Merge pull request from GHSA-p6rw-44q7-3fw4

Safer handling of user strings - 1.1.x

.gitignore

@@ -26,3 +26,5 @@ nbdime/webapp/static/**
 !nbdime/webapp/static/favicon.ico
 package-lock.json
 *.tsbuildinfo
+
+.idea

packages/labextension/package.json

@@ -55,7 +55,7 @@
     "@phosphor/commands": "^1.6.1",
     "mkdirp": "^0.5.1",
     "rimraf": "^2.6.3",
-    "typescript": "^3.5.2"
+    "typescript": "^3.7.2"
   },
   "jupyterlab": {
     "extension": true,

packages/labextension/src/widget.ts

@@ -241,9 +241,11 @@ namespace Private {
         <button class="nbdime-export" style="display: none">Export diff</button>
       </div>
       <div class=nbdime-header-banner>
-        <span class="nbdime-header-base">${baseLabel}</span>
-        <span class="nbdime-header-remote">${remoteLabel}</span>
+        <span class="nbdime-header-base"></span>
+        <span class="nbdime-header-remote"></span>
       </div>`;
+    (node.getElementsByClassName("nbdime-header-base")[0] as HTMLSpanElement).innerText = baseLabel;
+    (node.getElementsByClassName("nbdime-header-remote")[0] as HTMLSpanElement).innerText = remoteLabel;
 
     return new Widget({node});
   }

packages/nbdime/package.json

@@ -34,6 +34,7 @@
     "@phosphor/dragdrop": "^1.3.0",
     "@phosphor/signaling": "^1.2.2",
     "@phosphor/widgets": "^1.6.0",
+    "@types/node": "^16.10.2",
     "json-stable-stringify": "^1.0.1"
   },
   "devDependencies": {
@@ -42,7 +43,6 @@
     "@types/expect.js": "^0.3.29",
     "@types/json-stable-stringify": "^1.0.32",
     "@types/mocha": "^5.2.6",
-    "@types/node": "^12.0.10",
     "@types/sanitizer": "^0.0.28",
     "expect.js": "^0.3.1",
     "fs-extra": "^8.1.0",
@@ -56,7 +56,7 @@
     "karma-typescript-es6-transform": "^4.0.0",
     "mocha": "^6.0.2",
     "rimraf": "^2.6.3",
-    "typescript": "^3.5.2"
+    "typescript": "^3.7.2"
   },
   "peerDependencies": {
     "codemirror": "^5.0.0"

packages/nbdime/src/common/util.ts

@@ -298,7 +298,7 @@ function buildSelect(options: string[], select?: HTMLSelectElement): HTMLSelectE
   }
   for (let option of options) {
     let opt = document.createElement('option');
-    opt.value = opt.innerHTML = option;
+    opt.text = option;
     select.appendChild(opt);
   }
   return select;

packages/nbdime/src/upstreaming/flexlayout.ts

@@ -378,9 +378,9 @@ class FlexLayout extends PanelLayout {
     Private.toggleDirection(this.parent!, this._direction);
     let style = this.parent!.node.style;
     style.flexWrap = this._wrap ? 'wrap' : 'nowrap';
-    style.justifyContent = Private.translateFlexString(this._justifyContent);
-    style.alignContent = Private.translateFlexString(this._alignContent);
-    style.alignItems = Private.translateFlexString(this._alignItems);
+    style.justifyContent = Private.translateFlexString(this._justifyContent)!;
+    style.alignContent = Private.translateFlexString(this._alignContent)!;
+    style.alignItems = Private.translateFlexString(this._alignItems)!;
     this.parent!.fit();
   }
 
@@ -533,7 +533,7 @@ class FlexLayout extends PanelLayout {
     // Update display order
     for (let i = 0; i < widgets.length; ++i) {
       let widget = widgets[i];
-      widget.node.style.order = this.order ?  i.toString() : null;
+      widget.node.style.order = this.order ?  i.toString() : '';
     }
   }
 
@@ -717,7 +717,7 @@ namespace FlexLayout {
     if (value === 'auto') {
       widget.node.style.flexBasis = value as string;
     } else if (value === null) {
-      widget.node.style.flexBasis = value;
+      widget.node.style.flexBasis = '';
     } else {
       widget.node.style.flexBasis = value.toString() + 'px';
     }

packages/nbdime/test/src/common/util.spec.ts

@@ -257,6 +257,36 @@ describe('common', () => {
 
     });
 
+    describe('buildSelect', () => {
+
+      it('should create an empty select', () => {
+        let value = util.buildSelect([]);
+        expect(value.outerHTML).to.eql("<select></select>");
+      });
+
+      it('should reuse a given select', () => {
+        const select = document.createElement('select');
+        let value = util.buildSelect([], select);
+        expect(value).to.be(select);
+      });
+
+      it('should create a select with options', () => {
+        let value = util.buildSelect([
+          'foo',
+          'bar',
+          '<div>boo</div>'
+        ]);
+        expect(value.outerHTML).to.eql(
+          '<select>' +
+            '<option>foo</option>' +
+            '<option>bar</option>' +
+            '<option>&lt;div&gt;boo&lt;/div&gt;</option>' +
+          '</select>'
+        );
+      });
+
+    });
+
   });
 
 });

packages/webapp/src/app/diff.ts

@@ -182,11 +182,14 @@ function onDiffRequestCompleted(data: any) {
  */
 function onDiffRequestFailed(response: string) {
   console.log('Diff request failed.');
-  let root = document.getElementById('nbdime-root');
+  const root = document.getElementById('nbdime-root');
   if (!root) {
     throw new Error('Missing root element "nbidme-root"');
   }
-  root.innerHTML = '<pre>' + response + '</pre>';
+  const pre = document.createElement('pre');
+  pre.innerText = response;
+  root.innerHTML = '';
+  root.appendChild(pre);
   diffWidget = null;
   toggleSpinner(false);
 }

packages/webapp/src/app/merge.ts

@@ -177,7 +177,10 @@ function onMergeRequestFailed(response: string) {
   if (!root) {
     throw new Error('Missing root element "nbidme-root"');
   }
-  root.innerHTML = '<pre>' + response + '</pre>';
+  const pre = document.createElement('pre');
+  pre.innerText = response;
+  root.innerHTML = '';
+  root.appendChild(pre);
   mergeWidget = null;
   toggleSpinner(false);
 }