Merge pull request #478 from irskep/bug-fixes

irskep · web-flow · commit 7efd7d890833 · 2017-12-18T09:22:31.000-08:00
Fix XSS vuln. Add yarn.lock and 'yarn dev' script.
diff --git a/package.json b/package.json
@@ -5,7 +5,9 @@
   "main": "lib/js",
   "scripts": {
     "prepublish": "gulp commonjs",
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "dev": "gulp dev",
+    "gulp": "gulp"
   },
   "repository": {
     "type": "git",
diff --git a/src/core/fontmetrics.js b/src/core/fontmetrics.js
@@ -39,6 +39,23 @@
   var NAME = "FontMetrics Library"
   var VERSION = "1-2012.0121.1300";
 
+  var entityMap = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#39;',
+    '/': '&#x2F;',
+    '`': '&#x60;',
+    '=': '&#x3D;'
+  };
+
+  function escapeHTML (string) {
+    return String(string).replace(/[&<>"'`=\/]/g, function (s) {
+      return entityMap[s];
+    });
+  }
+
   // if there is no getComputedStyle, this library won't work.
   if(!document.defaultView.getComputedStyle) {
     throw("ERROR: 'document.defaultView.getComputedStyle' not found. This library only works in browsers that can report computed CSS values.");
@@ -99,7 +116,7 @@
     leadDiv.style.position = "absolute";
     leadDiv.style.opacity = 0;
     leadDiv.style.font = fontString;
-    leadDiv.innerHTML = textstring + "<br/>" + textstring;
+    leadDiv.innerHTML = escapeHTML(textstring) + "<br/>" + escapeHTML(textstring);
     document.body.appendChild(leadDiv);
 
     // make some initial guess at the text leading (using the standard TeX ratio)
diff --git a/src/core/svgRenderer.coffee b/src/core/svgRenderer.coffee
@@ -18,6 +18,19 @@ renderShapeToSVG = (shape, opts={}) ->
   else
     throw "Can't render shape of type #{shape.className} to SVG"
 
+entityMap = {
+  '&': '&amp;',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#39;',
+  '/': '&#x2F;',
+  '`': '&#x60;',
+  '=': '&#x3D;'
+}
+
+escapeHTML = (string) -> String(string).replace /[&<>"'`=\/]/g, (s) -> entityMap[s]
+
 
 defineSVGRenderer 'Rectangle', (shape) ->
   x1 = shape.x
@@ -171,7 +184,7 @@ defineSVGRenderer 'Text', (shape) ->
       dy = if i == 0 then 0 else '1.2em'
       return "
         <tspan x='#{shape.x}' dy='#{dy}' alignment-baseline='text-before-edge'>
-          #{line}
+          #{escapeHTML(line)}
         </tspan>"
     ).join('')}
   </text>
diff --git a/yarn.lock b/yarn.lock
