diff options
| author | Greg <supahgreg@users.noreply.github.com> | 2025-10-10 19:35:33 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-10-10 19:35:33 -0500 |
| commit | 92493059da37b3cbd7040f786b1129571e3893cc (patch) | |
| tree | ab8964c558a080362f9c0e6af09edaef2bb13764 | |
| parent | 80668d4fd818d2f2876b0d505a034865681ee485 (diff) | |
| parent | bb08b0acd5dbdfba068fad5332ddf51b485fc477 (diff) | |
Merge pull request #35 from tt-rss/bugfix/code-scanning-js-findings
Address two JS code scanning findings
| -rw-r--r-- | js/App.js | 59 | ||||
| -rw-r--r-- | js/CommonFilters.js | 2 | ||||
| -rwxr-xr-x | js/FeedTree.js | 11 | ||||
| -rwxr-xr-x | js/common.js | 4 |
4 files changed, 32 insertions, 44 deletions
@@ -411,40 +411,39 @@ const App = { }, // htmlspecialchars()-alike for headlines data-content attribute escapeHtml: function(p) { - if (typeof p == "string") { - const map = { - '&': '&', - '<': '<', - '>': '>', - '"': '"', - "'": ''' - }; + if (typeof p !== 'string') + return p; - return p.replace(/[&<>"']/g, function(m) { return map[m]; }); - } else { + const map = { + '&': '&', + '<': '<', + '>': '>', + '"': '"', + "'": ''', + '/': '/', + }; + + return p.replace(/[&<>"'\/]/g, m => map[m]); + }, + unescapeHtml: function(p) { + if (typeof p !== 'string' || p.indexOf('&') === -1) return p; - } + + return p.replace(/&(?:amp|lt|gt|quot|#x27|#x2F|#039|#47);/g, function(entity) { + switch (entity) { + case '&': return '&'; + case '<': return '<'; + case '>': return '>'; + case '"': return '"'; + case ''': case ''': return "'"; + case '/': case '/': return '/'; + default: return entity; + } + }); }, - // http://stackoverflow.com/questions/6251937/how-to-get-selecteduser-highlighted-text-in-contenteditable-element-and-replac getSelectedText: function() { - let text = ""; - - if (typeof window.getSelection != "undefined") { - const sel = window.getSelection(); - if (sel.rangeCount) { - const container = document.createElement("div"); - for (let i = 0, len = sel.rangeCount; i < len; ++i) { - container.appendChild(sel.getRangeAt(i).cloneContents()); - } - text = container.innerHTML; - } - } else if (typeof document.selection != "undefined") { - if (document.selection.type == "Text") { - text = document.selection.createRange().textText; - } - } - - return text.stripTags(); + const sel = window.getSelection(); + return sel ? sel.toString().trim() : ""; }, displayIfChecked: function(checkbox, elemId) { if (checkbox.checked) { diff --git a/js/CommonFilters.js b/js/CommonFilters.js index f6cc5a4e7..6d40373d6 100644 --- a/js/CommonFilters.js +++ b/js/CommonFilters.js @@ -527,6 +527,8 @@ const Filters = { `); if (!App.isPrefs()) { + // TODO: This section isn't working as expected (under Firefox 143, at least). + // `selectedText` is always empty at this point (tested by selecting some article text). const selectedText = App.getSelectedText(); if (selectedText != "") { diff --git a/js/FeedTree.js b/js/FeedTree.js index 67d2a8035..683205579 100755 --- a/js/FeedTree.js +++ b/js/FeedTree.js @@ -237,16 +237,7 @@ define(["dojo/_base/declare", "dojo/dom-construct", "dojo/_base/array", "dojo/co return rc; }, getLabel: function(item) { - let name = String(item.name); - - /* Horrible */ - name = name.replace(/"/g, "\""); - name = name.replace(/&/g, "&"); - name = name.replace(/—/g, "-"); - name = name.replace(/</g, "<"); - name = name.replace(/>/g, ">"); - - return name; + return App.unescapeHtml(item.name); }, expandParentNodes: function(feed, is_cat, list) { try { diff --git a/js/common.js b/js/common.js index 9635ab492..99cf52fa1 100755 --- a/js/common.js +++ b/js/common.js @@ -167,10 +167,6 @@ Array.prototype.uniq = function() { return this.filter((v, i, a) => a.indexOf(v) === i); }; -String.prototype.stripTags = function() { - return this.replace(/<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?(\/)?>|<\/\w+>/gi, ''); -} - /* exported xhr */ const xhr = { _ts: 0, |