From 7d9a22023088868ac289b6306a6885d07da439e7 Mon Sep 17 00:00:00 2001 From: thatsatechnique <28403172+thatsatechnique@users.noreply.github.com> Date: Fri, 6 Mar 2026 12:55:07 -0800 Subject: [PATCH] fix(ook): replace innerHTML with createElement/textContent in appendFrameEntry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses final upstream review — all backend-derived values (timestamp, bit_count, rssi, hex, ascii) now use DOM methods instead of innerHTML interpolation, closing the last XSS surface. Bumps cache-buster to ook2. Co-Authored-By: Claude Opus 4.6 --- static/js/modes/ook.js | 55 +++++++++++++++++++++++++++++------------- templates/index.html | 2 +- 2 files changed, 39 insertions(+), 18 deletions(-) diff --git a/static/js/modes/ook.js b/static/js/modes/ook.js index 4ad6f1b..451682c 100644 --- a/static/js/modes/ook.js +++ b/static/js/modes/ook.js @@ -235,25 +235,46 @@ var OokMode = (function () { div.dataset.inverted = msg.inverted ? '1' : '0'; var color = hasPrintable ? '#00ff88' : 'var(--text-dim)'; - var suffix = ''; - if (msg.inverted) suffix += ' (inv)'; - var rssiStr = (msg.rssi !== undefined && msg.rssi !== null) - ? ' ' + msg.rssi.toFixed(1) + ' dB SNR' - : ''; + // Build header line: timestamp [bitcount] rssi (inv) + var tsSpan = document.createElement('span'); + tsSpan.style.color = 'var(--text-dim)'; + tsSpan.textContent = msg.timestamp; - div.innerHTML = - '' + msg.timestamp + '' + - ' [' + msg.bit_count + 'b]' + - rssiStr + suffix + - '
' + - '' + - 'hex: ' + interp.hex + - '' + - '
' + - '' + - 'ascii: ' + _esc(interp.ascii) + - ''; + var bcSpan = document.createElement('span'); + bcSpan.style.color = '#888'; + bcSpan.textContent = ' [' + msg.bit_count + 'b]'; + + div.appendChild(tsSpan); + div.appendChild(bcSpan); + + if (msg.rssi !== undefined && msg.rssi !== null) { + var rssiSpan = document.createElement('span'); + rssiSpan.style.cssText = 'color:#666; font-size:10px'; + rssiSpan.textContent = ' ' + msg.rssi.toFixed(1) + ' dB SNR'; + div.appendChild(rssiSpan); + } + + if (msg.inverted) { + var invSpan = document.createElement('span'); + invSpan.style.opacity = '.5'; + invSpan.textContent = ' (inv)'; + div.appendChild(invSpan); + } + + // Hex line + div.appendChild(document.createElement('br')); + var hexSpan = document.createElement('span'); + hexSpan.style.cssText = 'padding-left:8em; color:' + color + '; font-family:var(--font-mono); font-size:10px'; + hexSpan.textContent = 'hex: ' + interp.hex; + div.appendChild(hexSpan); + + // ASCII line + div.appendChild(document.createElement('br')); + var ascSpan = document.createElement('span'); + ascSpan.style.cssText = 'padding-left:8em; color:' + (hasPrintable ? '#aaffcc' : '#555') + '; font-family:var(--font-mono); font-size:10px'; + ascSpan.textContent = 'ascii: ' + interp.ascii; + div.appendChild(ascSpan); div.style.cssText = 'font-size:11px; padding: 4px 0; border-bottom: 1px solid #1a1a1a; line-height:1.6;'; diff --git a/templates/index.html b/templates/index.html index f2f1234..09f317a 100644 --- a/templates/index.html +++ b/templates/index.html @@ -3393,7 +3393,7 @@ - +