
Commit fbb18b6

committed
Fix stored XSS in the graphviz error message rendering [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
1 parent 1434cdb commit fbb18b6

1 file changed

+6
-6
lines changed

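--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -333,7 +333,7 @@ export function finishView (view) {
 svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet')
 } catch (err) {
 $value.unwrap()
-$value.parent().append('<div class="alert alert-warning">' + err + '</div>')
+$value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
 console.warn(err)
 }
 })
@@ -357,7 +357,7 @@ export function finishView (view) {
 $value.children().unwrap().unwrap()
 } catch (err) {
 $value.unwrap()
-$value.parent().append('<div class="alert alert-warning">' + err + '</div>')
+$value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
 console.warn(err)
 }
 })
@@ -376,7 +376,7 @@ export function finishView (view) {
 $value.children().unwrap().unwrap()
 } catch (err) {
 $value.unwrap()
-$value.parent().append('<div class="alert alert-warning">' + err + '</div>')
+$value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
 console.warn(err)
 }
 })
@@ -398,7 +398,7 @@ export function finishView (view) {
 }
 
 $value.unwrap()
-$value.parent().append('<div class="alert alert-warning">' + errormessage + '</div>')
+$value.parent().append(`<div class="alert alert-warning">${escapeHTML(errormessage)}</div>`)
 console.warn(errormessage)
 }
 })
@@ -418,7 +418,7 @@ export function finishView (view) {
 svg[0].setAttribute('preserveAspectRatio', 'xMidYMid meet')
 } catch (err) {
 $value.unwrap()
-$value.parent().append('<div class="alert alert-warning">' + err + '</div>')
+$value.parent().append(`<div class="alert alert-warning">${escapeHTML(err)}</div>`)
 console.warn(err)
 }
 })
@@ -578,7 +578,7 @@ export function postProcess (code) {
 if (warning && warning.length > 0) {
 warning.text(md.metaError)
 } else {
-warning = $('<div id="meta-error" class="alert alert-warning">' + md.metaError + '</div>')
+warning = $(`<div id="meta-error" class="alert alert-warning">${escapeHTML(md.metaError)}</div>`)
 result.prepend(warning)
 }
 }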
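Review bot: `escapeHTML(err)` on the new line 336 is handed an Error object rather than a string; the old `'...' + err + '...'` concatenation coerced it through `toString()`, but if `escapeHTML` (defined outside these hunks) applies string methods to its argument directly it will throw on a non-string, and the same applies to the catch blocks at 357, 376 and 418. Writing `escapeHTML(String(err))` keeps that coercion explicit and independent of how the helper is implemented. The `meta-error` hunk could skip building markup from data entirely by using jQuery's text setter the way the `if` branch just above it already does: `warning = $('<div id="meta-error" class="alert alert-warning"></div>').text(md.metaError)`. The enclosing functions `finishView` and `postProcess` both start and end outside these hunks.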
