fix(ui): prevent xss from log

kestra-io · Oct 11, 2022 · e2fbcb2 · e2fbcb2
1 parent 3aa78cc
commit e2fbcb2
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/ui/package-lock.json b/ui/package-lock.json
diff --git a/ui/package.json b/ui/package.json
@@ -48,7 +48,8 @@
     "vue-select": "^3.20.0",
     "vue-sidebar-menu": "^4.8.1",
     "vue2-datepicker": "^3.11.0",
-    "vuex": "^3.6.2"
+    "vuex": "^3.6.2",
+    "xss": "^1.0.14"
   },
   "devDependencies": {
     "@babel/core": "^7.18.13prismjs",

diff --git a/ui/src/components/logs/LogLine.vue b/ui/src/components/logs/LogLine.vue
@@ -21,6 +21,7 @@
 </template>
 <script>
     import Convert from "ansi-to-html"
+    import xss from "xss";
     let convert = new Convert();
 
     export default {
@@ -96,7 +97,7 @@
                 );
             },
             message() {
-                return !this.log.message ? "" : convert.toHtml(this.log.message);
+                return !this.log.message ? "" : convert.toHtml(xss(this.log.message));
             }
         },
     };