Remove unsafe assignments to innerHTML

passff · Aug 18, 2021 · afb00c7 · afb00c7
1 parent cb87997
commit afb00c7
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 17 deletions.
diff --git a/src/modules/page.js b/src/modules/page.js
@@ -354,8 +354,11 @@ PassFF.Page = (function () {
       let doc = popup_menu.contentDocument;
       let popup_div = doc.getElementsByTagName("div")[0];
       if (matchItems.length === 0) {
-        popup_div.innerHTML = '<div class="alert">'
-          + _('passff_no_entries_found') + '</div>';
+        let alert_el = doc.createElement("div");
+        alert_el.classList.add("alert");
+        alert_el.textContent = _('passff_no_entries_found');
+        popup_div.innerHTML = "";
+        popup_div.appendChild(alert_el);
       }
       matchItems.filter(i => i.isLeaf || i.hasFields).forEach(item => {
         let entry = document.createElement("div");
@@ -868,7 +871,7 @@ PassFF.Page = (function () {
       let dialog_text = null;
       dialog_text = dialog.querySelector("div p");
       dialog_text.textContent = message; // prevent HTML injection
-      dialog_text.innerHTML = dialog_text.textContent.replace(/\n/g, '<br />');
+      parse_markdown(dialog_text);
       return new Promise(function (resolve, reject) {
         let button = dialog.querySelector("button:first-child");
         button.addEventListener("click", () => {

diff --git a/src/modules/util.js b/src/modules/util.js
@@ -20,28 +20,46 @@ function _(key, params) {
 
 function parse_markdown(obj) {
   let str = obj.innerHTML;
-  str = str.replace(/\[([^\]]+)\]\(([^\}]+)\)/,
-    function (match, p1, p2) {
+  obj.innerHTML = "";
+  let patterns = [
+    [/\[([^\]]+)\]\(([^\}\)]+)\)/, function (match, p1, p2) {
       let a = document.createElement("a");
       a.setAttribute("href", p2);
       a.textContent = p1;
-      return a.outerHTML;
-    });
-  str = str.replace(/```([\s\S]+)```/,
-    function (match, p1) {
+      return a;
+    }],
+    [/```([\s\S]+)```/, function (match, p1) {
       let c = document.createElement("code");
       c.classList.add("block");
       c.textContent = p1;
-      return c.outerHTML;
-    });
-  str = str.replace(/`([\s\S]+)`/,
-    function (match, p1) {
+      return c;
+    }],
+    [/`([\s\S]+)`/, function (match, p1) {
       let c = document.createElement("code");
       c.textContent = p1;
-      return c.outerHTML;
-    });
-  str = str.replace(/\n/g, '<br />');
-  obj.innerHTML = str;
+      return c;
+    }],
+    [/\n/, function (match) {
+      return document.createElement("br");
+    }],
+  ];
+  while (str.length > 0) {
+    let matches = patterns.map(p => str.match(p[0]));
+    let [i_match, match_start] = matches
+      .map((m, i) => [i, (m === null) ? -1 : m.index])
+      .filter(m => m[1] >= 0)
+      .reduce((acc, val) => (val[1] < acc[1]) ? val : acc, [-1, str.length + 1]);
+    let match_end = str.length;
+    if (i_match >= 0) {
+      let match = matches[i_match];
+      match_end = match_start + match[0].length;
+      obj.appendChild(document.createTextNode(str.substring(0, match_start)));
+      obj.appendChild(patterns[i_match][1](...match));
+    } else {
+      obj.appendChild(document.createTextNode(str));
+    }
+    str = str.substring(match_end);
+  }
 }
 
 /* #############################################################################