Mirrorlandia_minetest/contentdb
1
0
Fork 0
mirror of https://github.com/minetest/contentdb.git synced 2025-01-24 06:51:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix potentiall XSS vulnerability

Browse Source
This commit is contained in:
rubenwardy 2018-05-27 21:33:50 +01:00
parent 63af1535b9
commit ca7708437b
No known key found for this signature in database
GPG Key ID: A1E29D52FF81513C
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
app/templates/packages/create_edit.html
View File

@ -22,14 +22,22 @@
{% endfor %} {% endfor %}
] ]
function escape(unsafe) {
return unsafe
.replace(/&/g, "&")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
}
all_packages = meta_packages.slice(); all_packages = meta_packages.slice();
{% for p in packages %} {% for p in packages %}
{# This is safe as name can only contain `[a-z0-9_]` #}
all_packages.push({ all_packages.push({
id: "{{ p.author.username }}/{{ p.name }}", id: "{{ p.author.username }}/{{ p.name }}",
value: {{ p.title | tojson }} + " by " + {{ p.author.display_name | tojson }}, value: escape({{ p.title | tojson }} + " by " + {{ p.author.display_name | tojson }}),
toString: function() { return {{ p.title | tojson }} + " by " + {{ p.author.display_name | tojson }} + " only"; }, toString: function() { return escape({{ p.title | tojson }} + " by " + {{ p.author.display_name | tojson }} + " only"); },
}); });
{% endfor %} {% endfor %}
</script> </script>