diff options
| author | Yarden Shoham <git@yardenshoham.com> | 2024-03-16 15:25:27 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-03-16 13:25:27 +0000 |
| commit | f9b4efd42c17d7f75b689142b17575a478fe903c (patch) | |
| tree | 018f25d2888e35a6d9975c1828e788cf2206d512 /web_src/js/modules | |
| parent | c6e5ec51bd5d2d3ede30b7506e7cc47f18a49ca8 (diff) | |
| download | gitea-f9b4efd42c17d7f75b689142b17575a478fe903c.tar.gz gitea-f9b4efd42c17d7f75b689142b17575a478fe903c.zip | |
Forbid HTML injection using jQuery (#29843)
See
https://github.com/wikimedia/eslint-plugin-no-jquery/blob/master/docs/rules/no-append-html.md
Tested the following components and they work as before:
- notification table
- issue author dropdown
- comment edit box attachments div
Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Diffstat (limited to 'web_src/js/modules')
| -rw-r--r-- | web_src/js/modules/fomantic/dropdown.js | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/web_src/js/modules/fomantic/dropdown.js b/web_src/js/modules/fomantic/dropdown.js index caba8a2f28..7302078dbd 100644 --- a/web_src/js/modules/fomantic/dropdown.js +++ b/web_src/js/modules/fomantic/dropdown.js @@ -72,7 +72,9 @@ function delegateOne($dropdown) { dropdownTemplates.menu = function(response, fields, preserveHTML, className) { // when the dropdown menu items are loaded from AJAX requests, the items are created dynamically const menuItems = dropdownTemplatesMenuOld(response, fields, preserveHTML, className); - const $wrapper = $('<div>').append(menuItems); + const div = document.createElement('div'); + div.innerHTML = menuItems; + const $wrapper = $(div); const $items = $wrapper.find('> .item'); $items.each((_, item) => updateMenuItem($dropdown[0], item)); $dropdown[0][ariaPatchKey].deferredRefreshAriaActiveItem(); |