Fixed XSS on the dashboard's action log

projectsend · Jul 27, 2021 · 1d90d54 · 1d90d54
1 parent 7b4793c
commit 1d90d54
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/assets/src/js/helpers.js b/assets/src/js/helpers.js
@@ -0,0 +1,6 @@
+function htmlEncode(str)
+{
+    return String(str).replace(/[^\w. ]/gi, function(c){
+        return '&#'+c.charCodeAt(0)+';';
+    });
+}
diff --git a/assets/src/js/parts/widget_action_log.js b/assets/src/js/parts/widget_action_log.js
@@ -59,7 +59,7 @@
                                     <i class="fa fa-`+icon+`" aria-hidden="true"></i>
                                 </div>
                                 <div class="action">`+
-                                    item.formatted+`
+                                    htmlEncode(item.formatted)+`
                                 </div>
                             `);
                     });

diff --git a/gulpfile.js b/gulpfile.js
@@ -47,6 +47,7 @@ let assetsJs = [
 let appJs = [
     'assets/src/js/obj.js',
     'assets/src/js/main.js',
+    'assets/src/js/helpers.js',
     'assets/src/js/pages/*.js',
     'assets/src/js/parts/*.js'
 ];