Skip to content

fix: escape wallet table values#5

Open
1507819106zxzx-crypto wants to merge 1 commit into
BitgesellOfficial:masterfrom
1507819106zxzx-crypto:harden-table-rendering
Open

fix: escape wallet table values#5
1507819106zxzx-crypto wants to merge 1 commit into
BitgesellOfficial:masterfrom
1507819106zxzx-crypto:harden-table-rendering

Conversation

@1507819106zxzx-crypto

Copy link
Copy Markdown

Summary:

  • Escape transaction IDs and wallet addresses before rendering them into table HTML attributes/text.
  • URL-encode explorer and hash-route path segments generated from table values.
  • Adds a small shared escapeHtml helper for wallet table renderers.

Why:
The normal data shape should be Bitgesell addresses and transaction hashes, but these values are still sourced from local wallet storage and remote API responses before being interpolated into HTML strings. Encoding them keeps abnormal or compromised data from breaking attributes or injecting markup in the wallet UI.

Verification:

  • node --check src/utils.js
  • node --check src/transactions/transactions.js
  • node --check src/my-addresses/my-addresses.js
  • npx eslint --rule "linebreak-style: 0" src/utils.js src/transactions/transactions.js src/my-addresses/my-addresses.js
  • git diff --check

Related bounty: BitgesellOfficial/bitgesell#39 / BitgesellOfficial/bitgesell#81
Payout address if accepted: 0x4451dF3D21925eF7a62D20eEdc80B99f7140C5D2

@MyTH-zyxeon

Copy link
Copy Markdown

Review-assist note for the Bitgesell #81 improvement lane.

I checked the public PR body and diff. This is a focused wallet UI hardening fix:

  • escapes wallet addresses and transaction IDs before interpolating them into table HTML attributes/text
  • URL-encodes hash-route and explorer path segments generated from wallet table values
  • adds a shared escapeHtml helper for wallet table renderers instead of repeating ad hoc replacements
  • keeps the normal wallet data flow intact while reducing markup/attribute injection risk from abnormal local wallet storage or remote API data

Suggested maintainer checks before merge:

  • run node --check src/utils.js
  • run node --check src/transactions/transactions.js
  • run node --check src/my-addresses/my-addresses.js
  • run npx eslint --rule "linebreak-style: 0" src/utils.js src/transactions/transactions.js src/my-addresses/my-addresses.js
  • manually render one normal address/txid and one value containing HTML-sensitive characters to confirm table text/attributes and explorer/send routes remain safe

From the public patch shape, this looks like a useful low-risk wallet UI hardening candidate for the #81 improvement queue. I did not run wallet, node, RPC, payment, or live-chain actions for this review-assist note.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants