klmp200/Sith
1
0
Fork 0
mirror of https://github.com/ae-utbm/sith.git synced 2024-11-01 03:48:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #897 from ae-utbm/fix-xss

Browse Source 
Fix xss on select2 results
This commit is contained in:
thomas girod 2024-10-17 12:10:08 +02:00 committed by GitHub
commit 67ebb90ffa
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 16 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
core/static/webpack/utils/select2.ts
View File

@ -265,17 +265,22 @@ export function itemFormatter(user: { loading: boolean; text: string }) {
export function selectItemBuilder(pictureGetter?: (item: RemoteResult) => string) {
return (item: RemoteResult) => {
const picture = typeof pictureGetter === "function" ? pictureGetter(item) : null;
const imgHtml = picture
? `<img
src="${pictureGetter(item)}"
alt="${item.text}"
onerror="this.src = '/static/core/img/unknown.jpg'"
/>`
: "";
const wrapper = document.createElement("div");
wrapper.classList.add("select-item");
if (picture) {
const img = document.createElement("img");
img.src = picture;
img.alt = encodeURI(item.text);
img.onerror = () => {
img.src = "/static/core/img/unknown.jpg";
};
wrapper.appendChild(img);
}
const textSpan = document.createElement("span");
textSpan.classList.add("select-item-text");
textSpan.appendChild(document.createTextNode(item.text));
wrapper.appendChild(textSpan);
return $(`<div class="select-item">
${imgHtml}
<span class="select-item-text">${item.text}</span>
</div>`);
return $(wrapper);
};
}