Escaping
baltpeter committed Dec 11, 2023
1 parent 6ba8233 commit 3fad5cb
Showing 6 changed files with 165 additions and 11 deletions.
3 changes: 3 additions & 0 deletions package.json
Expand Up @@ -19,6 +19,7 @@
"scripts": {
"build": "parcel build",
"fix": "yarn eslint . --ignore-path .gitignore --ext .js,.jsx,.ts,.tsx --fix",
"postinstall": "patch-package",
"lint": "tsc && eslint . --ignore-path .gitignore --ext .js,.jsx,.ts,.tsx && git diff --check",
"prepack": "rm -rf dist && yarn build && yarn typedoc",
"test": "echo 'TODO: No tests specified yet.'",
Expand Down Expand Up @@ -62,6 +63,8 @@
"husky": "4.3.7",
"lint-staged": "13.2.3",
"parcel": "2.10.3",
"patch-package": "^8.0.0",
"postinstall-postinstall": "^2.1.0",
"prettier": "2.8.8",
"typedoc": "0.24.8",
"typedoc-plugin-markdown": "3.15.3",
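Review bot: The two new devDependencies `"patch-package": "^8.0.0"` and `"postinstall-postinstall": "^2.1.0"` use caret ranges while every neighbouring entry in the hunk is pinned exactly (`husky`, `lint-staged`, `parcel`, `prettier`, `typedoc`). Because `patch-package` now runs on every install through the added `"postinstall"` script and rewrites files under node_modules, a floating minor release can change install-time behaviour without a reviewed diff; pinning `"patch-package": "8.0.0",` and `"postinstall-postinstall": "2.1.0",` keeps it on the same footing as the rest of the file. Whether the lockfile already fixes these versions is not visible in this commit.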
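--- /dev/null
+++ b/patches/nunjucks+3.2.4.patch
@@ -0,0 +1,13 @@
+diff --git a/node_modules/nunjucks/src/lib.js b/node_modules/nunjucks/src/lib.js
+index 352acb5..d32aaab 100644
+--- a/node_modules/nunjucks/src/lib.js
++++ b/node_modules/nunjucks/src/lib.js
+@@ -120,7 +120,7 @@ if (Object.setPrototypeOf) {
+}
+_exports.TemplateError = TemplateError;
+function escape(val) {
+- return val.replace(escapeRegex, lookupEscape);
++ return val === undefined ? '' : `#{\`\`\` ${(val + '').replace(/`/g, '`\u200b')}\`\`\`.text}`
+}
+_exports.escape = escape;
+function isFunction(obj) {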
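Review bot: The replaced `return` in `escape` turns nunjucks' generic HTML escaper into a Typst-only one, so every autoescaped render in this package now emits a `#{ … .text}` raw-block expression whatever the template's output format, and nothing in the patch records why or what the construction guarantees. patch-package refuses to apply on a nunjucks version change, so whoever regenerates this file later needs the invariant spelled out; a one-line comment inside the patched function such as `// Typst-only escape: wrap in a raw block, put U+200B after every backtick so the input can never form a closing fence, then .text yields plain text` (or the same sentence in the README beside the postinstall step) would carry it. The new body no longer references `escapeRegex` and `lookupEscape`; if nothing else in lib.js uses them they are now dead code in the patched module.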
9 changes: 8 additions & 1 deletion src/index.ts
Expand Up @@ -60,13 +60,20 @@ export const generate = async (options: GenerateOptions) => {
{}
);

const nunjucks = Nunjucks.configure({ autoescape: false, throwOnUndefined: true });
const nunjucks = Nunjucks.configure({ autoescape: true, throwOnUndefined: true });
nunjucks.addFilter('dateFormat', (date: Date | string | undefined) =>
date ? new Date(date).toLocaleString(options.language, { dateStyle: 'long', timeStyle: 'long' }) : undefined
);
nunjucks.addFilter('timeFormat', (date: Date | string | undefined) =>
date ? new Date(date).toLocaleTimeString(options.language) : undefined
);
// Wrap content in a raw/code block, properly escaping user input.
nunjucks.addFilter(
'code',
(s: string | undefined) =>
new Nunjucks.runtime.SafeString(s === undefined ? '' : `\`\`\` ${(s + '').replace(/`/g, '`\u200b')}\`\`\``)
);
// Translate.
nunjucks.addGlobal(
't',
(key: keyof (typeof translations)['en']) => (
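Review bot: The new `'code'` filter registered via `nunjucks.addFilter(` is a character-for-character copy of the `$` helper that this same commit corrects in src/lib/har2pdf/index.ts, and the old `$` shows how such copies drift (its U+200B sat on the wrong side of the backtick and it carried a stray space before the closing fence). Move the wrapping expression into one exported helper, say `typstRaw(s: string | undefined): string`, and have both the filter and `$` call it, so the escaping rule has a single owner that a future fix cannot miss. The `(s + '')` coercion also suggests the filter receives non-string values at runtime; if so the parameter should be typed `unknown` rather than `string | undefined` so the coercion is visibly deliberate. The enclosing `generate` function starts and ends outside the hunk.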
2 changes: 1 addition & 1 deletion src/lib/har2pdf/index.ts
Expand Up @@ -33,7 +33,7 @@ export const generateTyp = (entries: (HarEntry & { index?: number })[], options?
* Wrap content in a raw/code block, properly escaping user input (cf.
* https://github.com/tweaselORG/meta/issues/42#issuecomment-1838486416).
*/
const $ = (s: string | undefined) => (s === undefined ? '' : `\`\`\` ${s.replace(/`/g, '\u200b`')} \`\`\``);
const $ = (s: string | undefined) => (s === undefined ? '' : `\`\`\` ${s.replace(/`/g, '`\u200b')}\`\`\``);

const renderDate = (date: Date | string | undefined) => (date ? new Date(date).toISOString() : undefined);
const renderHeaders = (headers: Header[] | undefined) =>
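Review bot: The docblock above `$` (`* Wrap content in a raw/code block, properly escaping user input`) points at an issue thread but does not state the invariant the corrected line relies on, and the fix is subtle enough (U+200B moved to after the backtick, trailing space before the closing fence dropped) that the next reader cannot tell which details matter. Add to the comment: `Every backtick in the input is followed by U+200B, so the output can never contain three consecutive backticks and the fence cannot be closed early; the space after the opening fence presumably keeps the first word from being read as a language tag.` Note that the U+200B characters survive into the rendered document, so values containing backticks will not copy back out byte-identical; if that matters for hashes or identifiers it deserves a sentence in the same comment.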
10 changes: 5 additions & 5 deletions templates/en/report.typ
Expand Up @@ -16,7 +16,7 @@ The analysis was performed on {{ analysisMeta.analysisDate | dateFormat }} on ve

= Findings

During the analysis, the network traffic initiated by the app was recorded. In total, {{ harEntries.length }} requests were recorded between {{ harEntries[0].startTime | dateFormat }} and {{ harEntries[harEntries.length - 1].startTime | dateFormat }}. The recorded traffic is attached as a HAR file{{ " (MD5 checksum of the HAR file: `" + analysisMeta.harMd5 + "`)" if analysisMeta.harMd5 }}, a standard format used by HTTP(S) monitoring tools to export collected data.#footnote[#link("http://www.softwareishard.com/blog/har-12-spec/")] HAR files can be viewed using Firefox or Chrome, for example.#footnote[TODO: https://github.com/tweaselORG/docs.tweasel.org/issues/7] The contents of the recorded traffic are also reproduced in @har2pdf[Appendix]
During the analysis, the network traffic initiated by the app was recorded. In total, {{ harEntries.length }} requests were recorded between {{ harEntries[0].startTime | dateFormat }} and {{ harEntries[harEntries.length - 1].startTime | dateFormat }}. The recorded traffic is attached as a HAR file{% if analysisMeta.harMd5 %} (MD5 checksum of the HAR file: {{ analysisMeta.harMd5 | code }}){% endif %}, a standard format used by HTTP(S) monitoring tools to export collected data.#footnote[#link("http://www.softwareishard.com/blog/har-12-spec/")] HAR files can be viewed using Firefox or Chrome, for example.#footnote[TODO: https://github.com/tweaselORG/docs.tweasel.org/issues/7] The contents of the recorded traffic are also reproduced in @har2pdf[Appendix]

== Network traffic without any interaction

Expand All @@ -27,18 +27,18 @@ In total, there were {{ trackHarResult.length }} requests detected that transmit
{% for adapterSlug, adapterResult in findings %}
=== {{ adapterSlug }} (TODO: nicer title)

The app sent the following {{ adapterResult.requests.length }} requests to the tracker "{{ adapterSlug }}" (TODO: nicer title) (TODO: tracker URL), operated by "{{ adapterResult.adapter.tracker.name }}". For details on how the requests to this tracker were decoded and the reasoning for how the transmitted information was determined, see the documentation in the Tweasel Tracker Wiki#footnote[The documentation for "{{ adapterSlug }}" (TODO: nicer title) is available at: https://trackers.tweasel.org/t/{{ adapterSlug }}].
The app sent the following {{ adapterResult.requests.length }} requests to the tracker "{{ adapterSlug }}" (TODO: nicer title) (TODO: tracker URL), operated by "{{ adapterResult.adapter.tracker.name }}". For details on how the requests to this tracker were decoded and the reasoning for how the transmitted information was determined, see the documentation in the Tweasel Tracker Wiki#footnote[The documentation for "{{ adapterSlug }}" (TODO: nicer title) is available at: #link("https://trackers.tweasel.org/t/{{ adapterSlug | safe }}")].

{% for request in adapterResult.requests %}
{% set harEntry = harEntries[request.harIndex] %}
==== `{{ harEntry.request.method }}` request to `{{ harEntry.request.host }}` ({{ harEntry.startTime | timeFormat }})
==== {{ harEntry.request.method | code }} request to {{ harEntry.request.host | code }} ({{ harEntry.startTime | timeFormat }})

On {{ harEntry.startTime | dateFormat }}, the app sent a `{{ harEntry.request.method }}` request to `{{ harEntry.request.host }}`. This request is reproduced in @har2pdf-e{{ request.harIndex }}[Appendix].
On {{ harEntry.startTime | dateFormat }}, the app sent a {{ harEntry.request.method | code }} request to {{ harEntry.request.host | code }}. This request is reproduced in @har2pdf-e{{ request.harIndex | safe }}[Appendix].

The following information was detected as being transmitted through this request:

{% for transmission in request.transmissions -%}
+ {{ t("data-path-property-" + transmission.property.toLowerCase()) }} (transmitted as `{{ transmission.path }}` with the value `{{ transmission.value }}`)
+ {{ t("data-path-property-" + transmission.property.toLowerCase()) }} (transmitted as {{ transmission.path | code }} with the value {{ transmission.value | code }})
{% endfor %}
{% endfor %}
{% endfor %}
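Review bot: The `{{ adapterSlug | safe }}` inside `#link("https://trackers.tweasel.org/t/…")` switches autoescaping off in exactly the place where a Typst string literal is being built, and nothing in the template guarantees the slug is free of `"` or `\`, either of which would terminate the literal and let the remainder be parsed as Typst. If `adapterSlug` is a fixed identifier from the adapter registry rather than anything derived from recorded traffic, record that next to the use, e.g. `{# adapterSlug is a registry identifier, never traffic-derived; safe to inline in a string literal #}`; otherwise run it through an allow-list filter (letters, digits, hyphen) before `| safe`. The same reasoning applies to `request.harIndex | safe` in the `@har2pdf-e…` label, which looks fine as long as harIndex is the numeric array index it is used as a few lines above.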
