assets/src/utils/functions.js
/** | /** | ||||
* Copyright (C) 2018-2020 The Software Heritage developers | * Copyright (C) 2018-2022 The Software Heritage developers | ||||
* See the AUTHORS file at the top-level directory of this distribution | * See the AUTHORS file at the top-level directory of this distribution | ||||
* License: GNU Affero General Public License version 3, or any later version | * License: GNU Affero General Public License version 3, or any later version | ||||
* See top-level LICENSE file for more information | * See top-level LICENSE file for more information | ||||
*/ | */ | ||||
// utility functions | // utility functions | ||||
import Cookies from 'js-cookie'; | import Cookies from 'js-cookie'; | ||||
export function getHumanReadableDate(data) { | export function getHumanReadableDate(data) { | ||||
// Display iso format date string into a human readable date | // Display iso format date string into a human readable date | ||||
// This is expected to be used by date field in datatable listing views | // This is expected to be used by date field in datatable listing views | ||||
// Example: 3/24/2022, 10:31:08 AM | // Example: 3/24/2022, 10:31:08 AM | ||||
const date = new Date(data); | const date = new Date(data); | ||||
return date.toLocaleString(); | return date.toLocaleString(); | ||||
} | } | ||||
export function genLink(sanitizedUrl, type, openInNewTab = false, linkText = '') { | |||||
// Display link. It's up to the caller to sanitize sanitizedUrl first. | |||||
if (type === 'display' && sanitizedUrl) { | |||||
vlorentz: `encodeURI` is not sufficient to sanitize; which means maliciously crafted URLs can be used to… | |||||
Done Inline Actionswould having $.fn.dataTable.render.text().display(data); called within here be enough? ardumont: would having `$.fn.dataTable.render.text().display(data);` called within here be enough?
(it… | |||||
Done Inline ActionsFeels weird to use datatable here, but sure. Alternatively, you can use any of these methods: https://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery vlorentz: Feels weird to use datatable here, but sure. Alternatively, you can use any of these methods… | |||||
Done Inline Actionsalso, I'm not sure it would try to escape " characters, $.fn.dataTable.render.text().display(data) is designed to escape HTML; not attribute values. And in particular, I just realized we should whitelist schemes; because typical escaping won't filter out javascript: pseudo-URLs vlorentz: also, I'm not sure it would try to escape `"` characters, `$.fn.dataTable.render.text().display… | |||||
const encodedSanitizedUrl = encodeURI(sanitizedUrl); | |||||
if (!linkText) { | |||||
linkText = encodedSanitizedUrl; | |||||
} | |||||
let attrs = ''; | |||||
if (openInNewTab) { | |||||
attrs = 'target="_blank" rel="noopener noreferrer"'; | |||||
} | |||||
return `<a href="${encodedSanitizedUrl}" ${attrs}>${linkText}</a>`; | |||||
} | |||||
return sanitizedUrl; | |||||
} |
encodeURI is not sufficient to sanitize; which means maliciously crafted URLs can be used to XSS; for example by submitting javascript:alert(42) as URL.
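Review bot: `linkText` is inserted as the anchor's text content without any HTML escaping in the `return` template at the end of `genLink`, while the header comment only warns callers about `sanitizedUrl`; a caller that passes user-controlled text as `linkText` gets markup injected into the rendered cell. Either escape it in place or make the contract explicit in the comment: `// It's up to the caller to sanitize sanitizedUrl and HTML-escape linkText first.`. Note that the fallback used when `linkText` is empty is the percent-encoded URL, and `encodeURI` leaves `&` and `'` untouched, so that default is not HTML-escaped either. Separately, reassigning the `linkText` parameter is clearer as `const text = linkText || encodedSanitizedUrl;` with `text` interpolated in the template instead.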