fix(player): Fixed issue with potential XSS attack for custom elements
rafa8626 committed Aug 28, 2022
1 parent 9a811b9 commit c3a73bc
Showing 4 changed files with 11 additions and 11 deletions.
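--- a/dist/esm/controls.js
+++ b/dist/esm/controls.js
@@ -322,10 +322,9 @@ class Controls {
 Object.assign(element.style, item.styles);
 }
 if (item.type === 'button' && item.icon) {
-const icon = /\.(jpg|png|svg|gif)$/.test(item.icon)
+element.innerHTML = /\.(jpg|png|svg|gif)$/.test(item.icon)
 ? `<img src="${sanitize(item.icon)}">`
 : sanitize(item.icon);
-element.innerHTML = icon;
 }
 else if (item.content) {
 element.innerHTML = sanitize(item.content, false);
@@ -344,7 +343,9 @@ class Controls {
 const items = item.subitems.map((s) => {
 let itemIcon = '';
 if (s.icon) {
-itemIcon = /\.(jpg|png|svg|gif)$/.test(s.icon) ? `<img src="${s.icon}">` : s.icon;
+itemIcon = /\.(jpg|png|svg|gif)$/.test(s.icon)
+? `<img src="${sanitize(s.icon)}">`
+: sanitize(s.icon, false);
 }
 return `<div class="op-settings__menu-item" tabindex="0" ${s.title ? `title="${s.title}"` : ''} role="menuitemradio">
 <div class="op-settings__menu-label" id="${s.id}" data-value="${item.id}-${s.id}">${itemIcon} ${s.label}</div>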
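--- a/dist/openplayer.js
+++ b/dist/openplayer.js
@@ -4591,8 +4591,7 @@ var Controls = function () {
 }
 
 if (item.type === 'button' && item.icon) {
-var icon = /\.(jpg|png|svg|gif)$/.test(item.icon) ? "<img src=\"".concat(sanitize(item.icon), "\">") : sanitize(item.icon);
-element.innerHTML = icon;
+element.innerHTML = /\.(jpg|png|svg|gif)$/.test(item.icon) ? "<img src=\"".concat(sanitize(item.icon), "\">") : sanitize(item.icon);
 } else if (item.content) {
 element.innerHTML = sanitize(item.content, false);
 }
@@ -4614,7 +4613,7 @@ var Controls = function () {
 var itemIcon = '';
 
 if (s.icon) {
-itemIcon = /\.(jpg|png|svg|gif)$/.test(s.icon) ? "<img src=\"".concat(s.icon, "\">") : s.icon;
+itemIcon = /\.(jpg|png|svg|gif)$/.test(s.icon) ? "<img src=\"".concat(sanitize(s.icon), "\">") : sanitize(s.icon, false);
 }
 
 return "<div class=\"op-settings__menu-item\" tabindex=\"0\" ".concat(s.title ? "title=\"".concat(s.title, "\"") : '', " role=\"menuitemradio\">\n <div class=\"op-settings__menu-label\" id=\"").concat(s.id, "\" data-value=\"").concat(item.id, "-").concat(s.id, "\">").concat(itemIcon, " ").concat(s.label, "</div>\n </div>");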
2 changes: 1 addition & 1 deletion dist/openplayer.min.js

Large diffs are not rendered by default.

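--- a/src/js/controls.ts
+++ b/src/js/controls.ts
@@ -379,11 +379,9 @@ class Controls implements PlayerComponent {
 }
 
 if (item.type === 'button' && item.icon) {
-const icon = /\.(jpg|png|svg|gif)$/.test(item.icon)
+element.innerHTML = /\.(jpg|png|svg|gif)$/.test(item.icon)
 ? `<img src="${sanitize(item.icon)}">`
 : sanitize(item.icon);
-
-element.innerHTML = icon;
 } else if (item.content) {
 element.innerHTML = sanitize(item.content, false);
 }
@@ -404,7 +402,9 @@ class Controls implements PlayerComponent {
 const items = item.subitems.map((s) => {
 let itemIcon = '';
 if (s.icon) {
-itemIcon = /\.(jpg|png|svg|gif)$/.test(s.icon) ? `<img src="${s.icon}">` : s.icon;
+itemIcon = /\.(jpg|png|svg|gif)$/.test(s.icon)
+? `<img src="${sanitize(s.icon)}">`
+: sanitize(s.icon, false);
 }
 return `<div class="op-settings__menu-item" tabindex="0" ${
 s.title ? `title="${s.title}"` : ''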
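Review bot: The new sanitize() calls cover `item.icon` and `s.icon` but leave the rest of the menu-item template unescaped: in the second hunk `s.title` is interpolated raw into `title="${s.title}"`, and the dist copies of the same template in this commit show `s.id`, `item.id` and `s.label` interpolated the same way, so a subitem whose title or label carries `"` or `<` still reaches innerHTML unfiltered. The minimal change is `s.title ? `title="${sanitize(s.title)}"` : ''` with the same treatment for the label and ids; a more robust fix builds the menu item with createElement, textContent and setAttribute so no attribute context has to be escaped by hand. Whether sanitize() escapes double quotes as well as stripping tags is not visible here; if it only strips tags, an icon value shaped like `x" onerror="..." a=".svg` passes the extension test and breaks out of the `src` attribute, so the `<img>` branch also needs attribute-safe escaping confirmed. The two icon branches pass different second arguments, `sanitize(item.icon)` versus `sanitize(s.icon, false)`, for the same kind of value; if that flag changes what survives, a one-line comment on the `false` explaining why the submenu icon is treated differently would help the next reader. Both the `subitems.map` callback and its template literal continue past the end of the hunk.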
