Closed Merulast closed 1 year ago
Looked good, thanks!
@Merulast Thank you for addressing this, however I did notice some issues with escapes in securityFixes.
function securityFixes(text) {
    return text
        .replaceAll("'", '&quot;') // This should be &#39; (&apos; is an XML entity, but is non-standard for HTML)
        .replaceAll('"', '&apos;') // This should be &quot; (it seems you swapped " and ' for each other)
        .replaceAll(';', '&#59;');
}
You are absolutely right. I don't know how this mistake happened. Urgs.
@Merulast The fix seems to have added a little problem, though.
var result = XBBCODE.process({
    text: "<h1>Hello World!</h1>",
});
console.error("Errors", result.error);
console.dir(result.errorQueue);
console.log(result.html);
now produces <;h1>;Hello World!<;/h1>; instead of <h1>Hello World!</h1>.
I prepared a PR to fix this: 31
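As an added example (not code from XBBCODE or from either participant in this thread), the escape helper as quoted above, with its swapped entities, is placed next to a corrected single-pass escaper, together with a model of the ordering problem reported in the last comment: applying a helper that escapes ";" to markup that already contains "&lt;" turns it into "&lt&#59;", which browsers render as "<;". The names ENTITIES, escapeHtml, escapeAfterConversion and renderHeading are chosen here and are not part of the project.

```javascript
// Added example, not XBBCODE's own code.

// The helper as posted in the thread: ' and " are mapped to each other's
// entity, and ';' is escaped as well. Because the ';' pass runs last, it also
// rewrites the ';' that terminates the entities the first two passes emitted.
function securityFixesSwapped(text) {
  return text
    .replaceAll("'", "&quot;")
    .replaceAll('"', "&apos;")
    .replaceAll(";", "&#59;");
}

// Corrected mapping. &#39; is used for the apostrophe because &apos; is an
// XML entity that older HTML parsers do not know. '&' is included so that an
// entity already present in untrusted input is escaped rather than passed
// through, and the whole thing is one pass, so no replacement's output is
// ever fed into a later replacement.
const ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Model of the failure in the thread: the tag converter has already produced
// "&lt;h1&gt;...", and the helper is then run over that output. The result
// "&lt&#59;h1&gt&#59;" is what a browser shows as "<;h1>;" because "&lt" and
// "&gt" are accepted without a trailing semicolon.
function escapeAfterConversion(convertedHtml) {
  return securityFixesSwapped(convertedHtml);
}

// The direction of the fix: escape the untrusted text first, then build
// markup around the escaped result. The generated tags are never re-escaped.
function renderHeading(userText) {
  return "<h1>" + escapeHtml(userText) + "</h1>";
}

// Constructed inputs for a quick manual run.
console.log(securityFixesSwapped("it's"));
console.log(escapeAfterConversion("&lt;h1&gt;Hello World!&lt;/h1&gt;"));
console.log(escapeHtml('<img src=x onerror="alert(\'x\')">'));
console.log(renderHeading("<script>"));
```

The two things to check in any escaper of this kind are that every character maps to the entity for that character, and that escaping is applied exactly once to the raw input, never to output that already contains entities.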
25 - Hardening against injections
22 - Single block Tags