From b4af886192cd38cc1223b729cc315429a537d026 Mon Sep 17 00:00:00 2001
From: yubiuser
Date: Mon, 14 Apr 2025 16:21:21 +0200
Subject: [PATCH 1/3] HTML escape adlist URL before printing it in gravity stream
Co-authored-by: DL6ER
Signed-off-by: yubiuser
---
 scripts/js/gravity.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scripts/js/gravity.js b/scripts/js/gravity.js
index f3edb1e3..77083c91 100644
--- a/scripts/js/gravity.js
+++ b/scripts/js/gravity.js
@@ -5,7 +5,7 @@
 * This file is copyright under the latest version of the EUPL.
 * Please see LICENSE file for your rights under this license.
 */
-/* global apiFailure:false */
+/* global apiFailure:false, utils:false */
 "use strict";
@@ -91,7 +91,8 @@ function parseLines(outputElement, text) {
 for (let line of lines) {
 if (line[0] === "\r") {
 // This line starts with the "OVER" sequence. Replace them with "\n" before print
- line = line.replaceAll("\r", "\n").replaceAll("\r", "\n");
+ // we also escape HTML to prevent XSS attacks
+ line = utils.escapeHtml(line.replaceAll("\r", "\n").replaceAll("\r", "\n"));
 // Last line from the textarea will be overwritten, so we remove it
 const lastLineIndex = outputElement.innerHTML.lastIndexOf("\n");
From 55e8e4a328f77ceafa0b74c012d2a461504b3347 Mon Sep 17 00:00:00 2001
From: yubiuser
Date: Sat, 19 Jul 2025 21:53:26 +0200
Subject: [PATCH 2/3] Use \u001B instead of (hidden) ESC character
Signed-off-by: yubiuser
---
 scripts/js/gravity.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/js/gravity.js b/scripts/js/gravity.js
index 77083c91..06fc4c3a 100644
--- a/scripts/js/gravity.js
+++ b/scripts/js/gravity.js
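Review bot: The new `line = utils.escapeHtml(...)` line in the second hunk depends on a `utils` global that this change only declares for the linter; nothing in the diff shows the script that defines `utils.escapeHtml` being loaded ahead of gravity.js. If it is absent on some page, the first OVER line would throw a ReferenceError — which presumably stops rendering rather than leaking unescaped text, so it fails closed — but the gravity output would be silently broken. Worth confirming the page template includes it, or recording the dependency next to the global declaration, e.g. `// requires utils.js (utils.escapeHtml) to be loaded before this file`. parseLines begins and ends outside this hunk.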
@@ -92,7 +92,7 @@ function parseLines(outputElement, text) {
 if (line[0] === "\r") {
 // This line starts with the "OVER" sequence. Replace them with "\n" before print
 // we also escape HTML to prevent XSS attacks
- line = utils.escapeHtml(line.replaceAll("\r", "\n").replaceAll("\r", "\n"));
+ line = utils.escapeHtml(line.replaceAll("\r\u001B[K", "\n").replaceAll("\r", "\n"));
 // Last line from the textarea will be overwritten, so we remove it
 const lastLineIndex = outputElement.innerHTML.lastIndexOf("\n");
From febc2b870a05f976a0591a14f8f7bb99379ba162 Mon Sep 17 00:00:00 2001
From: yubiuser
Date: Sun, 12 Oct 2025 15:43:37 +0200
Subject: [PATCH 3/3] Escape all lines to also prevent XSS for non-domain entries
Signed-off-by: yubiuser
---
 scripts/js/gravity.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scripts/js/gravity.js b/scripts/js/gravity.js
index 06fc4c3a..425abdaa 100644
--- a/scripts/js/gravity.js
+++ b/scripts/js/gravity.js
@@ -89,10 +89,11 @@ function parseLines(outputElement, text) {
 const lines = text.split(/(?=\r)/g);
 for (let line of lines) {
+ // Escape HTML to prevent XSS attacks (both in adlist URL and non-domain entries)
+ line = utils.escapeHtml(line);
 if (line[0] === "\r") {
 // This line starts with the "OVER" sequence. Replace them with "\n" before print
- // we also escape HTML to prevent XSS attacks
- line = utils.escapeHtml(line.replaceAll("\r\u001B[K", "\n").replaceAll("\r", "\n"));
+ line = line.replaceAll("\r\u001B[K", "\n").replaceAll("\r", "\n");
 // Last line from the textarea will be overwritten, so we remove it
 const lastLineIndex = outputElement.innerHTML.lastIndexOf("\n");
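Review bot: The replacement on the `+` line recognises exactly one control sequence, `\r ESC [ K` (erase to end of line after a carriage return); an ESC that arrives without a preceding `\r`, or any other CSI sequence, passes through to the output untouched, because the trailing `replaceAll("\r", "\n")` strips only the carriage return and leaves `\u001B[K` behind. If the gravity stream can contain other escape sequences, a generic strip such as `line = line.replace(/\u001B\[[0-9;]*[A-Za-z]/g, "").replaceAll("\r", "\n");` would be more robust; if `\r\u001B[K` is the only sequence the backend emits, a comment saying so, e.g. `// "\r\u001B[K" is the only ANSI sequence gravity emits; other escapes are not expected here`, would document why the literal match is enough. The same line is carried unchanged into patch 3/3, so whichever is chosen applies there too. parseLines begins and ends outside this hunk.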
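Review bot: Moving the escape ahead of the `if (line[0] === "\r")` test means the OVER detection and the `\r\u001B[K` replacement now run on already-escaped text, so they silently depend on `utils.escapeHtml` passing carriage returns and ESC through unchanged; escapeHtml's implementation is not in this diff, so that assumption should be recorded next to the new call, e.g. `// escapeHtml must leave \r and \u001B untouched: the OVER handling below matches on them`. If escapeHtml is the usual `& < > " '` mapping the order is fine, and with every line escaped the `innerHTML` sink is safe for this function. It does remain a sink, though, so the guarantee holds only as long as every future write to the element also goes through escapeHtml; writing the element via `textContent` would remove the need to escape at all, but that touches the rest of parseLines, which begins and ends outside this hunk.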