N°4374 - Add sanitizer helper for front end (JS)

This commit is contained in:
acognet
2021-10-19 11:25:07 +02:00
parent 8a7f0d346d
commit 88fda1466e
2 changed files with 10 additions and 17 deletions


@@ -114,8 +114,8 @@ $(function()
if (sTitle.length === 0) { if (sTitle.length === 0) {
sTitle = sLabel; sTitle = sLabel;
} }
sTitle = CombodoSanitizer.EscapeHtml(sTitle, false); sTitle = CombodoSanitizer.EscapeHtml(sTitle, true);
sLabel = CombodoSanitizer.EscapeHtml(sLabel, false); sLabel = CombodoSanitizer.EscapeHtml(sLabel, true);
if ((this.options.new_entry !== null) && (iEntry === aBreadCrumb.length-1)) { if ((this.options.new_entry !== null) && (iEntry === aBreadCrumb.length-1)) {
// Last entry is the current page // Last entry is the current page
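Review bot: Flipping the second argument from `false` to `true` on the two `CombodoSanitizer.EscapeHtml` lines changes what happens to `&`: the removed `bReplaceAmp=false` path was documented as keeping existing HTML entities, whereas the new `bOutputInHtml=true` path (`$('<div>').text(sValue).html()`) encodes `&` unconditionally, so a breadcrumb label that already holds `&amp;` would now render as the literal text `&amp;`. Whether labels arrive pre-encoded is not visible here, but the old call site was written specifically to tolerate that, so it is worth confirming against the producers of `sLabel`/`sTitle`. If labels are guaranteed plain text, a comment makes the contract explicit: `// Labels must be plain text: EscapeHtml now encodes "&" as well, so pre-encoded entities would be double-escaped`. The enclosing function starts and ends outside the hunk.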


@@ -1046,29 +1046,22 @@ const CombodoSanitizer = {
/** /**
* @param sValue value to escape * @param sValue value to escape
* @param bReplaceAmp if false don't replace "&" (can be useful when sValue contains html entities we want to keep) * @param bOutputInHtml if true return html ("<" become "&lt;")
* * if false return text ("<" stay "<")
* @returns {string} escaped value, ready to insert in the DOM without XSS risk * @returns {string} escaped value, ready to insert in the DOM without XSS risk
* *
* @since 2.6.5, 2.7.2, 3.0.0 N°3332 * @since 2.6.5, 2.7.2, 3.0.0 N°3332
* @since 3.0.0 N°4367 deprecate EncodeHtml and copy the method here (CombodoSanitizer.EscapeHtml) * @since 3.0.0 N°4367 deprecate EncodeHtml and replace by this new method (CombodoSanitizer.EscapeHtml) - params and script are not exactly the same
* *
* @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
* @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for * @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for
* example the text() JQuery way) isn't safe * example the text() JQuery way) isn't safe
*/ */
EscapeHtml: function (sValue, bReplaceAmp) { EscapeHtml: function (sValue, bOutputInHtml = true) {
let sEncodedValue = (sValue+'') if (bOutputInHtml) {
.replace(/</g, '&lt;') return $('<div>').text(sValue).html();
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#x27;')
.replace(/\//g, '&#x2F;');
if (bReplaceAmp) {
sEncodedValue = sEncodedValue.replace(/&/g, '&amp;');
} }
return $('<div>').text(sValue).text();
return sEncodedValue; // return sValue;
} }
} }
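Review bot: The new `bOutputInHtml` branch escapes only what the browser's text-node serialization escapes (`&`, `<`, `>`), so unlike the removed `.replace()` chain it no longer encodes `"`, `'` or `/`, and the unchanged `@returns` line, "ready to insert in the DOM without XSS risk", now overclaims: the value is safe as element content but not inside an attribute value such as `title="..."`. I would narrow it to `* @returns {string} value escaped for HTML element content only ("&", "<", ">" encoded): quotes are not encoded, so never place the result inside an attribute value or a script string`. Two smaller points in the same hunk: `$('<div>').text(undefined)` acts as a jQuery getter and returns a plain string, so a caller passing `undefined` now gets a TypeError on the chained `.html()`/`.text()` where the old `(sValue+'')` coercion returned `"undefined"` — either keep the coercion with `.text(sValue + '')` or document that `sValue` must be a string. The dead `// return sValue;` left on the last line of the method should be dropped. The `CombodoSanitizer` object literal continues outside the hunk.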