patorjk / Extendible-BBCode-Parser

Allows you to parse BBCode and to extend the markup to add your own tags. All major tags are supported and the parser reports back any errors it finds.
http://patorjk.com/bbcode-previewer/
MIT License

Addressing some Issues #29

Closed Merulast closed 1 year ago

Merulast commented 1 year ago

#25 - Hardening against injections

#22 - Single block Tags

patorjk commented 1 year ago

Looked good, thanks!

termermc commented 1 year ago

@Merulast Thank you for addressing this, however I did notice some issues with escapes in securityFixes.

function securityFixes(text) {
    return text
        .replaceAll("'", '&quot;') // This should be &#39; (&apos; is an XML entity, but is non-standard for HTML)
        .replaceAll('"', '&apos;') // This should be &quot; (it seems you swapped " and ' for each other)
        .replaceAll(';', '&#59;');
}
Merulast commented 1 year ago

You are absolutely right. I don't know how this mistake happened. Urgs.

MichaelKaaden commented 1 year ago

@Merulast The fix seems to have added a little problem, though.

var result = XBBCODE.process({
    text: "<h1>Hello World!</h1>",
});
console.error("Errors", result.error);
console.dir(result.errorQueue);
console.log(result.html);

now produces &lt&#59;h1&gt&#59;Hello World!&lt&#59;/h1&gt&#59; instead of &lt;h1&gt;Hello World!&lt;/h1&gt;.

I prepared a PR to fix this: #31
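As an added example (not code from the repository or from any commenter in this thread), the two escaping bugs raised above reproduced beside a corrected single-pass escaper: the swapped quote entities and the ';' rewrite that turns an already-produced &lt; into &lt&#59;. The function names, the lookup tables and the sample inputs are my own.

```javascript
// Added example (not the repository's code): the escaping bugs discussed in this
// thread, reproduced beside a corrected escaper. Function names and inputs are mine.

// The three replaceAll calls quoted by termermc: ' and " get each other's entity,
// &apos; is XML-only, and every ';' is rewritten, including the ';' that ends
// entities produced earlier in the pipeline.
function securityFixesBuggy(text) {
  return text
    .replaceAll("'", "&quot;")
    .replaceAll('"', "&apos;")
    .replaceAll(";", "&#59;");
}

// MichaelKaaden's observation: once '<' and '>' have already been encoded,
// the ';' rewrite turns "&lt;" into "&lt&#59;".
function escapeAnglesThenBuggy(text) {
  const angled = text.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
  return securityFixesBuggy(angled);
}

// Corrected escaper: one pass with a lookup table, so no entity is ever
// re-escaped, '&' is covered, the quote entities are HTML-safe (&#39; rather
// than &apos;), and ';' is left alone because a bare ';' is harmless in HTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Strict decoder for the entities escapeHtml emits (plus numeric references).
// It requires the terminating ';' and is not a browser-accurate parser; it is
// here to show that escapeHtml round-trips while the buggy pipeline does not.
const HTML_UNESCAPES = { amp: "&", lt: "<", gt: ">", quot: '"' };

function unescapeHtml(text) {
  return text.replace(/&(?:#(\d+)|(amp|lt|gt|quot));/g, (_, num, name) =>
    num !== undefined ? String.fromCodePoint(Number(num)) : HTML_UNESCAPES[name]);
}

// True when decoding the escaped form gives back the original text.
function roundTrips(text, escape) {
  return unescapeHtml(escape(text)) === text;
}
```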