TRKJ/gitea
2
0
Fork 0
mirror of https://gitee.com/gitea/gitea synced 2025-11-04 16:40:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

Prevent possible XSS when using jQuery (#18289)

Browse Source 
In the case of misuse or misunderstanding from a developer whereby,
if `sel` can receive user-controlled data, jQuery `$(sel)` can lead to the
creation of a new element. Current usage is using hard-coded selectors
in the templates, but nobody prevents that from expanding to
user-controlled somehow.
This commit is contained in:
Gusted
2022-01-16 05:14:32 +00:00
committed by GitHub
parent 4b4884ce88
commit 661d3d28e9
10 changed files with 39 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
web_src/js/features/common-global.js
View File

@@ -124,7 +124,7 @@ export function initGlobalCommon() {
$('.tabable.menu .item').tab();
$('.toggle.button').on('click', function () {
$($(this).data('target')).slideToggle(100);
$.find($(this).data('target')).slideToggle(100);
});
// make table <tr> and <td> elements clickable like a link
@@ -202,7 +202,7 @@ export function initGlobalLinkActions() {
closable: false,
onApprove() {
if ($this.data('type') === 'form') {
$($this.data('form')).trigger('submit');
$.find($this.data('form')).trigger('submit');
return;
}
@@ -240,7 +240,7 @@ export function initGlobalLinkActions() {
closable: false,
onApprove() {
if ($this.data('type') === 'form') {
$($this.data('form')).trigger('submit');
$.find($this.data('form')).trigger('submit');
return;
}
@@ -293,7 +293,7 @@ export function initGlobalLinkActions() {
export function initGlobalButtons() {
$('.show-panel.button').on('click', function () {
$($(this).data('panel')).show();
$.find($(this).data('panel')).show();
});
$('.hide-panel.button').on('click', function (event) {
@@ -301,7 +301,7 @@ export function initGlobalButtons() {
event.preventDefault();
let sel = $(this).attr('data-panel');
if (sel) {
$(sel).hide();
$.find(sel).hide();
return;
}
sel = $(this).attr('data-panel-closest');
@@ -314,8 +314,8 @@ export function initGlobalButtons() {
});
$('.show-modal.button').on('click', function () {
$($(this).data('modal')).modal('show');
const colorPickers = $($(this).data('modal')).find('.color-picker');
$.find($(this).data('modal')).modal('show');
const colorPickers = $.find($(this).data('modal')).find('.color-picker');
if (colorPickers.length > 0) {
initCompColorPicker();
}