Skip to content

Commit

Permalink
excluded br revert from sanitizeHtml and created separate function (#617
Browse files Browse the repository at this point in the history 
)
  • Loading branch information
@maxmarkus
maxmarkus authored Jul 3, 2019
1 parent ef678f0 commit 0d6ac8f
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 6 deletions.
17 changes: 13 additions & 4 deletions core/src/utilities/helpers/escaping-helpers.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,15 @@ class EscapingHelpersClass {
.replace(/>/g, '>')
.replace(/"/g, '"')
.replace(/'/g, ''')
.replace(/javascript:/g, '')
.replace(/&lt;br&gt;/g, '<br>');
.replace(/javascript:/g, '');
}

restoreSanitizedBrs(text) {
return text
.replace(/&lt;br\/&gt;/g, '<br>')
.replace(/&lt;br \/&gt;/g, '<br>')
.replace(/&lt;br&gt;/g, '<br>')
.replace(/&lt;br &gt;/g, '<br>');
}

sanitizeParam(param) {
Expand All @@ -25,7 +32,7 @@ class EscapingHelpersClass {
}

processTextAndLinks(text, links, uniqueID) {
let sanitizedText = this.sanitizeHtml(text);
let sanitizedText = this.restoreSanitizedBrs(this.sanitizeHtml(text));
let initialValue = { sanitizedText, links: [] };

if (!links) {
Expand All @@ -34,7 +41,9 @@ class EscapingHelpersClass {

return Object.entries(links).reduce((acc, [key, content]) => {
const elemId = `_luigi_alert_${uniqueID}_link_${this.sanitizeParam(key)}`;
const escapedText = this.sanitizeHtml(content.text);
const escapedText = this.restoreSanitizedBrs(
this.sanitizeHtml(content.text)
);
const processedData = `<a id="${elemId}">${escapedText}</a>`;
const keyForRegex = this.escapeKeyForRegexp(key);
const pattern = new RegExp(`({${keyForRegex}})`, 'g');
Expand Down
10 changes: 8 additions & 2 deletions core/test/utilities/helpers/escaping-helpers.spec.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,20 @@ describe('Escaping-helpers', () => {
const sanitizedHtml = EscapingHelpers.sanitizeHtml(text);
assert.equal(sanitizedHtml, '&amp;&lt;&gt;&quot;&#39;');

const text2 = `This is text <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie); onclick=javascript:alert(document.cookie)><IMG SRC=j&#X41vascript:alert('test2')>`;
const text2 = `This is text <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie); onclick=javascript:alert(document.cookie)><br><IMG SRC=j&#X41vascript:alert('test2')><br>`;
const sanitizedHtml2 = EscapingHelpers.sanitizeHtml(text2);
assert.equal(
sanitizedHtml2,
'This is text &lt;img src=&quot;http://url.to.file.which/not.exist&quot; onerror=alert(document.cookie); onclick=alert(document.cookie)&gt;&lt;IMG SRC=j&amp;#X41vascript:alert(&#39;test2&#39;)&gt;'
'This is text &lt;img src=&quot;http://url.to.file.which/not.exist&quot; onerror=alert(document.cookie); onclick=alert(document.cookie)&gt;&lt;br&gt;&lt;IMG SRC=j&amp;#X41vascript:alert(&#39;test2&#39;)&gt;&lt;br&gt;'
);
});

it('restoreSanitizedBrs', () => {
const text = '&lt;br&gt; &lt;br &gt; &lt;br /&gt; &lt;br/&gt;';
const sanitizedHtml = EscapingHelpers.restoreSanitizedBrs(text);
assert.equal(sanitizedHtml, '<br> <br> <br> <br>');
});

it('sanitizeParam', () => {
const param = '<>"\'/';
const sanitizedParam = EscapingHelpers.sanitizeParam(param);
Expand Down

0 comments on commit 0d6ac8f

Please sign in to comment.