Properly escape html strings passed to debug

Nick O'Leary 2016-11-27 21:51:34 +00:00
parent f2797a4153
commit 52fc497412
3 changed files with 27 additions and 18 deletions


@ -19,6 +19,9 @@ RED.utils = (function() {
function formatString(str) {
return str.replace(/\r?\n/g,"↵").replace(/\t/g,"→");
}
function sanitize(m) {
return m.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");
}
function buildMessageSummaryValue(value) {
var result;
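Review bot: `sanitize` at the top of the hunk escapes only `&`, `<` and `>`, which is enough for the element-text positions the new callers put it in but not for attribute values, where an unescaped `"` would break out of the quoted value; since the name invites reuse, that limit belongs next to the definition, e.g. `// Escapes for use as element text only; quotes are not escaped, so never use the result inside an attribute.` It also assumes a string argument, since `m.replace` throws on anything else, and the callers added elsewhere in this commit rely on a `typeof === 'string'` guard for that; a second line, `// m must be a string (callers check typeof before calling)`, makes that contract visible to the next caller.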
@ -35,9 +38,11 @@ RED.utils = (function() {
result = $('<span class="debug-message-object-value debug-message-type-meta">object</span>');
}
} else if (typeof value === 'string') {
subvalue = value;
if (subvalue.length > 30) {
subvalue = subvalue.substring(0,30)+"&hellip;";
var subvalue;
if (value.length > 30) {
subvalue = sanitize(value.substring(0,30))+"&hellip;";
} else {
subvalue = sanitize(value);
}
result = $('<span class="debug-message-object-value debug-message-type-string"></span>').html('"'+formatString(subvalue)+'"');
} else {
@ -68,7 +73,7 @@ RED.utils = (function() {
var entryObj;
var header;
var headerHead;
var value,subvalue;
var value;
var element = $('<span class="debug-message-element"></span>');
if (!key) {
element.addClass("debug-message-top-level");
@ -98,23 +103,26 @@ RED.utils = (function() {
makeExpandable(header, function() {
$('<span class="debug-message-type-meta debug-message-object-type-header"></span>').html(typeHint||'string').appendTo(header);
var row = $('<div class="debug-message-object-entry collapsed"></div>').appendTo(element);
$('<pre class="debug-message-type-string"></pre>').html(obj).appendTo(row);
$('<pre class="debug-message-type-string"></pre>').text(obj).appendTo(row);
});
}
$('<span class="debug-message-type-string debug-message-object-header"></span>').html('"'+formatString(obj)+'"').appendTo(entryObj);
$('<span class="debug-message-type-string debug-message-object-header"></span>').html('"'+formatString(sanitize(obj))+'"').appendTo(entryObj);
} else if (typeof obj === 'number') {
e = $('<span class="debug-message-type-number"></span>').text(""+obj).appendTo(entryObj);
e.click(function(evt) {
var format = $(this).data('format');
if (format === 'hex') {
$(this).text(""+obj).data('format','dec');
} else {
$(this).text("0x"+(obj).toString(16)).data('format','hex');
}
evt.preventDefault();
});
if ((obj^0)===obj) {
e.addClass("debug-message-type-number-toggle");
e.click(function(evt) {
var format = $(this).data('format');
if (format === 'hex') {
$(this).text(""+obj).data('format','dec');
} else {
$(this).text("0x"+(obj).toString(16)).data('format','hex');
}
evt.preventDefault();
});
}
} else if (isArray) {
element.addClass('collapsed');
@ -155,7 +163,7 @@ RED.utils = (function() {
} catch(err) {
console.log(err);
}
$('<pre class="debug-message-type-string"></pre>').html(stringEncoding).appendTo(sr);
$('<pre class="debug-message-type-string"></pre>').text(stringEncoding).appendTo(sr);
var bufferOpts = $('<span class="debug-message-buffer-opts"></span>').appendTo(headerHead);
$('<a href="#"></a>').addClass('selected').html('raw').appendTo(bufferOpts).click(function(e) {
if ($(this).text() === 'raw') {


@ -150,7 +150,8 @@
.debug-message-type-string { color: #b72828; }
.debug-message-type-null { color: #666; font-style: italic;}
.debug-message-type-meta { color: #666; font-style: italic;}
.debug-message-type-number { color: #2033d6;cursor: pointer;}
.debug-message-type-number { color: #2033d6; };
.debug-message-type-number-toggle { cursor: pointer;}
.debug-message-expandable {
cursor: pointer;
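Review bot: The rewritten rule `.debug-message-type-number { color: #2033d6; };` leaves a stray `;` after the closing brace, which is not valid at rule level in CSS; browsers recover by discarding it, but a stricter preprocessor or linter will flag it. Drop the trailing semicolon: `.debug-message-type-number { color: #2033d6; }`. The new `.debug-message-type-number-toggle` rule that now carries the pointer cursor is fine as written.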


@ -198,7 +198,7 @@ RED.debug = (function() {
var name = sanitize(((o.name?o.name:o.id)||"").toString());
var topic = sanitize((o.topic||"").toString());
var property = sanitize(o.property?o.property:'');
var payload = sanitize((o.msg||"").toString());
var payload = o.msg;
var format = sanitize((o.format||"").toString());
msg.className = 'debug-message'+(o.level?(' debug-message-level-'+o.level):'') +
((sourceNode&&sourceNode.z)?((" debug-message-flow-"+sourceNode.z+((filter&&(activeWorkspace!==sourceNode.z))?" hide":""))):"");
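Review bot: `var payload = o.msg;` on the changed line drops both the `.toString()` coercion and the escaping, so `payload` is now a raw value of whatever type the message carried, and every remaining use of it has to go through a renderer that escapes on its own (presumably the RED.utils helpers this commit changes); any leftover concatenation of `payload` into `.html()` or `innerHTML` below this point would now be an XSS sink. The enclosing function continues past the end of the hunk, so that cannot be confirmed from here. A comment at the assignment would make the new contract explicit: `var payload = o.msg; // raw value: escaping is done by the element builder that renders it`.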