fix(template-generator): fix xss problem in issue message
- use `_.escape` for html escape instead of `formatSourceCode`
- escape issue message when rendering issues\
   e.g. rule 'vue/no-lone-template' produces
   message '`<template>` require directive.'
lyngai authored and mportuga committed Jun 2, 2022
1 parent f19967f commit 505c190
Showing 1 changed file with 3 additions and 12 deletions.
15 changes: 3 additions & 12 deletions lib/template-generator.js
Expand Up @@ -147,7 +147,7 @@ function renderIssue(message) {
severityName: message.severity === 1 ? 'Warning' : 'Error',
lineNumber: message.line,
column: message.column,
message: message.message,
message: _.escape(message.message),
ruleId: message.ruleId,
ruleLink: getRuleLink(message.ruleId)
});
Expand Down Expand Up @@ -206,15 +206,6 @@ function renderResultDetails(sourceCode, messages, parentIndex) {
});
}

/**
* Formats the source code before adding it to the HTML
* @param {string} sourceCode Source code string
* @returns {string} Source code string which will not cause issues in the HTML
*/
function formatSourceCode(sourceCode) {
return sourceCode.replace(/</g, '&#60;').replace(/>/g, '&#62;');
}

/**
* Creates the test results HTML
* @param {Array} results Test results.
Expand All @@ -235,7 +226,7 @@ function renderResults(results, currDir) {
// only renders the source code if there are issues present in the file
if (!_.isEmpty(result.messages)) {
// reads the file to get the source code if the source is not provided
const sourceCode = formatSourceCode(result.source || fs.readFileSync(result.filePath, 'utf8'));
const sourceCode = _.escape(result.source || fs.readFileSync(result.filePath, 'utf8'));

template += renderResultDetails(sourceCode, result.messages, index);
}
Expand Down Expand Up @@ -379,4 +370,4 @@ module.exports.generateTemplate = function generateTemplate(results, isMultiOn)
styles: isMultiOn && isOutputDirKnown() ? '<link rel="stylesheet" href="./styles.css">' : styles(),
scripts: isMultiOn && isOutputDirKnown() ? '<script type="text/javascript" src="./main.js"></script>' : scripts()
});
};
};
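Review bot: In the renderIssue hunk (old line 147) only `message.message` is routed through `_.escape`; `ruleId` on the following line is still interpolated verbatim and `ruleLink` is built from the same raw value by `getRuleLink`, whose escaping/URL-encoding is not visible here. Rule ids normally come from configured plugins rather than from the linted files, so the exposure is lower than for the message text, but escaping at the data layer means every string field has to be escaped by hand and the hunk does not record that the template side interpolates raw (if it used lodash's escaping `<%- %>` delimiter, this change would double-encode). Suggest `ruleId: _.escape(message.ruleId),` for consistency, plus a comment above the object such as `// Template interpolates these fields unescaped; every string derived from lint output must be escaped here.` The same applies to the renderResults hunk, where `_.escape` now also encodes `&` and quotes in the source text, which is correct but changes column offsets relative to the old `<`/`>`-only replacement if renderResultDetails slices by column — worth confirming. renderIssue and renderResults both start outside their hunks.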
