From 8b44927cb60178c78f84808da164deffa7899a12 Mon Sep 17 00:00:00 2001
From: j433866
Date: Thu, 31 Jan 2019 15:18:37 +0000
Subject: [PATCH 1/2] Fix XSS for To Table operation and Magic button
---
 src/core/operations/ToTable.mjs | 2 +-
 src/web/OutputWaiter.mjs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/operations/ToTable.mjs b/src/core/operations/ToTable.mjs
index 28cd9bf..6d10b34 100644
--- a/src/core/operations/ToTable.mjs
+++ b/src/core/operations/ToTable.mjs
@@ -57,7 +57,7 @@ class ToTable extends Operation {
 const [cellDelims, rowDelims, firstRowHeader, format] = args;
 // Process the input into a nested array of elements.
- const tableData = Utils.parseCSV(input, cellDelims.split(""), rowDelims.split(""));
+ const tableData = Utils.parseCSV(Utils.escapeHtml(input), cellDelims.split(""), rowDelims.split(""));
 if (!tableData.length) return "";
diff --git a/src/web/OutputWaiter.mjs b/src/web/OutputWaiter.mjs
index 28deaff..ed35c91 100755
--- a/src/web/OutputWaiter.mjs
+++ b/src/web/OutputWaiter.mjs
@@ -478,7 +478,7 @@ class OutputWaiter {
 */
 showMagicButton(opSequence, result, recipeConfig) {
 const magicButton = document.getElementById("magic");
- magicButton.setAttribute("data-original-title", `${opSequence} will produce "${Utils.truncate(result, 30)}"`);
+ magicButton.setAttribute("data-original-title", `${opSequence} will produce "${Utils.truncate(Utils.escapeHtml(result), 30)}"`);
 magicButton.setAttribute("data-recipe", JSON.stringify(recipeConfig), null, "");
 magicButton.classList.remove("hidden");
 }
From 74a22bcf9c4754e3bc107579c76d39c915d95695 Mon Sep 17 00:00:00 2001
From: j433866
Date: Thu, 31 Jan 2019 15:22:25 +0000
Subject: [PATCH 2/2] Swap ordering of truncating and escaping
---
 src/web/OutputWaiter.mjs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/web/OutputWaiter.mjs b/src/web/OutputWaiter.mjs
index ed35c91..2d93507 100755
--- a/src/web/OutputWaiter.mjs
+++ b/src/web/OutputWaiter.mjs
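Review bot: Escaping the whole input before `Utils.parseCSV` runs ties the parse to the escaped form: if a cell or row delimiter is one of the characters escapeHtml rewrites (`&`, `<`, `>`, quotes), the delimiter no longer matches what the user typed, and any quote-aware handling inside parseCSV would see `&quot;` where the input had `"`. The `format` argument on the first context line suggests non-HTML output formats exist too, in which case the entities would end up in plain-text output where no escaping is wanted. Safer to keep parsing on the raw input and escape each cell only where the HTML table is emitted, e.g. `Utils.escapeHtml(cell)` at the point the cell text is written into a `<td>`/`<th>`. The enclosing method starts and ends outside the hunk.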
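Review bot: The escape on the new `data-original-title` line is only correct if the tooltip that reads that attribute renders the title as HTML; if it is configured to render plain text, the user will see literal `&lt;` sequences instead of the output, so it is worth confirming the tooltip's html setting and noting it in a comment such as `// title is rendered as HTML by the tooltip, so escape the untrusted output`. `opSequence` is interpolated into the same attribute without escaping; presumably it is built from operation names in the recipe rather than from output, but that assumption should be confirmed. showMagicButton is wholly within the hunk.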
@@ -478,7 +478,7 @@ class OutputWaiter {
 */
 showMagicButton(opSequence, result, recipeConfig) {
 const magicButton = document.getElementById("magic");
- magicButton.setAttribute("data-original-title", `${opSequence} will produce "${Utils.truncate(Utils.escapeHtml(result), 30)}"`);
+ magicButton.setAttribute("data-original-title", `${opSequence} will produce "${Utils.escapeHtml(Utils.truncate(result), 30)}"`);
 magicButton.setAttribute("data-recipe", JSON.stringify(recipeConfig), null, "");
 magicButton.classList.remove("hidden");
 }
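Review bot: The `30` on the added line now goes to `Utils.escapeHtml` as a second argument instead of to `Utils.truncate`, so the length the previous version passed is lost and truncate runs with no length (whatever its default is); the call should read `Utils.escapeHtml(Utils.truncate(result, 30))`. Escaping after truncating is the right order, since truncating the escaped string could cut an entity such as `&lt;` in half and the fragment would then render as literal text. showMagicButton is wholly within the hunk.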