Dockery/Trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2025-10-31 02:16:05 +01:00
Code Issues Packages Projects Releases Activity

fix unescaped HTML in the tree node title, closes #1127

Browse Source
This commit is contained in:
zadam
2020-06-24 21:07:55 +02:00
parent 263b65997c
commit 89356918f1
2 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/public/app/services/utils.js
View File

@@ -64,8 +64,19 @@ function assertArguments() {
} }
} }
const entityMap = {
'&': '&',
'<': '&lt;',
'>': '&gt;',
'"': '&quot;',
"'": '&#39;',
'/': '&#x2F;',
'`': '&#x60;',
'=': '&#x3D;'
};
function escapeHtml(str) { function escapeHtml(str) {
return $('<div/>').text(str).html(); return str.replace(/[&<>"'`=\/]/g, s => entityMap[s]);
} }
async function stopWatch(what, func) { async function stopWatch(what, func) {

3
src/public/app/widgets/note_tree.js
View File

@@ -862,13 +862,14 @@ export default class NoteTreeWidget extends TabAwareWidget {
const branch = treeCache.getBranch(node.data.branchId); const branch = treeCache.getBranch(node.data.branchId);
const isFolder = this.isFolder(note); const isFolder = this.isFolder(note);
const title = (branch.prefix ? (branch.prefix + " - ") : "") + note.title;
node.data.isProtected = note.isProtected; node.data.isProtected = note.isProtected;
node.data.noteType = note.type; node.data.noteType = note.type;
node.folder = isFolder; node.folder = isFolder;
node.icon = this.getIcon(note, isFolder); node.icon = this.getIcon(note, isFolder);
node.extraClasses = this.getExtraClasses(note); node.extraClasses = this.getExtraClasses(note);
node.title = (branch.prefix ? (branch.prefix + " - ") : "") + note.title; node.title = utils.escapeHtml(title);
if (node.isExpanded() !== branch.isExpanded) { if (node.isExpanded() !== branch.isExpanded) {
node.setExpanded(branch.isExpanded, {noEvents: true}); node.setExpanded(branch.isExpanded, {noEvents: true});