From 4801c46f7350b77005f20be9b83d6a3ddc58520b Mon Sep 17 00:00:00 2001
From: ThinLiquid
Date: Wed, 6 Dec 2023 19:04:57 +0000
Subject: [PATCH] =?UTF-8?q?[=F0=9F=94=92]=20Resolved=20another=20potential?=
 =?UTF-8?q?=20XSS=20attack?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/builtin/apps/browser.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/builtin/apps/browser.ts b/src/builtin/apps/browser.ts
index 55140a0..064a162 100644
--- a/src/builtin/apps/browser.ts
+++ b/src/builtin/apps/browser.ts
@@ -2,6 +2,7 @@
 import icon from '../../assets/icons/web-browser.svg'
 import { App } from '../../types'
 import FlowWindow from '../../structures/FlowWindow'
+import { sanitize } from '../../utils'
 
 export default class BrowserApp implements App {
   meta = {
@@ -89,7 +90,7 @@ export default class BrowserApp implements App {
       if (this === tabManager.activeTab) {
         (win.content.querySelector('.toggle') as HTMLElement).innerHTML = 'toggle_off'
       }
-      this.iframe.src = win.content.querySelector('input')?.value as string
+      this.iframe.src = sanitize(win.content.querySelector('input')?.value as string)
     } else {
       if (this === tabManager.activeTab) {
         (win.content.querySelector('.toggle') as HTMLElement).innerHTML = 'toggle_on'
@@ -167,7 +168,7 @@ export default class BrowserApp implements App {
       if (tabManager.activeTab.proxy) {
         tabManager.activeTab.iframe.src = `/service/${xor.encode((win.content.querySelector('.inp') as HTMLInputElement).value)}`
       } else {
-        tabManager.activeTab.iframe.src = sanitize((win.content.querySelector('.inp') as HTMLInputElement).value)
+        tabManager.activeTab.iframe.src = sanitize((win.content.querySelector('.inp') as HTMLInputElement).value)
       }
     }
   })
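Review bot: Wrapping the user-supplied value in `sanitize(...)` on the `this.iframe.src` line of the second hunk and the `tabManager.activeTab.iframe.src` line of the third does not by itself establish that the XSS is closed, because `sanitize` lives in `../../utils` outside this diff and `iframe.src` is a URL sink, not an HTML sink — an HTML-escaping sanitizer leaves a script-scheme string untouched and the browser still navigates to it. A URL sink wants scheme validation rather than escaping: parse the value and accept only an allow-list of schemes, e.g. `const url = new URL(raw, location.href); if (!['http:', 'https:'].includes(url.protocol)) return;` before the assignment, or make `sanitize` document that it does exactly this. The same input also reaches `tabManager.activeTab.iframe.src` unvalidated through `xor.encode(...)` in the `proxy` branch two lines above the third hunk's change; if the proxy decodes and loads that value, the validation presumably belongs there too — worth confirming. In the second hunk `querySelector('input')?.value as string` hands `undefined` to `sanitize` when the input is absent, so a guard or `?? ''` is needed there as well. The enclosing handler functions in both hunks start and end outside the hunk.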