Freifunk-Troisdorf/meshviewer
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[TASK] Prevent XSS in tooltip

Browse Source
This commit is contained in:
Xaver Maierhofer 2018-08-06 17:50:57 +02:00
parent 2192500d05
commit 8bf3498744
No known key found for this signature in database
GPG Key ID: 7FDCE23FD2EC9FE8
2 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/map/labellayer.js
View File

@ -87,7 +87,7 @@ define(['leaflet', 'rbush', 'helper', 'moment'],
m.on('click', function () { m.on('click', function () {
router.fullUrl({ node: d.node_id }); router.fullUrl({ node: d.node_id });
}); });
m.bindTooltip(d.hostname); m.bindTooltip(helper.escape(d.hostname));
dict[d.node_id] = m; dict[d.node_id] = m;
@ -114,7 +114,7 @@ define(['leaflet', 'rbush', 'helper', 'moment'],
line.setStyle(opts); line.setStyle(opts);
}; };
line.bindTooltip(d.source.hostname + ' ' + d.target.hostname + line.bindTooltip(helper.escape(d.source.hostname + ' ' + d.target.hostname) +
'<br><strong>' + helper.showDistance(d) + ' / ' + helper.showTq(d.source_tq) + ' - ' + helper.showTq(d.target_tq) + '<br>' + d.type + '</strong>'); '<br><strong>' + helper.showDistance(d) + ' / ' + helper.showTq(d.source_tq) + ' - ' + helper.showTq(d.target_tq) + '<br>' + d.type + '</strong>');
line.on('click', function () { line.on('click', function () {

6
lib/utils/helper.js
View File

@ -196,5 +196,11 @@ define({
btn.classList.add('ion-full-enter'); btn.classList.add('ion-full-enter');
} }
} }
},
escape: function escape(string) {
return string.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&#34;')
.replace(/'/g, '&#39;');
} }
}); });