

fix: XSS security issue #1090
1 parent cb1cac8 commit 42002a6

4 files changed

Lines changed: 8 additions & 4 deletions


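--- a/package.json
+++ b/package.json
@@ -91,6 +91,7 @@
 "cordova": "12.0.0",
 "core-js": "^3.37.1",
 "crypto-js": "^4.2.0",
+"dompurify": "^3.2.2",
 "escape-string-regexp": "^5.0.0",
 "esprima": "^4.0.1",
 "filesize": "^10.1.2",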
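Review bot: The new `dompurify` entry on the added line is a caret range and this commit touches no lockfile (the four files changed are package.json and three dialog modules), so the version that actually installs will float above 3.2.2. If the repository commits a lockfile it should be regenerated in the same commit; if it does not, consider pinning the exact version, e.g. `"dompurify": "3.2.2",`, so that the sanitizer introduced by a security fix is at least reproducible across installs. The sanitizer's behaviour is the whole fix here, so its version deserves to be under explicit control.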

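--- a/src/dialogs/alert.js
+++ b/src/dialogs/alert.js
@@ -1,3 +1,4 @@
+import DOMPurify from "dompurify";
 import actionStack from "lib/actionStack";
 import restoreTheme from "lib/restoreTheme";
 
@@ -26,7 +27,7 @@ function alert(titleText, message, onhide) {
 });
 const messageSpan = tag("span", {
 className: "message scroll",
-innerHTML: message,
+innerHTML: DOMPurify.sanitize(message),
 });
 const okBtn = tag("button", {
 textContent: strings.ok,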
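Review bot: `DOMPurify.sanitize(message)` on the changed line runs with the library's default profile, which also admits SVG and MathML markup; those namespaces are where most published DOMPurify bypasses (mXSS) have lived, and an alert message has no need for them. Restricting the call to the HTML profile narrows the surface at no cost to callers: `innerHTML: DOMPurify.sanitize(message, { USE_PROFILES: { html: true } }),`. Note also that, unlike confirm.js in this same commit, `alert` has no `isHTML` flag, so every caller's message is now parsed as HTML and any plain text that happens to look like a tag (for example `<foo>`) is silently stripped rather than displayed. The body of `alert` begins and ends outside this hunk.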

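--- a/src/dialogs/confirm.js
+++ b/src/dialogs/confirm.js
@@ -1,3 +1,4 @@
+import DOMPurify from "dompurify";
 import actionStack from "lib/actionStack";
 import restoreTheme from "lib/restoreTheme";
 
@@ -21,7 +22,7 @@ function confirm(titleText, message, isHTML) {
 });
 const messageSpan = tag("span", {
 className: "message scroll",
-innerHTML: isHTML ? message : undefined,
+innerHTML: isHTML ? DOMPurify.sanitize(message) : undefined,
 textContent: isHTML ? undefined : message,
 });
 const okBtn = tag("button", {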
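Review bot: The `isHTML` parameter of `confirm` now means "render as sanitized HTML" rather than "render as-is", and nothing on the changed line or at the signature records that, so a caller passing markup DOMPurify strips (inline event handlers, `<script>`, `javascript:` URLs) will see it vanish with no error. Add a JSDoc line on the signature, which sits above this hunk: `@param {boolean} [isHTML] - when true, message is parsed as HTML after DOMPurify.sanitize(); disallowed tags and attributes are dropped silently, otherwise it is shown as plain text`. The same profile restriction worth applying in alert.js applies here too: `innerHTML: isHTML ? DOMPurify.sanitize(message, { USE_PROFILES: { html: true } }) : undefined,`. The body of `confirm` continues beyond the hunk.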

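--- a/src/dialogs/loader.js
+++ b/src/dialogs/loader.js
@@ -1,3 +1,4 @@
+import DOMPurify from "dompurify";
 import Ref from "html-tag-js/ref";
 import actionStack from "lib/actionStack";
 import restoreTheme from "lib/restoreTheme";
@@ -54,7 +55,7 @@ function create(titleText, message = "", options = {}) {
 <div
 ref={$message}
 className="message"
-innerHTML={message}
+innerHTML={DOMPurify.sanitize(message)}
 style={{ whiteSpace: "pre-wrap" }}
 ></div>
 </span>
@@ -87,7 +88,7 @@ function create(titleText, message = "", options = {}) {
 $titleSpan.textContent = title;
 },
 setMessage(message) {
-$message.innerHTML = message;
+$message.innerHTML = DOMPurify.sanitize(message);
 },
 hide,
 show,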
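Review bot: The sanitizer is invoked at two independent sites inside `create` (the JSX `innerHTML` attribute and the `setMessage` method), each with DOMPurify's default configuration, and alert.js and confirm.js in the same commit add two more, so the allowlist policy now lives in four places with no single point to tighten it. A small shared helper, for example a `sanitizeHtml(message)` export in `lib/` that wraps `DOMPurify.sanitize` with one configuration object (HTML-only profile, and any tags such as `<style>` the dialogs should not accept if the default allowlist turns out to permit them), would keep the dialogs in step; `setMessage` would then read `$message.innerHTML = sanitizeHtml(message);`. Whether `setMessage` is ever called with a non-string cannot be told from this hunk; `DOMPurify.sanitize` stringifies such values, which is worth a one-line comment if that is relied on. The `create` function starts and ends outside this hunk.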
