From: Akiyah Date: Sat, 4 Jan 2014 17:07:25 +0000 (+0900) Subject: fix XSS in labels X-Git-Tag: v1.1.0~67^2~2 X-Git-Url: https://adrianiainlam.tk/git/?a=commitdiff_plain;h=7afca02d30cc9815409cbc3bafa42993615ed541;hp=e88a95b4dbb4cb6f8d8cb4086209915944cbea54;p=dygraphs.git fix XSS in labels --- diff --git a/plugins/legend.js b/plugins/legend.js index 66408b6..f4eb665 100644 --- a/plugins/legend.js +++ b/plugins/legend.js @@ -120,6 +120,10 @@ var calculateEmWidthInDiv = function(div) { return oneEmWidth; }; +var escapeHTML = function(str) { + return str.replace(/&/g, "&").replace(/"/g, """).replace(//g, ">"); +} + legend.prototype.select = function(e) { var xValue = e.selectedX; var points = e.selectedPoints; @@ -208,7 +212,7 @@ generateLegendHTML = function(g, x, sel_points, oneEmWidth) { strokePattern = g.getOption("strokePattern", labels[i]); dash = generateLegendDashHTML(strokePattern, series.color, oneEmWidth); html += "" + - dash + " " + labels[i] + ""; + dash + " " + escapeHTML(labels[i]) + ""; } return html; } @@ -245,7 +249,7 @@ generateLegendHTML = function(g, x, sel_points, oneEmWidth) { // TODO(danvk): use a template string here and make it an attribute. html += "" + " " + - pt.name + ": " + yval + ""; + escapeHTML(pt.name) + ": " + yval + ""; } return html; };