Merge pull request #82 from onaluf/html_escaping

fix(securtiy): Properly encode HTML when serilaizing text
onaluf · Jul 9, 2020 · 87ff78d · 87ff78d
2 parents 2239314 + 6dc7cfa
commit 87ff78d
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/src/app/fate-html-parser.service.ts b/src/app/fate-html-parser.service.ts
@@ -1,5 +1,4 @@
 import { Injectable } from '@angular/core';
-
 import { FateNode } from './fate-node';
 import { FateType } from './fate-type.enum';
 
@@ -8,8 +7,6 @@ import { FateType } from './fate-type.enum';
 })
 export class FateHtmlParserService {
 
-  constructor() { }
-
   public parse(html: string): FateNode {
     const div = document.createElement('div');
     div.innerHTML = html;
@@ -19,7 +16,7 @@ export class FateHtmlParserService {
   public parseElement(element: HTMLElement): FateNode {
     const nodes = this.parseType(element);
     let currentNode = nodes[0];
-    
+
     let isABlock = (currentNode.type === FateType.PARAGRAPH);
     for (let i = 1; i < nodes.length; i++) {
       currentNode.children.push(nodes[i]);
@@ -250,12 +247,19 @@ export class FateHtmlParserService {
     return (child instanceof HTMLElement && child.nodeName === 'BR');
   }
 
+  private p = document.createElement('p');
+  protected encodeHtml(text: string) {
+    // From https://stackoverflow.com/a/29482788/829139
+    this.p.textContent = text;
+    return this.p.innerHTML;
+  }
+
   // Saves a Tree in string representation
   public serialize (node: FateNode, fallbackToBr: boolean = false): string {
     let serialized = '';
     node.children.forEach((child) => {
       if (typeof child === 'string') {
-        serialized += child;
+        serialized += this.encodeHtml(child);
       } else {
         serialized += this.serializeType(child);
       }