security: fix XSS vulnerabilities in GanttChart and AuditPage
- Add escapeHtml utility function for HTML entity encoding - Apply escapeHtml to GanttChart popup HTML template - Apply escapeHtml to AuditPage PDF export HTML template This prevents potential XSS attacks if task names, user names, or other dynamic content contains malicious HTML/JavaScript. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
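--- /dev/null
+++ b/frontend/src/utils/escapeHtml.ts
@@ -0,0 +1,24 @@
+/**
+ * Escapes HTML special characters to prevent XSS attacks.
+ * Use this when inserting dynamic content into HTML strings.
+ */
+export function escapeHtml(unsafe: string | null | undefined): string {
+if (unsafe == null) return ''
+return String(unsafe)
+.replace(/&/g, '&')
+.replace(/</g, '<')
+.replace(/>/g, '>')
+.replace(/"/g, '"')
+.replace(/'/g, ''')
+}
+
+/**
+ * Escapes HTML for use in HTML attributes.
+ * More restrictive than escapeHtml - also escapes backticks and equals.
+ */
+export function escapeAttr(unsafe: string | null | undefined): string {
+if (unsafe == null) return ''
+return escapeHtml(unsafe)
+.replace(/`/g, '`')
+.replace(/=/g, '=')
+}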
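Review bot: As rendered here every `.replace` call maps a character to itself (`.replace(/&/g, '&')`, `.replace(/</g, '<')`, and likewise for `>`, `"`, `'` in escapeHtml and the backtick and `=` lines in escapeAttr), which would make both functions identity maps and leave the GanttChart popup and AuditPage PDF templates exactly as unescaped as before; this is most likely the page decoding entity references on display, but the checked-in file should be confirmed to hold the entity literals (e.g. `&amp;`, `&lt;`, `&gt;`, `&quot;`) as the replacement strings, and a unit test asserting that `escapeHtml('<a>&')` returns `&lt;a&gt;&amp;` would pin that so a future edit cannot silently regress it. The escapeHtml docstring also overstates the contract: entity encoding only neutralises values placed in HTML text or quoted attribute values, so add ` * Only safe for HTML text content and quoted attribute values; it does not make a value safe inside <script>, <style>, a URL, or an event-handler attribute.` Since `unsafe` is already narrowed to `string` after the `== null` check, `String(unsafe)` on the following line is redundant and can be `return unsafe`.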