Fix 1292 - Avoid XSS (#1297)

* Fix 1292 - Avoid XSS

* Fix XSS on EffectConfiguration
This commit is contained in:
LordGrey 2021-08-19 08:52:17 +02:00 committed by GitHub
parent 0227694d20
commit bd3e12d3ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 11 additions and 7 deletions


@ -1,8 +1,8 @@
$(document).ready(function () { $(document).ready(function () {
performTranslation(); performTranslation();
// update instance listing // update instance listing
updateHyperionInstanceListing(); updateHyperionInstanceListing();
var oldDelList = []; var oldDelList = [];
var effectName = ""; var effectName = "";
@ -120,7 +120,7 @@ $(document).ready(function () {
// disable or enable control elements // disable or enable control elements
$("#name-input").on('change keyup', function (event) { $("#name-input").on('change keyup', function (event) {
effectName = $(this).val(); effectName = encodeHTML($(this).val());
if ($(this).val() == '') { if ($(this).val() == '') {
effects_editor.disable(); effects_editor.disable();
$("#eff_footer").children().attr('disabled', true); $("#eff_footer").children().attr('disabled', true);
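Review bot: On the changed line `effectName = encodeHTML($(this).val());` the value is HTML-encoded at input time, so `effectName` now holds entity text (`A &amp; B` for a typed `A & B`) and, assuming it is later sent as the effect's name, that encoded form is what gets persisted and what any other consumer of the name receives. Output encoding belongs where the name is interpolated into markup, not where it is read from the field; keeping `effectName = $(this).val();` and calling `encodeHTML(effectName)` only at the HTML insertion point (or inserting it with jQuery `.text()`) avoids storing a double-encoded name. The emptiness check on the following line still compares the raw `$(this).val()`, which is harmless but shows the two values have drifted apart. The enclosing `change keyup` handler and the code that consumes `effectName` continue outside the hunk.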


@ -37,7 +37,7 @@ $(document).ready(function () {
showInfoDialog('renInst', $.i18n('conf_general_inst_renreq_t'), getInstanceNameByIndex(inst)); showInfoDialog('renInst', $.i18n('conf_general_inst_renreq_t'), getInstanceNameByIndex(inst));
$("#id_btn_ok").off().on('click', function () { $("#id_btn_ok").off().on('click', function () {
requestInstanceRename(inst, $('#renInst_name').val()) requestInstanceRename(inst, encodeHTML($('#renInst_name').val()))
}); });
$('#renInst_name').off().on('input', function (e) { $('#renInst_name').off().on('input', function (e) {
@ -94,7 +94,7 @@ $(document).ready(function () {
}); });
$('#btn_create_inst').off().on('click', function (e) { $('#btn_create_inst').off().on('click', function (e) {
requestInstanceCreate($('#inst_name').val()); requestInstanceCreate(encodeHTML($('#inst_name').val()));
$('#inst_name').val(""); $('#inst_name').val("");
$('#btn_create_inst').attr('disabled', true) $('#btn_create_inst').attr('disabled', true)
}); });
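Review bot: Both `requestInstanceRename(inst, encodeHTML(...))` and `requestInstanceCreate(encodeHTML(...))` send an entity-encoded instance name to the backend, so the stored name differs from what the user typed and presumably shows up as `&amp;` / `&lt;` wherever it is rendered through a non-HTML path (API clients, `.text()` calls, logs). The XSS sink is the place where the instance name is written into HTML — likely via `getInstanceNameByIndex(inst)` on the `showInfoDialog` line above, whose rendering is outside this hunk — and that is where `encodeHTML` should be applied, leaving the raw value in the request. If the backend already validates names, encoding here also changes what it validates. The surrounding `$(document).ready` body starts before the hunk.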


@ -125,7 +125,7 @@ $(document).ready(function () {
var function_ = messages[idx].function; var function_ = messages[idx].function;
var line = messages[idx].line; var line = messages[idx].line;
var file_name = messages[idx].fileName; var file_name = messages[idx].fileName;
var msg = messages[idx].message; var msg = encodeHTML(messages[idx].message);
var level_string = messages[idx].levelString; var level_string = messages[idx].levelString;
var utime = messages[idx].utime; var utime = messages[idx].utime;
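Review bot: Only `messages[idx].message` is passed through `encodeHTML`; `function_`, `file_name`, `level_string` and `line` are read from the same record on the adjacent lines and left raw, so if they are concatenated into the same markup further down (outside the hunk) they remain unescaped sinks. `encodeHTML` calls `.replace` on its argument directly, so a record whose `message` is missing or not a string throws and aborts the whole loop that renders the log; `var msg = encodeHTML(String(messages[idx].message || ''));` keeps the render resilient. The enclosing loop and the code that inserts these fields into the DOM begin and end outside the hunk, so whether the other fields are rendered as HTML cannot be confirmed from here.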


@ -210,7 +210,7 @@ $(document).ready( function() {
} }
$('#btn_create_tok').off().on('click',function() { $('#btn_create_tok').off().on('click',function() {
requestToken($('#tok_comment').val()) requestToken(encodeHTML($('#tok_comment').val()))
$('#tok_comment').val("") $('#tok_comment').val("")
$('#btn_create_tok').attr('disabled', true) $('#btn_create_tok').attr('disabled', true)
}); });
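Review bot: `requestToken(encodeHTML($('#tok_comment').val()))` stores the token comment in its HTML-encoded form, so a comment containing `&`, `<` or `"` is persisted as entity text and will read back that way through any non-HTML consumer of the token list. Encoding should happen where the comment is inserted into the page, with `requestToken($('#tok_comment').val())` left as it was; if the token table rendering lives elsewhere in this file, that is the line to change. The enclosing `$(document).ready` body starts before the hunk.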


@ -1206,3 +1206,7 @@ function showInputOptionsForKey(editor, item, showForKeys, state) {
} }
showInputOptions(item, elements, state); showInputOptions(item, elements, state);
} }
function encodeHTML(s) {
return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}
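Review bot: `encodeHTML` escapes `&`, `<` and `"` but not `>` or `'`, so a value placed inside a single-quoted attribute (`title='…'`) or an inline event-handler string can still break out with `'`, and it throws a TypeError when `s` is not a string because `.replace` is called on it unguarded. A complete and null-safe version fits on one line: `return String(s).replace(/[&<>"']/g, function (c) { return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]; });`. A short JSDoc above it would also help callers understand the contract, e.g. `/** Escape a string for safe insertion into HTML text or double-quoted attributes. */`, since the function name alone does not say which contexts it covers.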