Fix XSS issues in library ui code

2019-02-06 22:25:25 +00:00 · 2019-02-06 22:25:25 +00:00 · a301bf8bf5
parent 37b3601c47
commit a301bf8bf5
1 changed files with 7 additions and 6 deletions
--- a/packages/node_modules/@node-red/editor-client/src/js/ui/library.js
+++ b/packages/node_modules/@node-red/editor-client/src/js/ui/library.js
@ -45,7 +45,7 @@ RED.library = (function() {
                            a = document.createElement("a");
                            a.href="#";
                            var label = i.replace(/^@.*\//,"").replace(/^node-red-contrib-/,"").replace(/^node-red-node-/,"").replace(/-/," ").replace(/_/," ");
-                            a.innerHTML = label;
+                            a.innerText = label;
                            li.appendChild(a);
                            li.appendChild(buildMenu(data.d[i],root+(root!==""?"/":"")+i));
                            ul.appendChild(li);
@ -58,7 +58,7 @@ RED.library = (function() {
                            li = document.createElement("li");
                            a = document.createElement("a");
                            a.href="#";
-                            a.innerHTML = data.f[i];
+                            a.innerText = data.f[i];
                            a.flowName = root+(root!==""?"/":"")+data.f[i];
                            a.onclick = function() {
                                $.get('library/flows/'+this.flowName, function(data) {
@ -125,8 +125,8 @@ RED.library = (function() {
                    li.onclick = (function () {
                        var dirName = v;
                        return function(e) {
-                            var bcli = $('<li class="active"><span class="divider">/</span> <a href="#">'+dirName+'</a></li>');
+                            var bcli = $('<li class="active"><span class="divider">/</span> </li>');
-                            $("a",bcli).click(function(e) {
+                            $('<a href="#"></a>').text(dirName).appendTo(bcli).click(function(e) {
                                $(this).parent().nextAll().remove();
                                $.getJSON("library/"+options.url+root+dirName,function(data) {
                                    $("#node-select-library").children().first().replaceWith(buildFileList(root+dirName+"/",data));
@ -141,12 +141,13 @@ RED.library = (function() {
                            });
                        }
                    })();
-                    li.innerHTML = '<i class="fa fa-folder"></i> '+v+"</i>";
+                    $('<i class="fa fa-folder"></i>').appendTo(li);
                    $('<span>').text(" "+v).appendTo(li);
                    ul.appendChild(li);
                } else {
                    // file
                    li = buildFileListItem(v);
-                    li.innerHTML = v.name;
+                    li.innerText = v.name;
                    li.onclick = (function() {
                        var item = v;
                        return function(e) {