From 19655130966544dde1f0171b30f7f0c7a2b27f43 Mon Sep 17 00:00:00 2001
From: Alicia Sykes <sykes.alicia@gmail.com>
Date: Thu, 1 Apr 2021 13:05:43 +0100
Subject: [PATCH] Santizes custom CSS

---
 src/components/Collapsable.vue | 37 +++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/src/components/Collapsable.vue b/src/components/Collapsable.vue
index f91dd6e8..392bfa2a 100644
--- a/src/components/Collapsable.vue
+++ b/src/components/Collapsable.vue
@@ -1,23 +1,23 @@
 <template>
   <div :class="`collapsable ${checkSpanNum(cols, 'col')} ${checkSpanNum(rows, 'row')}`"
-    :style="`${color ? 'background: '+color : ''}; ${customStyles}`"
+    :style="`${color ? 'background: '+color : ''}; ${sanitizeCustomStyles(customStyles)};`"
   >
-        <input
-            :id="`collapsible-${uniqueKey}`"
-            class="toggle"
-            type="checkbox"
-            :checked="getCollapseState()"
-            @change="collapseChanged"
-            tabIndex="-1"
-        >
-        <label :for="`collapsible-${uniqueKey}`" class="lbl-toggle" tabindex="-1">
-            <h3>{{ title }}</h3>
-        </label>
-        <div class="collapsible-content">
-          <div class="content-inner">
-            <slot></slot>
-            </div>
+    <input
+        :id="`collapsible-${uniqueKey}`"
+        class="toggle"
+        type="checkbox"
+        :checked="getCollapseState()"
+        @change="collapseChanged"
+        tabIndex="-1"
+    >
+    <label :for="`collapsible-${uniqueKey}`" class="lbl-toggle" tabindex="-1">
+      <h3>{{ title }}</h3>
+    </label>
+    <div class="collapsible-content">
+      <div class="content-inner">
+        <slot></slot>
         </div>
+    </div>
   </div>
 </template>
 
@@ -46,6 +46,11 @@ export default {
       numSpan = (numSpan > maxSpan) ? maxSpan : numSpan;
       return `${classPrefix}-${numSpan}`;
     },
+    /* Removes all special characters, except those allowed in valid CSS */
+    sanitizeCustomStyles(userCss) {
+      return userCss ? userCss.replace(/[^a-zA-Z0-9- :;.]/g, '') : '';
+    },
+    /* If not already done, then add object structure to local storage */
     initialiseStorage() {
       const initStorage = () => localStorage.setItem('collapseState', JSON.stringify({}));
       if (!localStorage.collapseState) initStorage(); // If not yet set, then init localstorage