web-manager 3.2.63 → 3.2.64

Files changed (2) hide show
  1. package/lib/utilities.js +11 -21
  2. package/package.json +1 -1
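--- a/package/lib/utilities.js
+++ b/package/lib/utilities.js
@@ -108,29 +108,19 @@ Utilities.clipboardCopy = function (input) {
 Utilities.escapeHTML = function (str) {
 shadow = shadow || document.createElement('p');
 shadow.innerHTML = '';
+
+// This automatically escapes HTML entities like <, >, &, etc.
 shadow.appendChild(document.createTextNode(str));
 
-return shadow.innerHTML
-.replaceAll('&', '&amp;')
-.replaceAll('<', '&lt;')
-.replaceAll('>', '&gt;')
-.replaceAll('"', '&quot;')
-.replaceAll('\'', '&#039;');
-
-// return shadow.innerHTML.replace(/[&<>"']/g, function (m) {
-// switch (m) {
-// case '&':
-// return '&amp;';
-// case '<':
-// return '&lt;';
-// case '>':
-// return '&gt;';
-// case '"':
-// return '&quot;';
-// case "'":
-// return '&#039;';
-// }
-// });
+// This is needed to escape quotes to prevent attribute injection
+return shadow.innerHTML.replace(/["']/g, function(m) {
+switch (m) {
+case '"':
+return '&quot;';
+default:
+return '&#039;';
+}
+});
 }
 
 Utilities.getContext = function () {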
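Review bot: The new escapeHTML still round-trips the input through the shared `shadow` element only so the serializer handles `&`, `<` and `>` before the regex handles the two quote characters, which ties a pure string function to `document` and to module-level mutable state (`shadow` is declared outside this hunk, so whether it is a real declaration or an implicit global is not visible here). A single table-driven replace over `/[&<>"']/g` yields the same five entities, needs no DOM, and can be unit-tested under Node; the rewrite is below. Whichever implementation is kept, the function header should state the contract so callers do not over-trust it, e.g. `// Escapes &, <, >, " and ' so the result is safe as HTML text or inside a quoted attribute value; it is NOT sufficient for unquoted attributes, inline JavaScript, CSS or URL contexts.`
```javascript
Utilities.escapeHTML = function (str) {
  // Safe for HTML text and quoted attribute values only (not JS/CSS/URL contexts).
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(str).replace(/[&<>"']/g, function (m) {
    return entities[m];
  });
};
```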
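--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "web-manager",
-"version": "3.2.63",
+"version": "3.2.64",
 "description": "Easily access important variables such as the query string, current domain, and current page in a single object.",
 "main": "index.js",
 "scripts": {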