

Fix DOM text reinterpreted as HTML
lwesterhof committed Aug 13, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
1 parent d90c67e commit bba188e
Showing 11 changed files with 32 additions and 19 deletions.
6 changes: 3 additions & 3 deletions deposit/static/deposit/js/dlgFileBrowseOperations.js
@@ -1,4 +1,4 @@
/* global browse, path */
/* global browse, DOMPurify, path */
'use strict'

let folderSelectBrowser = null
@@ -133,7 +133,7 @@ $(document).ready(function () {
<td class="item-progress">-</td>
</tr>
`
$('.multi-select-table tbody').append(row)
$('.multi-select-table tbody').append(DOMPurify.sanitize(row))
})

if (action === 'multiple-delete') {
@@ -694,7 +694,7 @@ function dlgMakeBreadcrumb (urlEncodedDir) {
/// alert handling
function dlgSelectAlertShow (errorMessage) {
$('#dlg-select-alert-panel').removeClass('hide')
$('#dlg-select-alert-panel span').html(errorMessage)
$('#dlg-select-alert-panel span').html(DOMPurify.sanitize(errorMessage))
}

function dlgSelectAlertHide () {
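Review bot: `DOMPurify.sanitize(row)` at L28 is likely to strip the `<tr>`/`<td>` markup rather than protect it: DOMPurify parses its input as a body fragment, and as far as I can tell the HTML parser drops table-row tags that appear outside a `<table>`, so the tbody would receive bare text instead of a row — worth checking in the browser before this ships. The safer pattern is to keep the static template as markup and put the untrusted values in as text, e.g. build `$(row)` from a template with empty cells and fill each cell with `.text(value)`; the template literal that produces `row` begins before this hunk, so I cannot see which values are interpolated into it. For `dlgSelectAlertShow`, if `errorMessage` is always plain text, `$('#dlg-select-alert-panel span').text(errorMessage)` is simpler and avoids DOMPurify's default allow-list (which still permits links and images) being rendered inside the alert; keep the sanitize call only if some caller deliberately passes markup.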
1 change: 1 addition & 0 deletions deposit/templates/deposit/data.html
@@ -13,6 +13,7 @@
var path = {{ path|tojson|safe }};
var view = 'browse';
</script>
<script src="{{ url_for('static', filename='lib/purify-3.1.6/js/purify.min.js') }}"></script>
<script src="{{ url_for('static', filename='lib/datatables-1.13.5/datatables.min.js') }}"></script>
<script src="{{ url_for('deposit_bp.static', filename='lib/flow-js/flow.min.js') }}"></script>
<script src="{{ url_for('deposit_bp.static', filename='lib/dragbetter-js/jquery.dragbetter.js') }}"></script>
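Review bot: The same `purify-3.1.6` script include is pasted into four templates in this commit (here, L127, L163 and L225), so the next DOMPurify upgrade has to touch all four; if the `scripts` block is defined in a shared base layout (the `{{ super() }}` calls in the other templates suggest one exists), loading it there once keeps the version in one place. Also confirm that `dlgFileBrowseOperations.js`, which now references `DOMPurify` as a global, is included after this line — the includes visible in this hunk are datatables, flow-js and dragbetter, and the deposit script itself is outside the visible lines.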
19 changes: 11 additions & 8 deletions group_manager/static/group_manager/js/group_manager.js
@@ -1,4 +1,4 @@
/* global bootstrap, FileReader, jQuery, Option */
/* global bootstrap, DOMPurify, FileReader, jQuery, Option */
'use strict'

let enteredUsername = ''
@@ -973,7 +973,8 @@ $(function () {
$('.properties-update').removeClass('hidden')
$('.users').removeClass('hidden')

$('#group-properties-group-name').html('<strong>[' + groupName + ']</strong>')
const sanitizedGroupName = DOMPurify.sanitize('<strong>[' + groupName + ']</strong>')
$('#group-properties-group-name').html(sanitizedGroupName)

$oldGroup.removeClass('active')
$group.addClass('active')
@@ -1346,7 +1347,8 @@ $(function () {
// $(this).val(null).trigger('change')
}).on('change', function () {
// Reset the subcategory value
$($(this).attr('data-subcategory')).val(null).trigger('change')
const sanitizedSubCategory = DOMPurify.sanitize($(this).attr('data-subcategory'))
$(sanitizedSubCategory).val(null).trigger('change')

// bring over the category value to the schema-id if exists.
if (that.schemaIDs.includes($(this).select2('data')[0].id)) {
@@ -1376,6 +1378,8 @@ $(function () {
$(sel).filter('.selectify-subcategory').each(function () {
const $el = $(this)

const sanitizedCategory = DOMPurify.sanitize($el.attr('data-category'))

$el.select2({
placeholder: 'Select a subcategory or enter a new name',
ajax: {
@@ -1386,7 +1390,7 @@ $(function () {
data: function (params) {
const request = {
query: '',
category: $($el.attr('data-category')).val()
category: $(sanitizedCategory).val()
}
if (params.term) {
request.query = params.term
@@ -1544,7 +1548,8 @@ $(function () {

users.forEach(function (userName) {
// Exclude users already in the group.
if (!(userName in that.groups[$($el.attr('data-group')).val()].members)) {
const sanitizedGroup = DOMPurify.sanitize($el.attr('data-group'))
if (!(userName in that.groups[$(sanitizedGroup).val()].members)) {
const nameAndZone = userName.split('#')
results.push({
id: userName,
@@ -2209,12 +2214,10 @@ $(function () {
})

// Group creation {{{

$('#f-group-create-prefix-div a').on('click', function (e) {
// Select new group prefix.
const newPrefix = $(this).attr('data-value')
const newPrefix = DOMPurify.sanitize($(this).attr('data-value'))
const oldPrefix = $('#f-group-create-name').attr('data-prefix')

$('#f-group-create-prefix-div button .text').html(newPrefix + '&nbsp;')
$('#f-group-create-name').attr('data-prefix', newPrefix)
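Review bot: Running the `data-subcategory`, `data-category` and `data-group` attribute values through `DOMPurify.sanitize` (L74, L83, L102) does not address the risk in `$(string)`: those values are used as CSS selectors (`.val()` is read from the match), jQuery still builds elements from any string that starts with `<` whether or not it was sanitized, and DOMPurify serialises the text it returns as HTML, so a selector containing `>` or `&` comes back entity-encoded and stops matching. The way to force selector-only interpretation is to look the value up in a context, e.g. `$(document).find($(this).attr('data-subcategory')).val(null).trigger('change')`, and likewise `$(document).find($el.attr('data-category')).val()` and `$(document).find($el.attr('data-group')).val()`. If these attributes are only ever rendered by the server templates the practical risk is low, but that is not visible from these hunks. The same serialisation caveat applies to `newPrefix` at L115, which is stored back into `data-prefix` at L119 and presumably concatenated into the group name later; an `&` in a prefix would arrive as `&amp;`. All four enclosing handlers start and end outside their hunks.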

1 change: 1 addition & 0 deletions group_manager/templates/group_manager/index.html
@@ -9,6 +9,7 @@
{% endblock style %}

{% block scripts %}
<script src="{{ url_for('static', filename='lib/purify-3.1.6/js/purify.min.js') }}"></script>
<script src="{{ url_for('group_manager_bp.static', filename='js/group_manager.js') }}"></script>
<script src="{{ url_for('group_manager_bp.static', filename='lib/select2/select2.full.min.js') }}"></script>
<script>
6 changes: 3 additions & 3 deletions research/static/research/js/dlgFileBrowseOperations.js
@@ -1,4 +1,4 @@
/* global browse */
/* global browse, DOMPurify */
'use strict'

let folderSelectBrowser = null
@@ -126,7 +126,7 @@ $(document).ready(function () {
<td class="item-progress">-</td>
</tr>
`
$('.multi-select-table tbody').append(row)
$('.multi-select-table tbody').append(DOMPurify.sanitize(row))
})

if (action === 'multiple-delete') {
@@ -707,7 +707,7 @@ function dlgMakeBreadcrumb (urlEncodedDir) {
/// alert handling
function dlgSelectAlertShow (errorMessage) {
$('#dlg-select-alert-panel').removeClass('hide')
$('#dlg-select-alert-panel span').html(errorMessage)
$('#dlg-select-alert-panel span').html(DOMPurify.sanitize(errorMessage))
}

function dlgSelectAlertHide () {
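Review bot: As in the deposit copy of this file, `DOMPurify.sanitize(row)` at L144 is likely to remove the `<tr>`/`<td>` tags instead of keeping them, since DOMPurify parses the string as a body fragment and, as far as I can tell, the HTML parser discards table-row tags outside a `<table>`; the tbody would then get text rather than a row, so please verify the multi-select table still renders. Keeping the template as markup and inserting the untrusted values with `.text(value)` per cell avoids both the XSS and the parsing problem; the template literal that builds `row` begins before this hunk. If `errorMessage` in `dlgSelectAlertShow` is always plain text, `.text(errorMessage)` is the more precise fix than `.html(DOMPurify.sanitize(errorMessage))`.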
1 change: 1 addition & 0 deletions research/templates/research/browse.html
@@ -3,6 +3,7 @@
{% block title %}{{ super() }} &dash; Research{% endblock title %}

{% block scripts %}
<script src="{{ url_for('static', filename='lib/purify-3.1.6/js/purify.min.js') }}"></script>
<script src="{{ url_for('static', filename='lib/datatables-1.13.5/datatables.min.js') }}"></script>
<script src="{{ url_for('research_bp.static', filename='lib/flow-js/flow.min.js') }}"></script>
<script src="{{ url_for('research_bp.static', filename='js/research.js') }}"></script>
8 changes: 5 additions & 3 deletions search/static/search/js/revision.js
@@ -1,3 +1,4 @@
/* global DOMPurify */
'use strict'

// Handles content of two tables
@@ -412,7 +413,8 @@ $(document).ready(function () {
$('#newFileName').val($('#org_folder_select_filename').val()) // Is in dialog where to enter a new name when duplicate

// For error reporting
$('.mode-dlg-exists .alert-warning').html('The file name <b>' + $('#org_folder_select_filename').val() + '</b> (location: ' + $('#org_folder_select_path').val() + ') already exists')
const errorReport = DOMPurify.sanitize('The file name <b>' + $('#org_folder_select_filename').val() + '</b> (location: ' + $('#org_folder_select_path').val() + ') already exists')
$('.mode-dlg-exists .alert-warning').html(errorReport)

restoreRevision('restore_no_overwrite')
})
@@ -453,7 +455,7 @@ $(document).ready(function () {

// select-folder
function dlgAlertShow (alertMessage) {
$('.alert-folder-select').html(alertMessage)
$('.alert-folder-select').html(DOMPurify.sanitize(alertMessage))
}

// dlg-select-folder
@@ -593,7 +595,7 @@ async function restoreRevision (overwriteFlag) {

// Alerts to user in dialog when file already exists
function dlgAlreadyExistsAlert (message) {
$('.alert-dlg-already-exists').html(message)
$('.alert-dlg-already-exists').html(DOMPurify.sanitize(message))
}

/// ////////////////////////////////////////////////////////////////////////////////////////////////////////
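Review bot: The sanitized string at L179 still lets markup typed into `#org_folder_select_filename` or `#org_folder_select_path` render inside the warning, because DOMPurify only removes script-bearing constructs and by default keeps tags such as `<a>`, `<b>` and `<img>`; a file name containing an `<a href="…">` would show up as a clickable link in the dialog (content injection rather than script execution). Since the only intended markup is the `<b>` around the file name, building the message from text nodes removes the need to sanitize at all; the replacement below does that. For `dlgAlertShow` and `dlgAlreadyExistsAlert` (L189, L198), if callers pass plain text, `.text(...)` is the simpler fix for the same reason; keep `DOMPurify.sanitize` only where a caller deliberately passes markup. The click handler containing L179 starts and ends outside the hunk.
```javascript
// For error reporting: the values come from form inputs, so insert them as text, not markup
const $warning = $('.mode-dlg-exists .alert-warning').empty()
$warning.append(document.createTextNode('The file name '))
$warning.append($('<b>').text($('#org_folder_select_filename').val()))
$warning.append(document.createTextNode(' (location: ' + $('#org_folder_select_path').val() + ') already exists'))
```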
4 changes: 3 additions & 1 deletion search/static/search/js/search.js
@@ -1,3 +1,4 @@
/* global DOMPurify */
'use strict'

let currentSearchString
@@ -30,7 +31,8 @@ $(document).ready(function () {
}

$('#search-panel a').on('click', function () {
$('#search_concept').html($(this).text())
const sanitizedSearchConcept = DOMPurify.sanitize($(this).text())
$('#search_concept').html(sanitizedSearchConcept)
$('#search_concept').attr('data-type', $(this).attr('data-type'))

if ($(this).attr('data-type') === 'status') {
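Review bot: `.html(DOMPurify.sanitize($(this).text()))` at L214–L215 sends a plain string through an HTML parse-and-serialise round trip just to put it back into the DOM; `$('#search_concept').text($(this).text())` sets the same visible text with no markup interpretation and no DOMPurify dependency, which is the usual fix for a text-reinterpreted-as-HTML finding. The round trip is not wrong as far as I can see (DOMPurify encodes `<` and `&` in text, which `.html()` then decodes), just indirect. The click handler that starts at L212 ends outside the hunk.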
1 change: 1 addition & 0 deletions search/templates/search/search.html
@@ -3,6 +3,7 @@
{% block title %}{{ super() }} &dash; Search{% endblock title %}

{% block scripts %}
<script src="{{ url_for('static', filename='lib/purify-3.1.6/js/purify.min.js') }}"></script>
<script src="{{ url_for('static', filename='lib/datatables-1.13.5/datatables.min.js') }}"></script>
<script src="{{ url_for('search_bp.static', filename='js/revision.js') }}"></script>
<script src="{{ url_for('search_bp.static', filename='js/search.js') }}"></script>
3 changes: 2 additions & 1 deletion vault/static/vault/js/dlgSelectCollection.js
@@ -1,3 +1,4 @@
/* global DOMPurify */
'use strict'

let urlEncodedPath = ''
@@ -100,7 +101,7 @@ function dlgShowFolderSelectDialog (orgPath) {
/// alert handling
function dlgSelectAlertShow (errorMessage) {
$('#dlg-select-alert-panel').removeClass('hide')
$('#dlg-select-alert-panel span').html(errorMessage)
$('#dlg-select-alert-panel span').html(DOMPurify.sanitize(errorMessage))
}

function dlgSelectAlertHide () {
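Review bot: `dlgSelectAlertShow` now sanitises `errorMessage` before `.html()` at L241, but if the messages passed in are plain text (nothing in this hunk shows a caller passing markup), `$('#dlg-select-alert-panel span').text(errorMessage)` is the more precise fix — it needs no library and, unlike DOMPurify's default allow-list, renders no links or images inside the alert. If some caller does rely on passing markup, a comment on the function recording that, e.g. `// errorMessage may contain markup; it is sanitised with DOMPurify before insertion`, would explain why `.html` is kept.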
1 change: 1 addition & 0 deletions vault/templates/vault/browse.html
@@ -8,6 +8,7 @@
{% endblock style %}

{% block scripts %}
<script src="{{ url_for('static', filename='lib/purify-3.1.6/js/purify.min.js') }}"></script>
<script src="{{ url_for('static', filename='lib/datatables-1.13.5/datatables.min.js') }}"></script>
<script src="{{ url_for('vault_bp.static', filename='js/vault.js') }}"></script>
<script src="{{ url_for('vault_bp.static', filename='js/dlgSelectCollection.js') }}"></script>
