From d2d0f34bf85e8fa81a62053dd8279f9d65f526c9 Mon Sep 17 00:00:00 2001
From: John <74227617+shimakaze09@users.noreply.github.com>
Date: Sun, 24 Nov 2024 17:56:33 +1300
Subject: [PATCH] Fix code scanning alert no. 1: Unsafe HTML constructed from library input
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 Web/wwwroot/js/bootstrap-treeview.js | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/Web/wwwroot/js/bootstrap-treeview.js b/Web/wwwroot/js/bootstrap-treeview.js
index 07ff274..7df5d44 100644
--- a/Web/wwwroot/js/bootstrap-treeview.js
+++ b/Web/wwwroot/js/bootstrap-treeview.js
@@ -651,29 +651,39 @@
 }
 };
+ // Helper function to escape unsafe characters
+ Tree.prototype.escapeHtml = function (unsafe) {
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+ };
+
 // Construct trees style based on user options
 Tree.prototype.buildStyle = function () {
 let style = '.node-' + this.elementId + '{';
 if (this.options.color) {
- style += 'color:' + this.options.color + ';';
+ style += 'color:' + this.escapeHtml(this.options.color) + ';';
 }
 if (this.options.backColor) {
- style += 'background-color:' + this.options.backColor + ';';
+ style += 'background-color:' + this.escapeHtml(this.options.backColor) + ';';
 }
 if (!this.options.showBorder) {
 style += 'border:none;';
 } else if (this.options.borderColor) {
- style += 'border:1px solid ' + this.options.borderColor + ';';
+ style += 'border:1px solid ' + this.escapeHtml(this.options.borderColor) + ';';
 }
 style += '}';
 if (this.options.onhoverColor) {
 style += '.node-' + this.elementId + ':not(.node-disabled):hover{' +
- 'background-color:' + this.options.onhoverColor + ';' +
+ 'background-color:' + this.escapeHtml(this.options.onhoverColor) + ';' +
 '}';
 }