fix: escape possible html codes from popup texts. Prevents XSS attack…

…s through this vector.
kieler · Apr 6, 2023 · 0d34781 · 0d34781
1 parent 5e4542e
commit 0d34781
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 1 deletion.
diff --git a/packages/klighd-core/src/hover/popup-provider.ts b/packages/klighd-core/src/hover/popup-provider.ts
@@ -45,14 +45,15 @@ export class PopupModelProvider implements IPopupModelProvider {
         ) {
             const tooltip = this.findTooltip(request.parent, request.element.id);
             if (tooltip) {
+                const escapedTooltip = this.escapeHtml(tooltip);
                 return <HtmlRootSchema>{
                     type: "html",
                     id: "popup",
                     children: [
                         <PreRenderedElementSchema>{
                             type: "pre-rendered",
                             id: "popup-body",
-                            code: `<div>${tooltip}</div>`,
+                            code: `<div class="klighd-popup">${escapedTooltip}</div>`,
                         },
                     ],
                     canvasBounds: request.bounds,
@@ -75,4 +76,19 @@ export class PopupModelProvider implements IPopupModelProvider {
             return rendering.properties['klighd.tooltip'] as string;
         }
     }
+
+    /**
+     * Escapes the given string to prevent XSS attacks and to let it appear correctly in HTML.
+     * @param unsafe The string to escape.
+     * @returns The escaped string.
+     */
+    private escapeHtml(unsafe: string): string {
+        return unsafe
+            .replace(/&/g, "&amp;")
+            .replace(/</g, "&lt;")
+            .replace(/>/g, "&gt;")
+            .replace(/"/g, "&quot;")
+            .replace(/'/g, "&#039;")
+            .replace(/\n/g, "<br/>");
+    }
 }
diff --git a/packages/klighd-core/styles/main.css b/packages/klighd-core/styles/main.css
@@ -17,6 +17,7 @@
 
 @import "./theme.css";
 @import "./options.css";
+@import "./popup.css";
 @import "./sidebar.css";
 @import "sprotty/css/sprotty.css";
 

diff --git a/packages/klighd-core/styles/popup.css b/packages/klighd-core/styles/popup.css
@@ -0,0 +1,20 @@
+/*
+ * KIELER - Kiel Integrated Environment for Layout Eclipse RichClient
+ *
+ * http://rtsys.informatik.uni-kiel.de/kieler
+ *
+ * Copyright 2023 by
+ * + Kiel University
+ *   + Department of Computer Science
+ *     + Real-Time and Embedded Systems Group
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+
+.klighd-popup {
+    color: black;
+}