Browse Source
Sanitize user-input on file name (#17666)
* Sanitize user-input on file name - Sanitize user-input before it get passed into the DOM. - Prevent things like "<iframe onload=alert(1)></iframe>" from being executed. This isn't a XSS attack as the server seems to be santizing the path as well. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>tags/v1.16.0-rc1
Gusted
2 years ago
1 changed files with 2 additions and 1 deletions
+ 2
- 1
web_src/js/features/repo-editor.js
View File
| import {htmlEscape} from 'escape-goat'; | |||||
| import {initMarkupContent} from '../markup/content.js'; | import {initMarkupContent} from '../markup/content.js'; | ||||
| import {createCodeEditor} from './codeeditor.js'; | import {createCodeEditor} from './codeeditor.js'; | ||||
| value = parts[i]; | value = parts[i]; | ||||
| if (i < parts.length - 1) { | if (i < parts.length - 1) { | ||||
| if (value.length) { | if (value.length) { | ||||
| $(`<span class="section"><a href="#">${value}</a></span>`).insertBefore($(this)); | |||||
| $(`<span class="section"><a href="#">${htmlEscape(value)}</a></span>`).insertBefore($(this)); | |||||
| $('<div class="divider"> / </div>').insertBefore($(this)); | $('<div class="divider"> / </div>').insertBefore($(this)); | ||||
| } | } | ||||
| } else { | } else { |
Loading…