Protect against XSS in diff-view by using application/json

koordinates · Jul 11, 2023 · 16e279b · 16e279b
1 parent 8fb2bd6
commit 16e279b
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ _When adding new entries to the changelog, please include issue/PR numbers where
 ## 0.14.1 (UNRELEASED)
 
 - Fixes a bug where Git subprocesses (such as git clone) don't prompt the user for credentials or to resolve SSH issues on Windows. [#852](https://github.com/koordinates/kart/issues/852)
+- Better protection against XSS in the HTML diff viewer. [#884](https://github.com/koordinates/kart/pull/884)
 
 ## 0.14.0
 

diff --git a/kart/diff-view.html b/kart/diff-view.html
@@ -103,8 +103,9 @@
             top: 2px;
         }
     </style>
-    <script id="kart-data">const DATA=${geojson_data};</script>
+    <script id="kart-data" type="application/json">${geojson_data}</script>
     <script type="module">
+        const DATA = JSON.parse(document.getElementById('kart-data').textContent);
         const GEOM = '⭔'
 
         function buildMap() {

diff --git a/kart/html_diff_writer.py b/kart/html_diff_writer.py
@@ -1,3 +1,4 @@
+import html
 import json
 import string
 import sys
@@ -59,7 +60,7 @@ def write_diff(self, diff_format=DiffFormat.FULL):
         fo.write(
             template.substitute(
                 {
-                    "title": title,
+                    "title": html.escape(title),
                     "geojson_data": json.dumps(
                         all_datasets_geojson, cls=ExtendedJsonEncoder
                     ),

diff --git a/tests/test_diff.py b/tests/test_diff.py
@@ -8,10 +8,8 @@
 import pytest
 
 import kart
-from kart.base_diff_writer import BaseDiffWriter
 from kart.diff_format import DiffFormat
 from kart.diff_structs import Delta, DeltaDiff
-from kart.diff_util import get_file_diff
 from kart.json_diff_writers import JsonLinesDiffWriter
 from kart.geometry import hex_wkb_to_ogr
 from kart.repo import KartRepo
@@ -30,10 +28,10 @@ def _check_html_output(s):
     document = parser.parse(s)
     # find the <script> element containing data
     el = document.find("./head/script[@id='kart-data']")
-    # find the JSON
-    m = re.match(r"\s*const DATA=(.*);\s*$", el.text, flags=re.DOTALL)
+    # Make sure we're parsing it as JSON.
+    assert el.attrib == {"id": "kart-data", "type": "application/json"}
     # validate it
-    return json.loads(m.group(1))
+    return json.loads(el.text)
 
 
 @pytest.mark.parametrize("output_format", DIFF_OUTPUT_FORMATS)