

Remove code for special decoding of webdav response.
decodeHTMLEntities seems not to be needed, and it introduces a vulnerability: "DOM text reinterpreted as HTML" (CWE-79, CWE-116)
ewelinagr committed Apr 24, 2024
1 parent 141e2e1 commit 796207e
Showing 2 changed files with 1 addition and 20 deletions.
15 changes: 1 addition & 14 deletions projects/mercury/src/file/FileAPI.js
Expand Up @@ -2,14 +2,7 @@ import {createClient} from 'webdav';
import qs from 'qs';
import {compareBy, comparing} from '../common/utils/genericUtils';
// eslint-disable-next-line import/no-cycle
import {
decodeHTMLEntities,
encodePath,
generateUniqueFileName,
getFileName,
joinPaths,
joinPathsAvoidEmpty
} from './fileUtils';
import {encodePath, generateUniqueFileName, getFileName, joinPaths, joinPathsAvoidEmpty} from './fileUtils';
import {handleHttpError} from '../common/utils/httpUtils';

// Ensure that the client passes along the credentials
Expand Down Expand Up @@ -479,12 +472,6 @@ class FileAPI {
mapToFile = fileObject => {
const properties = {...fileObject, ...(fileObject.props || {})};
delete properties.props;
Object.keys(properties).forEach(key => {
// The WebDAV client does not properly decode the XML response,
// so we need to do that here
const value = properties[key];
properties[key] = typeof value === 'string' ? decodeHTMLEntities(value) : value;
});
return properties;
};
}
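Review bot: With the per-key decoding removed, mapToFile now returns property values exactly as the webdav client hands them back, and nothing in the hunk records why that is safe, so the next reader may be tempted to re-add an innerHTML-based decoder; a comment on the `mapToFile = fileObject => {` line should state the contract, e.g. `// Property values are passed through as received from the webdav client; do not HTML-decode them here (CWE-79/CWE-116) — consumers must render them as text, never as markup.` The commit message says decoding "seems" unnecessary, which presumably means the client's XML parser already resolves entities; a unit test asserting that a name containing `&amp;` or `<` in the WebDAV response reaches the caller as the literal characters would pin that assumption. Note also that `{...fileObject, ...(fileObject.props || {})}` lets a server-supplied prop overwrite a top-level field of the same name; that predates this change, but it is worth a line in the same comment. The enclosing class FileAPI starts outside the hunk.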
6 changes: 0 additions & 6 deletions projects/mercury/src/file/fileUtils.js
Expand Up @@ -137,12 +137,6 @@ export function generateUniqueFileName(fileName, usedNames = []) {
return newName;
}

export const decodeHTMLEntities = (htmlSource: string) => {
const element = document.createElement('textarea');
element.innerHTML = htmlSource;
return element.textContent;
};

export const isUnsafeFileName = fileName => NON_SAFE_FILE_NAMES.includes(fileName);

export const fileNameContainsInvalidCharacter = fileName =>
