Merge pull request #34 from archtika/devel

Escape user input <ins> and <del> elements in logs
2025-11-22 02:41:35 +01:00 · 2025-04-06 16:52:41 +02:00
parent 0c15769f63 5a6214878f
commit 281851f9a2
2 changed files with 10 additions and 13 deletions
--- a/web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.server.ts
+++ b/web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.server.ts
@@ -80,17 +80,18 @@ export const actions: Actions = {
    const htmlDiff = (oldValue: string, newValue: string) => {
      const diff = dmp.diff_main(oldValue, newValue);
      dmp.diff_cleanupSemantic(diff);
      return diff
        .map(([op, text]) => {
          const escapedText = text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
          switch (op) {
            case 1:
-              return `<ins>${text}</ins>`;
+              return `<ins>${escapedText}</ins>`;
            case -1:
-              return `<del>${text}</del>`;
+              return `<del>${escapedText}</del>`;
            default:
-              return text;
+              return escapedText;
          }
        })
        .join("");
--- a/web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.svelte
+++ b/web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.svelte
@@ -141,24 +141,20 @@
                      <button type="submit">Compute diff</button>
                    </form>
                    {#if form?.logId === id && form?.currentDiff}
-                      <pre>{@html DOMPurify.sanitize(
+                      <pre>{@html form.currentDiff
-                          // .replace takes escaped text representations of line breaks and converts them to real line breaks that render correctly in HTML
+                          .replace(/\\\"/g, '"')
-                          form.currentDiff.replace(/\\r\\n|\\n|\\r/g, "\n").replace(/\\\"/g, '"'),
+                          .replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
                          {
                            ALLOWED_TAGS: ["ins", "del"]
                          }
                        )}</pre>
                    {/if}
                  {/if}
                  {#if new_value && !old_value}
                    <h4>New value</h4>
-                    <pre>{DOMPurify.sanitize(newValue)}</pre>
+                    <pre>{newValue.replace(/\\\"/g, '"').replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
                  {/if}
                  {#if old_value && !new_value}
                    <h4>Old value</h4>
-                    <pre>{DOMPurify.sanitize(oldValue)}</pre>
+                    <pre>{oldValue.replace(/\\\"/g, '"').replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
                  {/if}
                </Modal>
              </td>