Ole-Morten Duesund
4a0a993e81
Add centralized escapeHtml() utility and apply it to every dynamic value inserted via innerHTML/template literals across the frontend. Data from VRS JSON sources and external CSV files (airline names, countries) flows through the backend as arbitrary strings that could contain HTML. While Go's json.Marshal escapes < > &, JavaScript's JSON.parse reverses those escapes before the values reach innerHTML — enabling script injection. Affected modules: aircraft-manager, ui-manager, callsign-manager, map-manager, and the 3D radar labels in app.js. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
22 lines
920 B
JavaScript
22 lines
920 B
JavaScript
// HTML sanitization utilities to prevent XSS when using innerHTML
|
|
//
|
|
// Data from ADS-B/VRS sources and external CSV files (airline names, countries)
|
|
// flows through the Go backend as JSON. While json.Marshal escapes < > &,
|
|
// JSON.parse() reverses those escapes. Any dynamic value inserted via innerHTML
|
|
// or template literals must be escaped to prevent script injection.
|
|
|
|
/**
|
|
* Escape a string for safe insertion into HTML content or attributes.
|
|
* Converts the five HTML-significant characters to their entity equivalents.
|
|
* @param {*} value - The value to escape (coerced to string, null/undefined become '')
|
|
* @returns {string} - HTML-safe string
|
|
*/
|
|
export function escapeHtml(value) {
|
|
if (value == null) return '';
|
|
return String(value)
|
|
.replace(/&/g, '&')
|
|
.replace(/</g, '<')
|
|
.replace(/>/g, '>')
|
|
.replace(/"/g, '"')
|
|
.replace(/'/g, ''');
|
|
}
|