Fix possible XSS via repo branch

ovity · Jun 13, 2016 · 3bf37ea · 3bf37ea
1 parent 04f879c
commit 3bf37ea
Show file tree

Hide file tree

Showing 11 changed files with 14 additions and 6 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,3 +1,7 @@
+### v2.0.11
+* Encode branch before displaying to avoid XSS
+* Fix bug project ID not retrieved in latest GitLab layout
+
 ### v2.0.10
 * Retain forward slashes in URLs
 * Improve behavior of middle-click

diff --git a/dist/chrome.crx b/dist/chrome.crx
diff --git a/dist/chrome.zip b/dist/chrome.zip
diff --git a/dist/firefox.xpi b/dist/firefox.xpi
diff --git a/dist/opera.nex b/dist/opera.nex
diff --git a/dist/safari.safariextz b/dist/safari.safariextz
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "octotree",
-  "version": "2.0.10",
+  "version": "2.0.11",
   "description": "Code tree for GitHub and GitLab",
   "main": "inject.js",
   "scripts": {

diff --git a/src/config/chrome/manifest.json b/src/config/chrome/manifest.json
@@ -1,6 +1,6 @@
 {
   "name": "Octotree",
-  "version": "2.0.10",
+  "version": "2.0.11",
   "manifest_version": 2,
   "author": "Buu Nguyen",
   "description": "Code tree for GitHub and GitLab",

diff --git a/src/config/firefox/package.json b/src/config/firefox/package.json
@@ -9,7 +9,7 @@
   "icon": "resource://jid1-Om7eJGwA1U8Akg-at-jetpack/data/icons/icon48.png",
   "icon64": "resource://jid1-Om7eJGwA1U8Akg-at-jetpack/data/icons/icon64.png",
   "license": "MIT",
-  "version": "2.0.10",
+  "version": "2.0.11",
   "permissions": {
     "cross-domain-content": ["https://api.github.com", "https://github.com", "https://gitlab.com"],
     "private-browsing": true

diff --git a/src/config/safari/Info.plist b/src/config/safari/Info.plist
@@ -13,9 +13,9 @@
 		<key>CFBundleInfoDictionaryVersion</key>
 		<string>6.0</string>
 		<key>CFBundleShortVersionString</key>
-		<string>2.0.10</string>
+		<string>2.0.11</string>
 		<key>CFBundleVersion</key>
-		<string>2.0.10</string>
+		<string>2.0.11</string>
 		<key>Chrome</key>
 		<dict/>
 		<key>Content</key>

diff --git a/src/view.tree.js b/src/view.tree.js
@@ -59,7 +59,7 @@ class TreeView {
            '<a data-pjax href="/' + repo.username + '/' + repo.reponame + '">' + repo.reponame +'</a>' +
          '</div>' +
          '<div class="octotree_header_branch">' +
-           repo.branch +
+           this._deXss(repo.branch) +
          '</div>'
       )
       .on('click', 'a[data-pjax]', function (event) {
@@ -68,6 +68,10 @@ class TreeView {
       })
   }
 
+  _deXss(str) {
+    return str && str.replace(/[<>'"&]/g, '-')
+  }
+
   _sort(folder) {
     folder.sort((a, b) => {
       if (a.type === b.type) return a.text === b.text ? 0 : a.text < b.text ? -1 : 1