
Make it safer by having getContent function return an array of strings which are used as textContent rather than being interpolated (i.e. decreasing chance of XSS)

sbkwgh hace 7 años
padre
commit
30beb0629d
Se han modificado 1 ficheros con 28 adiciones y 35 borrados
  1. 28 35
      frontend/src/components/InputEditorPreview.vue

+ 28 - 35
frontend/src/components/InputEditorPreview.vue

@@ -59,25 +59,13 @@
 							return `https://${countryVersion}.wikipedia.org/api/rest_v1/page/summary/${page}?redirect=true`;
 						},
 						getContent (link, data) {
-							let content = `
-								<h2>
-									<a
-										href='${data.content_urls.desktop.page}'
-										target='_blank'
-										rel='noopener noreferrer'
-									>
-										${data.titles.display}
-									</a>
-									<span>from ${link.hostname}</span>
-								</h2>
-								${data.extract.slice(0, 500).trim()}
-							`;
-
-							if(data.extract.length > 500) {
-								content += '...';
-							}
+							let content = data.extract.slice(0, 500).trim();
 
-							return content;
+							return {
+								title: data.titles.display,
+								URL: data.content_urls.desktop.page,
+								content: content.length > 500 ? content + '...' : content
+							}
 						}
 					},
 					'github': {
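Review bot: The ellipsis on the new `content:` line can never be appended, because `content` has already been cut to at most 500 characters by `slice(0, 500).trim()` on the line above, so `content.length > 500` is always false; the removed code tested `data.extract.length` instead. Change it to `content: data.extract.length > 500 ? content + '...' : content`. The returned `URL` is also `data.content_urls.desktop.page` verbatim, and it later becomes the link target (`a.href = content.URL` in the third hunk); if the API response is treated as untrusted, as the commit message implies, a check that it starts with `https://` before returning it would close the `javascript:`-href vector that switching from `innerHTML` to `textContent` does not cover.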
@@ -86,21 +74,11 @@
 							return 'https://api.github.com/repos' + link.pathname;
 						},
 						getContent (link, data) {
-							let content = `
-								<h2>
-									<a
-										href='${data.html_url}'
-										target='_blank'
-										rel='noopener noreferrer'
-									>
-										${data.full_name}
-									</a>
-									<span>from ${link.hostname}</span>
-								</h2>
-								${data.description}
-							`;
-
-							return content;
+							return {
+								title: data.full_name,
+								URL: data.html_url,
+								content: data.description
+							}
 						}
 					}
 				};
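Review bot: `content: data.description` on the new side passes the GitHub `description` field through unchecked, and that field can be `null` in the GitHub API for repositories without a description; the value then reaches `document.createTextNode(content.content)` in the third hunk, which would render the literal text "null" in the preview. Use `content: data.description || ''` so an absent description yields an empty preview instead. `URL: data.html_url` is likewise taken verbatim from the response and is assigned to `a.href` further down; if that response is considered untrusted, a scheme check such as `/^https?:\/\//.test(data.html_url)` before returning it would complement the `textContent` change, since a `javascript:` href is not neutralised by avoiding `innerHTML`.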
@@ -142,9 +120,24 @@
 						this.axios
 							.get(URL)
 							.then(res => {
-								let div = document.createElement('div');
+								let content = expandPattern.getContent(link, res.data);
+								let h = document.createElement.bind(document);
+								
+								let div = h('div');
+								let h2 = h('h2');
+								let a = h('a');
+								let span = h('span');
+								let textNode = document.createTextNode(content.content);
+
+								a.textContent = content.title;
+								a.href = content.URL;
+								span.textContent = 'from ' + link.hostname;
+
+								h2.appendChild(a);
+								h2.appendChild(span);
+								div.appendChild(h2)
+								div.appendChild(textNode)
 
-								div.innerHTML = expandPattern.getContent(link, res.data);
 								div.classList.add('input_editor_preview__expandable');
 								link.parentNode.replaceChild(div, link);