composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-13 07:24:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

utils.js : deprecate EncodeHtml and copy it to CombodoSanitizer.EscapeHtml

Browse Source
This commit is contained in:
Pierre Goiffon
2021-10-19 08:43:27 +02:00
parent 6abdabd197
commit d73d39e71a
1 changed files with 32 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
js/utils.js
View File

@@ -596,8 +596,10 @@ function DisplayHistory(sSelector, sFilter, iCount, iStart) {
} }
/** /**
* @deprecated 3.0.0 N°4367 deprecated, use {@see CombodoSanitizer.EscapeHtml} instead
*
* @param sValue value to escape * @param sValue value to escape
* @param bReplaceAmp if false don't replace "&" (can be useful when sValue contrains html entities we want to keep) * @param bReplaceAmp if false don't replace "&" (can be useful when sValue contains html entities we want to keep)
* @returns {string} escaped value, ready to insert in the DOM without XSS risk * @returns {string} escaped value, ready to insert in the DOM without XSS risk
* *
* @since 2.6.5, 2.7.2, 3.0.0 N°3332 * @since 2.6.5, 2.7.2, 3.0.0 N°3332
@@ -1033,11 +1035,40 @@ const CombodoSanitizer = {
_CleanString: function (sValue, sDefaultValue, sRegExp) { _CleanString: function (sValue, sDefaultValue, sRegExp) {
return sValue.replace(sRegExp, ''); return sValue.replace(sRegExp, '');
}, },
_ReplaceString: function (sValue, sDefaultValue, sRegExp) { _ReplaceString: function (sValue, sDefaultValue, sRegExp) {
if (sRegExp.test(sValue)) { if (sRegExp.test(sValue)) {
return sValue; return sValue;
} else { } else {
return sDefaultValue; return sDefaultValue;
} }
},
/**
* @param sValue value to escape
* @param bReplaceAmp if false don't replace "&" (can be useful when sValue contains html entities we want to keep)
*
* @returns {string} escaped value, ready to insert in the DOM without XSS risk
*
* @since 2.6.5, 2.7.2, 3.0.0 N°3332
* @since 3.0.0 N°4367 deprecate EncodeHtml and copy the method here (CombodoSanitizer.EscapeHtml)
*
* @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
* @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for
* example the text() JQuery way) isn't safe
*/
EscapeHtml: function (sValue, bReplaceAmp) {
let sEncodedValue = (sValue+'')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#x27;')
.replace(/\//g, '&#x2F;');
if (bReplaceAmp) {
sEncodedValue = sEncodedValue.replace(/&/g, '&amp;');
}
return sEncodedValue;
} }
} }