
Fix ui_text XSS
to close #772
Dave Conway-Jones committed Aug 24, 2022
1 parent 672f748 commit 9305d1a
Showing 5 changed files with 46 additions and 12 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,4 +1,8 @@

### 3.1.9: Maintenance Release

- Fix Cross site scripting for ui_text format input. Issue #772

### 3.1.8: Maintenance Release

- Use Node-RED CSS vars for ui-bas to help themeing. PR #763
4 changes: 2 additions & 2 deletions dist/dashboard.appcache
@@ -1,5 +1,5 @@
CACHE MANIFEST
# Time: Wed May 25 2022 11:23:30 GMT+0100 (British Summer Time)
# Time: Wed Aug 24 2022 17:30:31 GMT+0100 (British Summer Time)

CACHE:
i18n.js
Expand All @@ -26,4 +26,4 @@ loading.html
NETWORK:
*

# hash: 22f744c7102e4eb0375d482c7bd34ac0d407159d34773e84e1f5087d0b6444d3
# hash: 9ff936fabba7ec5170a4f63f8f6b72aa1343c36c57f8382848eb81dae9ca5512
4 changes: 2 additions & 2 deletions dist/js/app.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "node-red-dashboard",
"version": "3.1.8",
"version": "3.1.9",
"description": "A set of dashboard nodes for Node-RED",
"keywords": [
"node-red"
44 changes: 37 additions & 7 deletions src/components/ui-component/ui-component-ctrl.js
Expand Up @@ -12,28 +12,58 @@ angular.module('ui').controller('uiComponentController', ['$scope', 'UiEvents',
var me = this;

if (typeof me.item.format === "string") {
me.item.getText = $interpolate(me.item.format).bind(null, me.item);
if (me.item.format.indexOf("constructor") === -1) {
me.item.getText = $interpolate(me.item.format).bind(null, me.item);
}
else {
me.item.getText = function() { return me.item.format };
}
}

if (typeof me.item.label === "string") {
me.item.getLabel = $interpolate(me.item.label).bind(null, me.item);
me.item.safeLabel = "nr-dashboard-widget-" + (me.item.label).replace(/\W/g,'_');
if (me.item.label.indexOf("constructor") === -1) {
me.item.getLabel = $interpolate(me.item.label).bind(null, me.item);
me.item.safeLabel = "nr-dashboard-widget-" + (me.item.label).replace(/\W/g,'_');
}
else {
me.item.getText = function() { return me.item.label };
}
}

if (typeof me.item.tooltip === "string") {
me.item.getTooltip = $interpolate(me.item.tooltip).bind(null, me.item);
if (me.item.tooltip.indexOf("constructor") === -1) {
me.item.getTooltip = $interpolate(me.item.tooltip).bind(null, me.item);
}
else {
me.item.getText = function() { return me.item.tooltip };
}
}

if (typeof me.item.color === "string") {
me.item.getColor = $interpolate(me.item.color).bind(null, me.item);
if (me.item.color.indexOf("constructor") === -1) {
me.item.getColor = $interpolate(me.item.color).bind(null, me.item);
}
else {
me.item.getText = function() { return me.item.color };
}
}

if (typeof me.item.icon === "string") {
me.item.getIcon = $interpolate(me.item.icon).bind(null, me.item);
if (me.item.icon.indexOf("constructor") === -1) {
me.item.getIcon = $interpolate(me.item.icon).bind(null, me.item);
}
else {
me.item.getText = function() { return me.item.icon };
}
}

if (typeof me.item.units === "string") {
me.item.getUnits = $interpolate(me.item.units).bind(null, me.item);
if (me.item.units.indexOf("constructor") === -1) {
me.item.getUnits = $interpolate(me.item.units).bind(null, me.item);
}
else {
me.item.getText = function() { return me.item.units };
}
}

me.init = function () {
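Review bot: In the new else branches for label, tooltip, color, icon and units the fallback is assigned to `me.item.getText` instead of `getLabel`/`getTooltip`/`getColor`/`getIcon`/`getUnits`, so a value containing "constructor" leaves the intended getter undefined and silently overwrites the text getter with that value; the label branch also never sets `safeLabel` in that case. The substring check is the only thing keeping such strings away from `$interpolate`, yet it is copied six times with no comment saying what it defends against, so a reader may later "simplify" one copy and reopen the issue. Folding the six copies into one helper that keeps the same lazy `me.item[key]` fallback fixes the wrong-getter bug and gives the check a single documented home. The enclosing controller function starts above this hunk and continues below `me.init`.
```javascript
var me = this;

// Only hand a string to $interpolate when it cannot reference a constructor
// (issue #772); otherwise expose the raw, un-evaluated value at call time.
function interpolateOrRaw(key) {
    if (me.item[key].indexOf("constructor") === -1) {
        return $interpolate(me.item[key]).bind(null, me.item);
    }
    return function() { return me.item[key]; };
}

if (typeof me.item.format === "string") {
    me.item.getText = interpolateOrRaw("format");
}

if (typeof me.item.label === "string") {
    me.item.getLabel = interpolateOrRaw("label");
    me.item.safeLabel = "nr-dashboard-widget-" + (me.item.label).replace(/\W/g,'_');
}

if (typeof me.item.tooltip === "string") {
    me.item.getTooltip = interpolateOrRaw("tooltip");
}

if (typeof me.item.color === "string") {
    me.item.getColor = interpolateOrRaw("color");
}

if (typeof me.item.icon === "string") {
    me.item.getIcon = interpolateOrRaw("icon");
}

if (typeof me.item.units === "string") {
    me.item.getUnits = interpolateOrRaw("units");
}

// … unchanged: me.init and the rest of the controller …
```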
