Merge pull request #2014 from 0xh3xa/master

a3957273 · web-flow · commit 5a3b7bc4c08a · 2025-04-05T05:14:58.000+01:00
Fix(RecipeWaiter): sanitize user input in addOperation to prevent XSS
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -123,6 +123,7 @@
     "d3": "7.9.0",
     "d3-hexbin": "^0.2.2",
     "diff": "^5.2.0",
+    "dompurify": "^3.2.5",
     "es6-promisify": "^7.0.0",
     "escodegen": "^2.1.0",
     "esprima": "^4.0.1",
diff --git a/src/web/waiters/RecipeWaiter.mjs b/src/web/waiters/RecipeWaiter.mjs
@@ -8,6 +8,7 @@ import HTMLOperation from "../HTMLOperation.mjs";
 import Sortable from "sortablejs";
 import Utils from "../../core/Utils.mjs";
 import {escapeControlChars} from "../utils/editorUtils.mjs";
+import DOMPurify from "dompurify";
 
 
 /**
@@ -435,7 +436,9 @@ class RecipeWaiter {
         const item = document.createElement("li");
 
         item.classList.add("operation");
-        item.innerHTML = name;
+        const clean = DOMPurify.sanitize(name);
+        item.innerHTML = clean;
+
         this.buildRecipeOperation(item);
         document.getElementById("rec-list").appendChild(item);
 
