
Merge pull request #19 from nileshtrivedi/feature-protect-xss

feat: avoid XSS (fixes #3)
Nilesh 2020-08-11 01:49:02 +05:30 committed by GitHub
commit 8d94f2cfb7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -3,14 +3,19 @@
/* /*
TODO TODO
- Pop-up should be dismissable (per URL / per domain).
- Once dismissed, popup should not be shown on the same url/domain. Use cookies or localStorage for this.
- Fix and test the options UI - Fix and test the options UI
- Test and fix for Chrome, Brave & Firefox - Test and fix for Chrome, Brave & Firefox
*/ */
function escapeHtml(str) {
var div = document.createElement('div');
div.appendChild(document.createTextNode(str));
return div.innerHTML;
}
const fillTemplate = function(templateString, templateVars){ const fillTemplate = function(templateString, templateVars){
return new Function("return `"+templateString +"`;").call(templateVars); let safeTemplateVars = Object.assign({}, ...Object.keys(templateVars).map(k => ({[k]: escapeHtml(templateVars[k])})));
return new Function("return `"+templateString +"`;").call(safeTemplateVars);
} }
const altTemplate = "\ const altTemplate = "\
@ -34,16 +39,17 @@ function createRecommendedAlt(recommendedAlternative) {
let recommendedAlt = document.createElement("div"); let recommendedAlt = document.createElement("div");
let betterBrandText = document.createElement("h1"); let betterBrandText = document.createElement("h1");
betterBrandText.innerHTML = "Better"; betterBrandText.textContent = "Better";
betterBrandText.setAttribute("style", "font-size: 32px; color: #222222; font-weight: bold; margin: 12px;"); betterBrandText.setAttribute("style", "font-size: 32px; color: #222222; font-weight: bold; margin: 12px;");
let alternativeText = document.createElement("p"); let alternativeText = document.createElement("p");
alternativeText.innerHTML = recommendedAlternative.desc; alternativeText.textContent = recommendedAlternative.desc;
alternativeText.setAttribute("style", "font-size: 20px; color: #222222; font-weight: bold; margin-top: 24px;"); alternativeText.setAttribute("style", "font-size: 20px; color: #222222; font-weight: bold; margin-top: 24px; line-height:1;");
let alternativeCTA = document.createElement("a"); let alternativeCTA = document.createElement("a");
alternativeCTA.innerHTML = recommendedAlternative.name + " →"; alternativeCTA.textContent = recommendedAlternative.name;
alternativeCTA.setAttribute("href", recommendedAlternative.url); alternativeCTA.innerHTML += " →";
alternativeCTA.setAttribute("href", escapeHtml(recommendedAlternative.url));
alternativeCTA.setAttribute("target", "_blank"); alternativeCTA.setAttribute("target", "_blank");
alternativeCTA.setAttribute("style", "display: inline-block; padding: 12px 24px; background-color: #222222; color: #ffffff; border-radius: 4px;"); alternativeCTA.setAttribute("style", "display: inline-block; padding: 12px 24px; background-color: #222222; color: #ffffff; border-radius: 4px;");