💥 '); DROP TABLES 'commits' -- __injectCSS(); //

6aae8778 · GitSquared · ea199bd0 · 6aae8778 · 6aae8778 · 6aae8778
隐藏空白更改
内联并排

Showing with 25 addition and 15 deletion

src/_renderer.js src/_renderer.js +20 -0

src/classes/filesystem.class.js src/classes/filesystem.class.js +4 -14

src/ui.html src/ui.html +1 -1

未找到文件。
--- a/src/_renderer.js
+++ b/src/_renderer.js
@@ -2,6 +2,24 @@
 window.eval = global.eval = function () {
    throw new Error("eval() is disabled for security reasons.");
 };
+// Security helper :)
+window._escapeHtml = (text) => {
+    let map = {
+        '&': '&amp;',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        "'": '&#039;'
+    };
+    return text.replace(/[&<>"']/g, m => {return map[m];});
+};
+window._purifyCSS = (str) => {
+    let map = {
+        '<': '&lt;',
+        '>': '&gt;'
+    };
+    return str.replace(/[&<>"']/g, m => {return map[m];});
+};

 // Initiate basic error handling
 window.onerror = (msg, path, line, col, error) => {
@@ -56,6 +74,8 @@ window._loadTheme = (theme) => {
    body {
        font-family: var(--font_main), sans-serif;
    }
+
+    ${window._purifyCSS(theme.injectCSS || "")}
    </style>`;

    window.theme = theme;

--- a/src/classes/filesystem.class.js
+++ b/src/classes/filesystem.class.js
@@ -107,25 +107,25 @@ class FilesystemDisplay {

                                    this._tmp.dirs.forEach(e => {
                                        this.cwd.push({
-                                            name: this._escapeHtml(e),
+                                            name: window._escapeHtml(e),
                                            type: "dir"
                                        });
                                    });
                                    this._tmp.symlinks.forEach(e => {
                                        this.cwd.push({
-                                            name: this._escapeHtml(e),
+                                            name: window._escapeHtml(e),
                                            type: "symlink"
                                        });
                                    });
                                    this._tmp.files.forEach(e => {
                                        if (tcwd === themesDir && e.endsWith(".json")) {
                                            this.cwd.push({
-                                                name: this._escapeHtml(e),
+                                                name: window._escapeHtml(e),
                                                type: "edex-theme"
                                            });
                                        } else {
                                            this.cwd.push({
-                                                name: this._escapeHtml(e),
+                                                name: window._escapeHtml(e),
                                                type: "file"
                                            });
                                        }
@@ -204,14 +204,4 @@ class FilesystemDisplay {
            this.space_bar.bar.value = Math.round(this.fsBlock.use);
        };
    }
-    _escapeHtml(text) {
-        let map = {
-            '&': '&amp;',
-            '<': '&lt;',
-            '>': '&gt;',
-            '"': '&quot;',
-            "'": '&#039;'
-        };
-        return text.replace(/[&<>"']/g, m => {return map[m];});
-    }
 }
--- a/src/ui.html
+++ b/src/ui.html
@@ -2,7 +2,7 @@
 <html>
    <head>
        <meta charset="utf-8" />
-        <meta http-equiv="Content-Security-Policy" content="default-src file: 'unsafe-inline'; connect-src ws:">
+        <meta http-equiv="Content-Security-Policy" content="default-src file: 'unsafe-inline'; img-src data:; connect-src ws:">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <title>eDEX-UI</title>