From 2fc5031d697eda61a50f289c89f36ab1d989643f Mon Sep 17 00:00:00 2001 From: holomekc <30546982+holomekc@users.noreply.github.com> Date: Tue, 26 Dec 2023 23:01:18 +0100 Subject: [PATCH] -xss hotfix --- .../src/app/directives/highlight-js.directive.ts | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/webapp/wiremock/src/app/directives/highlight-js.directive.ts b/webapp/wiremock/src/app/directives/highlight-js.directive.ts index e206b9a089..a9d5099064 100644 --- a/webapp/wiremock/src/app/directives/highlight-js.directive.ts +++ b/webapp/wiremock/src/app/directives/highlight-js.directive.ts @@ -1,5 +1,6 @@ -import {Directive, ElementRef, Input, NgZone, OnChanges, SimpleChanges} from '@angular/core'; -import {UtilService} from '../services/util.service'; +import { Directive, ElementRef, Input, NgZone, OnChanges, SecurityContext, SimpleChanges } from "@angular/core"; +import { UtilService } from "../services/util.service"; +import { DomSanitizer } from "@angular/platform-browser"; declare const hljs: any; @@ -14,7 +15,7 @@ export class HighlightJsDirective implements OnChanges { @Input() language: string; - constructor(private elementRef: ElementRef, private zone: NgZone) { + constructor(private elementRef: ElementRef, private zone: NgZone, private sanitizer: DomSanitizer) { } ngOnChanges(changes: SimpleChanges): void { @@ -30,7 +31,7 @@ export class HighlightJsDirective implements OnChanges { code.classList.add('hljs'); if (UtilService.isUndefined(this.wmHighlightJs) || this.wmHighlightJs.length === 0) { - code.innerHTML = ''; + code.innerHTML = this.sanitizer.sanitize(SecurityContext.HTML, ''); return; } @@ -40,9 +41,9 @@ export class HighlightJsDirective implements OnChanges { if (highlighted.language === 'json' || highlighted.language === 'xml' || highlighted.language === 'http' || highlighted.language === 'html') { - code.innerHTML = highlighted.value; + code.innerHTML = this.sanitizer.sanitize(SecurityContext.HTML, highlighted.value); } else { - code.innerHTML = prettyCode; + code.innerHTML = this.sanitizer.sanitize(SecurityContext.HTML, prettyCode); } }