Trying to fix the script tag vulnerability

With code taken directly from CodeQL's manual.

https://codeql.github.com/codeql-query-help/javascript/js-incomplete-multi-character-sanitization/
Glenn R. Martin 2025-06-10 18:28:02 -04:00
parent 46799891d0
commit 6324a3a808


@ -71,7 +71,7 @@ class ParseAITokens extends Operation {
const encodedTokens = fns.encode(input); // IDs
let displayTokens = [];
let displayTokens;
if (showIds) {
displayTokens = encodedTokens.map((x)=> x.toString());
} else {
@ -134,18 +134,11 @@ class ParseAITokens extends Operation {
*/
replaceSpacesOutsideTags(htmlString) {
return htmlString
.replace(/<script/ig, "&lt;script")
.replace(/(&lt;script\b[^>]*>.*?<\/script>)|(<[^>]*?>)|(\s+)/gi, (match, scriptTag, htmlTag, spaces) => {
if (scriptTag) {
// Sanitize the <script> tag by escaping it
return scriptTag
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;");
} else if (htmlTag) {
// Leave other HTML tags unchanged
return htmlTag;
.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/ig, "")
.replace(/(<[^>]*?>)|(\s+)/g, function(match, tag, spaces) {
if (tag) {
return tag;
} else if (spaces) {
// Replace spaces outside tags
return "";
}
})
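Review bot: The new `.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/ig, "")` in `replaceSpacesOutsideTags` is a single-pass removal, which is the pattern the linked CodeQL query reports rather than a fix for it. Deleting one match can join the text on either side into a new `<script` opener, and a block whose closing tag is absent or not spelled exactly `</script>` is never matched. The callback that follows returns every other tag unchanged (`return tag;`), so inline event-handler attributes on non-script elements also pass through. If filtering has to stay in this function, repeat the replacement until the string stops changing, e.g. `do { prev = s; s = s.replace(re, ""); } while (s !== prev);`. A more robust option is to HTML-escape the token text at the point where it is wrapped in markup, which appears to happen outside this hunk, so that no tag filter is needed here.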