Use base64 to solve security stuff

Enter-tainer · Jun 23, 2024 · 128f6f3 · 128f6f3
1 parent 524e6e1
commit 128f6f3
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/addons/frontend/index.html b/addons/frontend/index.html
@@ -22,6 +22,7 @@
         state = state.replace("preview-arg:state:", "");
         /// Set it later when acquiring the VSCode API
         window.vscode_state = JSON.parse(state);
+        window.vscode_state.fsPath = atob(window.vscode_state.fsPath);
       }
 
       /// https://stackoverflow.com/questions/13586999/color-difference-similarity-between-two-values-with-js

diff --git a/addons/vscode/src/extension.ts b/addons/vscode/src/extension.ts
@@ -495,8 +495,7 @@ const launchPreview = async (task: LaunchInBrowserTask | LaunchInWebViewTask) =>
 		html = html.replace(
 			"preview-arg:previewMode:Doc",
 			`preview-arg:previewMode:${previewMode}`
-		).replace("preview-arg:state:{}", `preview-arg:state:${JSON.stringify({ mode: task.mode, fsPath: bindDocument.uri.fsPath.replace(/`/g, "\\`") })}`);
-		// Replace all the backticks here ^ to avoid the backtick "escaping" the string in the JS itself and executing other code.
+		).replace("preview-arg:state:{}", `preview-arg:state:${JSON.stringify({ mode: task.mode, fsPath: Buffer.from(bindDocument.uri.fsPath).toString("base64") })}`);
 
 		panel.webview.html = html.replace("ws://127.0.0.1:23625", `ws://127.0.0.1:${dataPlanePort}`);
 		// 虽然配置的是 http，但是如果是桌面客户端，任何 tcp 连接都支持，这也就包括了 ws