diff --git a/arduino-ide-extension/package.json b/arduino-ide-extension/package.json
index 6dfb8e35a..79d087742 100644
--- a/arduino-ide-extension/package.json
+++ b/arduino-ide-extension/package.json
@@ -67,6 +67,7 @@
     "cross-fetch": "^3.1.5",
     "dateformat": "^3.0.3",
     "deepmerge": "^4.2.2",
+    "dompurify": "^2.4.7",
     "drivelist": "^9.2.4",
     "electron-updater": "^4.6.5",
     "fast-deep-equal": "^3.1.3",
diff --git a/arduino-ide-extension/src/browser/dialogs/ide-updater/ide-updater-dialog.tsx b/arduino-ide-extension/src/browser/dialogs/ide-updater/ide-updater-dialog.tsx
index e73de643f..0598b2853 100644
--- a/arduino-ide-extension/src/browser/dialogs/ide-updater/ide-updater-dialog.tsx
+++ b/arduino-ide-extension/src/browser/dialogs/ide-updater/ide-updater-dialog.tsx
@@ -17,6 +17,7 @@ import {
 } from '../../../common/protocol/ide-updater';
 import { LocalStorageService } from '@theia/core/lib/browser';
 import { WindowService } from '@theia/core/lib/browser/window/window-service';
+import { sanitize } from 'dompurify';
 
 @injectable()
 export class IDEUpdaterDialogProps extends DialogProps {}
@@ -173,9 +174,8 @@ export class IDEUpdaterDialog extends ReactDialog {
     footer.appendChild(footerContent);
 
     const footerLink = document.createElement('a');
-    footerLink.innerText = nls.localize(
-      'arduino/ide-updater/donateLinkText',
-      'donate to support us'
+    footerLink.innerText = sanitize(
+      nls.localize('arduino/ide-updater/donateLinkText', 'donate to support us')
     );
     footerLink.classList.add('ide-updater-dialog--footer-link');
     footerLink.onclick = () =>
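Review bot: The new `"dompurify": "^2.4.7"` range does not collapse into the `dompurify@^2.2.9` entry that the yarn.lock hunk shows already resolving to 2.4.7; the lockfile instead gains a second entry at 2.5.7, so two copies of DOMPurify would be installed and bundled. If the other consumer's range is acceptable, `"dompurify": "^2.2.9"` (or a dedupe of the lockfile) keeps a single copy, which is also one fewer package version to track for advisories. The `.tsx` files import `sanitize` from this package; if `@types/dompurify` is not already a devDependency it presumably needs adding alongside, since the 2.x line does not appear to ship its own typings.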
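Review bot: Wrapping the localized string in `sanitize()` before assigning it to `innerText` adds no protection and can corrupt the displayed text: `innerText` never parses markup, while DOMPurify returns an HTML-serialized string, so a translation containing `&` or `<` (for example "love & code" or "<3") would be shown with the entity text `&amp;`/`&lt;` literally. The plain assignment is already safe, so `footerLink.innerText = nls.localize('arduino/ide-updater/donateLinkText', 'donate to support us');` is the line to keep. The same applies to `footerText` in the `@@ -190` hunk of this file (if its pieces are later inserted as text, which is outside the hunk) and to `this.titleNode.innerText` in `version-welcome-dialog.tsx`, where the switch from `innerHTML` to `innerText` is what actually closes the injection path, not the `sanitize()` call. The enclosing method continues past the hunk in each case.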
@@ -190,10 +190,12 @@ export class IDEUpdaterDialog extends ReactDialog {
     footerLink.appendChild(footerLinkIcon);
 
     const placeholderKey = '%%link%%';
-    const footerText = nls.localize(
-      'arduino/ide-updater/donateText',
-      'Open source is love, {0}',
-      placeholderKey
+    const footerText = sanitize(
+      nls.localize(
+        'arduino/ide-updater/donateText',
+        'Open source is love, {0}',
+        placeholderKey
+      )
     );
     const placeholder = footerText.indexOf(placeholderKey);
     if (placeholder !== -1) {
diff --git a/arduino-ide-extension/src/browser/dialogs/version-welcome-dialog.tsx b/arduino-ide-extension/src/browser/dialogs/version-welcome-dialog.tsx
index 6d5a71db0..380d980df 100644
--- a/arduino-ide-extension/src/browser/dialogs/version-welcome-dialog.tsx
+++ b/arduino-ide-extension/src/browser/dialogs/version-welcome-dialog.tsx
@@ -6,6 +6,7 @@ import { nls } from '@theia/core';
 import { DialogProps } from '@theia/core/lib/browser';
 import { WindowService } from '@theia/core/lib/browser/window/window-service';
 import { AppService } from '../app-service';
+import { sanitize } from 'dompurify';
 
 @injectable()
 export class VersionWelcomeDialogProps extends DialogProps {}
@@ -87,10 +88,12 @@ export class VersionWelcomeDialog extends ReactDialog {
     const { appVersion } = appInfo;
 
     if (appVersion) {
-      this.titleNode.innerHTML = nls.localize(
-        'arduino/versionWelcome/titleWithVersion',
-        'Welcome to the new Arduino IDE {0}!',
-        appVersion
+      this.titleNode.innerText = sanitize(
+        nls.localize(
+          'arduino/versionWelcome/titleWithVersion',
+          'Welcome to the new Arduino IDE {0}!',
+          appVersion
+        )
       );
     }
   }
diff --git a/yarn.lock b/yarn.lock
index f70c3a914..0c3367a1b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5937,6 +5937,11 @@ dompurify@^2.2.9:
   resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.4.7.tgz#277adeb40a2c84be2d42a8bcd45f582bfa4d0cfc"
   integrity sha512-kxxKlPEDa6Nc5WJi+qRgPbOAbgTpSULL+vI3NUXsZMlkJxTqYI9wg5ZTay2sFrdZRWHPWNi+EdAhcJf81WtoMQ==
 
+dompurify@^2.4.7:
+  version "2.5.7"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.5.7.tgz#6e0d36b9177db5a99f18ade1f28579db5ab839d7"
+  integrity sha512-2q4bEI+coQM8f5ez7kt2xclg1XsecaV9ASJk/54vwlfRRNQfDqJz2pzQ8t0Ix/ToBpXlVjrRIx7pFC/o8itG2Q==
+
 dot-case@^3.0.4:
   version "3.0.4"
   resolved "https://registry.yarnpkg.com/dot-case/-/dot-case-3.0.4.tgz#9b2b670d00a431667a8a75ba29cd1b98809ce751"