mirror of
https://github.com/ae-utbm/sith.git
synced 2024-11-24 18:14:22 +00:00
Merge pull request #897 from ae-utbm/fix-xss
Fix xss on select2 results
commit
67ebb90ffa
@ -265,17 +265,22 @@ export function itemFormatter(user: { loading: boolean; text: string }) {
|
|||||||
export function selectItemBuilder(pictureGetter?: (item: RemoteResult) => string) {
|
export function selectItemBuilder(pictureGetter?: (item: RemoteResult) => string) {
|
||||||
return (item: RemoteResult) => {
|
return (item: RemoteResult) => {
|
||||||
const picture = typeof pictureGetter === "function" ? pictureGetter(item) : null;
|
const picture = typeof pictureGetter === "function" ? pictureGetter(item) : null;
|
||||||
const imgHtml = picture
|
const wrapper = document.createElement("div");
|
||||||
? `<img
|
wrapper.classList.add("select-item");
|
||||||
src="${pictureGetter(item)}"
|
if (picture) {
|
||||||
alt="${item.text}"
|
const img = document.createElement("img");
|
||||||
onerror="this.src = '/static/core/img/unknown.jpg'"
|
img.src = picture;
|
||||||
/>`
|
img.alt = encodeURI(item.text);
|
||||||
: "";
|
img.onerror = () => {
|
||||||
|
img.src = "/static/core/img/unknown.jpg";
|
||||||
|
};
|
||||||
|
wrapper.appendChild(img);
|
||||||
|
}
|
||||||
|
const textSpan = document.createElement("span");
|
||||||
|
textSpan.classList.add("select-item-text");
|
||||||
|
textSpan.appendChild(document.createTextNode(item.text));
|
||||||
|
wrapper.appendChild(textSpan);
|
||||||
|
|
||||||
return $(`<div class="select-item">
|
return $(wrapper);
|
||||||
${imgHtml}
|
|
||||||
<span class="select-item-text">${item.text}</span>
|
|
||||||
</div>`);
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
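Review bot: `img.alt = encodeURI(item.text);` applies URL encoding to a value that is not a URL, so the alt text reaches assistive technology percent-encoded (a space becomes `%20`, accented letters become byte escapes). Assigning to the `alt` property never parses the string as HTML, so the XSS fix holds without any escaping there; `img.alt = item.text;` is enough, matching how the `createTextNode(item.text)` line treats the same value. Separately, the `onerror` handler re-assigns `img.src` without detaching itself, so if `/static/core/img/unknown.jpg` also fails to load it would presumably fire again; making `img.onerror = null;` the handler's first statement avoids that. `img.src = picture` takes whatever `pictureGetter` returns, and those getters are outside this hunk, so any scheme or origin restriction on that URL has to be enforced where they are defined.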