Prevent innerHTML user input (#119)

NASA-AMMOS · Dec 1, 2023 · e434511 · e434511
1 parent 2e2fa41
commit e434511
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 13 deletions.
diff --git a/package.json b/package.json
@@ -1,8 +1,9 @@
 {
   "name": "openmct-mcws",
-  "version": "5.2.0-rc1",
+  "version": "5.2.0-rc2",
   "description": "Open MCT for MCWS",
   "devDependencies": {
+    "@braintree/sanitize-url": "6.0.2",
     "axios": "^0.21.2",
     "babel-loader": "8.2.3",
     "babel-plugin-istanbul": "6.1.1",
@@ -31,7 +32,7 @@
     "mini-css-extract-plugin": "2.6.0",
     "moment": "2.29.4",
     "node-bourbon": "^4.2.3",
-    "openmct": "nasa/openmct#omm-r5.2.0-rc1",
+    "openmct": "nasa/openmct#omm-r5.2.0-rc2",
     "openmct-legacy-support": "akhenry/openmct-legacy-support#omm-r5.1.0-rc1",
     "printj": "^1.2.1",
     "raw-loader": "^0.5.1",

diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
     <groupId>gov.nasa.arc.wtd</groupId>
     <artifactId>openmct-client</artifactId>
     <name>Open MCT for MCWS Client</name>
-    <version>5.2.0-rc1</version>
+    <version>5.2.0-rc2</version>
     <packaging>war</packaging>
 
     <properties>

diff --git a/src/identity/LoginService.js b/src/identity/LoginService.js
@@ -1,9 +1,7 @@
 /*global define*/
 define(
-    [
-        './login.html'
-    ],
-    function (loginTemplate) {
+    [],
+    function () {
 
 
         /**
@@ -48,9 +46,13 @@ define(
         LoginService.prototype.show = function () {
             this.overlay = document.createElement('div');
             this.overlay.classList.add('u-contents');
-            this.overlay.innerHTML = loginTemplate;
+
+            const iframe = document.createElement('iframe');
+            iframe.classList.add('c-login-overlay');
+            iframe.src = this.getLoginUrl();
+
+            this.overlay.appendChild(iframe);
             document.body.appendChild(this.overlay);
-            this.overlay.querySelector('iframe').src = this.getLoginUrl();
         };
 
         /**

diff --git a/src/identity/login.html b/src/identity/login.html
diff --git a/src/link/plugin.js b/src/link/plugin.js
@@ -1,7 +1,7 @@
 define([
-
+    '@braintree/sanitize-url'
 ], function (
-
+    urlSanitizeLib
 ) {
 
     function LinkPlugin() {
@@ -32,7 +32,13 @@ define([
                 view: function (domainObject) {
                     return {
                         show: function (container) {
-                            container.innerHTML = '<a href="' + domainObject.url + '">' + domainObject.name + '</a>'
+                            container.textContent = '';
+
+                            const anchor = document.createElement('a');
+                            anchor.href = urlSanitizeLib.sanitizeUrl(domainObject.url);
+                            anchor.textContent = domainObject.name;
+
+                            container.appendChild(anchor);
                         },
                         destroy: function () {}
                     };