ui: use DOMPurify to sanitize inputs to bootbox

This commit is contained in:
Steven Hugg 2022-09-13 22:13:46 -05:00
parent 7f998b7ed1
commit 4164ec1fcb
4 changed files with 64 additions and 22 deletions

package-lock.json generated

@ -1,15 +1,16 @@
{
"name": "8bitworkshop",
"version": "3.9.1",
"version": "3.10.0",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "8bitworkshop",
"version": "3.9.1",
"version": "3.10.0",
"license": "GPL-3.0",
"dependencies": {
"@types/chroma-js": "^2.1.3",
"@types/dompurify": "^2.3.4",
"@types/emscripten": "^1.39.5",
"@types/js-yaml": "^4.0.5",
"@wasmer/wasi": "^0.12.0",
@ -17,6 +18,7 @@
"binaryen": "^101.0.0",
"chroma-js": "^2.1.2",
"clipboard": "^2.0.6",
"dompurify": "^2.4.0",
"error-stack-parser": "^2.0.6",
"fast-png": "^5.0.4",
"file-saver": "^2.0.5",
@ -445,6 +447,14 @@
"resolved": "https://registry.npmjs.org/@types/chroma-js/-/chroma-js-2.1.3.tgz",
"integrity": "sha512-1xGPhoSGY1CPmXLCBcjVZSQinFjL26vlR8ZqprsBWiFyED4JacJJ9zHhh5aaUXqbY9B37mKQ73nlydVAXmr1+g=="
},
"node_modules/@types/dompurify": {
"version": "2.3.4",
"resolved": "https://registry.npmjs.org/@types/dompurify/-/dompurify-2.3.4.tgz",
"integrity": "sha512-EXzDatIb5EspL2eb/xPGmaC8pePcTHrkDCONjeisusLFrVfl38Pjea/R0YJGu3k9ZQadSvMqW0WXPI2hEo2Ajg==",
"dependencies": {
"@types/trusted-types": "*"
}
},
"node_modules/@types/emscripten": {
"version": "1.39.6",
"resolved": "https://registry.npmjs.org/@types/emscripten/-/emscripten-1.39.6.tgz",
@ -563,6 +573,11 @@
"integrity": "sha512-Hl219/BT5fLAaz6NDkSuhzasy49dwQS/DSdu4MdggFB8zcXv7vflBI3xp7FEmkmdDkBUI2bPUNeMttp2knYdxw==",
"dev": true
},
"node_modules/@types/trusted-types": {
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.2.tgz",
"integrity": "sha512-F5DIZ36YVLE+PN+Zwws4kJogq47hNgX3Nx6WyDJ3kcplxyke3XIzB8uK5n/Lpm1HBsbGzd6nmGehL8cPekP+Tg=="
},
"node_modules/@types/yargs": {
"version": "16.0.4",
"resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-16.0.4.tgz",
@ -1749,6 +1764,11 @@
"webidl-conversions": "^4.0.2"
}
},
"node_modules/dompurify": {
"version": "2.4.0",
"resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.4.0.tgz",
"integrity": "sha512-Be9tbQMZds4a3C6xTmz68NlMfeONA//4dOavl/1rNw50E+/QO0KVpbcU0PcaW0nsQxurXls9ZocqFxk8R2mWEA=="
},
"node_modules/dotenv": {
"version": "10.0.0",
"resolved": "https://registry.npmjs.org/dotenv/-/dotenv-10.0.0.tgz",
@ -6980,6 +7000,14 @@
"resolved": "https://registry.npmjs.org/@types/chroma-js/-/chroma-js-2.1.3.tgz",
"integrity": "sha512-1xGPhoSGY1CPmXLCBcjVZSQinFjL26vlR8ZqprsBWiFyED4JacJJ9zHhh5aaUXqbY9B37mKQ73nlydVAXmr1+g=="
},
"@types/dompurify": {
"version": "2.3.4",
"resolved": "https://registry.npmjs.org/@types/dompurify/-/dompurify-2.3.4.tgz",
"integrity": "sha512-EXzDatIb5EspL2eb/xPGmaC8pePcTHrkDCONjeisusLFrVfl38Pjea/R0YJGu3k9ZQadSvMqW0WXPI2hEo2Ajg==",
"requires": {
"@types/trusted-types": "*"
}
},
"@types/emscripten": {
"version": "1.39.6",
"resolved": "https://registry.npmjs.org/@types/emscripten/-/emscripten-1.39.6.tgz",
@ -7097,6 +7125,11 @@
"integrity": "sha512-Hl219/BT5fLAaz6NDkSuhzasy49dwQS/DSdu4MdggFB8zcXv7vflBI3xp7FEmkmdDkBUI2bPUNeMttp2knYdxw==",
"dev": true
},
"@types/trusted-types": {
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.2.tgz",
"integrity": "sha512-F5DIZ36YVLE+PN+Zwws4kJogq47hNgX3Nx6WyDJ3kcplxyke3XIzB8uK5n/Lpm1HBsbGzd6nmGehL8cPekP+Tg=="
},
"@types/yargs": {
"version": "16.0.4",
"resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-16.0.4.tgz",
@ -8017,6 +8050,11 @@
"webidl-conversions": "^4.0.2"
}
},
"dompurify": {
"version": "2.4.0",
"resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.4.0.tgz",
"integrity": "sha512-Be9tbQMZds4a3C6xTmz68NlMfeONA//4dOavl/1rNw50E+/QO0KVpbcU0PcaW0nsQxurXls9ZocqFxk8R2mWEA=="
},
"dotenv": {
"version": "10.0.0",
"resolved": "https://registry.npmjs.org/dotenv/-/dotenv-10.0.0.tgz",


@ -11,6 +11,7 @@
"license": "GPL-3.0",
"dependencies": {
"@types/chroma-js": "^2.1.3",
"@types/dompurify": "^2.3.4",
"@types/emscripten": "^1.39.5",
"@types/js-yaml": "^4.0.5",
"@wasmer/wasi": "^0.12.0",
@ -18,6 +19,7 @@
"binaryen": "^101.0.0",
"chroma-js": "^2.1.2",
"clipboard": "^2.0.6",
"dompurify": "^2.4.0",
"error-stack-parser": "^2.0.6",
"fast-png": "^5.0.4",
"file-saver": "^2.0.5",


@ -20,6 +20,7 @@ import { AssetEditorView } from "./views/asseteditor";
import { isMobileDevice } from "./views/baseviews";
import { CallStackView, DebugBrowserView } from "./views/treeviews";
import { saveAs } from "file-saver";
import DOMPurify = require("dompurify");
// external libs (TODO)
declare var Tour, GIF, Octokat;
@ -141,12 +142,12 @@ function alertError(s:string) {
setWaitDialog(false);
bootbox.alert({
title: '<span class="glyphicon glyphicon-alert" aria-hidden="true"></span> Alert',
message: s
message: DOMPurify.sanitize(s)
});
}
function alertInfo(s:string) {
setWaitDialog(false);
bootbox.alert(s);
bootbox.alert(DOMPurify.sanitize(s));
}
function fatalError(s:string) {
alertError(s);
@ -518,7 +519,7 @@ function handleFileUpload(files: FileList) {
} else {
qs.file = files[0].name;
bootbox.confirm({
message: "Open '" + qs.file + "' as main project file?",
message: "Open '" + DOMPurify.sanitize(qs.file) + "' as main project file?",
buttons: {
confirm: { label: "Open As New Project" },
cancel: { label: "Include/Link With Project Later" },
@ -558,7 +559,7 @@ function handleFileUpload(files: FileList) {
async function _openLocalDirectory(e) {
var pickerfn = window['showDirectoryPicker'];
if (!pickerfn) {
bootbox.alert(`This browser can't open local files on your computer, yet. Try Chrome.`);
alertError(`This browser can't open local files on your computer, yet. Try Chrome.`);
}
var dirHandle = await pickerfn();
var repoid = dirHandle.name;
@ -577,7 +578,7 @@ async function _openLocalDirectory(e) {
async function promptUser(message: string) : Promise<string> {
return new Promise( (resolve, reject) => {
bootbox.prompt(message, (result) => {
bootbox.prompt(DOMPurify.sanitize(message), (result) => {
resolve(result);
});
});
@ -600,7 +601,7 @@ async function getLocalFilesystem(repoid: string) : Promise<ProjectFilesystem> {
granted = await dirHandle.requestPermission(options);
}
if (granted !== 'granted') {
bootbox.alert(`Could not get permission to access filesystem.`);
alertError(`Could not get permission to access filesystem.`);
return;
}
return {
@ -663,7 +664,7 @@ async function getGithubService() {
function getBoundGithubURL() : string {
var toks = (repo_id||'').split('/');
if (toks.length != 2) {
alertError("<p>You are not in a GitHub repository.</p><p>Choose one from the pulldown, or Import or Publish one.</p>");
alertError("You are not in a GitHub repository. Choose one from the pulldown, or Import or Publish one.");
return null;
}
return 'https://github.com/' + toks[0] + '/' + toks[1];
@ -701,7 +702,7 @@ async function importProjectFromGithub(githuburl:string, replaceURL:boolean) {
}).catch( (e) => {
setWaitDialog(false);
console.log(e);
alertError("<p>Could not import " + githuburl + ".</p>" + e);
alertError("Could not import " + githuburl + "." + e);
});
}
@ -710,7 +711,7 @@ async function _loginToGithub(e) {
gh.login().then(() => {
alertInfo("You are signed in to Github.");
}).catch( (e) => {
alertError("<p>Could not sign in.</p>" + e);
alertError("Could not sign in." + e);
});
}
@ -809,13 +810,13 @@ function confirmCommit(sess) : Promise<GHSession> {
// anything changed?
if (files.length == 0) {
setWaitDialog(false);
bootbox.alert("No files changed.");
alertInfo("No files changed.");
return;
}
// build commit confirm message
var msg = "";
for (var f of files) {
msg += f.filename + ": " + f.status;
msg += DOMPurify.sanitize(f.filename) + ": " + f.status;
if (f.additions || f.deletions || f.changes) {
msg += " (" + f.additions + " additions, " + f.deletions + " deletions, " + f.changes + " changes)";
};
@ -873,7 +874,7 @@ async function pushChangesToGithub(message:string) {
function _deleteRepository() {
var ghurl = getBoundGithubURL();
if (!ghurl) return;
bootbox.prompt("<p>Are you sure you want to delete this repository (" + ghurl + ") from browser storage?</p><p>All changes since last commit will be lost.</p><p>Type DELETE to proceed.<p>", (yes) => {
bootbox.prompt("<p>Are you sure you want to delete this repository (" + DOMPurify.sanitize(ghurl) + ") from browser storage?</p><p>All changes since last commit will be lost.</p><p>Type DELETE to proceed.<p>", (yes) => {
if (yes.trim().toUpperCase() == "DELETE") {
deleteRepository();
}
@ -976,7 +977,7 @@ function _downloadCassetteFile_apple2(e) {
var blob = new Blob([audout], {type: "audio/wav"});
saveAs(blob, audpath);
stdout += "Then connect your audio output to the cassette input, turn up the volume, and play the audio file.";
alertInfo('<pre style="white-space: pre-wrap">'+stdout+'</pre>');
alertInfo(stdout);
}
});
}
@ -1008,7 +1009,7 @@ function _downloadCassetteFile_vcs(e) {
let blob = new Blob([audout], {type: "audio/wav"});
saveAs(blob, audpath);
stdout += "\nConnect your audio output to the SuperCharger input, turn up the volume, and play the audio file.";
alertInfo('<pre style="white-space: pre-wrap">'+stdout+'</pre>');
alertInfo(stdout);
}
});
});
@ -1037,7 +1038,7 @@ function _revertFile(e) {
if (wnd && wnd.setText) {
var fn = projectWindows.getActiveID();
$.get( "presets/"+getBasePlatform(platform_id)+"/"+fn, (text) => {
bootbox.confirm("Reset '" + fn + "' to default?", (ok) => {
bootbox.confirm("Reset '" + DOMPurify.sanitize(fn) + "' to default?", (ok) => {
if (ok) {
wnd.setText(text);
}
@ -1056,7 +1057,7 @@ function _deleteFile(e) {
var wnd = projectWindows.getActive();
if (wnd && wnd.getPath) {
var fn = projectWindows.getActiveID();
bootbox.confirm("Delete '" + fn + "'?", (ok) => {
bootbox.confirm("Delete '" + DOMPurify.sanitize(fn) + "'?", (ok) => {
if (ok) {
store.removeItem(fn).then( () => {
// if we delete what is selected
@ -1080,7 +1081,7 @@ function _renameFile(e) {
if (wnd && wnd.getPath && current_project.getFile(wnd.getPath())) {
var fn = projectWindows.getActiveID();
bootbox.prompt({
title: "Rename '" + fn + "' to?",
title: "Rename '" + DOMPurify.sanitize(fn) + "' to?",
value: fn,
callback: (newfn) => {
var data = current_project.getFile(wnd.getPath());
@ -1823,8 +1824,8 @@ function addFileToProject(type, ext, linefn) {
var wnd = projectWindows.getActive();
if (wnd && wnd.insertText) {
bootbox.prompt({
title:"Add "+type+" File to Project",
value:"filename"+ext,
title:"Add "+DOMPurify.sanitize(type)+" File to Project",
value:"filename"+DOMPurify.sanitize(ext),
callback:(filename:string) => {
if (filename && filename.trim().length > 0) {
if (!checkEnteredFilename(filename)) return;
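Review bot: DOMPurify.sanitize() is the wrong tool for the filenames interpolated as plain text in the `Reset '…'`, `Delete '…'` and `Rename '…'` dialog strings: it parses the name as HTML, so a file named like `a<b>.c` is shown as `a.c` (with part of it bolded) and a destructive confirmation can misstate its target. Where the value is text rather than markup, HTML-escape it and keep sanitize() for messages that intentionally carry tags, e.g. `const escHtml = (s: string) => $('<div>').text(s).html();` and then `"Delete '" + escHtml(fn) + "'?"`. The same applies to the `value:` field of the addFileToProject prompt, which bootbox appears to assign as the input's value rather than as HTML, so sanitizing it only risks turning a `&` into `&amp;` — confirm against the bootbox version in use. Separately, the unsupported-browser branch of _openLocalDirectory now calls alertError() but still falls through to `await pickerfn()` with pickerfn undefined; add `return;` after the alert. The enclosing functions of most of these hunks start and end outside the hunk.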


@ -1,6 +1,7 @@
import { Toolbar } from "./toolbar";
import { VirtualList } from "../common/vlist";
import DOMPurify from "dompurify";
const BUILTIN_INPUT_PORTS = [
'clk', 'reset',
@ -359,7 +360,7 @@ export class WaveformView {
//min: 0,
//max: meta.len-1,
//placeholder: rangestr,
title: `Enter new value for "${meta.label}" (${rangestr}):`,
title: `Enter new value for "${DOMPurify.sanitize(meta.label)}" (${rangestr}):`,
callback: (result) => {
if (result != null) {
var value = parseInt(result);
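Review bot: The new import uses the default form (`import DOMPurify from "dompurify"`) while the other file in this commit uses `import DOMPurify = require("dompurify")`; if the @types/dompurify typings declare the module with `export =`, the default form compiles only under esModuleInterop/allowSyntheticDefaultImports, so pick one form for both files. Also, `meta.label` is interpolated as plain text in the prompt title, so HTML-escaping would display a label containing `<` faithfully, whereas sanitize() treats it as a tag and drops it. `rangestr` is left unsanitized, which is fine only if it is derived from numeric metadata rather than user input — confirm where it is built. The enclosing method starts before the hunk.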