Commit 182c369
fix(security): escape double quotes in esc() to prevent XSS (#3209)
The esc() function in telegram-style.ts escaped &, <, > but not double
quotes. When esc() output is interpolated into HTML attribute values
(e.g. href="..."), unescaped quotes allow attribute injection (XSS).
- Add .replace(/"/g, '&quot;') to esc() in telegram-style.ts
- Mirror fix in test helper esc() functions
- Add 2 new tests: double-quote escaping and combined HTML-special chars
Closes #3209
CodeQL: security/code-scanning/1421 parent 449abb0 commit 182c369
3 files changed
Lines changed: 12 additions & 3 deletions
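The attribute-injection path the commit message describes, as an added example that is not the project's code: it models esc() before and after the double-quote fix, interpolates the output into an href attribute through a hypothetical renderLink() template, and lists the attributes a browser-style tokenizer would see on the resulting tag. It also goes one step beyond the commit with escAttr(), which escapes single quotes as well, to show the single-quoted-attribute case that the double-quote fix alone does not cover. renderLink(), renderLinkSingleQuoted(), attributeNames(), escAttr() and the two payload strings are assumptions constructed here.

```typescript
// Added example, not code from the project: models the esc() behaviour the
// commit message describes, before and after the double-quote fix, and checks
// whether untrusted input can break out of an HTML attribute value.
// renderLink(), renderLinkSingleQuoted(), attributeNames(), escAttr() and the
// payload strings are constructed for this example.

/** esc() as the commit describes it BEFORE the fix: &, <, > only. */
function escBefore(s: string): string {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

/** esc() AFTER the fix: the commit adds a double-quote replacement. */
function escAfter(s: string): string {
  return escBefore(s).replace(/"/g, "&quot;");
}

/**
 * Generalisation (assumption, not in the commit): also escape single quotes so
 * the output is safe inside single-quoted attribute values too.
 */
function escAttr(s: string): string {
  return escAfter(s).replace(/'/g, "&#39;");
}

/** Hypothetical template: esc() output lands in a double-quoted href. */
function renderLink(esc: (s: string) => string, url: string, label: string): string {
  return `<a href="${esc(url)}">${esc(label)}</a>`;
}

/** Same template with a single-quoted attribute, to show the residual gap. */
function renderLinkSingleQuoted(esc: (s: string) => string, url: string, label: string): string {
  return `<a href='${esc(url)}'>${esc(label)}</a>`;
}

/**
 * Lists the attribute names on the first <a> tag the way a tokenizer would:
 * name, '=', then a value quoted with " or '. More than one name here means
 * the input broke out of the intended attribute value.
 */
function attributeNames(html: string): string[] {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  const names: string[] = [];
  const attr = /([a-zA-Z][\w-]*)\s*=\s*(?:"[^"]*"|'[^']*')/g;
  let m: RegExpExecArray | null;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// Constructed payloads: close the attribute value and inject an event handler.
const DQ_PAYLOAD = 'https://example.test/" onmouseover="alert(1)';
const SQ_PAYLOAD = "https://example.test/' onmouseover='alert(1)";

// Stand-alone demonstration: before the fix the double-quote payload yields a
// second attribute; after the fix it stays inside href. The single-quote
// payload still escapes a single-quoted attribute unless escAttr() is used.
for (const [name, html] of [
  ["before, double-quoted", renderLink(escBefore, DQ_PAYLOAD, "x")],
  ["after,  double-quoted", renderLink(escAfter, DQ_PAYLOAD, "x")],
  ["after,  single-quoted", renderLinkSingleQuoted(escAfter, SQ_PAYLOAD, "x")],
  ["escAttr, single-quoted", renderLinkSingleQuoted(escAttr, SQ_PAYLOAD, "x")],
] as const) {
  console.log(name, "->", attributeNames(html).join(","), "|", html);
}
```

attributeNames() deliberately accepts both quote styles, because that is what the browser's attribute tokenizer does: the escaper has to neutralise whichever quote character the surrounding template uses, and a fix that covers only one of them is only as safe as the templates that call it.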
Three per-file diff tables follow on the page; only their line numbers rendered, the changed lines themselves did not. Recoverable structure per file:

- File 1: old line 10 replaced by new line 10 (context lines 7-9 and 11-13); eight lines (new 167-174) added after old line 166 (context 164-166; old 167-169 become new 175-177).
- File 2: old line 16 replaced by new line 16 (context lines 13-15 and 17-19).
- File 3: old line 22 replaced by new lines 22-23 (context lines 19-21; old 23-25 become new 24-26).
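Review bot: escaping only the double quote leaves the single quote (') untouched, so esc() output interpolated into a single-quoted attribute value (href='...') can still break out of the attribute; since this commit positions esc() as safe for attribute values, add .replace(/'/g, '&#39;') next to the new double-quote replacement and cover it in the same two new tests. Separately, HTML-escaping the href value does not make the URL itself safe: a value such as javascript:alert(1) contains none of &, <, >, " and passes through esc() unchanged, so the href call site still needs scheme validation before interpolation, independent of this fix.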
0 commit comments