xss fix

ddsky · ddsky · commit 2cbcedeb0cbd · 2016-09-09T17:52:29.000+02:00
diff --git a/bower.json b/bower.json
@@ -1,6 +1,6 @@
 {
   "name": "unibox",
-  "version": "1.14.1",
+  "version": "1.14.2",
   "main": [
     "js/unibox.min.js",
     "css/unibox.min.css"
diff --git a/css/unibox.css b/css/unibox.css
@@ -76,6 +76,8 @@ img.unibox-vis {
 	margin-left: 8px;
 	margin-top: 6px;
 	font-size: 18px;
+	text-align: left;
+	margin-bottom: 8px;
 }
 
 .unibox-ivf {
diff --git a/css/unibox.min.css b/css/unibox.min.css
diff --git a/js/unibox.js b/js/unibox.js
@@ -90,6 +90,15 @@ var UniBox = function () {
     // the maximum width of the suggest box, default: as wide as the input box
     var maxWidth = undefined;
 
+    var entityMap = {
+        "&": "&amp;",
+        "<": "&lt;",
+        ">": "&gt;",
+        '"': '&quot;',
+        "'": '&#39;',
+        "/": '&#x2F;'
+    };
+
     // hide the search suggests
     function resetSuggests(event) {
 
@@ -179,6 +188,12 @@ var UniBox = function () {
         return key.replace(/[ "§$%&/(){}+*,.;|]/g, '_').toLowerCase();
     }
 
+    function escapeHtml(string) {
+        return String(string).replace(/[&<>"'\/]/g, function (s) {
+            return entityMap[s];
+        });
+    }
+
     // update suggest box when new data is given
     function updateSuggestBox(data) {
 
@@ -189,6 +204,7 @@ var UniBox = function () {
         }
 
         var searchString = searchBox.val();
+        var searchStringXss = escapeHtml(searchString);
 
         //// fill the box
         suggestBox.html('');
@@ -240,10 +256,10 @@ var UniBox = function () {
 
                 if (suggest['link'] != undefined) {
                     suggestLine += '<a href="' + suggest['link'] + '">';
-                    suggestLine += highlightSearchWords(suggest['name'], searchString);
+                    suggestLine += highlightSearchWords(suggest['name'], searchStringXss);
                     suggestLine += '</a>';
                 } else {
-                    suggestLine += '<span>' + highlightSearchWords(suggest['name'], searchString) + '</span>';
+                    suggestLine += '<span>' + highlightSearchWords(suggest['name'], searchStringXss) + '</span>';
                 }
 
                 if (extraHtml != undefined) {
@@ -326,7 +342,7 @@ var UniBox = function () {
             }
 
             var invisibleBox = searchBoxParent.find('#unibox-invisible');
-            invisibleBox.html(searchString.replace(new RegExp(word['name'], 'gi'), '<span>' + word['name'] + '</span>'));
+            invisibleBox.html(searchStringXss.replace(new RegExp(word['name'], 'gi'), '<span>' + word['name'] + '</span>'));
 
             //console.log(word['image']+' : '+jQuery.inArray(word['image'], ivfWords));
 
diff --git a/js/unibox.min.js b/js/unibox.min.js
diff --git a/unibox.jquery.json b/unibox.jquery.json
@@ -6,7 +6,7 @@
     "search",
     "suggestion"
   ],
-  "version": "1.14.1",
+  "version": "1.14.2",
   "author": {
     "name": "David Urbansky",
     "url": "https://github.com/ddsky/unibox"

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "unibox",`
`3`		`- "version": "1.14.1",`
	`3`	`+ "version": "1.14.2",`
`4`	`4`	`"main": [`
`5`	`5`	`"js/unibox.min.js",`
`6`	`6`	`"css/unibox.min.css"`
Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,8 @@ img.unibox-vis {`
`76`	`76`	`margin-left: 8px;`
`77`	`77`	`margin-top: 6px;`
`78`	`78`	`font-size: 18px;`
	`79`	`+ text-align: left;`
	`80`	`+ margin-bottom: 8px;`
`79`	`81`	`}`
`80`	`82`
`81`	`83`	`.unibox-ivf {`