💥 '); DROP TABLES 'commits' -- __injectCSS(); //

Author: GitSquared

src/_renderer.js

@@ -2,6 +2,24 @@
 window.eval = global.eval = function () {
     throw new Error("eval() is disabled for security reasons.");
 };
+// Security helper :)
+window._escapeHtml = (text) => {
+    let map = {
+        '&': '&',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        "'": '&#039;'
+    };
+    return text.replace(/[&<>"']/g, m => {return map[m];});
+};
+window._purifyCSS = (str) => {
+    let map = {
+        '<': '&lt;',
+        '>': '&gt;'
+    };
+    return str.replace(/[&<>"']/g, m => {return map[m];});
+};
 
 // Initiate basic error handling
 window.onerror = (msg, path, line, col, error) => {
@@ -56,6 +74,8 @@ window._loadTheme = (theme) => {
     body {
         font-family: var(--font_main), sans-serif;
     }
+
+    ${window._purifyCSS(theme.injectCSS || "")}
     </style>`;
 
     window.theme = theme;

src/classes/filesystem.class.js

@@ -107,25 +107,25 @@ class FilesystemDisplay {
 
                                     this._tmp.dirs.forEach(e => {
                                         this.cwd.push({
-                                            name: this._escapeHtml(e),
+                                            name: window._escapeHtml(e),
                                             type: "dir"
                                         });
                                     });
                                     this._tmp.symlinks.forEach(e => {
                                         this.cwd.push({
-                                            name: this._escapeHtml(e),
+                                            name: window._escapeHtml(e),
                                             type: "symlink"
                                         });
                                     });
                                     this._tmp.files.forEach(e => {
                                         if (tcwd === themesDir && e.endsWith(".json")) {
                                             this.cwd.push({
-                                                name: this._escapeHtml(e),
+                                                name: window._escapeHtml(e),
                                                 type: "edex-theme"
                                             });
                                         } else {
                                             this.cwd.push({
-                                                name: this._escapeHtml(e),
+                                                name: window._escapeHtml(e),
                                                 type: "file"
                                             });
                                         }
@@ -204,14 +204,4 @@ class FilesystemDisplay {
             this.space_bar.bar.value = Math.round(this.fsBlock.use);
         };
     }
-    _escapeHtml(text) {
-        let map = {
-            '&': '&',
-            '<': '&lt;',
-            '>': '&gt;',
-            '"': '&quot;',
-            "'": '&#039;'
-        };
-        return text.replace(/[&<>"']/g, m => {return map[m];});
-    }
 }

src/ui.html

@@ -2,7 +2,7 @@
 <html>
     <head>
         <meta charset="utf-8" />
-        <meta http-equiv="Content-Security-Policy" content="default-src file: 'unsafe-inline'; connect-src ws:">
+        <meta http-equiv="Content-Security-Policy" content="default-src file: 'unsafe-inline'; img-src data:; connect-src ws:">
         <meta name="viewport" content="width=device-width, initial-scale=1.0">
         <title>eDEX-UI</title>