fix: sanitize doublequote string to prevent xss

dalkak2 · Dec 19, 2023 · 6e12922 · 6e12922
1 parent 642232b
commit 6e12922
Showing 1 changed file with 11 additions and 6 deletions.
diff --git a/src/util/visit.ts b/src/util/visit.ts
@@ -6,12 +6,16 @@ import {
     Function_,
 } from "../mod.ts"
 import * as cg from "./codegen.ts"
-import {
+import type {
     Expression,
 } from "./codegen.ts"
 
 import JSON5 from "https://esm.sh/[email protected]"
 
+const stringExpr =
+    (str: string) => 
+    `"` + str.replaceAll(`"`, `\\"`) + `"` as Expression
+
 export class Visitor {
     visitProject(project: Project) {
         return [
@@ -76,7 +80,7 @@ export class Visitor {
                 [
                     ...this.paramsToExpressions(event.params),
                     this.blockGroupToArrow(rest),
-                    `"$obj$"` as Expression,
+                    stringExpr("$obj$"),
                 ]
             )
         }
@@ -140,16 +144,17 @@ export class Visitor {
             return block.toString() as Expression
 
         if (typeof block == "string")
-            return `"${block}"` as Expression
+            return stringExpr(block)
 
         if (!block)
             return "" as Expression
 
         if (block.type == "number")
             return block.params[0]!.toString() as Expression
 
-        if (block.type == "text")
-            return `"${block.params[0]}"` as Expression
+        if (block.type == "text") {
+            return stringExpr(String(block.params[0] as string | number))
+        }
 
         if (
             block.type.startsWith("stringParam_")
@@ -176,7 +181,7 @@ export class Visitor {
                 ...this.paramsToExpressions(block.params),
                 ...block.statements
                     .map(blockGroup => this.blockGroupToArrow.bind(this)(blockGroup)),
-                `"$obj$"` as Expression,
+                stringExpr("$obj$"),
             ]
         )
     }