Fix HTML Injection in build output

ktwrd · ktwrd · commit ece2c53965d8 · 2022-05-18T15:37:04.000+08:00
diff --git a/BuildService/Properties/VersionAutoIncrement.cs b/BuildService/Properties/VersionAutoIncrement.cs
@@ -1,5 +1,5 @@
 ﻿
 using System.Reflection;
 
-[assembly: AssemblyVersionAttribute("1.0.69.427")]
+[assembly: AssemblyVersionAttribute("1.0.69.456")]
 
diff --git a/BuildService/websocket.html b/BuildService/websocket.html
@@ -228,7 +228,7 @@
 			let text = await e.data.text()
             let split = text.split('\n')
             split[1] = JSON.stringify(JSON.parse(split[1]), null, '\t')
-            writeToScreen(`<div><pre><h3>response</h3><code>${split.join('\n')}</code></pre></div>`);
+            writeToScreen(`<div><pre><h3>response</h3><code>${split.join('\n').replace(/</g, "&lt;").replace(/>/g, "&gt;")}</code></pre></div>`);
             
             let data = JSON.parse(split[1])
             
@@ -269,7 +269,7 @@
                     }
 
                     if (data.content != null && data.content.length > 0)
-                        parentElement.innerHTML += `<pre><code timestamp="${data.timestamp}" outputType="${data.outputType}">${data.content}</code></pre>\n`
+                        parentElement.innerHTML += `<pre><code timestamp="${data.timestamp}" outputType="${data.outputType}">${data.content.replace(/</g, "&lt;").replace(/>/g, "&gt;")}</code></pre>\n`
                     break;
                 case 'BuildService.Shared.Build.BuildInstanceStatus':
                     if (data.Status == enumBuildStatus.Done && targetDictionary[data.Signature].CurrentBuildStatus != data.Status)

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`
`2`	`2`	`using System.Reflection;`
`3`	`3`
`4`		`-[assembly: AssemblyVersionAttribute("1.0.69.427")]`
	`4`	`+[assembly: AssemblyVersionAttribute("1.0.69.456")]`
`5`	`5`