git724/forgejo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 4

Prevent possible XSS when using jQuery (#18289)

Browse source 
In the case of misuse or misunderstanding from a developer whereby,
if `sel` can receive user-controlled data, jQuery `$(sel)` can lead to the
creation of a new element. Current usage is using hard-coded selectors
in the templates, but nobody prevents that from expanding to
user-controlled somehow.
This commit is contained in:
Gusted 2022-01-16 05:14:32 +00:00 committed by GitHub
parent 4b4884ce88
commit 661d3d28e9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 39 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

2
web_src/js/features/repo-branch.js
View file

@ -2,6 +2,6 @@ export function initRepoBranchButton() {
$('.show-create-branch-modal.button').on('click', function () {
$('#create-branch-form')[0].action = $('#create-branch-form').data('base-action') + $(this).data('branch-from-urlcomponent');
$('#modal-create-branch-from-span').text($(this).data('branch-from'));
$($(this).data('modal')).modal('show');
$.find($(this).data('modal')).modal('show');
});
}