Merge pull request #1187 from CatoTH/v4-js-fixes

Update Libraries + JS Sanitizing

Author: CatoTH

assets/gulpfile.vue.js

@@ -94,7 +94,12 @@ function transformVueSfc(source, filePath, vueUrl) {
     });
 
     if (styleChunks.length) {
-        const allStyles = styleChunks.join('\n').replace(/`/g, '\\`');
+        const allStyles = styleChunks
+            .join('\n')
+            .replace(/\\/g, '\\\\')   // escape backslashes FIRST
+            .replace(/`/g, '\\`')      // then escape backticks
+            .replace(/\$\{/g, '\\${'); // and escape template literal interpolation
+
         parts.push(`
 (function injectStyles() {
   const el = document.createElement('style');

package.json

@@ -29,7 +29,7 @@
         "@types/typeahead": "^0.11.32",
         "autoprefixer": "^10.5.0",
         "confusing-browser-globals": "^1.0.11",
-        "eslint": "^10.4.1",
+        "eslint": "^10.5.0",
         "eslint-plugin-promise": "^7.3.0",
         "globals": "^17.6.0",
         "gulp": "^5.0.1",
@@ -41,7 +41,7 @@
         "gulp-uglify": "^3.0.2",
         "pa11y": "^9.1.1",
         "postcss": "^8.5.15",
-        "sass": "^1.100.0"
+        "sass": "^1.101.0"
     },
     "directories": {
         "bin": "./bin/"
@@ -58,7 +58,7 @@
         "isotope-layout": "^3.0.6",
         "moment": "^2.30.1",
         "requirejs": "^2.3.8",
-        "rollup": "^4.61.1",
+        "rollup": "^4.62.0",
         "sortablejs": "^1.15.7",
         "vue": "^3.5.38",
         "vue-draggable-plus": "^0.6.1",

pnpm-lock.yaml

@@ -3,3 +3,5 @@ allowBuilds:
   es5-ext: false
   puppeteer: false
 minimumReleaseAge: 4320 # 3 Days - a bit more conservative than the default
+overrides:
+  postcss: ^8.5.15

pnpm-workspace.yaml

@@ -47,7 +47,14 @@ export class AppearanceEdit {
             if ($selected.length === 0) {
                 $selected = $inputs.first();
             }
-            $editLink.attr("href", editLinkDefault.replace(/DEFAULT/, $selected.val()));
+
+            const parsed = new URL(editLinkDefault.replace(/DEFAULT/, $selected.val()), window.location.origin);
+            const path = parsed.pathname + parsed.search;
+            if (/^\/[a-zA-Z0-9\-_/?=&.,]*$/.test(path)) {
+                $editLink.attr("href", path);
+            } else {
+                console.error("Rejected unsafe redirect path:", path);
+            }
         };
         $inputs.on("change", onChange);
         onChange();

web/js/modules/backend/AppearanceEdit.js

@@ -95,7 +95,13 @@ export class MotionList {
                         link = link.replace("INACTIVE", inactive);
                         link = link.replace("REPLACED", replaced);
                         link = link.replace("MOTIONTYPES", motionTypes.join(","));
-                        $(this).attr("href", link);
+                        const url = new URL(link, window.location.origin);
+                        const path = url.pathname + url.search;
+                        if (/^\/[a-zA-Z0-9\-_/?=&.,]*$/.test(path)) {
+                            $(this).attr("href", path);
+                        } else {
+                            console.error("Rejected unsafe redirect path:", path);
+                        }
                     });
                 };
             $dd.find("input[type=checkbox]").on("change", recalcLinks).trigger("change");

web/js/modules/backend/MotionList.js

@@ -592,10 +592,16 @@ class MotionMergeAmendmentsTextarea {
             html = html.replace(new RegExp(ent, 'g'), entities[ent]);
         });
 
-        return html.replace(/\s+</g, '<').replace(/>\s+/g, '>')
-            .replace(/<[^>]*ice-ins[^>]*>/g, 'ice-ins') // make sure accepted insertions are still recognized as change
-            .replace(/<ins[^>]*>/g, 'ice-ins')
-            .replace(/<[^>]*>/g, '');
+        let previous;
+        do {
+            previous = html;
+            html = html.replace(/\s+</g, '<').replace(/>\s+/g, '>')
+                .replace(/<[^>]*ice-ins[^>]*>/g, 'ice-ins') // make sure accepted insertions are still recognized as change
+                .replace(/<ins[^>]*>/g, 'ice-ins')
+                .replace(/<[^>]*>/g, '');
+        } while (html !== previous);
+
+        return html;
     }
 
     onChanged() {

web/js/modules/frontend/MotionMergeAmendments.js

@@ -49,7 +49,13 @@ export class InitDb {
     gotoLanguageVariant = () => {
         let href = window.location.href.split("?")[0]
         href += "?language=" + $("#language").val()
-        window.location.href = href
+        const url = new URL(href, window.location.origin);
+        const path = url.pathname + url.search;
+        if (/^\/[a-zA-Z0-9\-_/?=&.,]*$/.test(path)) {
+            window.location.href = path;
+        } else {
+            console.error("Rejected unsafe redirect path:", path);
+        }
     }
 
     /**

web/js/modules/installation/InitDb.js

@@ -312,8 +312,14 @@ export class SiteCreateWizard {
 
         $form.find("#panelLanguage input").on("change", function () {
             const val = /** @type {string} */ ($form.find("#panelLanguage input:checked").val());
-            const url = $form.find("#panelLanguage").data("url").replace(/LNG/, val);
-            window.location.href = url;
+            const url = new URL($form.find("#panelLanguage").data("url").replace(/LNG/, val), window.location.origin);
+            const path = url.pathname + url.search;
+
+            if (/^\/[a-zA-Z0-9\-_/?=&.,]*$/.test(path)) {
+                window.location.href = path;
+            } else {
+                console.error("Rejected unsafe redirect path:", path);
+            }
         });
 
         // The enter key should not submit the form, but lead to the next panel