chore: bye bye xss

shrimplejs · Jun 10, 2024 · 292b913 · 292b913
1 parent dca60d0
commit 292b913
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/src/util/replaceInterps.ts b/src/util/replaceInterps.ts
@@ -1,9 +1,10 @@
 import { InterpolationObject } from "./types";
+import sanitizeText from "./sanitizeText";
 
 export default function replaceInterps(str: string, interp?: InterpolationObject) {
-    console.log(interp)
     for (const key in interp) {
-        str = str.replaceAll(`{{${key}}}`, interp[key] as string);
+        // sanitize the key to prevent XSS
+        str = str.replaceAll(`{{${key}}}`, sanitizeText(interp[key] as string));
     }
     return str;
 }
diff --git a/src/util/sanitizeText.ts b/src/util/sanitizeText.ts
@@ -0,0 +1,17 @@
+const entityMap = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;',
+//    '"': '&quot;',
+//    "'": '&#39;',
+//    '/': '&#x2F;',
+//    '`': '&#x60;',
+//    '=': '&#x3D;'
+};
+
+export default function sanitizeText(text: string) {
+    return text.replace(/[&<>]/g, function (s) {
+        // @ts-ignore should be fine :clueless:
+        return entityMap[s];
+    });
+}
diff --git a/tests/getInterps.test.ts b/tests/getInterps.test.ts
@@ -6,4 +6,7 @@ it("should return values with interpolations replaced", () => {
 
   // test to handle nonexistent interpolaitons, should return the normal {{}} string
   expect(locales.t("interp.hello", {}, 'en')).toBe("Hello {{int}}");
+
+  // check to prevent XSS
+  expect(locales.t("interp.hello", { int: '<script>alert("XSS")</script>' }, 'en')).toBe(`Hello &lt;script&gt;alert("XSS")&lt;/script&gt;`);
 });