From 10985d4b81c5c4c2fe7cc767e64caf65df2e9ee9 Mon Sep 17 00:00:00 2001
From: Miroslav Pejic
Date: Mon, 29 May 2023 13:24:46 +0200
Subject: [PATCH] [mirotlaksfu] - improve check XSS

---
 app/src/XSS.js | 43 +++++++++++++++++++++++++++++--------------
 1 file changed, 29 insertions(+), 14 deletions(-)

diff --git a/app/src/XSS.js b/app/src/XSS.js
index a750dd7a..4bff3a55 100644
--- a/app/src/XSS.js
+++ b/app/src/XSS.js
@@ -7,27 +7,42 @@ const log = new Logger('Xss');
 const checkXSS = (dataObject) => {
 try {
 if (typeof dataObject === 'object' && Object.keys(dataObject).length > 0) {
- const escapedObj = escapeObject(dataObject);
- const data = xss(JSON.stringify(escapedObj));
- log.debug('Check XSS done');
- return JSON.parse(data);
+ let objectJson = objectToJSONString(dataObject);
+ if (objectJson) {
+ let jsonString = xss(objectJson);
+ let jsonObject = JSONStringToObject(jsonString);
+ if (jsonObject) {
+ log.debug('XSS Object sanitization done');
+ return jsonObject;
+ }
+ }
 }
- return xss(dataObject);
+ if (typeof dataObject === 'string' || dataObject instanceof String) {
+ log.debug('XSS String sanitization done');
+ return xss(dataObject);
+ }
+ log.warn('XSS not sanitized', dataObject);
+ return dataObject;
 } catch (error) {
- log.error('Check XSS error', { error: error, data: dataObject });
+ log.error('XSS error', { data: dataObject, error: error });
 return dataObject;
 }
 };
 
-function escapeObject(obj) {
- const escapedObj = {};
- for (const key in obj) {
- if (obj.hasOwnProperty(key)) {
- const escapedKey = key.replace(/[\\"']/g, '\\$&').replace(/\u0000/g, '\\0');
- escapedObj[escapedKey] = obj[key];
- }
+function objectToJSONString(dataObject) {
+ try {
+ return JSON.stringify(dataObject);
+ } catch (error) {
+ return false;
+ }
+}
+
+function JSONStringToObject(jsonString) {
+ try {
+ return JSON.parse(jsonString);
+ } catch (error) {
+ return false;
 }
- return escapedObj;
 }
 
 module.exports = checkXSS;
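Review bot: The new fallthrough at the end of checkXSS, `log.warn('XSS not sanitized', dataObject); return dataObject;`, together with the unchanged `return dataObject;` in the catch block, hands the caller's input back untouched whenever the object path does not complete, so the sanitizer fails open. For an object input that path stops as soon as xss() rewrites the serialized JSON into something JSON.parse rejects (it entity-encodes characters such as `<`; whether it also disturbs the `\"` escapes inside tag attributes would need checking against the js-xss version in use): JSONStringToObject returns false, the string branch does not match an object, and the raw payload is returned — and is also written to the log in full by that log.warn. Unless callers are known to handle an unsanitized result themselves, this should fail closed, e.g. `log.warn('XSS sanitization failed, input dropped', { type: typeof dataObject });` followed by `return Array.isArray(dataObject) ? [] : {};` for the object case, with the catch block treated the same way; if an empty result is not acceptable to callers, the function should at least signal the failure rather than silently return the input.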