
Properly escape html strings passed to debug

This commit is contained in:
Nick O'Leary 2016-11-27 21:51:34 +00:00
parent f2797a4153
commit 52fc497412
3 changed files with 27 additions and 18 deletions


@ -19,6 +19,9 @@ RED.utils = (function() {
function formatString(str) { function formatString(str) {
return str.replace(/\r?\n/g,"↵").replace(/\t/g,"→"); return str.replace(/\r?\n/g,"↵").replace(/\t/g,"→");
} }
function sanitize(m) {
return m.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");
}
function buildMessageSummaryValue(value) { function buildMessageSummaryValue(value) {
var result; var result;
@ -35,9 +38,11 @@ RED.utils = (function() {
result = $('<span class="debug-message-object-value debug-message-type-meta">object</span>'); result = $('<span class="debug-message-object-value debug-message-type-meta">object</span>');
} }
} else if (typeof value === 'string') { } else if (typeof value === 'string') {
subvalue = value; var subvalue;
if (subvalue.length > 30) { if (value.length > 30) {
subvalue = subvalue.substring(0,30)+"&hellip;"; subvalue = sanitize(value.substring(0,30))+"&hellip;";
} else {
subvalue = sanitize(value);
} }
result = $('<span class="debug-message-object-value debug-message-type-string"></span>').html('"'+formatString(subvalue)+'"'); result = $('<span class="debug-message-object-value debug-message-type-string"></span>').html('"'+formatString(subvalue)+'"');
} else { } else {
@ -68,7 +73,7 @@ RED.utils = (function() {
var entryObj; var entryObj;
var header; var header;
var headerHead; var headerHead;
var value,subvalue; var value;
var element = $('<span class="debug-message-element"></span>'); var element = $('<span class="debug-message-element"></span>');
if (!key) { if (!key) {
element.addClass("debug-message-top-level"); element.addClass("debug-message-top-level");
@ -98,14 +103,16 @@ RED.utils = (function() {
makeExpandable(header, function() { makeExpandable(header, function() {
$('<span class="debug-message-type-meta debug-message-object-type-header"></span>').html(typeHint||'string').appendTo(header); $('<span class="debug-message-type-meta debug-message-object-type-header"></span>').html(typeHint||'string').appendTo(header);
var row = $('<div class="debug-message-object-entry collapsed"></div>').appendTo(element); var row = $('<div class="debug-message-object-entry collapsed"></div>').appendTo(element);
$('<pre class="debug-message-type-string"></pre>').html(obj).appendTo(row); $('<pre class="debug-message-type-string"></pre>').text(obj).appendTo(row);
}); });
} }
$('<span class="debug-message-type-string debug-message-object-header"></span>').html('"'+formatString(obj)+'"').appendTo(entryObj); $('<span class="debug-message-type-string debug-message-object-header"></span>').html('"'+formatString(sanitize(obj))+'"').appendTo(entryObj);
} else if (typeof obj === 'number') { } else if (typeof obj === 'number') {
e = $('<span class="debug-message-type-number"></span>').text(""+obj).appendTo(entryObj); e = $('<span class="debug-message-type-number"></span>').text(""+obj).appendTo(entryObj);
if ((obj^0)===obj) {
e.addClass("debug-message-type-number-toggle");
e.click(function(evt) { e.click(function(evt) {
var format = $(this).data('format'); var format = $(this).data('format');
if (format === 'hex') { if (format === 'hex') {
@ -115,6 +122,7 @@ RED.utils = (function() {
} }
evt.preventDefault(); evt.preventDefault();
}); });
}
} else if (isArray) { } else if (isArray) {
element.addClass('collapsed'); element.addClass('collapsed');
@ -155,7 +163,7 @@ RED.utils = (function() {
} catch(err) { } catch(err) {
console.log(err); console.log(err);
} }
$('<pre class="debug-message-type-string"></pre>').html(stringEncoding).appendTo(sr); $('<pre class="debug-message-type-string"></pre>').text(stringEncoding).appendTo(sr);
var bufferOpts = $('<span class="debug-message-buffer-opts"></span>').appendTo(headerHead); var bufferOpts = $('<span class="debug-message-buffer-opts"></span>').appendTo(headerHead);
$('<a href="#"></a>').addClass('selected').html('raw').appendTo(bufferOpts).click(function(e) { $('<a href="#"></a>').addClass('selected').html('raw').appendTo(bufferOpts).click(function(e) {
if ($(this).text() === 'raw') { if ($(this).text() === 'raw') {
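Review bot: The new `sanitize` helper escapes only `&`, `<` and `>`, which is enough for the element-content positions it is used in here (`.html()` on a span's body) but not for attribute values, and nothing in the code says so; a short contract comment would keep a later caller from reusing it in the wrong context: `// Escapes &, < and > only: safe for element text content, NOT for attribute values`. The only reason the string branch of buildMessageSummaryValue still needs `.html()` plus hand-escaping is the `&hellip;` entity on the truncation line; emitting the literal `…` character and calling `.text('"'+formatString(subvalue)+'"')` would remove the manual escaping from that path entirely, as the commit already does with `.text(obj)` for the `<pre>` elements. The later hunks that switch `.html(...)` to `.text(...)` are correct and need no change. buildMessageSummaryValue and buildMessageElement both continue outside the hunks shown.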


@ -150,7 +150,8 @@
.debug-message-type-string { color: #b72828; } .debug-message-type-string { color: #b72828; }
.debug-message-type-null { color: #666; font-style: italic;} .debug-message-type-null { color: #666; font-style: italic;}
.debug-message-type-meta { color: #666; font-style: italic;} .debug-message-type-meta { color: #666; font-style: italic;}
.debug-message-type-number { color: #2033d6;cursor: pointer;} .debug-message-type-number { color: #2033d6; };
.debug-message-type-number-toggle { cursor: pointer;}
.debug-message-expandable { .debug-message-expandable {
cursor: pointer; cursor: pointer;
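Review bot: The rewritten `.debug-message-type-number { color: #2033d6; };` rule leaves a stray `;` after its closing brace, and CSS error recovery folds that token into the prelude of the next rule, so the selector becomes `; .debug-message-type-number-toggle`, which is invalid and causes the whole `.debug-message-type-number-toggle { cursor: pointer;}` rule to be dropped — the pointer cursor this commit moves onto the toggle class would never apply. Change the line to `.debug-message-type-number { color: #2033d6; }`.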


@ -198,7 +198,7 @@ RED.debug = (function() {
var name = sanitize(((o.name?o.name:o.id)||"").toString()); var name = sanitize(((o.name?o.name:o.id)||"").toString());
var topic = sanitize((o.topic||"").toString()); var topic = sanitize((o.topic||"").toString());
var property = sanitize(o.property?o.property:''); var property = sanitize(o.property?o.property:'');
var payload = sanitize((o.msg||"").toString()); var payload = o.msg;
var format = sanitize((o.format||"").toString()); var format = sanitize((o.format||"").toString());
msg.className = 'debug-message'+(o.level?(' debug-message-level-'+o.level):'') + msg.className = 'debug-message'+(o.level?(' debug-message-level-'+o.level):'') +
((sourceNode&&sourceNode.z)?((" debug-message-flow-"+sourceNode.z+((filter&&(activeWorkspace!==sourceNode.z))?" hide":""))):""); ((sourceNode&&sourceNode.z)?((" debug-message-flow-"+sourceNode.z+((filter&&(activeWorkspace!==sourceNode.z))?" hide":""))):"");
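Review bot: `var payload = o.msg;` drops both the `sanitize(...)` call and the `.toString()` coercion that the other variables on the surrounding lines keep, so `payload` is now an unescaped value of arbitrary type while `name`, `topic`, `property` and `format` remain escaped strings; that asymmetry is safe only if every later use of `payload` renders it through `.text()` or an escaping builder, which is outside this hunk and presumably the element builder from the first file. A comment on the line would make the new contract explicit: `var payload = o.msg; // raw, unescaped value of any type: must be rendered via .text()/sanitize(), never .html()`. The enclosing function continues outside the hunk.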