diff --git a/src/public/index.html b/src/public/index.html
index 3254b7d..fca5e31 100644
--- a/src/public/index.html
+++ b/src/public/index.html
@@ -2127,6 +2127,12 @@
}
+ // escape strings for tooltips etc, to prevent html/script injection
+ // not used in vuejs, as that auto escapes
+ function escapeString(string) {
+ return string.replace(//g, ">");
+ }
+
function onNodesUpdated(updatedNodes) {
// clear nodes cache
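Review bot: As far as the replace chain in `escapeString` is legible on this page, it covers only the angle brackets, so `&` and both quote characters pass through unchanged. That is enough for text placed between tags, but not if an escaped value is ever put inside an attribute, and a name containing a literal `&lt;` would render as `<` in the tooltip. I would replace `&` first and add the quotes: `return string.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");`. The comment above the function could also state that the result is meant for HTML text content only.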
@@ -2285,7 +2291,7 @@
distance = `${distanceInKilometers} kilometers`;
}
- const tooltip = `${node.long_name} heard ${neighbourNode.long_name}`
+ const tooltip = `${escapeString(node.long_name)} heard ${escapeString(neighbourNode.long_name)}`
+ `
SNR: ${neighbour.snr}dB`
+ `
Distance: ${distance}`
+ `
ID: ${neighbourNode.node_id} -> ${node.node_id}`
@@ -2473,8 +2479,8 @@
var loraFrequencyRange = getRegionFrequencyRange(node.region_name);
var tooltip = `
` +
- `${node.long_name}` +
- `
Short Name: ${node.short_name}` +
+ `${escapeString(node.long_name)}` +
+ `
Short Name: ${escapeString(node.short_name)}` +
`
MQTT Status: ${mqttStatus}` +
(node.num_online_local_nodes != null ? `
Local Nodes Online: ${node.num_online_local_nodes}` : '') +
`
Role: ${node.role_name}` +
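Review bot: Only the two name fields in this tooltip are escaped; `${mqttStatus}` and `${node.role_name}` are still interpolated raw into the same HTML string. The tooltip concatenation also continues past the end of this hunk, so later fields are not visible here. If any of these values can carry text supplied by a node rather than a server-side enum or number, they need the same treatment, e.g. `${escapeString(node.role_name)}`. Escaping every interpolation in the tooltip builders, or building them through one helper that escapes by default, avoids having to reason about each field's origin.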
@@ -2524,8 +2530,8 @@
// get from node name
var fromNode = findNodeById(waypoint.from);
- var tooltip = `${waypoint.name}` +
- (waypoint.description ? `
${waypoint.description}` : '') +
+ var tooltip = `${escapeString(waypoint.name)}` +
+ (waypoint.description ? `
${escapeString(waypoint.description)}` : '') +
`
Expires: ${moment(new Date(waypoint.expire * 1000)).fromNow()}` +
`
Lat/Lng: ${waypoint.latitude}, ${waypoint.longitude}` +
`
From ID: ${waypoint.from}` +
@@ -2533,7 +2539,7 @@
// show node name this waypoint is from, if possible
if(fromNode != null){
- tooltip += `
From Node: ${fromNode.long_name || 'Unnamed Node'}`;
+ tooltip += `
From Node: ${escapeString(fromNode.long_name) || 'Unnamed Node'}`;
} else {
tooltip += `
From Node: ???`;
}
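Review bot: `escapeString(fromNode.long_name) || 'Unnamed Node'` calls `string.replace` before the fallback is evaluated, so a node with a null or undefined `long_name` now throws a TypeError instead of showing "Unnamed Node". The `||` fallback suggests that case is expected. Moving the fallback inside the call keeps the old behaviour: `${escapeString(fromNode.long_name || 'Unnamed Node')}`. The other new call sites (the hunks at 2291, 2479 and 2530) pass `long_name`, `short_name` and `waypoint.name` unguarded, so it may be safer for `escapeString` itself to coerce its input, e.g. `String(string ?? '')`, before replacing.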