From 661d3d28e97bb49bef075c0314edad5879148aaa Mon Sep 17 00:00:00 2001
From: Gusted
Date: Sun, 16 Jan 2022 05:14:32 +0000
Subject: Prevent possible XSS when using jQuery (#18289)

In the case of misuse or misunderstanding from a developer whereby, if `sel` can receive user-controlled data, jQuery `$(sel)` can lead to the creation of a new element. Current usage is using hard-coded selectors in the templates, but nobody prevents that from expanding to user-controlled somehow.
---
 web_src/js/features/comp/LabelEdit.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'web_src/js/features/comp')

diff --git a/web_src/js/features/comp/LabelEdit.js b/web_src/js/features/comp/LabelEdit.js
index 7d71e6effa..7c31080be8 100644
--- a/web_src/js/features/comp/LabelEdit.js
+++ b/web_src/js/features/comp/LabelEdit.js
@@ -1,7 +1,7 @@
 import {initCompColorPicker} from './ColorPicker.js';
 
 export function initCompLabelEdit(selector) {
-  if (!$(selector).length) return;
+  if (!$.find(selector).length) return;
   // Create label
   const $newLabelPanel = $('.new-label.segment');
   $('.new-label.button').on('click', () => {
-- 
cgit v1.2.3
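Review bot: `$.find(selector)` on the added line is the selector engine exposed on the jQuery object rather than a documented public jQuery API, so a later maintainer is likely to read it as a typo for `$(selector)` and revert the hardening; a comment at that line would protect the intent, e.g. `// $.find() only parses a selector; $() would turn an HTML string into new DOM elements`. The plain DOM form `if (!document.querySelector(selector)) return;` gives the same selector-only behaviour without relying on an undocumented jQuery internal and reads as deliberate on its own. The guard only covers this early return: initCompLabelEdit's body continues outside the hunk, so any further use of `selector` with `$()` there would need the same treatment.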