Closed cyn8 closed 1 year ago
diff2html handles escaping already so you should not need to escape anything before invoking it.
Can you provide an example to replicate the problem?
I ended up changing the code around so that the diff variable is filled with the contents of a separate request made in JS. I originally had just rendered the page with the unescaped contents within the <script> tag, which could lead to cross-site scripting if provided with a malicious diff.
I guess an option to enable/disable the escaping provided by diff2html would be nice, but there are other ways to solve the problem I should've looked into. Thanks for the quick reply.
Not sure I understand what you mean, but diff2html should not be vulnerable to any type of injection. If it is, I would like to know about it and fix it. So if you are able to, please provide an example.
Step 0: Describe your environment
{ drawFileList: true, matching: 'lines', highlight: true }
Step 1: Describe the problem:
Because some of the diffs I have use HTML metacharacters (<>, etc), I run the generated diff through the PHP function htmlspecialchars() before passing it to diff2html-ui, in order to prevent injection by malicious code inside diffs. Unfortunately, by doing so, the actual < and > characters are not rendered; instead I see &lt; and &gt; in the browser, and by viewing the rendered HTML, it seems those characters are rendered as follows (snippet):
I have tried not using htmlspecialchars() to display the diff, but then the page breaks as sometimes the diff will include things like </script> etc.
Steps to reproduce:
diff example:
Observed Results:
Expected Results:
&lt; to be displayed as <, and vice versa.
Relevant Code:
see above (step 2)
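The two mechanisms discussed in this thread, as an added JavaScript example that is not code from the issue, from diff2html, or from the reporter's PHP page: (1) pre-escaping the diff with htmlspecialchars() and then letting diff2html escape it again turns `&lt;` into `&amp;lt;`, which the browser renders as the literal text `&lt;`; (2) pasting a raw diff into an inline `<script>` lets a `</script>` sequence inside the diff terminate the script block early, while JSON-encoding the string with `<`, `>`, `&`, U+2028 and U+2029 escaped as `\uXXXX` keeps it inert. `escapeHtml` is a stand-in for the entity encoding diff2html applies to line content (an assumption, not the library's implementation), `htmlspecialchars` is that same function standing in for PHP's, and `SAMPLE_DIFF` is constructed for the demonstration.

```javascript
// Stand-in for the HTML entity encoding diff2html applies to diff content
// (assumption: a minimal encoder, not diff2html's own implementation).
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// PHP's htmlspecialchars(), as the reporter used it, approximated with the same encoder.
const htmlspecialchars = escapeHtml;

// What the browser shows for an HTML fragment: decode entities once.
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&amp;/g, '&');
}

// Constructed sample diff: contains HTML metacharacters and a </script> sequence.
const SAMPLE_DIFF = [
  'diff --git a/index.html b/index.html',
  '--- a/index.html',
  '+++ b/index.html',
  '@@ -1,1 +1,1 @@',
  '-<p>old</p>',
  '+<p>new</p><script>alert(1)</script>',
].join('\n');

// 1. Double escaping. With preEscape=false the user sees the original diff text;
// with preEscape=true the user sees "&lt;" and "&gt;" literally, as in the report.
function renderedText(diff, preEscape) {
  const input = preEscape ? htmlspecialchars(diff) : diff;
  const html = escapeHtml(input); // diff2html escaping line content
  return decodeEntities(html);    // the text the browser displays
}

// 2a. Vulnerable pattern: JSON.stringify alone does not escape '<', so a "</script>"
// inside the diff ends the script element before the string literal is closed.
function inlineScriptUnsafe(diff) {
  return '<script>var diff = ' + JSON.stringify(diff) + ';</script>';
}

// 2b. Safe pattern: JSON with every character that matters to the HTML parser
// (and the two JS line terminators JSON allows raw) written as a \uXXXX escape.
// The result is still valid JSON, so JSON.parse and the JS engine recover the
// original bytes unchanged and diff2html receives the raw diff to escape itself.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function inlineScriptSafe(diff) {
  return '<script>var diff = ' + jsonForInlineScript(diff) + ';</script>';
}

// Mimic the HTML parser's script-data scan: the first "</script" after the opening
// tag ends the element. True when that happens before the intended closing tag.
function scriptBreaksOut(html) {
  const open = html.indexOf('<script>') + '<script>'.length;
  const firstClose = html.toLowerCase().indexOf('</script', open);
  return firstClose !== html.length - '</script>'.length;
}
```

The `fetch`-based approach the reporter settled on avoids the inline-script problem entirely: the diff is served as `text/plain` from a separate endpoint and never appears inside HTML, so only diff2html's own escaping is applied; the `jsonForInlineScript` form above is the equivalent when the diff must be embedded in the page.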