Closed doublemix closed 3 years ago
PR welcome, developers love to do bad things
Working on it. Any recommendations/procedures for contributing?
Plan to only escape the app name in HTML. Do you think the other HTML interpolations should be escaped as well? Don't think it can hurt.
Just send the PR, I will review and give advice.
I noticed that the HTML generation functions directly interpolate user input such as `appName` and `appShortName`. This makes it dangerous if working with user-submitted content. For example:

The above allows arbitrary injection into the HTML head. (The above will create an alert box if the generated HTML is included in a page, although anything is possible at this point.)

Also, since `appName` and `appShortName` are used in other places like the manifests, escaping beforehand is not really an option. Don't want `&` showing up in output. At the least, `appName` and `appShortName` need to be escaped in HTML. Color should be fine if the format is validated. Paths can be URL-encoded beforehand by the developer.