

fix XSS in user supplied data
1 parent 8c8bdb4 commit a3acfe7


1 file changed

+8
-0
lines changed

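--- a/js/tracker.js
+++ b/js/tracker.js
@@ -627,6 +627,14 @@ function habitat_data(jsondata, alternative) {
 if (suffixes[k] !== undefined)
 suffix = suffixes[k];
 
+if (typeof v === "string") {
+v = v.replace(/&/g, "&")
+.replace(/</g, "&lt;")
+.replace(/>/g, "&gt;")
+.replace(/"/g, "&quot;")
+.replace(/'/g, "&#039;");
+}
+
 if(typeof alternative == 'boolean' && alternative) {
 output += "<div><b>" + name + ":&nbsp;</b>" + v + suffix + "</div>";
 } else {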
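Review bot: The first replacement in the new block, `v.replace(/&/g, "&")`, substitutes an ampersand with itself as rendered here, so `&` is never encoded and an already-entity-encoded value like `&lt;b&gt;` passes through unchanged; if the intended `&amp;` was merely lost in page rendering this is moot, otherwise the line should read `v = v.replace(/&/g, "&amp;")`. The escaping is also applied only to `v`, while `name` and `suffix` are concatenated unescaped into the same HTML string on the `output +=` line; whether those values originate from `jsondata` is not visible in the hunk, so it is worth confirming before treating the fix as complete. Extracting the chain into a small `escapeHtml(s)` helper with a comment such as `// escape & first so the entities introduced below are not double-encoded` would make the ordering explicit and let the else branch reuse it. `habitat_data` starts and ends outside the hunk.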
