Escape input, fixes #3990

2025-02-25 18:45:27 -06:00 · 2020-10-25 06:36:33 +01:00 · 2020-10-25 06:36:33 +01:00 · f6ce49b586
commit f6ce49b586
parent cf3d9d26fa
5 changed files with 54 additions and 5 deletions
--- a/public/v1/js/create_transaction.js
+++ b/public/v1/js/create_transaction.js
--- a/public/v1/js/edit_transaction.js
+++ b/public/v1/js/edit_transaction.js
--- a/resources/assets/js/components/transactions/AccountSelect.vue
+++ b/resources/assets/js/components/transactions/AccountSelect.vue
@ -135,7 +135,17 @@ export default {
        aSyncFunction: function (query, done) {
          axios.get(this.accountAutoCompleteURI + query)
              .then(res => {
-                done(res.data);
+                // loop over data
+                let escapedData = [];
+                let current;
+                for (const key in res.data) {
+                  if (res.data.hasOwnProperty(key) && /^0$|^[1-9]\d*$/.test(key) && key <= 4294967294) {
+                    current = res.data[key];
+                    current.description = this.escapeHtml(res.data[key].description)
+                    escapedData.push(current);
+                  }
+                }
+                done(escapedData);
              })
              .catch(err => {
                // any error handler
--- a/resources/assets/js/components/transactions/Category.vue
+++ b/resources/assets/js/components/transactions/Category.vue
@ -94,7 +94,17 @@ export default {
    aSyncFunction: function (query, done) {
      axios.get(this.categoryAutoCompleteURI + query)
          .then(res => {
-            done(res.data);
+            // loop over data
+            let escapedData = [];
+            let current;
+            for (const key in res.data) {
+              if (res.data.hasOwnProperty(key) && /^0$|^[1-9]\d*$/.test(key) && key <= 4294967294) {
+                current = res.data[key];
+                current.description = this.escapeHtml(res.data[key].description)
+                escapedData.push(current);
+              }
+            }
+            done(escapedData);
          })
          .catch(err => {
            // any error handler
--- a/resources/assets/js/components/transactions/TransactionDescription.vue
+++ b/resources/assets/js/components/transactions/TransactionDescription.vue
@ -83,12 +83,41 @@ export default {
    aSyncFunction: function (query, done) {
      axios.get(this.descriptionAutoCompleteURI + query)
          .then(res => {
-            done(res.data);
+
+            // loop over data
+            let escapedData = [];
+            let current;
+            for (const key in res.data) {
+              if (res.data.hasOwnProperty(key) && /^0$|^[1-9]\d*$/.test(key) && key <= 4294967294) {
+                current = res.data[key];
+                current.description = this.escapeHtml(res.data[key].description)
+                escapedData.push(current);
+              }
+            }
+            done(escapedData);
          })
          .catch(err => {
            // any error handler
          })
    },
+    escapeHtml: function (string) {
+
+      let entityMap = {
+        '&': '&amp;',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        "'": '&#39;',
+        '/': '&#x2F;',
+        '`': '&#x60;',
+        '=': '&#x3D;'
+      };
+
+      return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap(s) {
+        return entityMap[s];
+      });
+
+    },
    search: function (input) {
      return ['ab', 'cd'];
    },