From 6920a479089ee908303012504ac4042e5490f332 Mon Sep 17 00:00:00 2001
From: Mitesh Shah
Date: Sun, 9 Aug 2020 13:45:07 +0530
Subject: [PATCH] feat: avoid xss fixes #3
Also fixed line-height on popup description
---
 contentscript.js | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/contentscript.js b/contentscript.js
index f2d69ea..9667135 100644
--- a/contentscript.js
+++ b/contentscript.js
@@ -3,14 +3,19 @@
 /* TODO
-  - Pop-up should be dismissable (per URL / per domain).
-  - Once dismissed, popup should not be shown on the same url/domain. Use cookies or localStorage for this.
   - Fix and test the options UI
   - Test and fix for Chrome, Brave & Firefox
 */
+function escapeHtml(str) {
+  var div = document.createElement('div');
+  div.appendChild(document.createTextNode(str));
+  return div.innerHTML;
+}
+
 const fillTemplate = function(templateString, templateVars){
-  return new Function("return `"+templateString +"`;").call(templateVars);
+  let safeTemplateVars = Object.assign({}, ...Object.keys(templateVars).map(k => ({[k]: escapeHtml(templateVars[k])})));
+  return new Function("return `"+templateString +"`;").call(safeTemplateVars);
 }
 const altTemplate = "\
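Review bot: `escapeHtml` serialises a text node, and that serialisation escapes only `&`, `<`, `>` (and non-breaking space) — never `"` or `'` — so the new `safeTemplateVars` are only safe where `altTemplate` interpolates them into element content; a value placed inside a quoted attribute (e.g. `href="${url}"`) can still close the quote and add an event handler. `altTemplate` is not visible in this hunk, so whether that attribute context exists is unconfirmed, but a context-independent escaper removes the dependency: `const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };` and `return String(str).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);`. Separately, `new Function` still evaluates `templateString` as JavaScript, so the escaping protects the values but not the template itself; a comment on `fillTemplate` such as `// templateString is executed as JS — only ever pass the constant altTemplate, never data` would record that constraint for the next maintainer.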
@@ -34,16 +39,17 @@ function createRecommendedAlt(recommendedAlternative) {
   let recommendedAlt = document.createElement("div");
   let betterBrandText = document.createElement("h1");
-  betterBrandText.innerHTML = "Better";
+  betterBrandText.textContent = "Better";
   betterBrandText.setAttribute("style", "font-size: 32px; color: #222222; font-weight: bold; margin: 12px;");
   let alternativeText = document.createElement("p");
-  alternativeText.innerHTML = recommendedAlternative.desc;
-  alternativeText.setAttribute("style", "font-size: 20px; color: #222222; font-weight: bold; margin-top: 24px;");
+  alternativeText.textContent = recommendedAlternative.desc;
+  alternativeText.setAttribute("style", "font-size: 20px; color: #222222; font-weight: bold; margin-top: 24px; line-height:1;");
   let alternativeCTA = document.createElement("a");
-  alternativeCTA.innerHTML = recommendedAlternative.name + " →";
-  alternativeCTA.setAttribute("href", recommendedAlternative.url);
+  alternativeCTA.textContent = recommendedAlternative.name;
+  alternativeCTA.innerHTML += " →";
+  alternativeCTA.setAttribute("href", escapeHtml(recommendedAlternative.url));
   alternativeCTA.setAttribute("target", "_blank");
   alternativeCTA.setAttribute("style", "display: inline-block; padding: 12px 24px; background-color: #222222; color: #ffffff; border-radius: 4px;");
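Review bot: `escapeHtml(recommendedAlternative.url)` on the `href` line is the wrong control for that sink: `setAttribute` does not parse HTML, so the escaping only corrupts legitimate URLs (a query string `a=1&b=2` becomes `a=1&amp;b=2`) while the actual href vector, a `javascript:` or `data:` URL, passes through untouched. The fix is to validate the scheme rather than escape characters, as in the excerpt below; if relative URLs are expected here, `new URL(value, location.href)` would be the parse instead. The `innerHTML += " →"` line re-serialises and re-parses the anchor's content just to append a suffix — `alternativeCTA.textContent = recommendedAlternative.name + " →";` does the same without touching innerHTML. Since the link opens with `target="_blank"`, adding `rel="noopener noreferrer"` keeps the destination page from reaching `window.opener` (browsers of this commit's era did not default to noopener). The end of `createRecommendedAlt` lies outside the hunk.
```javascript
  let alternativeCTA = document.createElement("a");
  alternativeCTA.textContent = recommendedAlternative.name + " →";
  // Only http(s) destinations are linked; javascript:/data:/unparsable values fall back to "#".
  let safeHref = "#";
  try {
    const url = new URL(recommendedAlternative.url);
    if (url.protocol === "http:" || url.protocol === "https:") safeHref = url.href;
  } catch (e) {
    // unparsable (or relative) URL: keep the fallback
  }
  alternativeCTA.setAttribute("href", safeHref);
  alternativeCTA.setAttribute("target", "_blank");
  alternativeCTA.setAttribute("rel", "noopener noreferrer");
  // … unchanged: style attribute …
```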