@@ -58,46 +58,56 @@ document.addEventListener("DOMContentLoaded", () => {
5858 } ,
5959 } ;
6060
61+ function escapeHtml ( text ) {
62+ const div = document . createElement ( 'div' ) ;
63+ div . textContent = text ;
64+ return div . innerHTML ;
65+ }
66+
6167 function syntaxHighlight ( json ) {
6268 if ( typeof json !== 'string' ) {
6369 json = JSON . stringify ( json , undefined , 2 ) ;
6470 }
65- json = json . replace ( / & / g, '&' ) . replace ( / < / g, '<' ) . replace ( / > / g, '>' ) ;
66- return json . replace ( / ( " ( \\ u [ a - z A - Z 0 - 9 ] { 4 } | \\ [ ^ u ] | [ ^ \\ " ] ) * " ( \s * : ) ? | \b ( t r u e | f a l s e | n u l l ) \b | - ? \d + (?: \. \d * ) ? (?: [ e E ] [ + - ] ? \d + ) ? ) / g, function ( match ) {
67- let cls = 'json-number' ;
68- if ( / ^ " / . test ( match ) ) {
69- if ( / : $ / . test ( match ) ) {
70- cls = 'json-key' ;
71- } else {
72- cls = 'json-string' ;
71+
72+ const escapedJson = escapeHtml ( json ) ;
73+
74+ return escapedJson . replace (
75+ / ( " ( \\ u [ a - z A - Z 0 - 9 ] { 4 } | \\ [ ^ u ] | [ ^ \\ " ] ) * " ( \s * : ) ? | \b ( t r u e | f a l s e | n u l l ) \b | - ? \d + (?: \. \d * ) ? (?: [ e E ] [ + - ] ? \d + ) ? ) / g,
76+ function ( match ) {
77+ let cls = 'json-number' ;
78+ if ( / ^ " / . test ( match ) ) {
79+ if ( / : $ / . test ( match ) ) {
80+ cls = 'json-key' ;
81+ } else {
82+ cls = 'json-string' ;
83+ }
84+ } else if ( / t r u e | f a l s e / . test ( match ) ) {
85+ cls = 'json-boolean' ;
86+ } else if ( / n u l l / . test ( match ) ) {
87+ cls = 'json-null' ;
7388 }
74- } else if ( / t r u e | f a l s e / . test ( match ) ) {
75- cls = 'json-boolean' ;
76- } else if ( / n u l l / . test ( match ) ) {
77- cls = 'json-null' ;
89+ return `<span class="${ cls } ">${ match } </span>` ;
7890 }
79- return '<span class="' + cls + '">' + match + '</span>' ;
80- } ) ;
91+ ) ;
8192 }
8293
8394 async function fetchData ( sourceKey , vulnId ) {
8495 const config = sourceConfigMap [ sourceKey ] ;
8596 let url ;
97+
98+ const safeId = encodeURIComponent ( vulnId ) ;
8699
87100 if ( config . proxySource ) {
88- url = `/triage/proxy?source=${ config . proxySource } &id=${ vulnId } ` ;
101+ url = `/triage/proxy?source=${ encodeURIComponent ( config . proxySource ) } &id=${ safeId } ` ;
89102 } else if ( config . urlTemplate ) {
90- url = config . urlTemplate . replace ( "{id}" , vulnId ) ;
103+ url = config . urlTemplate . replace ( "{id}" , safeId ) ;
91104 } else {
92- return Promise . reject ( new Error ( "Invalid configuration" ) ) ;
105+ throw new Error ( "Invalid configuration" ) ;
93106 }
94107
95108 const response = await fetch ( url ) ;
96109 if ( ! response . ok ) {
97- if ( response . status === 404 ) {
98- throw new Error ( "Not Found" ) ;
99- }
100- throw new Error ( `Error: ${ response . statusText } ` ) ;
110+ throw new Error ( response . status === 404 ? "Not Found" : `Error: ${ response . statusText } ` ) ;
101111 }
102112 return response . json ( ) ;
103113 }
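Review bot: At the top of fetchData the result of `sourceConfigMap[sourceKey]` is dereferenced at `config.proxySource` before anything confirms an entry exists, so an unknown or mistyped sourceKey throws a TypeError from the property read instead of the "Invalid configuration" error the else-branch intends, and because it is a plain bracket lookup an inherited property name (e.g. a key that only exists on Object.prototype) would resolve as well. I would guard immediately after the lookup: `if (!Object.hasOwn(sourceConfigMap, sourceKey) || !config) throw new Error("Invalid configuration");`. Separately, `config.urlTemplate.replace("{id}", safeId)` substitutes only the first `{id}`; if a template may carry the placeholder more than once, `replaceAll("{id}", safeId)` is the intended call. Where sourceKey and vulnId originate is not visible in this hunk, so whether they are user-controlled is inferred rather than shown.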