XSS localStorage

7 years ago · bb4eb1ed9a
parent b44ecff6ea
commit bb4eb1ed9a
1 changed files with 7 additions and 1 deletions
--- a/lib/util.js
+++ b/lib/util.js
@ -9,9 +9,15 @@ const parse = v => {
  } catch (e) {}
 }

+const escapeHtml = s =>
+  s
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/\//g, '&#x2F;')
+
 export const parseRGBA = obj => `rgba(${obj.r},${obj.g},${obj.b},${obj.a})`

-export const getState = morph.compose(parse, morph.get(KEY))
+export const getState = morph.compose(parse, escapeHtml, morph.get(KEY))
 export const saveState = (window, v) => assign(window, JSON.stringify(v))

 export const capitalizeFirstLetter = s => s.charAt(0).toUpperCase() + s.slice(1)