Trying to fix the script tag vulnerability

With code taken directly from CodeQL's manual.

https://codeql.github.com/codeql-query-help/javascript/js-incomplete-multi-character-sanitization/
Glenn R. Martin 2025-06-10 18:28:02 -04:00
parent 46799891d0
commit 6324a3a808


@ -71,7 +71,7 @@ class ParseAITokens extends Operation {
const encodedTokens = fns.encode(input); // IDs const encodedTokens = fns.encode(input); // IDs
let displayTokens = []; let displayTokens;
if (showIds) { if (showIds) {
displayTokens = encodedTokens.map((x)=> x.toString()); displayTokens = encodedTokens.map((x)=> x.toString());
} else { } else {
@ -134,18 +134,11 @@ class ParseAITokens extends Operation {
*/ */
replaceSpacesOutsideTags(htmlString) { replaceSpacesOutsideTags(htmlString) {
return htmlString return htmlString
.replace(/<script/ig, "&lt;script") .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/ig, "")
.replace(/(&lt;script\b[^>]*>.*?<\/script>)|(<[^>]*?>)|(\s+)/gi, (match, scriptTag, htmlTag, spaces) => { .replace(/(<[^>]*?>)|(\s+)/g, function(match, tag, spaces) {
if (scriptTag) { if (tag) {
// Sanitize the <script> tag by escaping it return tag;
return scriptTag
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;");
} else if (htmlTag) {
// Leave other HTML tags unchanged
return htmlTag;
} else if (spaces) { } else if (spaces) {
// Replace spaces outside tags
return ""; return "";
} }
}) })
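Review bot: The single-pass `<script>` strip introduced on the new side of line 23 is bypassable by nesting — `<scr<script></script>ipt>alert(1)</script>` loses only the inner pair and comes out as an intact `<script>alert(1)</script>`, which the `return tag;` branch of the second replace then passes through untouched. Repeating the removal until the string stops changing closes that specific gap (sketched below). Even with the loop, removing script elements is not HTML sanitization: `<img onerror=…>`, `<svg onload=…>` and `<a href="javascript:…">` are ordinary tags to the `(<[^>]*?>)` group and are returned unchanged, so if this result is ever assigned to innerHTML (not visible in this hunk) it still needs a proper sanitizer or `<`/`>` escaping rather than tag removal. The tail of replaceSpacesOutsideTags is outside the hunk, so where the return value ends up cannot be confirmed here.
```javascript
replaceSpacesOutsideTags(htmlString) {
    // Re-run the strip until a fixpoint: a single pass can be defeated by
    // nesting, e.g. "<scr<script></script>ipt>…" reassembles into a script tag.
    let previous;
    let stripped = htmlString;
    do {
        previous = stripped;
        stripped = stripped.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/ig, "");
    } while (stripped !== previous);
    return stripped
        .replace(/(<[^>]*?>)|(\s+)/g, function(match, tag, spaces) {
        // … unchanged: tag / whitespace callback …
```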