openclaw/oikos
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: escape user input in shopping renderItem to prevent XSS

Browse Source
This commit is contained in:
Ulas
2026-03-31 12:53:00 +02:00
parent 0e035af492
commit cd017c4d0d
1 changed files with 17 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
public/pages/shopping.js
+17 -4
View File
@@ -202,15 +202,15 @@ function renderItem(item) {
data-item-id="${item.id}"> data-item-id="${item.id}">
<button class="item-check ${isDone ? 'item-check--checked' : ''}" <button class="item-check ${isDone ? 'item-check--checked' : ''}"
data-action="toggle-item" data-id="${item.id}" data-checked="${item.is_checked}" data-action="toggle-item" data-id="${item.id}" data-checked="${item.is_checked}"
aria-label="${item.name} ${isDone ? 'als nicht erledigt markieren' : 'abhaken'}"> aria-label="${escHtml(item.name)} ${isDone ? 'als nicht erledigt markieren' : 'abhaken'}">
<i data-lucide="check" class="item-check__icon" aria-hidden="true"></i> <i data-lucide="check" class="item-check__icon" aria-hidden="true"></i>
</button> </button>
<div class="item-body"> <div class="item-body">
<div class="item-name">${item.name}</div> <div class="item-name">${escHtml(item.name)}</div>
${item.quantity ? `<div class="item-quantity">${item.quantity}</div>` : ''} ${item.quantity ? `<div class="item-quantity">${escHtml(item.quantity)}</div>` : ''}
</div> </div>
<button class="item-delete" data-action="delete-item" data-id="${item.id}" <button class="item-delete" data-action="delete-item" data-id="${item.id}"
aria-label="${item.name} löschen"> aria-label="${escHtml(item.name)} löschen">
<i data-lucide="x" style="width:16px;height:16px" aria-hidden="true"></i> <i data-lucide="x" style="width:16px;height:16px" aria-hidden="true"></i>
</button> </button>
</div> </div>
@@ -731,3 +731,16 @@ export async function render(container, { user }) {
} }
}); });
} }
// --------------------------------------------------------
// HTML-Escaping
// --------------------------------------------------------
function escHtml(str) {
if (!str) return '';
return String(str)
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;');
}