Escape all lines to also prevent XSS for non-domain entries

Signed-off-by: yubiuser <github@yubiuser.dev>
yubiuser
2025-10-12 15:43:37 +02:00
parent 55e8e4a328
commit febc2b870a


@@ -89,10 +89,11 @@ function parseLines(outputElement, text) {
const lines = text.split(/(?=\r)/g);
for (let line of lines) {
// Escape HTML to prevent XSS attacks (both in adlist URL and non-domain entries)
line = utils.escapeHtml(line);
if (line[0] === "\r") {
// This line starts with the "OVER" sequence. Replace them with "\n" before print
// we also escape HTML to prevent XSS attacks
line = utils.escapeHtml(line.replaceAll("\r\u001B[K", "\n").replaceAll("\r", "\n"));
line = line.replaceAll("\r\u001B[K", "\n").replaceAll("\r", "\n");
// Last line from the textarea will be overwritten, so we remove it
const lastLineIndex = outputElement.innerHTML.lastIndexOf("\n");