
Commit 7749435

authored
fix(client): XSS vulnerability in components tab (#726)
1 parent c8cfd6a commit 7749435


2 files changed

+3
-2
lines changed


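--- a/packages/applet/src/components/state/StateFieldViewer.vue
+++ b/packages/applet/src/components/state/StateFieldViewer.vue
@@ -2,7 +2,7 @@
 import type { CustomInspectorState, InspectorCustomState } from '@vue/devtools-kit'
 import type { EditorAddNewPropType } from '~/composables/state-editor'
 import { rpc } from '@vue/devtools-core'
-import { DevToolsV6PluginAPIHookKeys, DevToolsV6PluginAPIHookPayloads, formatInspectorStateValue, getInspectorStateValueType, getRaw, toEdit, toSubmit } from '@vue/devtools-kit'
+import { DevToolsV6PluginAPIHookKeys, DevToolsV6PluginAPIHookPayloads, escape, formatInspectorStateValue, getInspectorStateValueType, getRaw, toEdit, toSubmit } from '@vue/devtools-kit'
 import { isArray, isObject, sortByKey } from '@vue/devtools-shared'
 import { vTooltip, VueButton, VueIcon } from '@vue/devtools-ui'
 import { computed, ref, watch } from 'vue'
@@ -71,7 +71,7 @@ const normalizedDisplayedValue = computed(() => {
 const _value = type.value === 'custom' && !_type ? `"${displayedValue.value}"` : (displayedValue.value === '' ? `""` : displayedValue.value)
 const normalizedType = type.value === 'custom' && _type === 'ref' ? getInspectorStateValueType(_value) : type.value
 const selectText = type.value === 'string' ? 'select-text' : ''
-const result = `<span title="${type.value === 'string' ? props.data.value : ''}" class="${normalizedType}-state-type flex whitespace-nowrap ${selectText}">${_value}</span>`
+const result = `<span title="${type.value === 'string' ? escape(props.data.value as unknown as string) : ''}" class="${normalizedType}-state-type flex whitespace-nowrap ${selectText}">${_value}</span>`
 
 if (extraDisplayedValue)
 return `${result} <span class="text-gray-500">(${extraDisplayedValue})</span>`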
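Review bot: The new `result` line escapes the value only inside the `title` attribute, while `${_value}` in the element body and `${extraDisplayedValue}` on the last context line are still interpolated into the same HTML string unescaped; unless `displayedValue` is already escaped where it is computed (outside this hunk), the string-typed path still renders inspected state as raw markup, so the same `escape()` should be applied to those interpolations or the fact that they are pre-escaped should be stated in a comment on `_value`. The `as unknown as string` double assertion also hides that `props.data.value` is not typed as a string; since the branch is already gated on `type.value === 'string'`, `escape(String(props.data.value))` expresses the same intent without bypassing the checker. The enclosing `normalizedDisplayedValue` computed starts before this hunk and continues past it.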

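--- a/packages/devtools-kit/src/index.ts
+++ b/packages/devtools-kit/src/index.ts
@@ -12,6 +12,7 @@ export type * from './core/component-inspector'
 export { INFINITY, NAN, NEGATIVE_INFINITY, UNDEFINED } from './core/component/state/constants'
 export { formatInspectorStateValue, getInspectorStateValueType, getRaw, toEdit, toSubmit } from './core/component/state/format'
 export { isPlainObject } from './core/component/state/is'
+export { escape } from './core/component/state/util'
 export type * from './core/component/types'
 export { updateDevToolsClientDetected } from './core/devtools-client/detected'
 export type * from './core/open-in-editor'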
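Review bot: Re-exporting `escape` from the package index makes a generically named helper part of the public API, and from this line alone a consumer cannot tell which context it escapes for (HTML text, attribute values, or both), which matters because the applet now relies on it inside a double-quoted attribute. Its definition in `./core/component/state/util` is outside this diff; a TSDoc comment there stating the exact characters it replaces and the context it is safe for, or a more specific export name such as `escapeHtml`, would make the contract visible to callers.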
