From d0ad84daa08cdd00a084407dfab341b8273448c1 Mon Sep 17 00:00:00 2001 From: Samuel Tallet Date: Tue, 26 Oct 2021 14:38:09 +0200 Subject: [PATCH] Escape HTML output --- static/js/mpg.database.query.js | 9 ++++++--- static/js/mpg.js | 27 +++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/static/js/mpg.database.query.js b/static/js/mpg.database.query.js index 3b29aa5..e9efbd2 100644 --- a/static/js/mpg.database.query.js +++ b/static/js/mpg.database.query.js @@ -483,7 +483,10 @@ MPG.eventListeners.addUpdate = function() { var documentField = event.currentTarget; - var documentFieldNewValue = window.prompt('New value', documentField.innerHTML); + var documentFieldNewValue = window.prompt( + 'New value', + MPG.helpers.unescapeHTML(documentField.innerHTML) + ); if ( documentFieldNewValue === null ) { return; @@ -518,8 +521,8 @@ MPG.eventListeners.addUpdate = function() { function(response) { if ( JSON.parse(response) === 1 ) { - documentField.innerHTML = MPG.helpers.convertAnyToString( - documentFieldNewValue + documentField.innerHTML = MPG.helpers.escapeHTML( + MPG.helpers.convertAnyToString(documentFieldNewValue) ); } diff --git a/static/js/mpg.js b/static/js/mpg.js index d19d37c..137f7c8 100644 --- a/static/js/mpg.js +++ b/static/js/mpg.js @@ -140,6 +140,33 @@ MPG.helpers.completeNavLinks = function(urlFragment) { }; +/** + * Escapes HTML tags and entities. + * This prevents HTML stored in MongoDB documents to be interpreted by browser. + * + * @param {string} html + * + * @returns {string} + */ +MPG.helpers.escapeHTML = function(html) { + + return html.replace(/&/g, '&').replace(//g, '>'); + +}; + +/** + * Unescapes HTML tags and entities. + * + * @param {string} html + * + * @returns {string} + */ +MPG.helpers.unescapeHTML = function(html) { + + return html.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>'); + +}; + /** * Reloads collections of a specific database. *