Switch to HTML encoded strings

This commit is contained in:
Infi
2024-08-27 18:13:02 +02:00
parent 0482f20fdf
commit 2d7d1c9615
3 changed files with 5 additions and 51 deletions
-1
@@ -55,7 +55,6 @@
<ItemGroup> <ItemGroup>
<PackageReference Include="DalamudPackager" Version="2.1.13" /> <PackageReference Include="DalamudPackager" Version="2.1.13" />
<PackageReference Include="EmbedIO" Version="3.5.2" /> <PackageReference Include="EmbedIO" Version="3.5.2" />
<PackageReference Include="HtmlSanitizer" Version="8.1.870" />
<PackageReference Include="MessagePack" Version="2.5.140" /> <PackageReference Include="MessagePack" Version="2.5.140" />
<PackageReference Include="Microsoft.Data.Sqlite" Version="8.0.4" /> <PackageReference Include="Microsoft.Data.Sqlite" Version="8.0.4" />
<PackageReference Include="Pidgin" Version="3.2.3" /> <PackageReference Include="Pidgin" Version="3.2.3" />
+5 -4
@@ -1,16 +1,15 @@
using System.Globalization; using System.Globalization;
using System.Net;
using ChatTwo.Code; using ChatTwo.Code;
using ChatTwo.Http.MessageProtocol; using ChatTwo.Http.MessageProtocol;
using ChatTwo.Util; using ChatTwo.Util;
using Dalamud.Game.Text.SeStringHandling.Payloads; using Dalamud.Game.Text.SeStringHandling.Payloads;
using Ganss.Xss;
namespace ChatTwo.Http; namespace ChatTwo.Http;
public class Processing public class Processing
{ {
private readonly Plugin Plugin; private readonly Plugin Plugin;
private readonly HtmlSanitizer Sanitizer = new();
public Processing(Plugin plugin) public Processing(Plugin plugin)
{ {
@@ -63,7 +62,7 @@ public class Processing
// The emote name should be safe, it is checked against a list from BTTV. // The emote name should be safe, it is checked against a list from BTTV.
// Still sanitizing it for the extra safety. // Still sanitizing it for the extra safety.
if (image is { Failed: false }) if (image is { Failed: false })
return $"<span class=\"emote-icon\"><img src=\"/emote/{Sanitizer.Sanitize(emotePayload.Code)}\"></span>"; return $"<span class=\"emote-icon\"><img src=\"/emote/{WebUtility.HtmlEncode(emotePayload.Code)}\"></span>";
} }
var colour = text.Foreground; var colour = text.Foreground;
@@ -84,7 +83,9 @@ public class Processing
userContent = Plugin.ChatLogWindow.HidePlayerInString(userContent, player.Name.TextValue, player.HomeWorld.Id); userContent = Plugin.ChatLogWindow.HidePlayerInString(userContent, player.Name.TextValue, player.HomeWorld.Id);
} }
userContent = Sanitizer.Sanitize(userContent); // HTML encode any user content to prevent xss
userContent = WebUtility.HtmlEncode(userContent);
if (text.Link is UriPayload uri) if (text.Link is UriPayload uri)
userContent = $"<a href=\"{uri.Uri}\" target=\"_blank\">{userContent}</a>"; userContent = $"<a href=\"{uri.Uri}\" target=\"_blank\">{userContent}</a>";
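Review bot: The `href` on the last line of the hunk still interpolates `uri.Uri` raw into an attribute while the surrounding text node is now encoded, so the link target is the one value in this markup that is neither HTML-encoded nor restricted by scheme; whether Dalamud's UriPayload ever carries a `javascript:` or `data:` URI I cannot tell from here, so the guard should not rely on it. Encode the attribute the same way as the content and allow-list the scheme before building the anchor, e.g. `if (text.Link is UriPayload { Uri: { Scheme: "http" or "https" } } link)` followed by `userContent = $"<a href=\"{WebUtility.HtmlEncode(link.Uri.AbsoluteUri)}\" target=\"_blank\" rel=\"noopener noreferrer\">{userContent}</a>";`, which also closes the `target="_blank"` opener leak. On the emote line, `HtmlEncode` escapes markup characters but not path characters, so a `/`, `?` or `..` in `emotePayload.Code` would still reach the `/emote/` path unless the BTTV list check catches it; wrapping it as `WebUtility.HtmlEncode(Uri.EscapeDataString(emotePayload.Code))` makes the segment safe on its own. The method containing these hunks starts and ends outside them.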
-46
@@ -17,17 +17,6 @@
"Unosquare.Swan.Lite": "3.1.0" "Unosquare.Swan.Lite": "3.1.0"
} }
}, },
"HtmlSanitizer": {
"type": "Direct",
"requested": "[8.1.870, )",
"resolved": "8.1.870",
"contentHash": "bQWYaKg8PrlgnhM9sPALl0UorpjWQkPTQiSTVyvm8imqF9lCLqBmtC0adUDi8xUYcdg6SJC+aHCw1MOjcg+Wnw==",
"dependencies": {
"AngleSharp": "[0.17.1]",
"AngleSharp.Css": "[0.17.0]",
"System.Collections.Immutable": "8.0.0"
}
},
"MessagePack": { "MessagePack": {
"type": "Direct", "type": "Direct",
"requested": "[2.5.140, )", "requested": "[2.5.140, )",
@@ -71,23 +60,6 @@
"Watson.Core": "6.2.2" "Watson.Core": "6.2.2"
} }
}, },
"AngleSharp": {
"type": "Transitive",
"resolved": "0.17.1",
"contentHash": "5MPI4bbixlwxb0W/smOMeIR+QlxMy5/5jD+WnIAw4pBC+7AhLPe5bS3cLgQMJyvd6q0A48sG+uYOt/ep406GLA==",
"dependencies": {
"System.Buffers": "4.5.1",
"System.Text.Encoding.CodePages": "6.0.0"
}
},
"AngleSharp.Css": {
"type": "Transitive",
"resolved": "0.17.0",
"contentHash": "bg0AcugmX6BFEi/DHG61QrwRU8iuiX4H8LZehdIzYdqOM/dgb3BsCTzNIcc1XADn4+xfQEdVwJYTSwUxroL4vg==",
"dependencies": {
"AngleSharp": "[0.17.0, 0.18.0)"
}
},
"CavemanTcp": { "CavemanTcp": {
"type": "Transitive", "type": "Transitive",
"resolved": "2.0.2", "resolved": "2.0.2",
@@ -151,16 +123,6 @@
"SQLitePCLRaw.core": "2.1.6" "SQLitePCLRaw.core": "2.1.6"
} }
}, },
"System.Buffers": {
"type": "Transitive",
"resolved": "4.5.1",
"contentHash": "Rw7ijyl1qqRS0YQD/WycNst8hUUMgrMH4FCn1nNm27M4VxchZ1js3fVjQaANHO5f3sN4isvP4a+Met9Y4YomAg=="
},
"System.Collections.Immutable": {
"type": "Transitive",
"resolved": "8.0.0",
"contentHash": "AurL6Y5BA1WotzlEvVaIDpqzpIPvYnnldxru8oXJU2yFxFUy3+pNXjXd1ymO+RA0rq0+590Q8gaz2l3Sr7fmqg=="
},
"System.Memory": { "System.Memory": {
"type": "Transitive", "type": "Transitive",
"resolved": "4.5.3", "resolved": "4.5.3",
@@ -171,14 +133,6 @@
"resolved": "6.0.0", "resolved": "6.0.0",
"contentHash": "/iUeP3tq1S0XdNNoMz5C9twLSrM/TH+qElHkXWaPvuNOt+99G75NrV0OS2EqHx5wMN7popYjpc8oTjC1y16DLg==" "contentHash": "/iUeP3tq1S0XdNNoMz5C9twLSrM/TH+qElHkXWaPvuNOt+99G75NrV0OS2EqHx5wMN7popYjpc8oTjC1y16DLg=="
}, },
"System.Text.Encoding.CodePages": {
"type": "Transitive",
"resolved": "6.0.0",
"contentHash": "ZFCILZuOvtKPauZ/j/swhvw68ZRi9ATCfvGbk1QfydmcXBkIWecWKn/250UH7rahZ5OoDBaiAudJtPvLwzw85A==",
"dependencies": {
"System.Runtime.CompilerServices.Unsafe": "6.0.0"
}
},
"System.Text.Encodings.Web": { "System.Text.Encodings.Web": {
"type": "Transitive", "type": "Transitive",
"resolved": "8.0.0", "resolved": "8.0.0",