From 0d6ac8fb6908ad8cf224df3105e1cff1493c57cb Mon Sep 17 00:00:00 2001
From: Markus <1720843+maxmarkus@users.noreply.github.com>
Date: Wed, 3 Jul 2019 10:26:10 +0200
Subject: [PATCH] excluded br revert from sanitizeHtml and created separate function (#617)

---
 core/src/utilities/helpers/escaping-helpers.js | 17 +++++++++++++----
 .../utilities/helpers/escaping-helpers.spec.js | 10 ++++++++--
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/core/src/utilities/helpers/escaping-helpers.js b/core/src/utilities/helpers/escaping-helpers.js
index c320aa430c..602e293136 100644
--- a/core/src/utilities/helpers/escaping-helpers.js
+++ b/core/src/utilities/helpers/escaping-helpers.js
@@ -7,8 +7,15 @@ class EscapingHelpersClass {
 .replace(/>/g, '>')
 .replace(/"/g, '"')
 .replace(/'/g, ''')
- .replace(/javascript:/g, '')
- .replace(/<br>/g, '
');
+ .replace(/javascript:/g, '');
+ }
+
+ restoreSanitizedBrs(text) {
+ return text
+ .replace(/<br\/>/g, '
')
+ .replace(/<br \/>/g, '
')
+ .replace(/<br>/g, '
')
+ .replace(/<br >/g, '
');
 }

 sanitizeParam(param) {
@@ -25,7 +32,7 @@ class EscapingHelpersClass {
 }

 processTextAndLinks(text, links, uniqueID) {
- let sanitizedText = this.sanitizeHtml(text);
+ let sanitizedText = this.restoreSanitizedBrs(this.sanitizeHtml(text));
 let initialValue = { sanitizedText, links: [] };

 if (!links) {
@@ -34,7 +41,9 @@ class EscapingHelpersClass {

 return Object.entries(links).reduce((acc, [key, content]) => {
 const elemId = `_luigi_alert_${uniqueID}_link_${this.sanitizeParam(key)}`;
- const escapedText = this.sanitizeHtml(content.text);
+ const escapedText = this.restoreSanitizedBrs(
+ this.sanitizeHtml(content.text)
+ );
 const processedData = `${escapedText}`;
 const keyForRegex = this.escapeKeyForRegexp(key);
 const pattern = new RegExp(`({${keyForRegex}})`, 'g');
diff --git a/core/test/utilities/helpers/escaping-helpers.spec.js b/core/test/utilities/helpers/escaping-helpers.spec.js
index 4ee54250cb..b728469309 100644
--- a/core/test/utilities/helpers/escaping-helpers.spec.js
+++ b/core/test/utilities/helpers/escaping-helpers.spec.js
@@ -8,14 +8,20 @@ describe('Escaping-helpers', () => {
 const sanitizedHtml = EscapingHelpers.sanitizeHtml(text);
 assert.equal(sanitizedHtml, '&<>"''');

- const text2 = `This is text `;
+ const text2 = `This is text
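Review bot: `restoreSanitizedBrs` turns break tags that `sanitizeHtml` has just entity-encoded back into live `<br>` markup (as the commit title and the composed calls in `processTextAndLinks` indicate), so it is only safe to run on `sanitizeHtml` output, and nothing in the hunk states that contract; a JSDoc such as `/** Re-enables <br> line breaks in text already escaped by sanitizeHtml(); never call it on raw input. */` above the new method would pin it. The four patterns are exact and case-sensitive, so an upper-case `<BR>` stays encoded — the safe default, but worth a sentence in the same comment since the test file's own inputs use mixed-case tags. The trailing `.replace(/javascript:/g, '')` now runs after every `<`, `>`, `"` and `'` has been encoded, so in practice it deletes the literal token from ordinary text rather than adding protection; a one-line comment on why it is kept would help the next reader. The enclosing `sanitizeHtml` method starts above the hunk.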
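Review bot: The composition `this.restoreSanitizedBrs(this.sanitizeHtml(text))` introduced here is repeated verbatim for `content.text` in the following hunk; a small helper on the class, e.g. `sanitizeText(text) { return this.restoreSanitizedBrs(this.sanitizeHtml(text)); }`, would keep the two call sites from drifting apart (one later gaining or losing the restore step without the other). `sanitizedText` is declared with `let` but is not reassigned in the visible lines, so `const` fits unless the remainder of `processTextAndLinks`, which continues past the hunk, reassigns it.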

`;
 const sanitizedHtml2 = EscapingHelpers.sanitizeHtml(text2);
 assert.equal(
 sanitizedHtml2,
- 'This is text <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie); onclick=alert(document.cookie)><IMG SRC=j&#X41vascript:alert('test2')>'
+ 'This is text <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie); onclick=alert(document.cookie)><br><IMG SRC=j&#X41vascript:alert('test2')><br>'
 );
 });

+ it('restoreSanitizedBrs', () => {
+ const text = '<br> <br > <br /> <br/>';
+ const sanitizedHtml = EscapingHelpers.restoreSanitizedBrs(text);
+ assert.equal(sanitizedHtml, '



');
+ });
+
 it('sanitizeParam', () => {
 const param = '<>"\'/';
 const sanitizedParam = EscapingHelpers.sanitizeParam(param);
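Review bot: The new `it('restoreSanitizedBrs')` case covers only the positive path — four encoded break variants on their own — and nothing asserts the combined pipeline the commit wires into `processTextAndLinks`, namely that `restoreSanitizedBrs(sanitizeHtml(text2))` re-enables exactly the two breaks while the `img` tags and the script-URL sample inside `text2` stay encoded. An assertion on that composed result next to `sanitizedHtml2` would pin the property this split exists to preserve; the exact expected string is not quoted here because the rendered hunk has lost the tag text inside `text2`. The input of the new test also has no negative sample, such as one encoded non-break tag, to show it is passed through untouched.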