fix: xss vulnerability (#752) (#879)
* env: update dependencies

* also updates `package-lock.json` file

* env: add dompurify package

* fix: sanitize template output to prevent xss attack

* env: update tui-time-picker
adhrinae authored Aug 30, 2021
1 parent b05f074 commit 064de34
Showing 8 changed files with 14,614 additions and 49 deletions.
14,636 changes: 14,597 additions & 39 deletions package-lock.json


5 changes: 3 additions & 2 deletions package.json
Expand Up @@ -101,8 +101,9 @@
"doc": "tuidoc"
},
"dependencies": {
"dompurify": "^2.3.1",
"tui-code-snippet": "^1.5.0",
"tui-date-picker": "^4.0.2",
"tui-time-picker": "^2.0.1"
"tui-date-picker": "^4.3.0",
"tui-time-picker": "^2.1.4"
}
}
3 changes: 2 additions & 1 deletion src/js/view/month/month.js
Expand Up @@ -4,6 +4,7 @@
*/
'use strict';

var DOMPurify = require('dompurify');
var util = require('tui-code-snippet');
var config = require('../../config'),
datetime = require('../../common/datetime'),
Expand Down Expand Up @@ -238,7 +239,7 @@ Month.prototype.render = function() {
styles: styles
};

vLayout.panels[0].container.innerHTML = tmpl(baseViewModel);
vLayout.panels[0].container.innerHTML = DOMPurify.sanitize(tmpl(baseViewModel));

this._renderChildren(vLayout.panels[1].container, calendar, theme);

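Review bot: `DOMPurify.sanitize(tmpl(baseViewModel))` on the new line is called with DOMPurify's default configuration, which works from an allow-list and silently drops any tag or attribute the Handlebars template emits outside that list; the same unconfigured call is repeated in weekdayInMonth.js, dayGrid.js, dayGridSchedule.js, dayname.js and timeGrid.js. Because sanitize() is now the last step before every `innerHTML` sink, a single shared wrapper, e.g. `common.sanitizeHTML(html)` or `domutil.setInnerHTML(el, html)`, that pins the config once would keep a future view from bypassing it and keep any allow-list adjustment in one place. It is also worth recording in a comment that this is defense in depth: the injection source is presumably user-supplied schedule fields rendered unescaped in the `.hbs` templates (not visible here), so escaping at the template level remains the primary fix. Month.prototype.render starts and ends outside the hunk.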
5 changes: 3 additions & 2 deletions src/js/view/month/weekdayInMonth.js
Expand Up @@ -4,6 +4,7 @@
*/
'use strict';

var DOMPurify = require('dompurify');
var util = require('tui-code-snippet');
var config = require('../../config'),
common = require('../../common/common.js'),
Expand Down Expand Up @@ -114,7 +115,7 @@ WeekdayInMonth.prototype.render = function(viewModel) {
setIsOtherMonthFlag(baseViewModel.dates, this.options.renderMonth, viewModel.theme);
}

container.innerHTML = baseTmpl(baseViewModel);
container.innerHTML = DOMPurify.sanitize(baseTmpl(baseViewModel));

scheduleContainer = domutil.find(
config.classname('.weekday-schedules'),
Expand All @@ -125,7 +126,7 @@ WeekdayInMonth.prototype.render = function(viewModel) {
return;
}

scheduleContainer.innerHTML = scheduleTmpl(baseViewModel);
scheduleContainer.innerHTML = DOMPurify.sanitize(scheduleTmpl(baseViewModel));

common.setAutoEllipsis(
config.classname('.weekday-schedule-title'),
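Review bot: The `domutil.find(config.classname('.weekday-schedules'), ...)` lookup that follows the first sanitized assignment now depends on DOMPurify's re-serialized markup still containing that element, and the existing `if (!scheduleContainer) return;` guard in the second hunk would silently skip schedule rendering if the sanitizer ever strips it. Since that branch can no longer distinguish "template omitted the container" from "sanitizer removed it", a comment above the guard noting that the markup has passed through DOMPurify, or a one-line warning before the `return`, would make such a regression visible rather than a blank week. WeekdayInMonth.prototype.render starts and ends outside the hunks.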
3 changes: 2 additions & 1 deletion src/js/view/week/dayGrid.js
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
*/
'use strict';

var DOMPurify = require('dompurify');
var util = require('tui-code-snippet');
var config = require('../../config'),
common = require('../../common/common'),
Expand Down Expand Up @@ -152,7 +153,7 @@ DayGrid.prototype.render = function(viewModel) {
scheduleContainerTop = this.options.scheduleContainerTop;
var dayGridSchedule;

container.innerHTML = baseTmpl(baseViewModel);
container.innerHTML = DOMPurify.sanitize(baseTmpl(baseViewModel));

this.children.clear();

3 changes: 2 additions & 1 deletion src/js/view/week/dayGridSchedule.js
Expand Up @@ -4,6 +4,7 @@
*/
'use strict';

var DOMPurify = require('dompurify');
var util = require('tui-code-snippet');
var Weekday = require('../weekday'),
tmpl = require('../template/week/dayGridSchedule.hbs');
Expand Down Expand Up @@ -38,7 +39,7 @@ DayGridSchedule.prototype.render = function(viewModel) {

baseViewModel = this.getBaseViewModel(viewModel);

container.innerHTML = tmpl(baseViewModel);
container.innerHTML = DOMPurify.sanitize(tmpl(baseViewModel));

this.fire('afterRender', baseViewModel);
};
3 changes: 2 additions & 1 deletion src/js/view/week/dayname.js
Expand Up @@ -4,6 +4,7 @@
*/
'use strict';

var DOMPurify = require('dompurify');
var util = require('tui-code-snippet');
var config = require('../../config');
var common = require('../../common/common');
Expand Down Expand Up @@ -98,7 +99,7 @@ DayName.prototype.render = function(viewModel) {
styles: styles
});

this.container.innerHTML = daynameTmpl(baseViewModel);
this.container.innerHTML = DOMPurify.sanitize(daynameTmpl(baseViewModel));
};

/**
5 changes: 3 additions & 2 deletions src/js/view/week/timeGrid.js
Expand Up @@ -4,6 +4,7 @@
*/
'use strict';

var DOMPurify = require('dompurify');
var util = require('tui-code-snippet');
var config = require('../../config');
var common = require('../../common/common');
Expand Down Expand Up @@ -477,7 +478,7 @@ TimeGrid.prototype.render = function(viewModel) {

baseViewModel.showHourMarker = baseViewModel.todaymarkerLeft >= 0;

container.innerHTML = mainTmpl(baseViewModel);
container.innerHTML = DOMPurify.sanitize(mainTmpl(baseViewModel));

/**********
* Render sticky container for timezone display label
Expand Down Expand Up @@ -510,7 +511,7 @@ TimeGrid.prototype.render = function(viewModel) {
TimeGrid.prototype.renderStickyContainer = function(baseViewModel) {
var stickyContainer = this.stickyContainer;

stickyContainer.innerHTML = timezoneStickyTmpl(baseViewModel);
stickyContainer.innerHTML = DOMPurify.sanitize(timezoneStickyTmpl(baseViewModel));

stickyContainer.style.display = baseViewModel.timezones.length > 1 ? 'block' : 'none';
stickyContainer.style.width = baseViewModel.styles.leftWidth;
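Review bot: `DOMPurify.sanitize(mainTmpl(baseViewModel))` in TimeGrid.prototype.render parses and re-serializes the entire grid markup on every render, and `renderStickyContainer` does the same for the timezone sticky template; for a view this large the cost may be noticeable, so it is worth measuring render time before and after on a busy week rather than assuming it is free. As far as I recall, DOMPurify also returns its input unchanged when `DOMPurify.isSupported` is false (no usable DOM), so a one-time check such as `if (!DOMPurify.isSupported) { console.warn('DOMPurify unsupported; templates are not sanitized'); }` near the require would make that silent fallback observable. TimeGrid.prototype.render starts outside the hunk and renderStickyContainer ends outside it.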
