jfcherng/php-diff

In Combined view, HTML in the OP_EQ section is not escaped

aaronpk opened this issue · 2 comments

To reproduce:

<?php
// Assumes the Composer autoloader for jfcherng/php-diff lives at vendor/autoload.php
require __DIR__ . '/vendor/autoload.php';

$old = '<b>three</b>';

$new = 'one
<b>two</b>
<b>three</b>';

// Render the diff with the Combined (single-column) HTML renderer
echo Jfcherng\Diff\DiffHelper::calculate($old, $new, 'Combined');

Output (newlines added for readability):

<table class="diff-wrapper diff diff-html diff-combined">
  <thead><tr><th>Differences</th></tr></thead>
<tbody class="change change-ins">
  <tr data-type="+">
    <td class="new">one</td>
  </tr>
  <tr data-type="+">
    <td class="new">&lt;b&gt;two&lt;/b&gt;</td>
  </tr>
</tbody>
<tbody class="change change-eq">
  <tr data-type=" ">
    <td class="new"><b>three</b></td>
  </tr>
</tbody>
</table>

The line <b>two</b> is properly escaped as &lt;b&gt;two&lt;/b&gt;, but <b>three</b> is output literally.

This may lead to XSS if the diffed text that didn't change contains JavaScript.

Thanks. Fixed in d32c7b6.
6.7.4 has been released.

Thanks for the quick fix!
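A regression check for this bug, added here as an example and not code from jfcherng/php-diff or from anyone in the thread. It assumes a Composer install of the library (6.7.4 or later, so the fix is present) with the autoloader at vendor/autoload.php, and uses only the DiffHelper::calculate($old, $new, 'Combined') call from the reproduction. The idea: a properly escaped cell contains nothing but text nodes (plus the renderer's own <ins>/<del> inline markup), so any other element appearing as a child of a <td> means an input line was emitted raw, which is exactly the failure the report shows for the unchanged <b>three</b> line.

```php
<?php
// Added regression check for the unescaped OP_EQ cell; not part of jfcherng/php-diff.
// Assumptions: Composer autoloader at vendor/autoload.php, jfcherng/php-diff >= 6.7.4,
// and the DiffHelper::calculate($old, $new, 'Combined') API shown in the issue.
require __DIR__ . '/vendor/autoload.php';

use Jfcherng\Diff\DiffHelper;

/**
 * Scan a rendered HTML diff for <td> cells containing markup that did not come
 * from the renderer. Escaped input lines only ever become text nodes; the
 * renderer itself may add <ins>/<del> for inline highlighting, so those are
 * tolerated. Any other child element (e.g. <b>, <script>) means an input line
 * was written to the output unescaped.
 *
 * Returns a list of [cellHtml, foreignTagNames] pairs for offending cells.
 */
function findUnescapedCells(string $html): array
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);                   // the output is a fragment, not a full document
    $dom->loadHTML('<?xml encoding="utf-8"?>' . $html); // force UTF-8 interpretation
    libxml_clear_errors();

    $allowed = ['ins' => true, 'del' => true];
    $bad = [];

    foreach ($dom->getElementsByTagName('td') as $td) {
        $foreign = [];
        foreach ($td->childNodes as $node) {
            if ($node->nodeType === XML_ELEMENT_NODE
                && !isset($allowed[strtolower($node->nodeName)])) {
                $foreign[] = strtolower($node->nodeName);
            }
        }
        if ($foreign !== []) {
            $bad[] = [$dom->saveHTML($td), $foreign];
        }
    }
    return $bad;
}

// Constructed inputs, copied from the reproduction in the report. The third line
// is unchanged between $old and $new, so it lands in the OP_EQ block.
$old = '<b>three</b>';
$new = "one\n<b>two</b>\n<b>three</b>";

$html = DiffHelper::calculate($old, $new, 'Combined');
$bad  = findUnescapedCells($html);

if ($bad === []) {
    echo "OK: every <td> in the Combined view contains only escaped text\n";
    exit(0);
}
foreach ($bad as [$cellHtml, $tags]) {
    echo 'UNESCAPED CELL (' . implode(',', $tags) . "): {$cellHtml}\n";
}
exit(1);
```

Run against a version before the fix, the eq cell parses as `<td class="new"><b>three</b></td>` with a `b` child element and the script exits 1; against 6.7.4 the same cell is `&lt;b&gt;three&lt;/b&gt;`, a single text node, and it exits 0. Because the check works on the parsed DOM rather than on the raw string, it is not fooled by attribute or entity quirks in how a given line happens to be emitted, and it extends naturally to the Inline and SideBySide renderers, where the same rule (only renderer-generated <ins>/<del> may appear inside a cell) applies.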