From d79a4fadb942457b4c386244129f057ce4b84b7c Mon Sep 17 00:00:00 2001 From: Josh Kasten Date: Thu, 26 Oct 2023 21:13:10 +0000 Subject: [PATCH] use safer HTML decode --- src/page/bell/Bell.ts | 4 ++-- src/page/bell/Message.ts | 12 ++++-------- src/shared/utils/BrowserUtils.ts | 20 ++++++-------------- src/shared/utils/utils.ts | 6 ------ 4 files changed, 12 insertions(+), 30 deletions(-) diff --git a/src/page/bell/Bell.ts b/src/page/bell/Bell.ts index be35c108a..d7934f73d 100755 --- a/src/page/bell/Bell.ts +++ b/src/page/bell/Bell.ts @@ -5,7 +5,6 @@ import { addCssClass, addDomElement, contains, - decodeHtmlEntities, delay, nothing, once, @@ -30,6 +29,7 @@ import { import SubscriptionChangeEvent from '../models/SubscriptionChangeEvent'; import { bowserCastle } from '../../shared/utils/bowserCastle'; import OneSignal from '../../onesignal/OneSignal'; +import BrowserUtils from '../../shared/utils/BrowserUtils'; const logoSvg = ``; @@ -277,7 +277,7 @@ export default class Bell { resolve(); }); } else { - this.message.content = decodeHtmlEntities( + this.message.content = BrowserUtils.decodeHtmlEntities( this.message.getTipForState(), ); this.message.contentType = Message.TYPES.TIP; diff --git a/src/page/bell/Message.ts b/src/page/bell/Message.ts index 600f4a862..249634c09 100755 --- a/src/page/bell/Message.ts +++ b/src/page/bell/Message.ts @@ -1,10 +1,6 @@ +import BrowserUtils from '../../shared/utils/BrowserUtils'; import Log from '../../shared/libraries/Log'; -import { - decodeHtmlEntities, - delay, - getConsoleStyle, - nothing, -} from '../../shared/utils/utils'; +import { delay, getConsoleStyle, nothing } from '../../shared/utils/utils'; import AnimatedElement from './AnimatedElement'; import Bell from './Bell'; @@ -47,7 +43,7 @@ export default class Message extends AnimatedElement { ); return (this.shown ? this.hide() : nothing()) .then(() => { - this.content = decodeHtmlEntities(content); + this.content = BrowserUtils.decodeHtmlEntities(content); this.contentType = type; }) .then(() => { @@ -75,7 +71,7 @@ export default class Message extends AnimatedElement { } enqueue(message: string) { - this.queued.push(decodeHtmlEntities(message)); + this.queued.push(BrowserUtils.decodeHtmlEntities(message)); return new Promise((resolve) => { if (this.bell.badge.shown) { this.bell.badge diff --git a/src/shared/utils/BrowserUtils.ts b/src/shared/utils/BrowserUtils.ts index 21122536f..1616cd57d 100644 --- a/src/shared/utils/BrowserUtils.ts +++ b/src/shared/utils/BrowserUtils.ts @@ -1,20 +1,12 @@ -import Environment from '../helpers/Environment'; - export class BrowserUtils { - private static decodeTextArea: HTMLTextAreaElement | null = null; - public static decodeHtmlEntities(text: string) { - if (Environment.isBrowser()) { - if (!BrowserUtils.decodeTextArea) { - BrowserUtils.decodeTextArea = document.createElement('textarea'); - } - } - if (BrowserUtils.decodeTextArea) { - BrowserUtils.decodeTextArea.innerHTML = text; - return BrowserUtils.decodeTextArea.value; - } else { - // Not running in a browser environment, text cannot be decoded + // Decodes HTML encoded characters (like &) into their displayed value. + // Example: "<b>test</b>" becomes "test" + public static decodeHtmlEntities(text: string): string { + if (typeof DOMParser === 'undefined') { return text; } + const doc = new DOMParser().parseFromString(text, 'text/html'); + return doc.documentElement.textContent || ''; } } diff --git a/src/shared/utils/utils.ts b/src/shared/utils/utils.ts index 062813da3..832d973a1 100755 --- a/src/shared/utils/utils.ts +++ b/src/shared/utils/utils.ts @@ -3,9 +3,7 @@ import { WindowEnvironmentKind } from '../models/WindowEnvironmentKind'; import Database from '../services/Database'; import { OneSignalUtils } from './OneSignalUtils'; import { PermissionUtils } from './PermissionUtils'; -import { BrowserUtils } from './BrowserUtils'; import { Utils } from '../context/Utils'; -import bowser from 'bowser'; import TimeoutError from '../errors/TimeoutError'; import Log from '../libraries/Log'; import { bowserCastle } from './bowserCastle'; @@ -14,10 +12,6 @@ export function isArray(variable: any) { return Object.prototype.toString.call(variable) === '[object Array]'; } -export function decodeHtmlEntities(text: string) { - return BrowserUtils.decodeHtmlEntities(text); -} - export function removeDomElement(selector: string) { const els = document.querySelectorAll(selector); if (els.length > 0) {