Immediate fix to htmlEncode user added text (#5570)
There are likely problems remaining with the way that initCommentForm is creating its elements. I suspect that a malformed avatar url could be used maliciously.
This commit is contained in:
parent
4a02a783c4
commit
330bf8d3b3
1 changed files with 9 additions and 5 deletions
@ -1,5 +1,9 @@
'use strict';
'use strict';
function htmlEncode(text) {
return jQuery('<div />').text(text).html()
}
var csrf;
var csrf;
var suburl;
var suburl;
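Review bot: The added `htmlEncode` lacks documentation of its scope, and the `return jQuery('<div />').text(text).html()` line has no terminating semicolon. The innerHTML serialization it relies on escapes `&`, `<` and `>` in text nodes but leaves `"` and `'` untouched, so the result is only safe as element content, not inside attribute values — exactly the distinction the callers later in this commit need to respect. Suggest a header such as `/** Escape text for use as HTML element content (not attribute values or URLs). @param {string} text @returns {string} */` above the function and `return jQuery('<div />').text(text).html();`. It also reaches for the global `jQuery` where the rest of the file uses `$`; harmless, but worth aligning.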
@ -394,12 +398,12 @@ function initCommentForm() {
switch (input_id) {
switch (input_id) {
case '#milestone_id':
case '#milestone_id':
$list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' +
$list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' +
$(this).text() + '</a>');
htmlEncode($(this).text()) + '</a>');
break;
break;
case '#assignee_id':
case '#assignee_id':
$list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' +
$list.find('.selected').html('<a class="item" href=' + $(this).data('href') + '>' +
'<img class="ui avatar image" src=' + $(this).data('avatar') + '>' +
'<img class="ui avatar image" src=' + $(this).data('avatar') + '>' +
$(this).text() + '</a>');
htmlEncode($(this).text()) + '</a>');
}
}
$('.ui' + select_id + '.list .no-select').addClass('hide');
$('.ui' + select_id + '.list .no-select').addClass('hide');
$(input_id).val($(this).data('id'));
$(input_id).val($(this).data('id'));
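Review bot: The `href=` and `src=` attributes built at `'<a class="item" href=' + $(this).data('href') + '>'` and `'<img class="ui avatar image" src=' + $(this).data('avatar') + '>'` are unquoted string concatenation, so encoding the link text does not protect them: a data-href or data-avatar value containing whitespace or `>` terminates the attribute, and `htmlEncode` would not help there even if applied, since it leaves quotes unescaped. Building both elements through jQuery's attribute setter instead of markup strings removes the attribute-context problem for both `case` branches (sketched below); it does not validate the URL itself, so whatever renders data-href/data-avatar into the list items still has to be trusted. The enclosing initCommentForm starts and ends outside this hunk, and `$list` and `select_id` are defined outside it.
```javascript
switch (input_id) {
    case '#milestone_id':
        $list.find('.selected').empty().append(
            $('<a>', { 'class': 'item', href: $(this).data('href') }).text($(this).text()));
        break;
    case '#assignee_id':
        $list.find('.selected').empty().append(
            $('<a>', { 'class': 'item', href: $(this).data('href') })
                .append($('<img>', { 'class': 'ui avatar image', src: $(this).data('avatar') }))
                .append(document.createTextNode($(this).text())));
}
// … unchanged: hide .no-select, set the hidden input value …
```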
@ -1538,7 +1542,7 @@ function searchUsers() {
$.each(response.data, function (i, item) {
$.each(response.data, function (i, item) {
var title = item.login;
var title = item.login;
if (item.full_name && item.full_name.length > 0) {
if (item.full_name && item.full_name.length > 0) {
title += ' (' + item.full_name + ')';
title += ' (' + htmlEncode(item.full_name) + ')';
}
}
items.push({
items.push({
title: title,
title: title,
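Review bot: `item.login` is assigned to `title` unencoded at `var title = item.login;` while `item.full_name` two lines later is passed through `htmlEncode`, so the two halves of the same string are treated differently. Unless logins are restricted server-side to a safe character set, the first line should become `var title = htmlEncode(item.login);`; if they are restricted, a one-line comment saying so would stop the next reader from taking the asymmetry for a bug. Whether `title` is later inserted as HTML or as text by the dropdown is not visible here, and the encoding is only correct in the former case. The enclosing searchUsers function starts and ends outside this hunk.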
@ -2692,7 +2696,7 @@ function initTopicbar() {
if (res.topics) {
if (res.topics) {
formattedResponse.success = true;
formattedResponse.success = true;
for (var i=0;i < res.topics.length;i++) {
for (var i=0;i < res.topics.length;i++) {
formattedResponse.results.push({"description": res.topics[i].Name, "data-value":res.topics[i].Name})
formattedResponse.results.push({"description": res.topics[i].Name, "data-value": res.topics[i].Name})
}
}
}
}
@ -2813,7 +2817,7 @@ function initIssueList() {
// Parse the response from the api to work with our dropdown
// Parse the response from the api to work with our dropdown
$.each(response, function(index, issue) {
$.each(response, function(index, issue) {
filteredResponse.results.push({
filteredResponse.results.push({
'name' : '#' + issue.number + ' ' + issue.title,
'name' : '#' + issue.number + ' ' + htmlEncode(issue.title),
'value' : issue.id
'value' : issue.id
});
});
});
});
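Review bot: The encoding at `'name' : '#' + issue.number + ' ' + htmlEncode(issue.title),` is only right if the dropdown renders `name` as HTML; if it sets it as text, titles containing `&`, `<` or `>` will now display as entities. Since the hunk does not show the consumer, suggest recording the assumption next to the line, e.g. `// name is inserted as HTML by the dropdown, so the user-controlled title must be encoded`; the same note applies to the `title` built in searchUsers. The enclosing initIssueList function starts and ends outside this hunk.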