Merge pull request #307 from gstrauss/html-escaping

HTML-escape special chars in version strings
mozilla · Dec 14, 2024 · 4b3fd74 · 4b3fd74
2 parents 560e77f + baf992a
commit 4b3fd74
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 90 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/js/index.js b/src/js/index.js
@@ -7,7 +7,7 @@ import '../css/index.scss';
 import { validHashKeys } from './constants.js';
 import configs from './configs.js';
 import state from './state.js';
-import { sleep } from './utils.js';
+import { sleep, xmlEntities } from './utils.js';
 
 
 // note if any button has changed so that we can update the fragment if it has
@@ -22,12 +22,6 @@ for (let x of Object.keys(configs)) {
 }
 
 
-function xmlEntities(str) {
-  return String(str).replace(/["&'<>`]/g,
-           function (x) { return '&#x'+x.codePointAt(0).toString(16)+';'; });
-}
-
-
 const render = async () => {
 
   document.getElementById('version').readOnly = false;
@@ -41,7 +35,7 @@ const render = async () => {
       <p>Select an application server in Server Software (above) to generate a sample TLS configuration.</p>
       <p>When using sample TLS configurations, replace example.com with your server name (e.g. hostname) and replace /path/to/... with actual paths to your local files.</p>
 `;
-    document.getElementById('output-config').innerHTML = '';
+    document.getElementById('output-config').innerText = '';
     document.getElementById('output-config-container').classList.toggle('d-none', true);
     document.getElementById('version').classList.toggle('text-disabled', true);
     document.getElementById('openssl').classList.toggle('text-disabled', true);
@@ -81,7 +75,7 @@ const render = async () => {
   document.getElementById('output-header').innerHTML = header;
 
   if (_state.output.protocols.length === 0) {
-    document.getElementById('output-config').innerHTML =
+    document.getElementById('output-config').innerText =
       `# unfortunately, ${_state.form.version_tags} is not supported with these software versions.`;
     // hide copy button
     document.getElementById('copy').classList.toggle('d-none', true);
@@ -94,7 +88,7 @@ const render = async () => {
   // render the config file for whichever server software we're using
   const renderedTemplate = templates[_state.form.server](_state.form, _state.output);
 
-  document.getElementById('output-config').innerHTML = xmlEntities(renderedTemplate);
+  document.getElementById('output-config').innerText = renderedTemplate;
 };
 
 

diff --git a/src/js/state.js b/src/js/state.js
@@ -1,6 +1,7 @@
 import configs from './configs.js';
 import sstls from '../static/guidelines/latest.json';
 import minver from './helpers/minver.js';
+import { xmlEntities } from './utils.js';
 
 
 export default async function () {
@@ -36,6 +37,10 @@ export default async function () {
   }
   version_tags += `, ${form['config'].value} config`;
 
+  // html-escape version_tags (even though version_tags is also used
+  // outside HTML contexts, HTML is not expected in version strings)
+  version_tags = xmlEntities(version_tags);
+
   // generate the header
   const date = new Date().toISOString().substr(0, 10);
   let header = `generated ${date}, Mozilla Guideline v${sstls.version}, ${version_tags}`;
@@ -71,7 +76,7 @@ export default async function () {
       ocsp: form['ocsp'].checked && supportsOcspStapling,
       opensslVersion: form['openssl'].value,
       server,
-      serverName: document.querySelector(`label[for=server-${server}]`).innerText,
+      serverName: configs[server].name,
       serverVersion: form['version'].value,
       version_tags,
     },

diff --git a/src/js/utils.js b/src/js/utils.js
@@ -2,3 +2,9 @@
 export const sleep = (milliseconds) => {
   return new Promise(resolve => setTimeout(resolve, milliseconds))
 };
+
+// HTML-escape XML special chars: " & ' < > `
+export const xmlEntities = (str) => {
+  return String(str).replace(/["&'<>`]/g,
+           function (x) { return '&#x'+x.codePointAt(0).toString(16)+';'; });
+};