From aaa66a36297499cf9a195427674ef0b6f03e4024 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Mart=C3=ADnez?= Date: Sun, 15 Oct 2023 17:37:18 +0000 Subject: [PATCH] Add more html escaping --- src/mastodon-timeline.js | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/src/mastodon-timeline.js b/src/mastodon-timeline.js index 17b6020..393b298 100644 --- a/src/mastodon-timeline.js +++ b/src/mastodon-timeline.js @@ -155,9 +155,9 @@ MastodonApi.prototype.buildTimeline = async function () { if (this.LINK_SEE_MORE) { let linkSeeMorePath = ""; if (this.TIMELINE_TYPE === "profile") { - linkSeeMorePath = this.PROFILE_NAME; + linkSeeMorePath = encodeURIComponent(this.PROFILE_NAME); } else if (this.TIMELINE_TYPE === "hashtag") { - linkSeeMorePath = "tags/" + this.HASHTAG_NAME; + linkSeeMorePath = "tags/" + encodeURIComponent(this.HASHTAG_NAME); } else if (this.TIMELINE_TYPE === "local") { linkSeeMorePath = "public/local"; } @@ -218,7 +218,7 @@ MastodonApi.prototype.buildTimeline = async function () { e.target.parentNode.className !== "mt-toot-preview-image" && urlToot ) { - window.open(urlToot, "_blank"); + window.open(urlToot, "_blank", "noopener"); } }; @@ -324,7 +324,7 @@ MastodonApi.prototype.getTimelineData = async function () { reject(new Error("Something went wrong fetching data")); this.mtBodyContainer.innerHTML = '
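Review bot: `encodeURIComponent(this.PROFILE_NAME)` percent-encodes `@` as well as `/`, so if PROFILE_NAME is configured in the `@user` form Mastodon uses for profile paths, the see-more link becomes `/%40user`; most servers decode the path segment, but that should be confirmed against a real instance, or the leading `@` kept out of the encoded part: `"@" + encodeURIComponent(this.PROFILE_NAME.replace(/^@/, ""))` (only if PROFILE_NAME does carry the `@`, which is not visible here). Whether the resulting `linkSeeMorePath` is HTML-escaped where it is placed into the anchor's href is also outside this hunk. The enclosing buildTimeline body continues past the hunk.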
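Review bot: `window.open(urlToot, "_blank", "noopener")` still opens urlToot with whatever scheme it carries; the value appears to come from the fetched toot data (its assignment is outside the hunk), so a `javascript:` or `data:` URL returned by a hostile instance would be opened rather than refused. A scheme check in front of the call is cheap: `if (/^https?:\/\//i.test(urlToot)) window.open(urlToot, "_blank", "noopener");`. The click handler this line sits in starts before the hunk.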

Sorry, request failed:
' + - error.message + + this.escapeHtml(error.message) + "
"; this.mtBodyContainer.setAttribute("role", "none"); return { [key]: [] }; @@ -375,14 +375,14 @@ MastodonApi.prototype.assambleToot = function (c, i) { '' +
-      this.replaceQuotes(c.reblog.account.username) +
+      this.escapeHtml(c.reblog.account.username) +
       ' avatar' + "" + '
' + '' +
-      this.replaceQuotes(c.account.username) +
+      this.escapeHtml(c.account.username) +
       ' avatar' + "
" + "" + @@ -390,9 +390,9 @@ MastodonApi.prototype.assambleToot = function (c, i) { // User name and url userName = this.showEmojos( - c.reblog.account.display_name + this.escapeHtml(c.reblog.account.display_name ? c.reblog.account.display_name - : c.reblog.account.username, + : c.reblog.account.username), this.FETCHED_DATA.emojos ); user = @@ -422,7 +422,7 @@ MastodonApi.prototype.assambleToot = function (c, i) { '' +
-      c.account.username +
+      this.escapeHtml(c.account.username) +
       ' avatar' + "" + "" + @@ -430,7 +430,7 @@ MastodonApi.prototype.assambleToot = function (c, i) { // User name and url userName = this.showEmojos( - c.account.display_name ? c.account.display_name : c.account.username, + this.escapeHtml(c.account.display_name ? c.account.display_name : c.account.username), this.FETCHED_DATA.emojos ); user = @@ -438,7 +438,7 @@ MastodonApi.prototype.assambleToot = function (c, i) { '' + - userName + + this.escapeHtml(userName) + ' account' + "" + ""; @@ -720,7 +720,7 @@ MastodonApi.prototype.placeMedias = function (m, s) { '' +
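Review bot: `this.escapeHtml(userName)` in the `@@ -438` hunk escapes a value that is already escaped: the `@@ -430` hunk builds userName from `this.escapeHtml(...)` passed through showEmojos, so an `&` in a display name now renders as `&amp;amp;`, and if showEmojos inserts `<img>` markup for custom emojis (its body is not visible here) that markup is shown as literal text. Either keep the line as `userName +`, or escape the raw name for this spot instead: `this.escapeHtml(c.account.display_name || c.account.username) +`. The enclosing assambleToot function starts and ends outside these hunks.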
-    (m.description ? this.replaceQuotes(m.description) : ' + ""; @@ -743,14 +743,14 @@ MastodonApi.prototype.placePreviewLink = function (c) { '">' +
-        this.replaceQuotes(c.image_description) +
+        this.escapeHtml(c.image_description) +
         '' : '
📄
') + "" + '
' + (c.provider_name ? '' + - this.parseHTMLstring(c.provider_name) + + this.escapeHtml(this.parseHTMLstring(c.provider_name)) + "" : "") + '' + @@ -758,7 +758,7 @@ MastodonApi.prototype.placePreviewLink = function (c) { "" + (c.author_name ? '' + - this.parseHTMLstring(c.author_name) + + this.escapeHtml(this.parseHTMLstring(c.author_name)) + "" : "") + "
" + @@ -812,12 +812,14 @@ MastodonApi.prototype.parseHTMLstring = function (s) { }; /** - * Replace quotes + * Escape quotes and other special characters, to make them safe to add + * to HTML content and attributes as plain text * @param {string} s String * @returns {string} String */ -MastodonApi.prototype.replaceQuotes = function (s) { - return s.replace('"', "'"); +MastodonApi.prototype.escapeHtml = function (s) { + return (s ?? "").replace("&", "&").replace("<", "<") + .replace(">", ">").replace('"', """); }; /**