Changeset View
Changeset View
Standalone View
Standalone View
assets/src/utils/functions.js
| /** | /** | ||||
| * Copyright (C) 2018-2020 The Software Heritage developers | * Copyright (C) 2018-2022 The Software Heritage developers | ||||
| * See the AUTHORS file at the top-level directory of this distribution | * See the AUTHORS file at the top-level directory of this distribution | ||||
| * License: GNU Affero General Public License version 3, or any later version | * License: GNU Affero General Public License version 3, or any later version | ||||
| * See top-level LICENSE file for more information | * See top-level LICENSE file for more information | ||||
| */ | */ | ||||
| // utility functions | // utility functions | ||||
| import Cookies from 'js-cookie'; | import Cookies from 'js-cookie'; | ||||
| ▲ Show 20 Lines • Show All 150 Lines • ▼ Show 20 Lines | |||||
| export function getHumanReadableDate(data) { | export function getHumanReadableDate(data) { | ||||
| // Display iso format date string into a human readable date | // Display iso format date string into a human readable date | ||||
| // This is expected to be used by date field in datatable listing views | // This is expected to be used by date field in datatable listing views | ||||
| // Example: 3/24/2022, 10:31:08 AM | // Example: 3/24/2022, 10:31:08 AM | ||||
| const date = new Date(data); | const date = new Date(data); | ||||
| return date.toLocaleString(); | return date.toLocaleString(); | ||||
| } | } | ||||
| export function genLink(sanitizedUrl, type, openInNewTab = false, linkText = '') { | |||||
| // Display link. It's up to the caller to sanitize sanitizedUrl first. | |||||
| if (type === 'display' && sanitizedUrl) { | |||||
vlorentz: `encodeURI` is not sufficient to sanitize; which means maliciously crafted URLs can be used to… | |||||
Done Inline Actionswould having $.fn.dataTable.render.text().display(data); called within here be enough? ardumont: would having `$.fn.dataTable.render.text().display(data);` called within here be enough?
(it… | |||||
Done Inline ActionsFeels weird to use datatable here, but sure. Alternatively, you can use any of these methods: https://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery vlorentz: Feels weird to use datatable here, but sure. Alternatively, you can use any of these methods… | |||||
Done Inline Actionsalso, I'm not sure it would try to escape " characters, $.fn.dataTable.render.text().display(data) is designed to escape HTML; not attribute values. And in particular, I just realized we should whitelist schemes; because typical escaping won't filter out javascript: pseudo-URLs vlorentz: also, I'm not sure it would try to escape `"` characters, `$.fn.dataTable.render.text().display… | |||||
| const encodedSanitizedUrl = encodeURI(sanitizedUrl); | |||||
| if (!linkText) { | |||||
| linkText = encodedSanitizedUrl; | |||||
| } | |||||
| let attrs = ''; | |||||
| if (openInNewTab) { | |||||
| attrs = 'target="_blank" rel="noopener noreferrer"'; | |||||
| } | |||||
| return `<a href="${encodedSanitizedUrl}" ${attrs}>${linkText}</a>`; | |||||
| } | |||||
| return sanitizedUrl; | |||||
| } | |||||
encodeURI is not sufficient to sanitize; which means maliciously crafted URLs can be used to XSS; for example by submitting javascript:alert(42) as URL.