100644 --- a/src/utils.ts +++ b/src/utils.ts @@ -30,3 +30,24 @@ export const getTime = async (): Promise => { return timeString } + +/** + * Sanitizes a string of all HTML elements. + * + * @param string String to be sanitized + * @returns Sanitized string + */ +export const sanitize = (string: string): string => { + const map: { + [key: string]: string + } = { + '&': '&', + '<': '<', + '>': '>', + '"': '"', + '\'': ''', + '/': '/' + } + const reg = /[&<>"'/]/ig + return string.replace(reg, (match) => (map[match])) +} From a4acc9655e4d53350d557d6e2283f0ae29f8c247 Mon Sep 17 00:00:00 2001 From: ThinLiquid Date: Mon, 4 Dec 2023 15:18:34 +0000 Subject: [PATCH 2/2] =?UTF-8?q?[=E2=9C=94=EF=B8=8F]=20Follow=20ts-standard?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/structures/FlowWindow.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/structures/FlowWindow.ts b/src/structures/FlowWindow.ts index ef4f361..7124116 100644 --- a/src/structures/FlowWindow.ts +++ b/src/structures/FlowWindow.ts @@ -1,7 +1,7 @@ import { v4 as uuid } from 'uuid' import WindowManager from '../instances/WindowManager' import { FlowWindowConfig } from '../types' -import { sanitize } from '../utils'; +import { sanitize } from '../utils' /** * Makes an element draggable.
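Review bot: Passing `config.title` through `sanitize()` before interpolating it into `this.header.innerHTML` closes the injection on these two lines, but the header is still assembled from a template string, so every future interpolation into it has to remember the call; creating the title node and setting `titleEl.textContent = config.title` needs no escaping and cannot regress when the template is edited. As a smaller point, the `canResize` branch assigns `this.header.innerHTML` a second time with the same escaped title, so the markup could be built once with the extra button included conditionally instead of overwriting the first assignment. The markup inside the template literals was stripped in this view, so the exact elements could not be checked. The enclosing constructor continues outside the hunk.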
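Review bot: As rendered here every value in `map` is identical to its key (`'&': '&'`, `'<': '<'`, …), which would make `sanitize` a no-op; this is most likely this view decoding the HTML entities, but the committed file should be checked to map each character to its entity (`&amp;`, `&lt;`, and so on). The `i` flag on `/[&<>"'/]/ig` has no effect on a character class of symbols and can be dropped, and under `noUncheckedIndexedAccess` `map[match]` is `string | undefined`, so the callback should read `(match) => map[match] ?? match` rather than relying on the regex and the map staying in sync. Naming the parameter `string` shadows the primitive type name for readers; `input` or `text` reads better. The doc comment says the function removes HTML elements, which it does not; `* Escapes the characters significant in HTML text and attribute values; it does not strip markup and is not a URL, JavaScript or CSS escaper.` states the actual contract and keeps callers from using it in the wrong context.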