fix Self XSS by injecting data attrbutte #727
jcubic committed Dec 30, 2021
1 parent eb85cf1 commit 77eb044
Showing 7 changed files with 28 additions and 18 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,7 @@
## 2.31.1
### Bugfix
* fixing low severity self XSS with potential more security implications [#727](https://github.com/jcubic/jquery.terminal/issues/727)

## 2.31.0
### Breaking
* remove undocumented `echo_command` (that was used by old `echo_newline` extension)
12 changes: 7 additions & 5 deletions js/jquery.terminal-2.31.0.js
Expand Up @@ -41,7 +41,7 @@
*
* broken image by Sophia Bai from the Noun Project (CC-BY)
*
* Date: Mon, 27 Dec 2021 10:26:13 +0000
* Date: Thu, 30 Dec 2021 10:53:02 +0000
*/
/* global define, Map */
/* eslint-disable */
Expand Down Expand Up @@ -5130,7 +5130,7 @@
// -------------------------------------------------------------------------
$.terminal = {
version: '2.31.0',
date: 'Mon, 27 Dec 2021 10:26:13 +0000',
date: 'Thu, 30 Dec 2021 10:53:02 +0000',
// colors from https://www.w3.org/wiki/CSS/Properties/color/keywords
color_names: [
'transparent', 'currentcolor', 'black', 'silver', 'gray', 'white',
Expand Down Expand Up @@ -6180,7 +6180,9 @@
return text;
} else {
return data.replace(/]/g, ']')
.replace(/>/g, '&gt;').replace(/</g, '&lt;');
.replace(/>/g, '&gt;')
.replace(/</g, '&lt;')
.replace(/"/g, '&quot;');
}
}
// -----------------------------------------------------------------
Expand Down Expand Up @@ -6365,7 +6367,7 @@
} else if (style.indexOf('@') !== -1) {
result += ' data-text/>';
} else {
result += ' data-text="' + data.replace(/"/g, '&quot;') + '">' +
result += ' data-text="' + data + '">' +
'<span>' + text + '</span></span>';
}
return result;
Expand All @@ -6386,7 +6388,7 @@
} else {
text = safe(text);
text = text.replace(/\\\]/, '&#93;');
var data = text;
var data = clean_data(text);
var extra = extra_css(text, settings);
var prefix;
if (extra.length) {
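Review bot: In the last hunk (-6386) the bracket escape on the context line `text = text.replace(/\\\]/, '&#93;');` has no `g` flag, so only the first `\]` in the text is converted before the new `clean_data(text)` call, whereas `clean_data` undoes it globally with `/&#93;/g`; if every escaped bracket is meant to reach `data-text` intact, that line should read `text = text.replace(/\\\]/g, '&#93;');`. Moving the `"` → `&quot;` step into `clean_data` only yields a fully attribute-safe value if `safe()` (called just above, defined outside the hunk) already converts `&`, which is worth confirming since nothing in these hunks handles it. The helper's new contract deserves a one-line comment above its `return`, e.g. `// output is safe to embed in a double-quoted attribute value (data-text)`. The functions enclosing both hunks start and end outside the hunk. The same three hunks appear unchanged in js/jquery.terminal-src.js and js/jquery.terminal.js, and this note applies to them as well.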
4 changes: 2 additions & 2 deletions js/jquery.terminal-2.31.0.min.js

Large diffs are not rendered by default.

8 changes: 5 additions & 3 deletions js/jquery.terminal-src.js
Expand Up @@ -6180,7 +6180,9 @@
return text;
} else {
return data.replace(/&#93;/g, ']')
.replace(/>/g, '&gt;').replace(/</g, '&lt;');
.replace(/>/g, '&gt;')
.replace(/</g, '&lt;')
.replace(/"/g, '&quot;');
}
}
// -----------------------------------------------------------------
Expand Down Expand Up @@ -6365,7 +6367,7 @@
} else if (style.indexOf('@') !== -1) {
result += ' data-text/>';
} else {
result += ' data-text="' + data.replace(/"/g, '&quot;') + '">' +
result += ' data-text="' + data + '">' +
'<span>' + text + '</span></span>';
}
return result;
Expand All @@ -6386,7 +6388,7 @@
} else {
text = safe(text);
text = text.replace(/\\\]/, '&#93;');
var data = text;
var data = clean_data(text);
var extra = extra_css(text, settings);
var prefix;
if (extra.length) {
12 changes: 7 additions & 5 deletions js/jquery.terminal.js
Expand Up @@ -41,7 +41,7 @@
*
* broken image by Sophia Bai from the Noun Project (CC-BY)
*
* Date: Mon, 27 Dec 2021 10:26:13 +0000
* Date: Thu, 30 Dec 2021 10:53:02 +0000
*/
/* global define, Map */
/* eslint-disable */
Expand Down Expand Up @@ -5130,7 +5130,7 @@
// -------------------------------------------------------------------------
$.terminal = {
version: '2.31.0',
date: 'Mon, 27 Dec 2021 10:26:13 +0000',
date: 'Thu, 30 Dec 2021 10:53:02 +0000',
// colors from https://www.w3.org/wiki/CSS/Properties/color/keywords
color_names: [
'transparent', 'currentcolor', 'black', 'silver', 'gray', 'white',
Expand Down Expand Up @@ -6180,7 +6180,9 @@
return text;
} else {
return data.replace(/&#93;/g, ']')
.replace(/>/g, '&gt;').replace(/</g, '&lt;');
.replace(/>/g, '&gt;')
.replace(/</g, '&lt;')
.replace(/"/g, '&quot;');
}
}
// -----------------------------------------------------------------
Expand Down Expand Up @@ -6365,7 +6367,7 @@
} else if (style.indexOf('@') !== -1) {
result += ' data-text/>';
} else {
result += ' data-text="' + data.replace(/"/g, '&quot;') + '">' +
result += ' data-text="' + data + '">' +
'<span>' + text + '</span></span>';
}
return result;
Expand All @@ -6386,7 +6388,7 @@
} else {
text = safe(text);
text = text.replace(/\\\]/, '&#93;');
var data = text;
var data = clean_data(text);
var extra = extra_css(text, settings);
var prefix;
if (extra.length) {
4 changes: 2 additions & 2 deletions js/jquery.terminal.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion js/jquery.terminal.min.js.map

Large diffs are not rendered by default.
