555 - Fix HTML value not escaped in DataField (#556)
* Escape HTML in DataField value

* HTML data prop test
Guillaume Chau authored and michalsnik committed Jan 24, 2018
1 parent 0f2468a commit fb782d3
Showing 3 changed files with 20 additions and 3 deletions.
3 changes: 2 additions & 1 deletion shells/dev/target/NativeTypes.vue
Expand Up @@ -64,7 +64,8 @@ export default {
},
largeArray: [],
i: new Set([1, 2, 3, 4, new Set([5, 6, 7, 8]), new Map([[1, 2], [3, 4], [5, new Map([[6, 7]])]])]),
j: new Map([[1, 2], [3, 4], [5, new Map([[6, 7]])], [8, new Set([1, 2, 3, 4, new Set([5, 6, 7, 8]), new Map([[1, 2], [3, 4], [5, new Map([[6, 7]])]])])]])
j: new Map([[1, 2], [3, 4], [5, new Map([[6, 7]])], [8, new Set([1, 2, 3, 4, new Set([5, 6, 7, 8]), new Map([[1, 2], [3, 4], [5, new Map([[6, 7]])]])])]]),
html: '<b>Bold</b> <i>Italic</i>'
}
},
computed: {
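Review bot: The new `html` fixture only exercises `<` and `>`, while the escape table introduced in this commit also maps `"` and `&`; an ampersand is the case most likely to regress later (double-escaping of an already-encoded entity). Extending the sample to `html: '<b>Bold</b> <i>Italic</i> &amp; "quoted"'` covers all four mapped characters with one property. The enclosing `data()` function starts outside the hunk.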
5 changes: 3 additions & 2 deletions src/devtools/components/DataField.vue
Expand Up @@ -157,7 +157,8 @@ import {
NAN,
isPlainObject,
sortByKey,
openInEditor
openInEditor,
escape
} from 'src/util'
import DataFieldEdit from '../mixins/data-field-edit'
Expand Down Expand Up @@ -285,7 +286,7 @@ export default {
if (typeMatch) {
return typeMatch[1]
} else {
return `<span>"</span>${value}<span>"</span>`
return `<span>"</span>${escape(value)}<span>"</span>`
}
} else {
return value
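Review bot: `escape` is applied only to the fallback branch; the `return typeMatch[1]` two lines above still returns a capture unescaped, so if that capture is taken from `value` and the function's result is rendered with `v-html`, that path remains injectable. The enclosing function starts and ends outside the hunk, as does the template that consumes the return value, so this is a check to make rather than a confirmed bug. If `typeMatch[1]` can carry user-controlled text, `return escape(typeMatch[1])` closes it; if it is a fixed type name, a comment such as `// typeMatch[1] is a type tag, not user text — no escaping needed` would record why it is safe.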
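--- a/src/util.js
+++ b/src/util.js
@@ -426,3 +426,18 @@ export function openInEditor (file) {
 eval(src)
 }
 }
+
+const ESC = {
+'<': '&lt;',
+'>': '&gt;',
+'"': '&quot;',
+'&': '&amp;'
+}
+
+export function escape (s) {
+return s.replace(/[<>"&]/g, escapeChar)
+}
+
+function escapeChar (a) {
+return ESC[a] || a
+}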
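Review bot: `escape` leaves the single quote untouched, so a value interpolated into a single-quoted attribute (`title='…'`) could still break out; the DataField call site puts the result between tags, where this is harmless, but an exported helper named `escape` in `src/util` will be reused elsewhere. Either add `"'": '&#39;'` to `ESC` and widen the pattern to `/[<>"'&]/g`, or document the limit above the function with `// Escapes text content and double-quoted attribute values; single quotes are NOT escaped.` Separately, `s.replace` throws on a non-string argument, and whether the caller guards on `typeof value === 'string'` is outside this hunk, so `return String(s).replace(/[<>"&]/g, escapeChar)` would make the helper safe for numbers and booleans at no cost.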
