Merge pull request #2757 from modoboa/fix/xss_issue_domain_form
Fixed XSS issue in domain creation form.
tonioo committed Jan 24, 2023
2 parents 883cb4c + 7b7b6ba commit 354ab68
Showing 3 changed files with 16 additions and 7 deletions.
4 changes: 2 additions & 2 deletions modoboa/admin/static/admin/js/admin.js
Expand Up @@ -152,7 +152,7 @@ Domains.prototype = {
: gettext("This operation will remove all data associated to this domain, excepting accounts.");

$("a[name=deldomain]").confirm({
question: function() { return this.$element.attr('title'); },
question: function() { return htmlEncode(this.$element.attr('title')); },
method: "POST",
warning: warnmsg,
checkboxes: deloptions,
Expand Down Expand Up @@ -295,7 +295,7 @@ Domains.prototype = {

optionsform_prefill: function() {
var $span = $("#id_dom_admin_username").next("span");
$span.html("@" + $("#id_name").val());
$span.html("@" + htmlEncode($("#id_name").val()));
},

domadminsform_init: function() {
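Review bot: The prefill on the `$span.html("@" + htmlEncode($("#id_name").val()));` line encodes the value only to hand it to `.html()`; setting text content directly, `$span.text("@" + $("#id_name").val());`, needs no encoding at all and also removes the load-order dependency on `htmlEncode`, which this commit defines in a different file (global.js). The `question` callback is the right place to encode only if the confirm plugin injects the string as HTML; if it renders it as text the numeric entities will show up literally, and that cannot be verified from this hunk. Both hunks sit inside `Domains.prototype`, whose object literal starts and ends outside the hunks.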
10 changes: 5 additions & 5 deletions modoboa/admin/templates/admin/domains.html
Expand Up @@ -13,11 +13,11 @@
{{ block.super }}
<script src="{% static 'transport/js/transport.js' %}" type="text/javascript"></script>
<script type="text/javascript">
$(document).ready(function() {
admin = new Domains({
load_page_url: "{% url 'admin:domain_page' %}"
});
});
$(document).ready(function() {
admin = new Domains({
load_page_url: "{% url 'admin:domain_page' %}"
});
});
</script>
{% extra_static_content "domains" "js" user %}
{% endblock %}
9 changes: 9 additions & 0 deletions modoboa/static/js/global.js
Expand Up @@ -361,6 +361,15 @@ String.prototype.format = function() {
});
};

/**
* Simple HTML escape function
*/
function htmlEncode(str) {
return String(str).replace(/[^\w. ]/gi, function(c) {
return '&#'+c.charCodeAt(0)+';';
});
}

$(document).ready(function() {
$(document).ajaxSuccess(function(e, xhr, settings) { ajax_login_redirect(xhr); });
$(document).ajaxError(defaultAjaxErrorHandler);
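Review bot: `htmlEncode` works per UTF-16 code unit: `charCodeAt(0)` on a character outside the Basic Multilingual Plane yields two numeric references for the surrogate halves, which is not a valid entity pair, so a title or domain name containing such a character renders incorrectly after encoding. With the `u` flag the pattern matches whole code points and `codePointAt` gives the correct number: `return String(str).replace(/[^\w. ]/gu, function(c) {` and `return '&#' + c.codePointAt(0) + ';';`. The `i` flag is redundant since `\w` already matches both cases. The JSDoc block should also state the contract, e.g. `@param {*} str - value coerced to a string; every character except letters, digits, underscore, dot and space is replaced with a decimal numeric character reference` and `@returns {string} text safe to insert as HTML element or attribute content`.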
