#153 XSS safty improvements

Michael Mrowetz · Michael Mrowetz · commit 0a98ffbb91f8 · 2017-03-26T17:51:20.000+09:00
diff --git a/src/ts/transformers/har-tabs.ts b/src/ts/transformers/har-tabs.ts
@@ -131,5 +131,5 @@ function makeImgTab(entry: Entry): WaterfallEntryTab {
   return makeLazyWaterfallEntryTab(
     "Preview",
     (detailsHeight: number) => `<img class="preview" style="max-height:${(detailsHeight - 100)}px"
- data-src="${entry.request.url}" />`);
+ data-src="${entry.request.url.replace("\"", "&quot;")}" />`);
 }
diff --git a/src/ts/transformers/helpers.ts b/src/ts/transformers/helpers.ts
@@ -25,7 +25,7 @@ export function makeDefinitionList(dlKeyValues: KvTuple[], addClass: boolean = f
   return dlKeyValues
     .filter((tuple: KvTuple) => tuple[1] !== undefined)
     .map((tuple) => `
-      <dt ${makeClass(tuple[0])}>${tuple[0]}</dt>
+      <dt ${makeClass(tuple[0])}>${escapeHtml(tuple[0])}</dt>
       <dd>${escapeHtml(tuple[1])}</dd>
     `).join("");
 }

Original file line number	Diff line number	Diff line change
`@@ -131,5 +131,5 @@ function makeImgTab(entry: Entry): WaterfallEntryTab {`
`131`	`131`	`return makeLazyWaterfallEntryTab(`
`132`	`132`	`"Preview",`
`133`	`133`	(detailsHeight: number) => `<img class="preview" style="max-height:${(detailsHeight - 100)}px"
`134`		- data-src="${entry.request.url}" />`);
	`134`	+ data-src="${entry.request.url.replace("\"", """)}" />`);
`135`	`135`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ export function makeDefinitionList(dlKeyValues: KvTuple[], addClass: boolean = f`
`25`	`25`	`return dlKeyValues`
`26`	`26`	`.filter((tuple: KvTuple) => tuple[1] !== undefined)`
`27`	`27`	.map((tuple) => `
`28`		`- <dt ${makeClass(tuple[0])}>${tuple[0]}</dt>`
	`28`	`+ <dt ${makeClass(tuple[0])}>${escapeHtml(tuple[0])}</dt>`
`29`	`29`	`<dd>${escapeHtml(tuple[1])}</dd>`
`30`	`30`	`).join("");
`31`	`31`	`}`