Merge pull request #1296 from dod-ccpo/bugfix/clin-title-xss
Remove an XSS vulnerability in CLIN title form input
This commit is contained in:
commit
29194a83e1
@ -1,4 +1,5 @@
|
|||||||
import { emitFieldChange } from '../lib/emitters'
|
import { emitFieldChange } from '../lib/emitters'
|
||||||
|
import escape from '../lib/escape'
|
||||||
import optionsinput from './options_input'
|
import optionsinput from './options_input'
|
||||||
import textinput from './text_input'
|
import textinput from './text_input'
|
||||||
import clindollaramount from './clin_dollar_amount'
|
import clindollaramount from './clin_dollar_amount'
|
||||||
@ -99,7 +100,7 @@ export default {
|
|||||||
computed: {
|
computed: {
|
||||||
clinTitle: function() {
|
clinTitle: function() {
|
||||||
if (!!this.clinNumber) {
|
if (!!this.clinNumber) {
|
||||||
return `CLIN ${this.clinNumber}`
|
return escape(`CLIN ${this.clinNumber}`)
|
||||||
} else {
|
} else {
|
||||||
return `CLIN`
|
return `CLIN`
|
||||||
}
|
}
|
||||||
|
21
js/lib/__tests__/escape.test.js
Normal file
21
js/lib/__tests__/escape.test.js
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
import escape from '../escape'
|
||||||
|
describe('escape', () => {
|
||||||
|
const htmlEscapes = {
|
||||||
|
'&': '&',
|
||||||
|
'<': '<',
|
||||||
|
'>': '>',
|
||||||
|
'"': '"',
|
||||||
|
"'": ''',
|
||||||
|
'/': '/',
|
||||||
|
}
|
||||||
|
it('should escape each character', () => {
|
||||||
|
for (let [char, escapedChar] of Object.entries(htmlEscapes)) {
|
||||||
|
expect(escape(char)).toBe(escapedChar)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
it('should escape multiple characters', () => {
|
||||||
|
expect(escape('& and < and > and " and \' and /')).toBe(
|
||||||
|
'& and < and > and " and ' and /'
|
||||||
|
)
|
||||||
|
})
|
||||||
|
})
|
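Review bot: The assertions only exercise the six escapable characters, while `escape` coerces any input with `'' + string`, so a null or undefined argument silently becomes the text `null`/`undefined` and an ordinary string must pass through unchanged; neither behaviour is pinned here. Adding `expect(escape('plain CLIN 0001')).toBe('plain CLIN 0001')`, `expect(escape('')).toBe('')` and `expect(escape(7)).toBe('7')` would document the contract the `clinTitle` computed property relies on. This rendered page prints the expected values in `htmlEscapes` (and in the multi-character expectation) as the raw characters, presumably because the entity strings were rendered as HTML on the way here; the same applies to the map in js/lib/escape.js below, so the actual entity strings should be verified in the raw source rather than on this page.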
20
js/lib/escape.js
Normal file
20
js/lib/escape.js
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
// https://stackoverflow.com/a/6020820
|
||||||
|
|
||||||
|
// List of HTML entities for escaping.
|
||||||
|
const htmlEscapes = {
|
||||||
|
'&': '&',
|
||||||
|
'<': '<',
|
||||||
|
'>': '>',
|
||||||
|
'"': '"',
|
||||||
|
"'": ''',
|
||||||
|
'/': '/',
|
||||||
|
}
|
||||||
|
|
||||||
|
const htmlEscaper = /[&<>"'\/]/g
|
||||||
|
|
||||||
|
// Escape a string for HTML interpolation.
|
||||||
|
const escape = string => {
|
||||||
|
return ('' + string).replace(htmlEscaper, match => htmlEscapes[match])
|
||||||
|
}
|
||||||
|
|
||||||
|
export default escape
|
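Review bot: The header comment `// Escape a string for HTML interpolation.` should state which output context the result is safe for, because this helper is applied in the first file section inside the `clinTitle` computed property rather than at the render sink; if that property is bound through Vue's mustache interpolation, which already HTML-encodes, the user will see the entity text literally (double escaping), whereas only a `v-html` binding actually needs this helper. The enclosing component template is outside this commit view, so the binding cannot be confirmed here, but a comment such as `// HTML text/attribute context only: do not apply before a template interpolation that escapes again; not suitable for JS, URL or CSS contexts.` would make the intended sink explicit for the next caller. The `htmlEscapes` lookup table could also be wrapped in `Object.freeze(...)` so the replacement strings cannot be altered at runtime, since `htmlEscaper` and the table must stay in sync for the function to be complete.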