From d9d6b7aa37b0536d99451c0815f71413a75a365e Mon Sep 17 00:00:00 2001
From: MikeCAT
Date: Sat, 18 Mar 2023 00:32:06 +0900
Subject: [PATCH 1/2] fix XSS in operation TranslateDateTimeFormat
---
 .../operations/TranslateDateTimeFormat.mjs | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/src/core/operations/TranslateDateTimeFormat.mjs b/src/core/operations/TranslateDateTimeFormat.mjs
index 65b4e1fe..12feac3f 100644
--- a/src/core/operations/TranslateDateTimeFormat.mjs
+++ b/src/core/operations/TranslateDateTimeFormat.mjs
@@ -24,7 +24,8 @@ class TranslateDateTimeFormat extends Operation {
 this.description = "Parses a datetime string in one format and re-writes it in another.

Run with no input to see the relevant format string examples.";
 this.infoURL = "https://momentjs.com/docs/#/parsing/string-format/";
 this.inputType = "string";
- this.outputType = "html";
+ this.outputType = "string";
+ this.presentType = "html";
 this.args = [
 {
 "name": "Built in formats",
@@ -53,12 +54,14 @@ class TranslateDateTimeFormat extends Operation {
 "value": ["UTC"].concat(moment.tz.names())
 }
 ];
+
+ this.invalidFormatMessage = "Invalid format.";
 }
 /**
 * @param {string} input
 * @param {Object[]} args
- * @returns {html}
+ * @returns {string}
 */
 run(input, args) {
 const [inputFormat, inputTimezone, outputFormat, outputTimezone] = args.slice(1);
@@ -68,12 +71,24 @@ class TranslateDateTimeFormat extends Operation {
 date = moment.tz(input, inputFormat, inputTimezone);
 if (!date || date.format() === "Invalid date") throw Error;
 } catch (err) {
- return `Invalid format.\n\n${FORMAT_EXAMPLES}`;
+ return this.invalidFormatMessage;
 }
 return date.tz(outputTimezone).format(outputFormat);
 }
+ /**
+ * @param {string} data
+ * @returns {html}
+ */
+ present(data) {
+ if (data === this.invalidFormatMessage) {
+ return `${data}\n\n${FORMAT_EXAMPLES}`;
+ }
+ return data.replace(/&/g, "&") .replace(//g, ">");
+ }
 }
 export default TranslateDateTimeFormat;
From ab283fc801fb192d5f05d9f2e2b6d10017a80903 Mon Sep 17 00:00:00 2001
From: MikeCAT
Date: Sat, 18 Mar 2023 00:54:43 +0900
Subject: [PATCH 2/2] use Utils.escapeHtml instead of manual escaping
---
 src/core/operations/TranslateDateTimeFormat.mjs | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/core/operations/TranslateDateTimeFormat.mjs b/src/core/operations/TranslateDateTimeFormat.mjs
index 12feac3f..60a4cdda 100644
--- a/src/core/operations/TranslateDateTimeFormat.mjs
+++ b/src/core/operations/TranslateDateTimeFormat.mjs
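Review bot: `this.invalidFormatMessage` is introduced as a writable public instance property, yet it is only a fixed sentinel that `present()` later compares against by string equality, so it reads like configuration when it is not; a module-level `const INVALID_FORMAT_MESSAGE = "Invalid format.";` referenced from both `run()` and `present()` would state that intent and keep the marker from being altered at runtime. Comparing by value also means any successful `run()` whose formatted output happens to equal the sentinel text takes the examples branch in `present()` — moment treats bracketed text in a format string as a literal, so an output format such as `[Invalid format.]` could presumably yield exactly that string; the branch only appends the trusted help text, so this is cosmetic, but a short comment on the sentinel would save the next reader the puzzle. The same comparison appears in the `present()` hunk below and again in the second patch.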
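Review bot: The new `present()` JSDoc lists only the parameter and return type and does not say that this method is now the operation's HTML boundary, which is the point of the whole change; a one-line description such as `Escapes run()'s output for the html presenter; the invalid-format sentinel is shown verbatim with FORMAT_EXAMPLES appended.` would tell a later maintainer why the escape must stay. `run()`'s updated `@returns {string}` would likewise benefit from noting that a parse failure is reported as the `invalidFormatMessage` string rather than thrown, since the catch discards `err`. The added `.replace` chain is garbled in this rendering and cannot be checked here, but as an operation argument `outputFormat` is user-supplied and flows into `date.format()`, so every value `run()` returns has to be treated as untrusted text by `present()`.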
@@ -5,6 +5,7 @@ */
 import Operation from "../Operation.mjs";
+import Utils from "../Utils.mjs";
 import moment from "moment-timezone";
 import {DATETIME_FORMATS, FORMAT_EXAMPLES} from "../lib/DateTime.mjs";
@@ -85,9 +86,7 @@ class TranslateDateTimeFormat extends Operation {
 if (data === this.invalidFormatMessage) {
 return `${data}\n\n${FORMAT_EXAMPLES}`;
 }
- return data.replace(/&/g, "&")
- .replace(//g, ">");
+ return Utils.escapeHtml(data);
 }
 }
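Review bot: The sentinel branch still interpolates `data` into the HTML result unescaped while the other branch now goes through `Utils.escapeHtml`, so the invariant that everything `run()` returns is escaped before reaching the `html` presenter holds only because `invalidFormatMessage` is a constant literal today. Wrapping `data` in `Utils.escapeHtml(...)` inside that template literal as well costs nothing and keeps the method safe if the message is ever made to carry input or the sentinel comparison is loosened. The removed `.replace` lines are garbled in this rendering, so the switch to the shared helper is also the only way to be sure the full `&`, `<`, `>` and quote set is covered. The enclosing `present()` starts outside this hunk.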