Merge pull request #2014 from 0xh3xa/master

Fix(RecipeWaiter): sanitize user input in addOperation to prevent XSS
2025-12-05 23:53:27 +00:00 · 2025-04-05 05:14:58 +01:00
parent 848660f8e1 c83e1ac4fb
commit 5a3b7bc4c0
3 changed files with 22 additions and 8 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -37,6 +37,7 @@
        "d3": "7.9.0",
        "d3-hexbin": "^0.2.2",
        "diff": "^5.2.0",
+        "dompurify": "^3.2.5",
        "es6-promisify": "^7.0.0",
        "escodegen": "^2.1.0",
        "esprima": "^4.0.1",
@@ -50,7 +51,6 @@
        "jimp": "^0.22.12",
        "jq-web": "^0.5.1",
        "jquery": "3.7.1",
-        "js-crc": "^0.2.0",
        "js-sha3": "^0.9.3",
        "jsesc": "^3.0.2",
        "json5": "^2.2.3",
@@ -4365,6 +4365,13 @@
        "@types/node": "*"
      }
    },
+    "node_modules/@types/trusted-types": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
+      "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
+      "license": "MIT",
+      "optional": true
+    },
    "node_modules/@types/ws": {
      "version": "8.5.13",
      "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.5.13.tgz",
@@ -8411,6 +8418,15 @@
        "url": "https://github.com/fb55/domhandler?sponsor=1"
      }
    },
+    "node_modules/dompurify": {
+      "version": "3.2.5",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.5.tgz",
+      "integrity": "sha512-mLPd29uoRe9HpvwP2TxClGQBzGXeEC/we/q+bFlmPPmj2p2Ugl3r6ATu/UU1v77DXNcehiBg9zsr1dREyA/dJQ==",
+      "license": "(MPL-2.0 OR Apache-2.0)",
+      "optionalDependencies": {
+        "@types/trusted-types": "^2.0.7"
+      }
+    },
    "node_modules/domutils": {
      "version": "2.8.0",
      "resolved": "https://registry.npmjs.org/domutils/-/domutils-2.8.0.tgz",
@@ -12303,12 +12319,6 @@
      "integrity": "sha512-m4avr8yL8kmFN8psrbFFFmB/If14iN5o9nw/NgnnM+kybDJpRsAynV2BsfpTYrTRysYUdADVD7CkUUizgkpLfg==",
      "license": "MIT"
    },
-    "node_modules/js-crc": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/js-crc/-/js-crc-0.2.0.tgz",
-      "integrity": "sha512-8DdCSAOACpF8WDAjyDFBC2rj8OS4HUP9mNZBDfl8jCiPCnJG+2bkuycalxwZh6heFy6PrMvoWTp47lp6gzT65A==",
-      "license": "MIT"
-    },
    "node_modules/js-sha3": {
      "version": "0.9.3",
      "resolved": "https://registry.npmjs.org/js-sha3/-/js-sha3-0.9.3.tgz",
--- a/package.json
+++ b/package.json
@@ -123,6 +123,7 @@
    "d3": "7.9.0",
    "d3-hexbin": "^0.2.2",
    "diff": "^5.2.0",
+    "dompurify": "^3.2.5",
    "es6-promisify": "^7.0.0",
    "escodegen": "^2.1.0",
    "esprima": "^4.0.1",
--- a/src/web/waiters/RecipeWaiter.mjs
+++ b/src/web/waiters/RecipeWaiter.mjs
@@ -8,6 +8,7 @@ import HTMLOperation from "../HTMLOperation.mjs";
 import Sortable from "sortablejs";
 import Utils from "../../core/Utils.mjs";
 import {escapeControlChars} from "../utils/editorUtils.mjs";
+import DOMPurify from "dompurify";


 /**
@@ -435,7 +436,9 @@ class RecipeWaiter {
        const item = document.createElement("li");

        item.classList.add("operation");
-        item.innerHTML = name;
+        const clean = DOMPurify.sanitize(name);
+        item.innerHTML = clean;
+
        this.buildRecipeOperation(item);
        document.getElementById("rec-list").appendChild(item);