In Combined view, HTML in the OP_EQ section is not escaped
aaronpk opened this issue · 2 comments
aaronpk commented
To reproduce:
```php
<?php
require 'vendor/autoload.php'; // Composer autoloader (path assumed, not shown in the issue)

$old = '<b>three</b>';
$new = 'one
<b>two</b>
<b>three</b>';

echo Jfcherng\Diff\DiffHelper::calculate($old, $new, 'Combined');
```
Output (newlines added for readability):

```html
<table class="diff-wrapper diff diff-html diff-combined">
<thead><tr><th>Differences</th></tr></thead>
<tbody class="change change-ins">
<tr data-type="+">
<td class="new">one</td>
</tr>
<tr data-type="+">
<td class="new">&lt;b&gt;two&lt;/b&gt;</td>
</tr>
</tbody>
<tbody class="change change-eq">
<tr data-type=" ">
<td class="new"><b>three</b></td>
</tr>
</tbody>
</table>
```
The line `<b>two</b>` is properly escaped as `&lt;b&gt;two&lt;/b&gt;`, but `<b>three</b>` is output literally.
This may lead to XSS if the diffed text that didn't change contains JavaScript.
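A regression check for this report, added here as an example and not taken from the php-diff project's own test suite. It renders the Combined view and verifies that no input line containing HTML metacharacters reaches the output verbatim, whether it was added, removed or left unchanged. It assumes a Composer autoloader at `vendor/autoload.php`; the inputs are the reproduction above plus one constructed unchanged line carrying a script tag, the case the report warns about.

```php
<?php
// Added example, not part of the php-diff project. Autoload path is an assumption.
require __DIR__ . '/vendor/autoload.php';

use Jfcherng\Diff\DiffHelper;

/**
 * Render a Combined diff of $old and $new and return a list of input lines
 * that appear in the HTML output unescaped. An empty list means every
 * user-supplied line was entity-encoded, which is the property the fix
 * for this issue has to guarantee for unchanged lines as well.
 */
function findUnescapedDiffLines(string $old, string $new): array
{
    $html = DiffHelper::calculate($old, $new, 'Combined');
    $problems = [];

    $lines = array_unique(array_merge(explode("\n", $old), explode("\n", $new)));
    foreach ($lines as $line) {
        // Lines without HTML metacharacters look the same escaped or not, so skip them.
        if ($line === '' || strpbrk($line, '<>&"\'') === false) {
            continue;
        }
        // A correctly escaped line can only reach the output as &lt;...&gt;
        // (possibly split by <ins>/<del> markup); the raw text must never appear.
        if (strpos($html, $line) !== false) {
            $problems[] = "unescaped line reached output: {$line}";
        }
    }

    return $problems;
}

// Constructed inputs: the reproduction from this issue, plus an unchanged line
// containing a script tag, which is exactly the XSS case described above.
$old = "<b>three</b>\n<script>alert('xss')</script>";
$new = "one\n<b>two</b>\n<b>three</b>\n<script>alert('xss')</script>";

$problems = findUnescapedDiffLines($old, $new);
if ($problems === []) {
    echo "OK: all diff text is escaped\n";
    exit(0);
}
echo "FAIL:\n  " . implode("\n  ", $problems) . "\n";
exit(1);
```

Run it against the version in use: on an affected build it exits 1 and lists the unchanged `<b>three</b>` and script lines; on a fixed build it prints OK. Checking for the absence of the raw line rather than the presence of one exact escaped form keeps the test independent of which `htmlspecialchars` flags the renderer uses.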
aaronpk commented
Thanks for the quick fix!