diff --git a/CHANGES.md b/CHANGES.md
index 5424c6f2..df0322cc 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,7 +1,9 @@
# Release Notes
+
## Version 1.25
+- Security improvements thanks to [Rikaard Hosein](https://github.com/rikaardhosein) [fix 661](https://github.com/tprouvot/Salesforce-Inspector-reloaded/issues/661)
- Fix `Use Favicon Color` option which was not working key [issue 634](https://github.com/tprouvot/Salesforce-Inspector-reloaded/issues/634) raised by [Gary Woodhouse](https://github.com/Garywoo)
- Add `Clear` button in Event Monitor and REST Explorer
- Fix `Field Creator` shortcut key [issue 608](https://github.com/tprouvot/Salesforce-Inspector-reloaded/issues/608)
diff --git a/addon/data-export.js b/addon/data-export.js
index da60b33c..4407ad83 100644
--- a/addon/data-export.js
+++ b/addon/data-export.js
@@ -683,7 +683,8 @@ class Model {
}
let contextValueField = contextValueFields[0];
let queryMethod = useToolingApi ? "tooling/query" : vm.queryAll ? "queryAll" : "query";
- let whereClause = contextValueField.field.name + " like '%" + searchTerm.replace(/'/g, "\\'") + "%'";
+ //let whereClause = contextValueField.field.name + " like '%" + searchTerm.replace(/'/g, "\\'") + "%'";
+ let whereClause = contextValueField.field.name + " like '%" + searchTerm.replace(/([\\'])/g, "\\$1") + "%'";
if (contextValueField.sobjectDescribe.name.toLowerCase() === "recordtype"){
let sobject = contextPath.split(".")[0];
sobject = sobject.toLowerCase() === "recordtype" ? vm.autocompleteResults.sobjectName : sobject;
diff --git a/addon/inspector.js b/addon/inspector.js
index 921d378a..a7466e76 100644
--- a/addon/inspector.js
+++ b/addon/inspector.js
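Review bot: The new `searchTerm.replace(/([\\'])/g, "\\$1")` closes the quote/backslash break-out, but `%` and `_` still pass through unescaped and are SOQL LIKE wildcards, so a typed `a_c` or a lone `%` matches far more than the literal text the user entered; SOQL accepts `\%` and `\_` for literals, so `searchTerm.replace(/([\\'%_])/g, "\\$1")` gives a literal-substring match (assuming that is what this autocomplete intends — confirm). The commented-out previous line added just above it should be dropped rather than committed; git history already holds it. The enclosing method starts and ends outside the hunk.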
@@ -51,8 +51,8 @@ export let sfConn = {
let xhr = new XMLHttpRequest();
url += (url.includes("?") ? "&" : "?") + "cache=" + Math.random();
const sfHost = "https://" + this.instanceHostname;
- xhr.open(method, sfHost + url, true);
-
+ const fullUrl = new URL(url, sfHost);
+ xhr.open(method, fullUrl.toString(), true);
xhr.setRequestHeader("Accept", "application/json; charset=UTF-8");
if (api == "bulk") {
diff --git a/addon/manifest.json b/addon/manifest.json
index 65e19f27..6157dcab 100644
--- a/addon/manifest.json
+++ b/addon/manifest.json
@@ -10,7 +10,9 @@
"default_title": "Open popup"
},
"minimum_chrome_version": "88",
- "permissions": ["cookies"],
+ "permissions": [
+ "cookies"
+ ],
"host_permissions": [
"https://*.salesforce.com/*",
"https://*.salesforce-setup.com/*",
@@ -50,8 +52,14 @@
"https://*.builder.salesforce-experience.com/*"
],
"all_frames": true,
- "css": ["button.css", "inspect-inline.css"],
- "js": ["button.js", "inspect-inline.js"]
+ "css": [
+ "button.css",
+ "inspect-inline.css"
+ ],
+ "js": [
+ "button.js",
+ "inspect-inline.js"
+ ]
}
],
"background": {
@@ -73,7 +81,27 @@
"options.html",
"event-monitor.html"
],
- "matches": ["https://*/*"],
+ "matches": [
+ "https://*.salesforce.com/*",
+ "https://*.salesforce-setup.com/*",
+ "https://*.visual.force.com/*",
+ "https://*.vf.force.com/*",
+ "https://*.lightning.force.com/*",
+ "https://*.cloudforce.com/*",
+ "https://*.visualforce.com/*",
+ "https://*.sfcrmapps.cn/*",
+ "https://*.sfcrmproducts.cn/*",
+ "https://*.salesforce.mil/*",
+ "https://*.visual.force.mil/*",
+ "https://*.vf.force.mil/*",
+ "https://*.lightning.force.mil/*",
+ "https://*.cloudforce.mil/*",
+ "https://*.visualforce.mil/*",
+ "https://*.crmforce.mil/*",
+ "https://*.lightning.force.com.mcas.ms/*",
+ "https://*.force.com/*",
+ "https://*.builder.salesforce-experience.com/*"
+ ],
"extension_ids": []
}
],
@@ -111,4 +139,4 @@
"description": "Event Monitor"
}
}
-}
+}
\ No newline at end of file
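Review bot: `new URL(url, sfHost)` discards the base whenever `url` is absolute or protocol-relative (`//attacker.example/x` resolves to `https://attacker.example/x`), so the new line lets a caller-supplied `url` redirect the request — and whatever credentials this method attaches further down, outside the hunk — to a foreign host, which the old `sfHost + url` concatenation could not do. Pin the origin before opening: `if (fullUrl.origin !== new URL(sfHost).origin) throw new Error("Refusing request outside " + sfHost);` (comparing via `new URL(sfHost).origin` avoids case and default-port normalisation mismatches). If the surrounding method reports errors through a promise `reject` rather than throwing, use that instead; the method starts and ends outside this hunk, so I cannot tell from here.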
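Review bot: `"https://*.force.com/*"` in the new `web_accessible_resources` match list already covers `*.visual.force.com`, `*.vf.force.com` and `*.lightning.force.com`, so those three entries are redundant and can be dropped; the same wildcard presumably also matches customer-hosted Sites served under `*.force.com`, so content there can still load `options.html` and the other listed pages and fingerprint the extension — confirm whether that is intended. The list is a hand copy of `host_permissions` (visible in the first hunk of this file) with no check keeping the two in sync; generating one from the other at build time, or a test asserting they are equal, would stop them drifting. Once `minimum_chrome_version` can be raised to 96, adding `"use_dynamic_url": true` to this entry makes the resource URLs unguessable regardless of the match list.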