andy/tinyUSB
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Mitigate potential xss.

Browse Source
This commit is contained in:
raldone01
2025-07-11 12:41:09 +02:00
parent a9c51a7e65
commit 4cb4fb2e28
1 changed files with 18 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
examples/device/webusb_serial/website/application.js
View File

@@ -34,6 +34,17 @@
const THEME_STATES = ['auto', 'light', 'dark']; const THEME_STATES = ['auto', 'light', 'dark'];
/// https://stackoverflow.com/a/6234804/4479969
const escapeHtml = unsafe => {
if (typeof unsafe !== 'string') unsafe = String(unsafe);
return unsafe
.replaceAll("&", "&")
.replaceAll("<", "&lt;")
.replaceAll(">", "&gt;")
.replaceAll('"', "&quot;")
.replaceAll("'", "&#039;");
};
class CommandHistoryEntry { class CommandHistoryEntry {
constructor(text) { constructor(text) {
this.text = text; this.text = text;
@@ -211,9 +222,9 @@
commandHistoryEntryBtn.type = 'button'; commandHistoryEntryBtn.type = 'button';
let time_str = new Date(commandHistoryEntry.time).toLocaleString(); let time_str = new Date(commandHistoryEntry.time).toLocaleString();
commandHistoryEntryBtn.innerHTML = ` commandHistoryEntryBtn.innerHTML = `
<span class="command-history-entry-time">${time_str}</span> <span class="command-history-entry-time">${escapeHtml(time_str)}</span>
<span class="command-history-entry-text">${commandHistoryEntry.text}</span> <span class="command-history-entry-text">${escapeHtml(commandHistoryEntry.text)}</span>
<span class="command-history-entry-count">×${commandHistoryEntry.count}</span> <span class="command-history-entry-count">×${escapeHtml(commandHistoryEntry.count)}</span>
`; `;
commandHistoryEntryBtn.addEventListener('click', () => { commandHistoryEntryBtn.addEventListener('click', () => {
if (uiCommandLineInput.disabled) return; if (uiCommandLineInput.disabled) return;
@@ -247,7 +258,7 @@
clearCommandHistory() { clearCommandHistory() {
this.commandHistory = []; this.commandHistory = [];
uiCommandHistoryScrollbox.innerHTML = ''; uiCommandHistoryScrollbox.textContent = '';
localStorage.removeItem('commandHistory'); localStorage.removeItem('commandHistory');
this.setStatus('Command history cleared', 'info'); this.setStatus('Command history cleared', 'info');
} }
@@ -322,8 +333,8 @@
let receivedDataEntryBtn = document.createElement('div'); let receivedDataEntryBtn = document.createElement('div');
receivedDataEntryBtn.className = 'received-data-entry'; receivedDataEntryBtn.className = 'received-data-entry';
receivedDataEntryBtn.innerHTML = ` receivedDataEntryBtn.innerHTML = `
<span class="received-data-entry-time">${new Date(entry.time).toLocaleString()}</span> <span class="received-data-entry-time">${escapeHtml(new Date(entry.time).toLocaleString())}</span>
<span class="received-data-entry-text">${entry.text}</span> <span class="received-data-entry-text">${escapeHtml(entry.text)}</span>
`; `;
documentFragment.appendChild(receivedDataEntryBtn); documentFragment.appendChild(receivedDataEntryBtn);
} }
@@ -352,7 +363,7 @@
clearReceivedData() { clearReceivedData() {
this.receivedData = []; this.receivedData = [];
uiReceivedDataScrollbox.innerHTML = ''; uiReceivedDataScrollbox.textContent = '';
localStorage.removeItem('receivedData'); localStorage.removeItem('receivedData');
this.setStatus('Received data cleared', 'info'); this.setStatus('Received data cleared', 'info');
} }