Skip to content

GitLab

Commit 02f062b5 authored by comfyanonymous's avatar comfyanonymous
Browse files

Sanitize unknown node types on load to prevent XSS.

parent 1ffa8858
Hide whitespace changes
Inline Side-by-side
Showing with 17 additions and 0 deletions
web/scripts/app.js
View file @ 02f062b5
...@@ -5,6 +5,22 @@ import { api } from "./api.js"; ...@@ -5,6 +5,22 @@ import { api } from "./api.js";
import { defaultGraph } from "./defaultGraph.js"; import { defaultGraph } from "./defaultGraph.js";
import { getPngMetadata, getWebpMetadata, importA1111, getLatentMetadata } from "./pnginfo.js"; import { getPngMetadata, getWebpMetadata, importA1111, getLatentMetadata } from "./pnginfo.js";
function sanitizeNodeName(string) {
let entityMap = {
'&': '',
'<': '',
'>': '',
'"': '',
"'": '',
'`': '',
'=': ''
};
return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) {
return entityMap[s];
});
}
/** /**
* @typedef {import("types/comfy").ComfyExtension} ComfyExtension * @typedef {import("types/comfy").ComfyExtension} ComfyExtension
*/ */
...@@ -1480,6 +1496,7 @@ export class ComfyApp { ...@@ -1480,6 +1496,7 @@ export class ComfyApp {
// Find missing node types // Find missing node types
if (!(n.type in LiteGraph.registered_node_types)) { if (!(n.type in LiteGraph.registered_node_types)) {
n.type = sanitizeNodeName(n.type);
missingNodeTypes.push(n.type); missingNodeTypes.push(n.type);
} }
} }
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment