chore: add escape to prevent XSS (#833)

2 years ago · 65cc19c12e
parent c07b4a57ca
commit 65cc19c12e
6 changed files with 11 additions and 10 deletions
--- a/web/src/components/SearchBar.tsx
+++ b/web/src/components/SearchBar.tsx
@ -38,7 +38,7 @@ const SearchBar = () => {
  useEffect(() => {
    const text = locationStore.getState().query.text;
    setQueryText(text === undefined ? "" : text);
-  }, [locationStore.getState().query.text]);
+  }, [locationStore.state.query.text]);

  const handleMemoTypeItemClick = (type: MemoSpecType | undefined) => {
    const { type: prevType } = locationStore.getState().query ?? {};
--- a/web/src/labs/highlighter/index.ts
+++ b/web/src/labs/highlighter/index.ts
@ -1,6 +1,4 @@
-const escapeRegExp = (str: string): string => {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-};
+import { escape } from "lodash";

 const walkthroughNodeWithKeyword = (node: HTMLElement, keyword: string) => {
  if (node.nodeType === 3) {
@ -19,8 +17,8 @@ export const highlightWithWord = (html: string, keyword?: string): string => {
  if (!keyword) {
    return html;
  }
-  keyword = escapeRegExp(keyword);
+  keyword = escape(keyword);
  const wrap = document.createElement("div");
-  wrap.innerHTML = html;
+  wrap.innerHTML = escape(html);
  return walkthroughNodeWithKeyword(wrap, keyword);
 };
--- a/web/src/labs/marked/parser/Bold.ts
+++ b/web/src/labs/marked/parser/Bold.ts
@ -1,3 +1,4 @@
+import { escape } from "lodash";
 import { marked } from "..";
 import Link from "./Link";

@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
    return rawStr;
  }

-  const parsedContent = marked(matchResult[1], [], [Link]);
+  const parsedContent = marked(escape(matchResult[1]), [], [Link]);
  return `<strong>${parsedContent}</strong>`;
 };

--- a/web/src/labs/marked/parser/BoldEmphasis.ts
+++ b/web/src/labs/marked/parser/BoldEmphasis.ts
@ -1,3 +1,4 @@
+import { escape } from "lodash";
 import { marked } from "..";
 import Link from "./Link";

@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
    return rawStr;
  }

-  const parsedContent = marked(matchResult[1], [], [Link]);
+  const parsedContent = marked(escape(matchResult[1]), [], [Link]);
  return `<strong><em>${parsedContent}</em></strong>`;
 };

--- a/web/src/labs/marked/parser/Emphasis.ts
+++ b/web/src/labs/marked/parser/Emphasis.ts
@ -1,3 +1,4 @@
+import { escape } from "lodash";
 import { marked } from "..";
 import Link from "./Link";

@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
    return rawStr;
  }

-  const parsedContent = marked(matchResult[1], [], [Link]);
+  const parsedContent = marked(escape(matchResult[1]), [], [Link]);
  return `<em>${parsedContent}</em>`;
 };

--- a/web/src/labs/marked/parser/Link.ts
+++ b/web/src/labs/marked/parser/Link.ts
@ -17,7 +17,7 @@ const renderer = (rawStr: string): string => {
  if (!matchResult) {
    return rawStr;
  }
-  const parsedContent = marked(matchResult[1], [], [InlineCode, BoldEmphasis, Emphasis, Bold]);
+  const parsedContent = marked(escape(matchResult[1]), [], [InlineCode, BoldEmphasis, Emphasis, Bold]);
  return `<a class='link' target='_blank' rel='noreferrer' href='${escape(matchResult[2])}'>${parsedContent}</a>`;
 };