format, improve sanitization, add xss test

2025-08-02 14:26:04 +00:00 · 2025-05-01 18:24:32 +00:00 · 2025-05-01 18:24:32 +00:00 · 39ab114e1a
commit 39ab114e1a
parent ead5acc151
2 changed files with 28 additions and 4 deletions
--- a/azalea-chat/src/component.rs
+++ b/azalea-chat/src/component.rs
@ -71,7 +71,8 @@ impl FormattedText {
    /// closures to drive styling, text transformation, and final cleanup.
    ///
    /// # Type params
-    /// - `F`: `(running, component, default) -> (prefix, suffix)` for per-component styling
+    /// - `F`: `(running, component, default) -> (prefix, suffix)` for
+    ///   per-component styling
    /// - `S`: `&str -> String` for text tweaks (escaping, mapping, etc.)
    /// - `C`: `&final_running_style -> String` for any trailing cleanup
    ///
@ -151,7 +152,6 @@ impl FormattedText {
        output
    }

-
    /// Convert this component into an
    /// [ANSI string](https://en.wikipedia.org/wiki/ANSI_escape_code).
    ///
@ -195,11 +195,20 @@ impl FormattedText {
        self.to_custom_format(
            |running, new, _| {
                (
-                    format!("<span style=\"{}\">", running.merged_with(new).get_html_style()),
+                    format!(
+                        "<span style=\"{}\">",
+                        running.merged_with(new).get_html_style()
+                    ),
                    "</span>".to_owned(),
                )
            },
-            |text| text.replace("<", "&lt;").replace("\n", "<br>"),
+            |text| {
+                text.replace("&", "&amp;")
+                    .replace("<", "&lt;")
+                    // usually unnecessary but good for compatibility
+                    .replace(">", "&gt;")
+                    .replace("\n", "<br>")
+            },
            |_| "".to_string(),
            &DEFAULT_STYLE,
        )
--- a/azalea-chat/src/text_component.rs
+++ b/azalea-chat/src/text_component.rs
@ -181,6 +181,21 @@ mod tests {
        );
    }

+    #[test]
+    fn test_xss_html() {
+        let component = TextComponent::new("§a<b>&\n§b</b>".to_string()).get();
+
+        assert_eq!(
+            component.to_html(),
+            format!(
+                "{GREEN}&lt;b&gt;&amp;<br>{END_SPAN}{AQUA}&lt;/b&gt;{END_SPAN}",
+                END_SPAN = "</span>",
+                GREEN = "<span style=\"color: #55FF55;\">",
+                AQUA = "<span style=\"color: #55FFFF;\">",
+            )
+        );
+    }
+
    #[test]
    fn test_legacy_color_code_to_component() {
        let component = TextComponent::new("§lHello §r§1w§2o§3r§4l§5d".to_string()).get();