From 5fee551d698ec652df8784a480460e8bb0179521 Mon Sep 17 00:00:00 2001
From: Yukai Huang
Date: Mon, 21 Dec 2020 14:25:47 +0800
Subject: [PATCH] Fix fretboard title xss issue

Signed-off-by: Yukai Huang
---
 package-lock.json | 2 +-
 public/js/lib/renderer/fretboard/fretboard.js | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index c9b2e409..7ab88ee3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5404,7 +5404,7 @@
 "integrity": "sha512-+eqpz5j8WONSzxmc4avCN4XX/6q5+J6JfWz2AaluZIOVNgXPxUjXBhKS73+nRhM3nE1pGeRMqkyZevTQWgYTTw==",
 "dev": true
 },
- "dictionary-en-gb": {
+ "dictionary-en-gb": {
 "version": "2.2.2",
 "resolved": "https://registry.npmjs.org/dictionary-en-gb/-/dictionary-en-gb-2.2.2.tgz",
 "integrity": "sha512-36Pz/2BGmJfXtAo5+IGOi+U6gwtxFsFXFJMOX0FC1z2YeLd1IXkxsfAhieC06OrdGie3SqCZmUOYeYgct5Hzzw==",
diff --git a/public/js/lib/renderer/fretboard/fretboard.js b/public/js/lib/renderer/fretboard/fretboard.js
index 48d1cb78..c7e56fd1 100644
--- a/public/js/lib/renderer/fretboard/fretboard.js
+++ b/public/js/lib/renderer/fretboard/fretboard.js
@@ -1,4 +1,5 @@
 /* global $ */
+import escapeHTML from 'lodash/escape'
 import './css/i.css'
 import dotEmpty from './svg/dotEmpty.svg'
@@ -41,7 +42,7 @@ export const renderFretBoard = (content, { title: fretTitle = '', type = '' }) =
 const fretboardHTML = $(`
`) if (fretTitle) { - $(fretboardHTML).append(`
${fretTitle}
`) + $(fretboardHTML).append(`
${escapeHTML(fretTitle)}
`) } // create fretboard background HTML
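Review bot: The new `${escapeHTML(fretTitle)}` interpolation closes the injection for this one sink, but nothing in the hunk records why the call is there, so a later refactor that rebuilds the title markup can silently drop it; add a why-comment above the append, `// fretTitle comes from the rendered document: escape it before $() parses the string as HTML`. lodash/escape rewrites `& < > " '`, which is adequate here only because the value lands in element text content, not in an attribute, URL or script context, and that assumption should be stated next to the call. A shape that needs no manual escaping is to build the element with jQuery and set its text, e.g. `$('<div>').addClass(/* title class, not visible in this excerpt */).text(fretTitle)`, since `.text()` never interprets its argument as markup. A regression test that renders a title such as `<b>x</b>` and asserts the rendered title's textContent still contains the literal angle brackets would pin the fix. renderFretBoard starts and ends outside the hunk, and the markup inside the template literals is not visible in this excerpt, so whether `content` reaches another HTML sink later in the function cannot be checked from here.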