
Add ESLint plugin to prevent injection of unsanitized HTML, and sanitize video.title

JW8-718
robwalch committed Jan 7, 2019
1 parent 9da6bf2 commit ebd690c1c8fc9963eadfc5591cb3f887abf1d748
Showing with 14 additions and 5 deletions.
  1. +4 −1 .eslintrc
  2. +1 −0 package.json
  3. +1 −1 src/js/utils/dom.js
  4. +3 −3 src/js/view/view.js
  5. +5 −0 yarn.lock
@@ -18,7 +18,8 @@
},
"extends": "eslint:recommended",
"plugins": [
"no-for-of-loops"
"no-for-of-loops",
"no-unsanitized"
],
"rules": {
"valid-jsdoc": 2,
@@ -30,6 +31,8 @@
}
],
"no-for-of-loops/no-for-of-loops": 2,
"no-unsanitized/method": 2,
"no-unsanitized/property": 2,
"comma-dangle": 0,
"no-cond-assign": 2,
"no-console": ["warn", { "allow": ["warn", "error"] }],
@@ -19,6 +19,7 @@
"eslint": "5.7.0",
"eslint-plugin-import": "2.14.0",
"eslint-plugin-no-for-of-loops": "1.0.0",
"eslint-plugin-no-unsanitized": "3.0.2",
"esprima": "4.0.1",
"fast-diff": "1.1.2",
"file-loader": "1.1.11",
@@ -26,7 +26,7 @@ function appendHtml(element, html) {
element.appendChild(fragment);
}

function htmlToParentElement(html) {
export function htmlToParentElement(html) {
if (!parser) {
parser = new DOMParser();
}
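Review bot: `htmlToParentElement` is now exported without any JSDoc stating what callers may safely do with its result, and that contract is the security-relevant part: assuming it parses with the lazily created `DOMParser` (its body continues past the hunk), the returned nodes come from an inert document where scripts do not run and resources are not fetched, which makes it safe for entity-decoding text, but nothing in it sanitizes the markup, so moving those nodes into the live document reintroduces exactly the injection this commit guards against. Add a JSDoc such as `/** Parses html in a detached DOMParser document (no script execution or resource loads). Safe for extracting text; nodes moved into the live DOM are still unsanitized markup. */`. Note also that the `no-unsanitized/*` rules enabled in this commit only flag direct sinks such as innerHTML and insertAdjacentHTML, so neither this helper nor `appendHtml` above (whose body begins outside the hunk) will be reported when fed untrusted input; callers remain responsible.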
@@ -20,6 +20,7 @@ import {
replaceClass,
toggleClass,
createElement,
htmlToParentElement,
bounds,
} from 'utils/dom';
import {
@@ -732,9 +733,8 @@ function View(_api, _model) {
}

// Writing a string to innerHTML completely decodes multiple-encoded strings
const dummyDiv = document.createElement('div');
dummyDiv.innerHTML = playlistItem.title || '';
videotag.setAttribute('title', dummyDiv.textContent);
const body = htmlToParentElement(playlistItem.title || '');
videotag.setAttribute('title', body.textContent);
}

function setPosterImage(item) {
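Review bot: The comment kept on the line above the new `htmlToParentElement` call still says the string is written to innerHTML, which the new code no longer does, so the reason for round-tripping the title through a parser is now undocumented. Replace it with `// Parse the title in a detached DOMParser document (inert: no script execution or resource loading) purely to decode HTML entities; only textContent is used, so no markup reaches the live DOM`. Whether `htmlToParentElement` can return null for some inputs is not visible here; if it can, `body.textContent` would throw, so confirm against its full definition. The enclosing View function starts before the hunk.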
