Merge pull request #34 from archtika/devel

Escape user input <ins> and <del> elements in logs
2025-11-22 10:51:36 +01:00 · 2025-04-06 16:52:41 +02:00 · 2025-04-06 16:43:12 +02:00 · 2025-04-06 12:25:43 +02:00 · 2025-04-06 09:41:31 +02:00
5 changed files with 16 additions and 19 deletions
--- a/nix/package.nix
+++ b/nix/package.nix
@@ -10,7 +10,7 @@ let
  web = buildNpmPackage {
    name = "web-app";
    src = ../web-app;
-    npmDepsHash = "sha256-2udi8vLLvdoZxIyRKLOCfEpEMsooxsIrM1wiua1QPAI=";
+    npmDepsHash = "sha256-J58LwSEQa0p6J6h/wPhpGY/60n9a7TOV5WfNm4K1NH0=";
    npmFlags = [ "--legacy-peer-deps" ];
    installPhase = ''
      mkdir -p $out/web-app
--- a/web-app/package-lock.json
+++ b/web-app/package-lock.json
@@ -36,7 +36,7 @@
        "svelte-check": "4.1.5",
        "typescript": "5.8.2",
        "typescript-eslint": "8.27.0",
-        "vite": "6.2.2"
+        "vite": "6.2.5"
      }
    },
    "node_modules/@ampproject/remapping": {
@@ -4575,9 +4575,9 @@
      "license": "MIT"
    },
    "node_modules/vite": {
-      "version": "6.2.2",
+      "version": "6.2.5",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-6.2.2.tgz",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-6.2.5.tgz",
-      "integrity": "sha512-yW7PeMM+LkDzc7CgJuRLMW2Jz0FxMOsVJ8Lv3gpgW9WLcb9cTW+121UEr1hvmfR7w3SegR5ItvYyzVz1vxNJgQ==",
+      "integrity": "sha512-j023J/hCAa4pRIUH6J9HemwYfjB5llR2Ps0CWeikOtdR8+pAURAk0DoJC5/mm9kd+UgdnIy7d6HE4EAvlYhPhA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
--- a/web-app/package.json
+++ b/web-app/package.json
@@ -35,7 +35,7 @@
    "svelte-check": "4.1.5",
    "typescript": "5.8.2",
    "typescript-eslint": "8.27.0",
-    "vite": "6.2.2"
+    "vite": "6.2.5"
  },
  "dependencies": {
    "diff-match-patch": "1.0.5",
--- a/web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.server.ts
+++ b/web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.server.ts
@@ -80,17 +80,18 @@ export const actions: Actions = {
    const htmlDiff = (oldValue: string, newValue: string) => {
      const diff = dmp.diff_main(oldValue, newValue);
      dmp.diff_cleanupSemantic(diff);
      return diff
        .map(([op, text]) => {
          const escapedText = text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
          switch (op) {
            case 1:
-              return `<ins>${text}</ins>`;
+              return `<ins>${escapedText}</ins>`;
            case -1:
-              return `<del>${text}</del>`;
+              return `<del>${escapedText}</del>`;
            default:
-              return text;
+              return escapedText;
          }
        })
        .join("");
--- a/web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.svelte
+++ b/web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.svelte
@@ -141,24 +141,20 @@
                      <button type="submit">Compute diff</button>
                    </form>
                    {#if form?.logId === id && form?.currentDiff}
-                      <pre>{@html DOMPurify.sanitize(
+                      <pre>{@html form.currentDiff
-                          // .replace takes escaped text representations of line breaks and converts them to real line breaks that render correctly in HTML
+                          .replace(/\\\"/g, '"')
-                          form.currentDiff.replace(/\\r\\n|\\n|\\r/g, "\n"),
+                          .replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
                          {
                            ALLOWED_TAGS: ["ins", "del"]
                          }
                        )}</pre>
                    {/if}
                  {/if}
                  {#if new_value && !old_value}
                    <h4>New value</h4>
-                    <pre>{DOMPurify.sanitize(newValue)}</pre>
+                    <pre>{newValue.replace(/\\\"/g, '"').replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
                  {/if}
                  {#if old_value && !new_value}
                    <h4>Old value</h4>
-                    <pre>{DOMPurify.sanitize(oldValue)}</pre>
+                    <pre>{oldValue.replace(/\\\"/g, '"').replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
                  {/if}
                </Modal>
              </td>
Author	SHA1	Message	Date
Thilo Hohlt	281851f9a2	Merge pull request #34 from archtika/devel Escape user input <ins> and <del> elements in logs	2025-04-06 16:52:41 +02:00
thiloho	5a6214878f	Escape user input <ins> and <del> elements in logs	2025-04-06 16:43:12 +02:00
Thilo Hohlt	0c15769f63	Merge pull request #33 from archtika/devel Update vite and replace escaped doublequotes with normal representation	2025-04-06 12:25:43 +02:00
thiloho	70a81158ef	Update vite and replace escaped doublequotes with normal representation	2025-04-06 09:41:31 +02:00