From d125d77a9b49907d7acc3558552873a1f6d9db73 Mon Sep 17 00:00:00 2001
From: Mia Rodriguez <62818119+xNasuni@users.noreply.github.com>
Date: Fri, 31 May 2024 17:26:36 -0400
Subject: [PATCH] prevented xss from comment text

---
 web-resources/wresources.js | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/web-resources/wresources.js b/web-resources/wresources.js
index b1d1b98..ccfc838 100644
--- a/web-resources/wresources.js
+++ b/web-resources/wresources.js
@@ -2,6 +2,26 @@ function e(e) {
 return e && e.__esModule ? e.default : e;
 }
+ function stopXSS(str) { // this might not be adequate enough for XSS prevention.
+ if (str == null || str.length == 0) {
+ str = '';
+ }
+ var out = ""
+ var len = str.length
+
+ for (cnt = 0; cnt < len; cnt++) {
+ c = str.charCodeAt(cnt);
+ if ((c >= 97 && c <= 122) ||
+ (c >= 65 && c <= 90 ) ||
+ (c >= 48 && c <= 57 )) {
+ out += str.charAt(cnt);
+ } else {
+ out += '&#' + c + ';';
+ }
+ }
+
+ return out;
+ }
 var t = 'undefined' != typeof globalThis ? globalThis
@@ -7526,6 +7546,7 @@ let renderFullText = '';
 const runs = contentText.runs || [];
 for (const run of runs) {
+ run.text = stopXSS(run.text) // this might not be adequate enough for XSS prevention.
 fullText += run.text || '';
 try {
 if (run.attachment) {
@@ -7637,6 +7658,7 @@ let renderFullText = '';
 const runs = subItem.commentRenderer.contentText.runs || [];
 for (const run of runs) {
+ run.text = stopXSS(run.text) // this might not be adequate enough for XSS prevention.
 try {
 if (run.text) {
 fullText += run.text;
@@ -7754,6 +7776,7 @@ const runs = subItem.commentRenderer.contentText.runs || [];
 for (const run of runs) {
+ run.text = stopXSS(run.text) // this might not be adequate enough for XSS prevention.
 try {
 if (run.text) {
 fullText += run.text;
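Review bot: `cnt` and `c` in the loop of the new `stopXSS` are assigned without `let`/`const` (`for (cnt = 0; ...)`, `c = str.charCodeAt(cnt)`), so in sloppy mode they leak as globals and under strict mode (likely for this bundle, given the `__esModule` handling on the surrounding lines) the first call throws a ReferenceError. The encoder also emits one `&#NN;` reference per UTF-16 code unit, so any astral character such as an emoji becomes two surrogate references, which browsers render as U+FFFD instead of the character. Both are addressed by `for (let cnt = 0; cnt < len; cnt++) {` / `const c = str.codePointAt(cnt);` / `if (c > 0xffff) cnt++; // skip the low surrogate already consumed`. The comment's doubt about adequacy is misplaced for an HTML text or quoted-attribute sink, since every non-alphanumeric unit is entity-encoded; the output is only meaningful, though, when it lands in HTML rather than in a plain-text path.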
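Review bot: `run.text = stopXSS(run.text)` rewrites the comment data in place before `fullText += run.text` runs, so the entity-encoded string reaches every consumer of `fullText` and of the mutated `run` object, not only an HTML sink; any path that assigns `textContent`, measures length, or otherwise treats the value as plain text would show literal `&#32;`-style sequences for every space and punctuation mark (how `fullText` and `renderFullText` are consumed is outside the hunk, so this is inferred). The same pattern recurs in the hunks at -7637 and -7754. Escaping belongs where the string is inserted into HTML (that sink is not in the hunk): leave `run.text` untouched and apply `stopXSS` to the value at that point, or switch that insertion to a `textContent` assignment, which needs no encoder at all. The functions enclosing all three loops begin outside the hunks.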