From fd75f3116aa30eb4958cc747f944f202ec69a484 Mon Sep 17 00:00:00 2001 From: Osmium Sorcerer Date: Wed, 3 Jun 2026 11:23:33 +0000 Subject: Remove safeTags, decodeChat, and prepChat Following the removal of innerHTML manipulation, we no longer need these sanitization functions. I've reviewed every safeTags call site to make sure the outputs don't end up anywhere unsafe, and malicious input can't malipulate DOM or execute code. These values either end up either as plain text (textContent, innerText, createTextNode, title, option) or as a URL path to request assets to the server (encoded using encodeURI). That is, if safeTags was even effective, considering all that function did was replace '<' and '>' symbols with Unicode lookalikes. Even the comment was suggesting the use of fundamentally safer functions instead of these hacks. Replace remaining uses of prepChat with unescapeChat as we still need to do the token substitution (like "" to "&"). decodeChat was escaping Unicode sequences like \uXXXX, but I don't see the reason for this, AO2 Client doesn't have this feature, and considering WebSocket text frames are strictly UTF-8, we don't need these encodings. --- webAO/client/handleCharacterInfo.ts | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) (limited to 'webAO/client/handleCharacterInfo.ts') diff --git a/webAO/client/handleCharacterInfo.ts b/webAO/client/handleCharacterInfo.ts index c7bcc94..278c6a7 100644 --- a/webAO/client/handleCharacterInfo.ts +++ b/webAO/client/handleCharacterInfo.ts @@ -1,5 +1,4 @@ import { client } from "../client"; -import { safeTags } from "../encoding"; import iniParse from "../iniParse"; import request from "../services/request"; import { AO_HOST } from "./aoHost"; @@ -22,17 +21,17 @@ export const setupCharacterBasic = (chargs: string[], charid: number) => { const mute_select = ( document.getElementById("mute_select") ); - mute_select.add(new Option(safeTags(chargs[0]), String(charid))); + mute_select.add(new Option(chargs[0], String(charid))); const pair_select = ( document.getElementById("pair_select") ); - pair_select.add(new Option(safeTags(chargs[0]), String(charid))); + pair_select.add(new Option(chargs[0], String(charid))); // Store defaults — these get replaced with actual ini values by ensureCharIni client.chars[charid] = { - name: safeTags(chargs[0]), - showname: safeTags(chargs[0]), - desc: safeTags(chargs[1]), + name: chargs[0], + showname: chargs[0], + desc: chargs[1], blips: "m", gender: "", side: "def", @@ -86,14 +85,14 @@ export const ensureCharIni = async (charid: number): Promise => { cini.emotions = Object.assign(default_emotions, cini.emotions); // Replace defaults with actual ini values - char.showname = safeTags(cini.options.showname); - char.blips = safeTags(cini.options.blips); - char.gender = safeTags(cini.options.gender); - char.side = safeTags(cini.options.side); + char.showname = cini.options.showname; + char.blips = cini.options.blips; + char.gender = cini.options.gender; + char.side = cini.options.side; char.chat = cini.options.chat === "" - ? safeTags(cini.options.category) - : safeTags(cini.options.chat); + ? cini.options.category + : cini.options.chat; char.icon = img ? img.src : ""; char.inifile = cini; @@ -124,7 +123,7 @@ export const handleCharacterInfo = async (chargs: string[], charid: number) => { // Reset inifile so ensureCharIni will re-fetch if (client.chars[charid]) { - client.chars[charid].name = safeTags(chargs[0]); + client.chars[charid].name = chargs[0]; client.chars[charid].inifile = null; } else { setupCharacterBasic(chargs, charid); -- cgit