taler-typescript-core

Wallet core logic and WebUIs for various components

commit d49344dae8b92bd458418ac20d93f61616897dc2
parent 3c86bfb1435deba091771ca4e6135fbfd29b70ec
Author: Nullptrderef <nullptrderef@proton.me>
Date:   Wed, 14 Aug 2024 16:06:01 +0200

fix: qr code alt text xss

Diffstat:
Mpackages/merchant-backoffice-ui/src/components/exception/QR.tsx | 9++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/packages/merchant-backoffice-ui/src/components/exception/QR.tsx b/packages/merchant-backoffice-ui/src/components/exception/QR.tsx
@@ -31,7 +31,14 @@ export function QR({ text }: { text: string }): VNode {
 const imageURL = `data:image/svg+xml,${encodeURIComponent(image)}`;
 divRef.current.innerHTML = `<img src=${JSON.stringify(
 imageURL,
- )} alt=${JSON.stringify(`QR Code containing the data ${text}`)} />`;
+ )} alt=${JSON.stringify(
+ `QR Code containing the data ${text
+ .replace(/&/g, "&amp;")
+ .replace(/</g, "&lt;")
+ .replace(/>/g, "&gt;")
+ .replace(/"/g, "&quot;")
+ .replace(/'/g, "&#039;")}`,
+ )} />`;
 }
 });
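Review bot: The `alt` value is still hand-escaped and concatenated into an `innerHTML` string, so the line stays safe only while the five-entity `.replace` chain remains complete and nobody reorders or trims it. `JSON.stringify` is also doing the attribute quoting, and it emits JavaScript backslash escapes that HTML does not interpret, so a backslash or newline in `text` reaches the alt text altered. Setting the attributes as DOM properties avoids parsing markup at all and needs no escaping; rendering the `<img>` through JSX would give the same guarantee. The enclosing effect in `QR` starts and ends outside the hunk, so how `image` is produced is not visible here.

```typescript
// … unchanged: imageURL built from encodeURIComponent(image) …
const img = document.createElement("img");
img.src = imageURL;
// Property assignment is never parsed as markup, so `text` needs no escaping.
img.alt = `QR Code containing the data ${text}`;
divRef.current.replaceChildren(img);
```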