From 6dc7cfa21f599c45d291d30f8103d7914719e9f5 Mon Sep 17 00:00:00 2001
From: Selim Arsever
Date: Thu, 9 Jul 2020 16:20:18 +0100
Subject: [PATCH] fix(securtiy): Properly encode HTML when serilaizing text
---
 src/app/fate-html-parser.service.ts | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/app/fate-html-parser.service.ts b/src/app/fate-html-parser.service.ts
index bcbfb38..95293e4 100644
--- a/src/app/fate-html-parser.service.ts
+++ b/src/app/fate-html-parser.service.ts
@@ -1,5 +1,4 @@
 import { Injectable } from '@angular/core';
-
 import { FateNode } from './fate-node';
 import { FateType } from './fate-type.enum';
 
@@ -8,8 +7,6 @@ import { FateType } from './fate-type.enum';
 })
 export class FateHtmlParserService {
 
- constructor() { }
-
 public parse(html: string): FateNode {
 const div = document.createElement('div');
 div.innerHTML = html;
@@ -19,7 +16,7 @@ export class FateHtmlParserService {
 public parseElement(element: HTMLElement): FateNode {
 const nodes = this.parseType(element);
 let currentNode = nodes[0];
-
+
 let isABlock = (currentNode.type === FateType.PARAGRAPH);
 for (let i = 1; i < nodes.length; i++) {
 currentNode.children.push(nodes[i]);
@@ -250,12 +247,19 @@ export class FateHtmlParserService {
 return (child instanceof HTMLElement && child.nodeName === 'BR');
 }
 
+ private p = document.createElement('p');
+ protected encodeHtml(text: string) {
+ // From https://stackoverflow.com/a/29482788/829139
+ this.p.textContent = text;
+ return this.p.innerHTML;
+ }
+
 // Saves a Tree in string representation
 public serialize (node: FateNode, fallbackToBr: boolean = false): string {
 let serialized = '';
 node.children.forEach((child) => {
 if (typeof child === 'string') {
- serialized += child;
+ serialized += this.encodeHtml(child);
 } else {
 serialized += this.serializeType(child);
 }
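Review bot: The new `encodeHtml` in the last hunk is only safe for text-node content, because the `textContent`/`innerHTML` round-trip encodes `&`, `<` and `>` but leaves `"` and `'` untouched, and nothing in the method's name or signature tells a future caller not to reuse it for attribute values; document that contract and pin the return type, e.g. `/** Escapes text for use as HTML text-node content only: '&', '<' and '>' are encoded, quotes are not, so never use this for attribute values. */` above `protected encodeHtml(text: string): string {`. The `this.serializeType(child)` branch two lines below is not touched by this commit, so if it emits any attribute values they presumably still need their own escaping, which cannot be confirmed from this hunk. As a point of style, `private p` is declared between two methods and keeps the last serialized string alive on the service; a local `const p = document.createElement('p')` inside the method, or the field moved up with the other class members, would read more conventionally. The `serialize` method continues past the end of the hunk.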