From 9cca6af090446263cade6f42b5ad9d0b77bf98ee Mon Sep 17 00:00:00 2001
From: Roland Eigelsreiter
Date: Fri, 29 Dec 2023 17:48:09 +0100
Subject: [PATCH] fixed potential xss in example scripts
---
dist/example-js.html | 4 ++--
dist/example-php.php | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/dist/example-js.html b/dist/example-js.html
index 51d4f70..a8a0bdf 100644
--- a/dist/example-js.html
+++ b/dist/example-js.html
@@ -30,8 +30,8 @@ let encrypted = url.searchParams.get('encrypted') ? atob(url.searchParams.get('encrypted')) : '{"ct":"hQDvpbAKTGp1mXgzSShR9g==","iv":"57fd85773d898d1f9f868c53b436e28f","s":"a2dac436512077c5"}' let password = '123456' let decrypted = CryptoJSAesJson.decrypt(encrypted, password)
- results.innerHTML += 'Decrypted (From ' + encrypted + '):
' - results.innerHTML += decrypted + results.innerHTML += 'Decrypted (From ' + encrypted.replace(//g, '>') + '):
' + results.innerHTML += decrypted.replace(//g, '>') })()
diff --git a/dist/example-php.php b/dist/example-php.php
index ce6d6a5..86ad23d 100644
--- a/dist/example-php.php
+++ b/dist/example-php.php
@@ -8,7 +8,7 @@ $originalValue = ["Coming from PHP - We do encrypt an array", "123", ['nested']]; // this could be any value $password = "123456"; $encrypted = CryptoJsAes::encrypt($originalValue, $password);
-echo "Encrypted:
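Review bot: The two added `+ results.innerHTML += ...` lines hand-escape only the angle brackets (the regexes look garbled in this rendering, presumably `/</g, '&lt;'` and `/>/g, '&gt;'`), so `&` still passes through unescaped, and `decrypted.replace(...)` throws a TypeError as soon as `CryptoJSAesJson.decrypt` returns anything other than a string — the PHP example's `print_r` suggests arrays are a normal result. Both `encrypted` (from the `encrypted` URL parameter via `atob`) and `decrypted` (decrypted under the hard-coded `'123456'`) are fully user-controlled here, so the example is exactly where escaping must be complete. The robust fix is to stop concatenating into `innerHTML` and append text nodes, which needs no escaping at all: `results.append(document.createTextNode('Decrypted (From ' + encrypted + '):'), document.createElement('br'), document.createTextNode(String(decrypted)))`. The enclosing async IIFE and the `results` element are defined before this hunk; if the library can return objects, `JSON.stringify(decrypted)` would display them more usefully than `String()`.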
" . $encrypted . "

\n"; +echo "Encrypted:
" . htmlentities($encrypted) . "

\n"; // something like: {"ct":"g9uYq0DJypTfiyQAspfUCkf+\/tpoW4DrZrpw0Tngrv10r+\/yeJMeseBwDtJ5gTnx","iv":"c8fdc314b9d9acad7bea9a865671ea51","s":"7e61a4cd341279af"} // decrypt
@@ -16,4 +16,4 @@ $password = "123456"; $decrypted = CryptoJsAes::decrypt($encrypted, $password);
-echo "Decrypted (From $encrypted):
" . print_r($decrypted, true); \ No newline at end of file +echo "Decrypted (From " . htmlentities($encrypted) . "):
" . htmlentities(print_r($decrypted, true)); \ No newline at end of file
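Review bot: The `htmlentities($encrypted)` and `htmlentities(print_r($decrypted, true))` calls on the new `+echo` line rely on PHP's version-dependent defaults (ENT_COMPAT before 8.1, ENT_QUOTES|ENT_SUBSTITUTE from 8.1), and `htmlentities` converts far more than an element body needs. Make the escaping explicit once and reuse it: `$h = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` (PHP 7.4+ arrow function; a plain `function` works on older versions) and then `echo "Decrypted (From " . $h($encrypted) . "):<br>" . $h(print_r($decrypted, true));`, with the same replacement in the earlier `Encrypted:` echo. As far as this hunk shows, `$encrypted` is produced server-side from the hard-coded `$originalValue`, so this is defense-in-depth rather than a reachable XSS — worth saying in the example's comments so readers know the escaping is mandatory once the value comes from a request. `print_r` of an array is also multi-line, so wrapping the decrypted output in `<pre>` would keep it readable.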