opensourcemirror
/
CodeMirror
mirror of https://github.com/codemirror/CodeMirror.git
1
0
Fork 0
Code Issues Releases Wiki Activity

[tern addon] Make sure dialog text is HTML escaped 

This addresses a potential XSS vulnerability caused by tern's
construction of inline HTML where text input is not escaped, which is
then passed to the openDialog function for rendering. The construction
is replaced with an equivalent DOM fragment construction, which
the openDialog API also supports.

This is currently a blocker for CodeMirror users that want to enforce
Trusted Types in their web application.
This commit is contained in:
Bjarki Ágúst Guðmundsson 2022-07-09 12:53:36 +02:00 committed by GitHub
parent 52dc64004c
commit a6fdd560c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
addon/tern/tern.js
View File

@ -589,10 +589,16 @@
}
function dialog(cm, text, f) {
if (cm.openDialog)
cm.openDialog(text + ": <input type=text>", f);
else
if (cm.openDialog) {
var fragment = document.createDocumentFragment();
fragment.appendChild(document.createTextNode(text + ": "));
var input = document.createElement("input");
input.type = "text";
fragment.appendChild(input);
cm.openDialog(fragment, f);
} else {
f(prompt(text, ""));
}
}
// Tooltips