gritter: Treat strings as text, not HTML

This forces users to use jQuery or DOM objects if they want formatting, which helps avoid XSS vulnerabilities.
2020-10-19 20:48:53 -04:00 · 2020-10-19 20:48:53 -04:00 · a712ce457d
parent 8463134125
commit a712ce457d
2 changed files with 9 additions and 4 deletions
--- a/src/static/js/chat.js
+++ b/src/static/js/chat.js
@ -193,7 +193,10 @@ var chat = (function()

          if(!chatOpen && ctx.duration > 0) {
            $.gritter.add({
-              text: '<span class="author-name">' + ctx.authorName + '</span>' + ctx.text,
+              // Note: ctx.authorName and ctx.text are already HTML-escaped.
+              text: $('<p>')
+                  .append($('<span>').addClass('author-name').html(ctx.authorName))
+                  .append(ctx.text),
              sticky: ctx.sticky,
              time: 5000,
              position: 'bottom',
--- a/src/static/js/gritter.js
+++ b/src/static/js/gritter.js
@ -11,7 +11,8 @@
 * Edited by Sebastian Castro <sebastian.castro@protonmail.com> on 2020-03-31
 *
 * Edited by Richard Hansen <rhansen@rhansen.org> on 2020-10-19 to accept jQuery or DOM objects for
- * notification title and text.
+ * notification title and text, and to treat plain strings as text instead of HTML (to avoid XSS
+ * vunlerabilities).
 */

 (function($){
@ -142,7 +143,8 @@

 			// String replacements on the template
 			if(title){
-				title = this._tpl_title.clone().append(title);
+				title = this._tpl_title.clone().append(
+						typeof title === 'string' ? document.createTextNode(title) : title);
 			}else{
 				title = '';
 			}
@ -152,7 +154,7 @@
 			tmp.addClass(item_class);
 			tmp.find('.gritter-content')
 					.append(title)
-					.append(typeof text === 'string' ? $('<p>').html(text) : text);
+					.append(typeof text === 'string' ? $('<p>').text(text) : text);

 			// If it's false, don't show another gritter message
 			if(this['_before_open_' + number]() === false){