diff --git a/hledger-web/Hledger/Web/Widget/AddForm.hs b/hledger-web/Hledger/Web/Widget/AddForm.hs
index ad31ef961..2ebc3a533 100644
--- a/hledger-web/Hledger/Web/Widget/AddForm.hs
+++ b/hledger-web/Hledger/Web/Widget/AddForm.hs
@@ -17,6 +17,7 @@ import Data.List (dropWhileEnd, intercalate, unfoldr)
 import Data.Maybe (isJust)
 import qualified Data.Set as S
 import Data.Text (Text)
+import Data.Text.Encoding.Base64 (encodeBase64)
 import qualified Data.Text as T
 import Data.Time (Day)
 import Text.Blaze.Internal (Markup, preEscapedString)
@@ -95,13 +96,19 @@ addForm j today = identifyForm "add" $ \extra -> do
 intercalate "," $ map (
 ("{\"value\":" ++).
 (++"}").
- show .
- -- avoid https://github.com/simonmichael/hledger/issues/236
- T.replace "" "<\\/script>"
+ -- This will convert a value such as ``hledger!`` into
+ -- ``atob("aGxlZGdlciE=")``. When this gets evaluated on the client,
+ -- the resulting string is ``hledger!`` again. The same data is
+ -- passed, but the user-controlled bit of that string can only use
+ -- characters [a-zA-Z0-9+=/], making it impossible to break out of
+ -- string context.
+ b64wrap
 ) ts,
 "]"
 ]
 where
+b64wrap :: Text -> String
+b64wrap = ("atob(\""++) . (++"\")") . T.unpack . encodeBase64
 
 validateTransaction ::
 FormResult Day
diff --git a/hledger-web/hledger-web.cabal b/hledger-web/hledger-web.cabal
index b79d34df7..ac1641fcb 100644
--- a/hledger-web/hledger-web.cabal
+++ b/hledger-web/hledger-web.cabal
@@ -156,6 +156,7 @@ library
 Decimal >=0.5.1
 , aeson >=1
 , base >=4.11 && <4.16
+ , base64
 , blaze-html
 , blaze-markup
 , bytestring
diff --git a/hledger-web/package.yaml b/hledger-web/package.yaml
index 6ee1a52cd..d9e395b8e 100644
--- a/hledger-web/package.yaml
+++ b/hledger-web/package.yaml
@@ -103,6 +103,7 @@ library:
 - hledger >=1.22.99 && <1.23
 - aeson >=1
 - base >=4.11 && <4.16
+ - base64
 - blaze-html
 - blaze-markup
 - bytestring
diff --git a/stack8.6.yaml b/stack8.6.yaml
index 816f916eb..fc5b6cde0 100644
--- a/stack8.6.yaml
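Review bot: `atob` in the emitted `b64wrap` output yields one code unit per byte, while `encodeBase64` encodes the UTF-8 bytes of the `Text`, so any value in `ts` containing a non-ASCII character (plausible for account names, though what `ts` holds is not visible in this hunk) would reach the client as the Latin-1 reading of its UTF-8 bytes rather than the original string, a round trip the removed `show` path preserved. The string-context escaping goal is met by the base64 alphabet, but the client side should decode the byte string, e.g. emitting `new TextDecoder().decode(Uint8Array.from(atob("…"), function (c) { return c.charCodeAt(0); }))` around the existing `atob` call, or the comment should state that only ASCII values are expected. Since the elements are now call expressions, the emitted list is valid only as JavaScript and no longer as JSON, which deserves a comment where the `"]"` is built so nobody later hands it to a JSON parser. The top-level `b64wrap` placed directly after a `where` that appears to have no bindings reads like a local binding; either indent it under `where` or separate it with a blank line and a Haddock such as `-- | Render a value as an atob(...) call whose only user-controlled part is base64 text, so it cannot leave JS string context.` `addForm`'s body begins before this hunk.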
+++ b/stack8.6.yaml
@@ -31,6 +31,8 @@ extra-deps:
 - githash-0.1.4.0
 # for hledger-ui:
 # for hledger-web:
+- ghc-byteorder-4.11.0.0.10
+- base64-0.4.2.3
 # Workaround for https://github.com/commercialhaskell/stack/issues/3922
 # Try dropping this.. after stack 2 has been out a while ? Or now ? How about now ?
diff --git a/stack8.8.yaml b/stack8.8.yaml
index 140554d53..39e1d8bd3 100644
--- a/stack8.8.yaml
+++ b/stack8.8.yaml
@@ -20,6 +20,7 @@ extra-deps:
 # for hledger:
 # for hledger-ui:
 # for hledger-web:
+- ghc-byteorder-4.11.0.0.10
 # for Shake.hs:
 # for precise profiling, per https://www.tweag.io/posts/2020-01-30-haskell-profiling.html: