fix script injection to notification - bump to 2.17.0

Author: Dave Conway-Jones

CHANGELOG.md

@@ -1,10 +1,9 @@
-### 2.16.4-beta: Maintenance Release
-
-**Enhancements**
+### 2.17.0: Maintenance Release
 
  **Fixes**
 
   - Better vertical align larger button icons if supplied via label text
+  - Fix ui_notification node to not accept raw HTML by default, add option to allow.
 
 ### 2.16.3: Maintenance Release
 

dist/dashboard.appcache

@@ -24,4 +24,4 @@ fonts/weather-icons-lite.woff2
 NETWORK:
 *
 
-# hash: c50d6ccb3895b8cbd2a6114acbc93dc3c9c6f359018907aa8f609ffef066c498
+# hash: a27822f01b29538a854757969a42c6d6d898aab36f354980c53870c2058e5f60

dist/js/app.min.js

@@ -10,6 +10,7 @@
             outputs: {value: 0},
             ok: {value: 'OK', required: true},
             cancel: {value: ''},
+            raw: {value: false},
             topic: {value: ''},
             name: {value: ''}
         },
@@ -67,7 +68,7 @@
         <input type="text" id="node-input-highlight" placeholder="(optional) border highlight colour">
     </div>
     <div class="form-row" id="node-toast-sendtoall">
-        <label style="width:auto" for="node-input-sendall"><i class="fa fa-arrow-right"></i> Send to all browser sessions.</label>
+        <label style="width:auto" for="node-input-sendall"><i class="fa fa-arrow-right"></i> Send to all browser sessions. </label>
         <input type="checkbox" checked id="node-input-sendall" style="display:inline-block; width:auto; vertical-align:baseline;">
     </div>
     <div class="form-row" id="node-dialog-displayok">
@@ -78,6 +79,10 @@
         <label for="node-input-cancel"><i class="fa fa-times"></i> Secondary action label</label>
         <input type="text" id="node-input-cancel" placeholder="(optional label for Cancel button)">
     </div>
+    <div class="form-row" id="node-toast-raw">
+        <label style="width:auto" for="node-input-raw"><i class="fa fa-exclamation-triangle"></i> Accept raw HTML/JavaScript input. </label>
+        <input type="checkbox" id="node-input-raw" style="display:inline-block; width:auto; vertical-align:baseline;">
+    </div>
     <div class="form-row" id="node-dialog-topic">
         <label for="node-input-topic"><i class="fa fa-tasks"></i> Topic</label>
         <input type="text" id="node-input-topic" placeholder="(optional msg.topic)">
@@ -86,6 +91,8 @@
         <label for="node-input-name"><i class="fa fa-tag"></i> Name</label>
         <input type="text" id="node-input-name" placeholder="Name">
     </div>
+    <div class="form-tips"><b>Note</b>: checking <i>Accept raw HTML/JavaScript</i> can allow injection of code.
+    Ensure the input comes from trusted sources.</span></div>
 </script>
 
 <script type="text/x-red" data-help-name="ui_toast">

nodes/ui_toast.html

@@ -16,14 +16,15 @@ module.exports = function(RED) {
         this.topic = config.topic;
         if (config.sendall === undefined) { this.sendall = true; }
         else { this.sendall = config.sendall; }
+        this.raw = config.raw || false;
         var node = this;
 
         var noscript = function (content) {
             if (typeof content === "object") { return null; }
             content = '' + content;
-            content = content.replace(/<.*cript.*\/scrip.*>/ig, '');
-            content = content.replace(/ on\w+=".*"/g, '');
-            content = content.replace(/ on\w+=\'.*\'/g, '');
+            content = content.replace(/<.*cript.*/ig, '');
+            content = content.replace(/.on\w+=.*".*"/g, '');
+            content = content.replace(/.on\w+=.*\'.*\'/g, '');
             return content;
         }
 
@@ -41,7 +42,7 @@ module.exports = function(RED) {
 
         node.on('input', function(msg) {
             if (node.position !== "dialog" && node.sendall === true) { delete msg.socketid; }
-            msg.payload = noscript(msg.payload);
+            //msg.payload = noscript(msg.payload);
             ui.emitSocket('show-toast', {
                 title: node.topic || msg.topic,
                 message: msg.payload,
@@ -53,6 +54,7 @@ module.exports = function(RED) {
                 ok: node.ok,
                 cancel: node.cancel,
                 socketid: msg.socketid,
+                raw: node.raw,
                 msg: msg
             });
         });

nodes/ui_toast.js

@@ -1,6 +1,6 @@
 {
     "name": "node-red-dashboard",
-    "version": "2.16.4-beta",
+    "version": "2.17.0",
     "description": "A set of dashboard nodes for Node-RED",
     "keywords": [
         "node-red"

package.json

@@ -511,6 +511,11 @@ app.controller('MainController', ['$mdSidenav', '$window', 'UiEvents', '$locatio
         });
 
         events.on('show-toast', function (msg) {
+            if (msg.raw !== true) {
+                var temp = document.createElement('div');
+                temp.textContent = str;
+                msg.message = temp.innerHTML;
+            }
             if (msg.dialog === true) {
                 var confirm;
                 if (msg.cancel) {