Merge pull request #15 from shennyg/fix/escape-entities-craft4

Tam · web-flow · commit 801df4dc7c4d · 2024-05-09T13:50:59.000+01:00
Escape HTML entities in log files for Craft 4
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 4.0.1 - 2024-03-19
+### Fixed
+- Escape unsafe HTML, this allows XML and HTML tags to display as text instead of render
+
+## 3.0.6 - 2022-05-10
+### Fixed
+- Escape unsafe HTML, this allows XML and HTML tags to display as text instead of render
+
 ## 4.0.0 - 2022-07-11
 ### Changed
 - Craft 4 release
diff --git a/composer.json b/composer.json
@@ -1,6 +1,7 @@
 {
   "name": "ether/logs",
   "description": "Access logs from the CP",
+  "version": "4.0.1",
   "type": "craft-plugin",
   "minimum-stability": "dev",
   "require": {
diff --git a/src/Utility.php b/src/Utility.php
@@ -63,6 +63,43 @@ function ($var) {
 CSS;
 
 		$js = <<<JS
+/** Mixin to extend the String type with a method to escape unsafe characters
+ *  for use in HTML.  Uses OWASP guidelines for safe strings in HTML.
+ * 
+ *  Credit: http://benv.ca/2012/10/4/you-are-probably-misusing-DOM-text-methods/
+ *          https://github.com/janl/mustache.js/blob/16ffa430a111dc293cd9ed899ecf9da3729f58bd/mustache.js#L62
+ *
+ *  Maintained by stevejansen_github@icloud.com
+ *
+ *  @license http://opensource.org/licenses/MIT
+ *
+ *  @version 1.0
+ *
+ *  @mixin
+ */
+(function(){
+  "use strict";
+
+  function escapeHtml() {
+    return this.replace(/[&<>"'\/]/g, function (s) {
+      var entityMap = {
+          "&": "&amp;",
+          "<": "&lt;",
+          ">": "&gt;",
+          '"': '&quot;',
+          "'": '&#39;',
+          "/": '&#x2F;'
+        };
+
+      return entityMap[s];
+    });
+  }
+
+  if (typeof(String.prototype.escapeHtml) !== 'function') {
+    String.prototype.escapeHtml = escapeHtml;
+  }
+})();
+
 const logElem = document.getElementById("__log");
 
 function streamLog (log) {
@@ -75,7 +112,7 @@ function streamLog (log) {
 	}).then(data => data.text()).then(data => {
 		let html = "";
 		
-		data.split("\\n").forEach(line => {
+		data.escapeHtml().split("\\n").forEach(line => {
 			let m = /^(\d{4}(-\d{2}){2} (\d{2}:){2}\d{2}) (\[[^\]]+\]){3}\[([^\]]+)\]\[([^\]]+)\]/i.exec(line);
 			if (m !== null) {
 				let colour = "";

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "ether/logs",`
`3`	`3`	`"description": "Access logs from the CP",`
	`4`	`+ "version": "4.0.1",`
`4`	`5`	`"type": "craft-plugin",`
`5`	`6`	`"minimum-stability": "dev",`
`6`	`7`	`"require": {`