[🔒] Resolved another potential XSS attack

2023-12-06 19:04:57 +00:00 · 2023-12-06 19:04:57 +00:00 · 4801c46f73
commit 4801c46f73
parent 9a3a611c01
1 changed files with 3 additions and 2 deletions
--- a/src/builtin/apps/browser.ts
+++ b/src/builtin/apps/browser.ts
@ -2,6 +2,7 @@ import icon from '../../assets/icons/web-browser.svg'
 import { App } from '../../types'

 import FlowWindow from '../../structures/FlowWindow'
+import { sanitize } from '../../utils'

 export default class BrowserApp implements App {
  meta = {
@ -89,7 +90,7 @@ export default class BrowserApp implements App {
          if (this === tabManager.activeTab) {
            (win.content.querySelector('.toggle') as HTMLElement).innerHTML = 'toggle_off'
          }
-          this.iframe.src = win.content.querySelector('input')?.value as string
+          this.iframe.src = sanitize(win.content.querySelector('input')?.value as string)
        } else {
          if (this === tabManager.activeTab) {
            (win.content.querySelector('.toggle') as HTMLElement).innerHTML = 'toggle_on'
@ -167,7 +168,7 @@ export default class BrowserApp implements App {
        if (tabManager.activeTab.proxy) {
          tabManager.activeTab.iframe.src = `/service/${xor.encode((win.content.querySelector('.inp') as HTMLInputElement).value)}`
        } else {
-          tabManager.activeTab.iframe.src = (win.content.querySelector('.inp') as HTMLInputElement).value
+          tabManager.activeTab.iframe.src = sanitize((win.content.querySelector('.inp') as HTMLInputElement).value)
        }
      }
    })