fix: prevent XSS
ssshooter committed Nov 25, 2021
1 parent 6d5c5c6 commit 0734852
Showing 7 changed files with 22 additions and 23 deletions.
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "mind-elixir",
"version": "0.18.0",
"version": "0.18.1",
"description": "Mind elixir is a free open source mind map core.",
"main": "dist/MindElixir.js",
"scripts": {
1 change: 0 additions & 1 deletion readme.md
Expand Up @@ -51,7 +51,6 @@ import MindElixir, { E } from 'mind-elixir'
#### Script tag

```html
<script src="https://cdn.jsdelivr.net/npm/regenerator-runtime"></script>
<script src="https://cdn.jsdelivr.net/npm/mind-elixir/dist/mind-elixir.js"></script>
```

5 changes: 3 additions & 2 deletions src/plugin/contextMenu.ts
@@ -1,16 +1,17 @@
import i18n from '../i18n'
import { encodeHTML } from '../utils/index'

export default function(mind, option) {
const createTips = words => {
const div = document.createElement('div')
div.innerHTML = words
div.innerText = words
div.style.cssText = 'position:absolute;bottom:20px;left:50%;transform:translateX(-50%);'
return div
}
const createLi = (id, name, keyname) => {
const li = document.createElement('li')
li.id = id
li.innerHTML = `<span>${name}</span><span>${keyname}</span>`
li.innerHTML = `<span>${encodeHTML(name)}</span><span>${encodeHTML(keyname)}</span>`
return li
}
const locale = i18n[mind.locale] ? mind.locale : 'en'
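Review bot: `createLi` still routes the caller-supplied `name` and `keyname` through an innerHTML template and now depends on `encodeHTML` covering every character class correctly, while `createTips` two lines above takes the safer route of assigning text directly; building the spans with `createElement`/`textContent` takes the encoder out of the trust chain entirely and makes the two helpers consistent. Text nodes cannot introduce markup, so no escaping step is needed in that form. The enclosing `export default function(mind, option)` continues past the hunk. Suggested body for `createLi`:
```typescript
const createLi = (id, name, keyname) => {
  const li = document.createElement('li')
  li.id = id
  // Build the two spans as DOM nodes: text assigned via textContent can never
  // be parsed as markup, so no HTML encoder is involved.
  for (const text of [name, keyname]) {
    const span = document.createElement('span')
    span.textContent = text
    li.appendChild(span)
  }
  return li
}
```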
17 changes: 6 additions & 11 deletions src/plugin/nodeMenu.ts
@@ -1,9 +1,8 @@
import i18n from '../i18n'

const createDiv = (id, name) => {
const createDiv = (id) => {
const div = document.createElement('div')
div.id = id
div.innerHTML = `<span>${name}</span>`
return div
}

Expand Down Expand Up @@ -31,9 +30,9 @@ const colorList = [
export default function(mind) {
const locale = i18n[mind.locale] ? mind.locale : 'en'
let bgOrFont
const styleDiv = createDiv('nm-style', 'style')
const tagDiv = createDiv('nm-tag', 'tag')
const iconDiv = createDiv('nm-icon', 'icon')
const styleDiv = createDiv('nm-style')
const tagDiv = createDiv('nm-tag')
const iconDiv = createDiv('nm-icon')

styleDiv.innerHTML = `
<div class="nm-fontsize-container">
Expand All @@ -60,12 +59,8 @@ export default function(mind) {
<span class="background">${i18n[locale].background}</span>
</div>
`
tagDiv.innerHTML = `
${i18n[locale].tag}<input class="nm-tag" tabindex="-1" placeholder="${i18n[locale].tagsSeparate}" /><br>
`
iconDiv.innerHTML = `
${i18n[locale].icon}<input class="nm-icon" tabindex="-1" placeholder="${i18n[locale].iconsSeparate}" /><br>
`
tagDiv.innerHTML = `${i18n[locale].tag}<input class="nm-tag" tabindex="-1" placeholder="${i18n[locale].tagsSeparate}" /><br>`
iconDiv.innerHTML = `${i18n[locale].icon}<input class="nm-icon" tabindex="-1" placeholder="${i18n[locale].iconsSeparate}" /><br>`

const menuContainer = document.createElement('nmenu')
menuContainer.innerHTML = `
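Review bot: The i18n strings in the rewritten `tagDiv`/`iconDiv` templates are still interpolated raw into innerHTML and, for `tagsSeparate`/`iconsSeparate`, into a double-quoted `placeholder` attribute, so the escaping this commit introduces in contextMenu.ts does not reach here. That is harmless as long as `i18n` is the library's own bundled table, but if the host application can supply or extend locale strings it becomes an injection point; applying the same helper, e.g. `placeholder="${encodeHTML(i18n[locale].tagsSeparate)}"`, closes that gap cheaply and keeps the commit's escaping consistent. Separately, the `i18n[mind.locale]` truthiness check lets inherited keys such as `constructor` select a non-locale object, after which every `${i18n[locale].x}` renders `undefined`; `Object.prototype.hasOwnProperty.call(i18n, mind.locale)` is the stricter test. The enclosing `export default function(mind)` continues past the hunk.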
2 changes: 1 addition & 1 deletion src/plugin/toolBar.ts
Expand Up @@ -14,7 +14,7 @@ function createToolBarRBContainer(mind) {
const zo = createButton('zoomout', 'move')
const zi = createButton('zoomin', 'add')
const percentage = document.createElement('span')
percentage.innerHTML = '100%'
percentage.innerText = '100%'
toolBarRBContainer.appendChild(fc)
toolBarRBContainer.appendChild(gc)
toolBarRBContainer.appendChild(zo)
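Review bot: `percentage.innerText = '100%'` is safe for a constant, but `textContent` is the better default for plain text: the `innerText` setter rewrites newlines into `<br>` elements and its getter forces a style/layout pass, whereas `textContent` is a plain text-node replacement and is already what `createInputDiv` in this same commit reads from. Consider `percentage.textContent = '100%'` here and in the other `innerHTML → innerText` swaps so the library settles on one text-setting idiom. `createToolBarRBContainer` continues past the hunk.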
14 changes: 7 additions & 7 deletions src/utils/dom.ts
@@ -1,7 +1,7 @@
import { LEFT, RIGHT, SIDE } from '../const'
import vari from '../var'
import { NodeObj } from '../index'

import { encodeHTML } from '../utils/index'
export type Top = HTMLElement

export type Group = HTMLElement
Expand Down Expand Up @@ -36,7 +36,7 @@ export const createGroup = function(nodeObj: NodeObj) {
}

export const shapeTpc = function(tpc: Topic, nodeObj: NodeObj) {
tpc.innerHTML = nodeObj.topic
tpc.innerText = nodeObj.topic

if (nodeObj.style) {
tpc.style.color = nodeObj.style.color || 'inherit'
Expand All @@ -56,23 +56,23 @@ export const shapeTpc = function(tpc: Topic, nodeObj: NodeObj) {
const linkContainer = $d.createElement('a')
linkContainer.className = 'hyper-link'
linkContainer.target = '_blank'
linkContainer.innerHTML = '🔗'
linkContainer.innerText = '🔗'
linkContainer.href = nodeObj.hyperLink
tpc.appendChild(linkContainer)
}
if (nodeObj.icons) {
const iconsContainer = $d.createElement('span')
iconsContainer.className = 'icons'
iconsContainer.innerHTML = nodeObj.icons
.map(icon => `<span>${icon}</span>`)
.map(icon => `<span>${encodeHTML(icon)}</span>`)
.join('')
tpc.appendChild(iconsContainer)
}
if (nodeObj.tags) {
const tagsContainer = $d.createElement('div')
tagsContainer.className = 'tags'
tagsContainer.innerHTML = nodeObj.tags
.map(tag => `<span>${tag}</span>`)
.map(tag => `<span>${encodeHTML(tag)}</span>`)
.join('')
tpc.appendChild(tagsContainer)
}
Expand Down Expand Up @@ -110,7 +110,7 @@ export function createInputDiv(tpc: Topic) {
let div = $d.createElement('div')
const origin = tpc.childNodes[0].textContent as string
tpc.appendChild(div)
div.innerHTML = origin
div.innerText = origin
div.contentEditable = 'true'
div.spellcheck = false
div.style.cssText = `min-width:${tpc.offsetWidth - 8}px;`
Expand Down Expand Up @@ -161,7 +161,7 @@ export function createInputDiv(tpc: Topic) {
export const createExpander = function(expanded: boolean | undefined): Expander {
const expander: Expander = $d.createElement('epd')
// 包含未定义 expanded 的情况,未定义视为展开
expander.innerHTML = expanded !== false ? '-' : '+'
expander.innerText = expanded !== false ? '-' : '+'
expander.expanded = expanded !== false
expander.className = expanded !== false ? 'minus' : ''
return expander
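Review bot: `linkContainer.href = nodeObj.hyperLink` in `shapeTpc` assigns a value from the same node data whose `topic`, `icons` and `tags` this commit now treats as untrusted, yet it is never validated, so a `javascript:` URL in a node would still run script on click — the XSS is narrowed, not closed. Parse the value and assign the href only for an allow-listed scheme; `new URL()` is preferable to a regex because it also normalises the leading whitespace and control characters that browsers strip before scheme matching. Setting `rel="noopener noreferrer"` on the `_blank` link is cheap belt-and-braces for browsers that do not imply noopener. `shapeTpc` both starts and ends outside this hunk. The hyperlink branch would become:
```typescript
const linkContainer = $d.createElement('a')
linkContainer.className = 'hyper-link'
linkContainer.target = '_blank'
linkContainer.rel = 'noopener noreferrer'
linkContainer.innerText = '🔗'
// Only attach an href when it parses to an allow-listed scheme; a bare
// javascript:/data: value, or anything unparsable, leaves the link inert.
let hrefIsSafe = false
try {
  const parsed = new URL(String(nodeObj.hyperLink), location.href)
  hrefIsSafe = ['http:', 'https:', 'mailto:'].includes(parsed.protocol)
} catch {
  // unparsable value: treat as unsafe
}
if (hrefIsSafe) linkContainer.href = nodeObj.hyperLink
tpc.appendChild(linkContainer)
// … unchanged: icons and tags containers …
```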
4 changes: 4 additions & 0 deletions src/utils/index.ts
@@ -1,6 +1,10 @@
import vari from '../var'
import { NodeObj } from '../index'

export function encodeHTML(s) {
return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;')
}

export const isMobile = (): boolean =>
/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(
navigator.userAgent
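Review bot: `encodeHTML` escapes `&`, `<` and `"` but not `>` or `'`, and leaves `s` untyped. That is sufficient for the element-content uses this commit makes of it, but it is an exported, general-purpose helper and a caller who drops its output into a single-quoted attribute would get no protection; a table-driven version covers all five characters in one pass: `export function encodeHTML(s: string): string {` / `return s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' } as Record<string, string>)[c])`. A short doc comment stating the contexts it is safe for — text content and quoted attribute values, not URLs, inline scripts or CSS — would keep it from being misused as a universal sanitiser.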
