diff options
| author | Gusted <williamzijl7@hotmail.com> | 2022-01-16 05:14:32 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-16 13:14:32 +0800 |
| commit | 661d3d28e97bb49bef075c0314edad5879148aaa (patch) | |
| tree | 9b4a0c1a8244b003b9467f861088d6eadbaafabc /web_src/js/features/common-global.js | |
| parent | 4b4884ce889439f092d3797984e768e0cf2a278e (diff) | |
| download | gitea-661d3d28e97bb49bef075c0314edad5879148aaa.tar.gz gitea-661d3d28e97bb49bef075c0314edad5879148aaa.zip | |
Prevent possible XSS when using jQuery (#18289)
In the case of misuse or misunderstanding from a developer whereby,
if `sel` can receive user-controlled data, jQuery `$(sel)` can lead to the
creation of a new element. Current usage is using hard-coded selectors
in the templates, but nobody prevents that from expanding to
user-controlled somehow.
Diffstat (limited to 'web_src/js/features/common-global.js')
| -rw-r--r-- | web_src/js/features/common-global.js | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/web_src/js/features/common-global.js b/web_src/js/features/common-global.js index bf9d21ac49..258a056e32 100644 --- a/web_src/js/features/common-global.js +++ b/web_src/js/features/common-global.js @@ -124,7 +124,7 @@ export function initGlobalCommon() { $('.tabable.menu .item').tab(); $('.toggle.button').on('click', function () { - $($(this).data('target')).slideToggle(100); + $.find($(this).data('target')).slideToggle(100); }); // make table <tr> and <td> elements clickable like a link @@ -202,7 +202,7 @@ export function initGlobalLinkActions() { closable: false, onApprove() { if ($this.data('type') === 'form') { - $($this.data('form')).trigger('submit'); + $.find($this.data('form')).trigger('submit'); return; } @@ -240,7 +240,7 @@ export function initGlobalLinkActions() { closable: false, onApprove() { if ($this.data('type') === 'form') { - $($this.data('form')).trigger('submit'); + $.find($this.data('form')).trigger('submit'); return; } @@ -293,7 +293,7 @@ export function initGlobalLinkActions() { export function initGlobalButtons() { $('.show-panel.button').on('click', function () { - $($(this).data('panel')).show(); + $.find($(this).data('panel')).show(); }); $('.hide-panel.button').on('click', function (event) { @@ -301,7 +301,7 @@ export function initGlobalButtons() { event.preventDefault(); let sel = $(this).attr('data-panel'); if (sel) { - $(sel).hide(); + $.find(sel).hide(); return; } sel = $(this).attr('data-panel-closest'); @@ -314,8 +314,8 @@ export function initGlobalButtons() { }); $('.show-modal.button').on('click', function () { - $($(this).data('modal')).modal('show'); - const colorPickers = $($(this).data('modal')).find('.color-picker'); + $.find($(this).data('modal')).modal('show'); + const colorPickers = $.find($(this).data('modal')).find('.color-picker'); if (colorPickers.length > 0) { initCompColorPicker(); } |