fix XSS issue with styling #10

aardbol · Jul 5, 2019 · 5b17e4f · 5b17e4f
1 parent 4ff350e
commit 5b17e4f
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/index.html b/index.html
@@ -282,6 +282,17 @@ <h4 class="ui header">This is the encrypted version of your secret that is store
         decryptErrorElm.transition("fade in").find(id).show();
     }
 
+    /**
+     * Convert HTML to text
+     */
+    function stripHTML(dirtyString) {
+        var container = document.createElement('div'),
+            text = document.createTextNode(dirtyString);
+
+        container.appendChild(text);
+        return container.innerHTML; // innerHTML will be a xss safe string
+    }
+
     //---
     // DOM ready
     //--
@@ -422,7 +433,7 @@ <h4 class="ui header">This is the encrypted version of your secret that is store
                     $resultsecret.show().find('span:first').text(Tea.decrypt(json['data'], getDecryptionHashFromUrl()));
                     $resultsecret.find('span:first')
                         // styling formatting
-                        .html($resultsecret.find('span:first').text()
+                        .html(stripHTML($resultsecret.find('span:first').text())
                             .replace(/\[hl]/gi, "<code>")
                             .replace(/\[\/hl]/gi, "</code>")
                             .replace(/\[b]/gi, "<b>")