fix(xss): fix #1181

mrilyew 2024-12-13 16:43:34 +03:00
parent 198bf7472d
commit 0a1f717b45
4 changed files with 16 additions and 8 deletions


@ -164,11 +164,11 @@
<tbody> <tbody>
<tr> <tr>
<td width="120" valign="top"><span class="nobold">${tr('performer')}:</span></td> <td width="120" valign="top"><span class="nobold">${tr('performer')}:</span></td>
<td><input value='${audio_element.info.performer}' name="performer" type="text" autocomplete="off" maxlength="80" /></td> <td><input value='${escapeHtml(audio_element.info.performer)}' name="performer" type="text" autocomplete="off" maxlength="80" /></td>
</tr> </tr>
<tr> <tr>
<td width="120" valign="top"><span class="nobold">${tr('audio_name')}:</span></td> <td width="120" valign="top"><span class="nobold">${tr('audio_name')}:</span></td>
<td><input type="text" value='${audio_element.info.name}' name="name" autocomplete="off" maxlength="80" /></td> <td><input type="text" value='${escapeHtml(audio_element.info.name)}' name="name" autocomplete="off" maxlength="80" /></td>
</tr> </tr>
<tr> <tr>
<td width="120" valign="top"><span class="nobold">${tr('genre')}:</span></td> <td width="120" valign="top"><span class="nobold">${tr('genre')}:</span></td>
@ -178,7 +178,7 @@
</tr> </tr>
<tr> <tr>
<td width="120" valign="top"><span class="nobold">${tr('lyrics')}:</span></td> <td width="120" valign="top"><span class="nobold">${tr('lyrics')}:</span></td>
<td><textarea name="lyrics" style="resize: vertical;max-height: 300px;">${audio_element.info.lyrics}</textarea></td> <td><textarea name="lyrics" style="resize: vertical;max-height: 300px;">${escapeHtml(audio_element.info.lyrics)}</textarea></td>
</tr> </tr>
<tr> <tr>
<td width="120" valign="top"></td> <td width="120" valign="top"></td>
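Review bot: The `value` attributes on the performer and name inputs are single-quoted (`value='${escapeHtml(audio_element.info.performer)}'`), so this fix holds only if `escapeHtml` also encodes `'`; its implementation is not visible here, and many escapers cover just `&`, `<`, `>` and `"`, in which case a value like `' onfocus='alert(1)` still breaks out of the attribute. Switching both inputs to double quotes, `value="${escapeHtml(audio_element.info.performer)}"` and `value="${escapeHtml(audio_element.info.name)}"`, removes the dependence on that detail and matches the double-quoted form used by the other edit dialog in this commit. The lyrics textarea is element text, so `escapeHtml` alone is sufficient there. The template literal this markup belongs to starts and ends outside the hunk.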


@ -1306,12 +1306,12 @@ u(document).on("click", ".musicIcon.edit-icon", (e) => {
MessageBox(tr("edit_audio"), ` MessageBox(tr("edit_audio"), `
<div> <div>
${tr("performer")} ${tr("performer")}
<input name="performer" maxlength="256" type="text" value="${performer}"> <input name="performer" maxlength="256" type="text" value="${escapeHtml(performer)}">
</div> </div>
<div style="margin-top: 11px"> <div style="margin-top: 11px">
${tr("audio_name")} ${tr("audio_name")}
<input name="name" maxlength="256" type="text" value="${name}"> <input name="name" maxlength="256" type="text" value="${escapeHtml(name)}">
</div> </div>
<div style="margin-top: 11px"> <div style="margin-top: 11px">
@ -1359,7 +1359,7 @@ u(document).on("click", ".musicIcon.edit-icon", (e) => {
e.target.setAttribute("data-performer", escapeHtml(response.new_info.performer)) e.target.setAttribute("data-performer", escapeHtml(response.new_info.performer))
e.target.setAttribute("data-title", escapeHtml(response.new_info.name)) e.target.setAttribute("data-title", escapeHtml(response.new_info.name))
e.target.setAttribute("data-lyrics", response.new_info.lyrics_unformatted) e.target.setAttribute("data-lyrics", escapeHtml(response.new_info.lyrics_unformatted))
e.target.setAttribute("data-explicit", Number(response.new_info.explicit)) e.target.setAttribute("data-explicit", Number(response.new_info.explicit))
e.target.setAttribute("data-searchable", Number(!response.new_info.unlisted)) e.target.setAttribute("data-searchable", Number(!response.new_info.unlisted))
player.setAttribute("data-genre", response.new_info.genre) player.setAttribute("data-genre", response.new_info.genre)
@ -1374,7 +1374,7 @@ u(document).on("click", ".musicIcon.edit-icon", (e) => {
} else { } else {
player.insertAdjacentHTML("beforeend", ` player.insertAdjacentHTML("beforeend", `
<div class="lyrics"> <div class="lyrics">
${response.new_info.lyrics} ${escapeHtml(response.new_info.lyrics)}
</div> </div>
`) `)
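Review bot: On the `data-lyrics` line, `escapeHtml` is applied to a value handed to `setAttribute`, which stores the string verbatim without HTML parsing — so it closes no injection path, and lyrics containing `&`, `<` or `"` will come back from `getAttribute`/`dataset` double-encoded as `&amp;`, `&lt;`, `&quot;`. Escaping belongs where the attribute is later interpolated into markup, if such a consumer exists (none is visible in this hunk); the original `e.target.setAttribute("data-lyrics", response.new_info.lyrics_unformatted)` was already a safe DOM write, and the same applies to the pre-existing `data-performer`/`data-title` lines. Separately, the `lyrics` vs `lyrics_unformatted` naming suggests `response.new_info.lyrics` may be server-formatted markup, in which case `escapeHtml` inside the `.lyrics` div will render its tags literally — worth confirming which field is meant for `insertAdjacentHTML`. The click handler enclosing these hunks starts and ends outside them.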


@ -2579,7 +2579,7 @@ async function changeStatus() {
document.querySelector("#page_status_text").innerHTML = `[ ${tr("change_status")} ]`; document.querySelector("#page_status_text").innerHTML = `[ ${tr("change_status")} ]`;
document.querySelector("#page_status_text").className = "edit_link page_status_edit_button"; document.querySelector("#page_status_text").className = "edit_link page_status_edit_button";
} else { } else {
document.querySelector("#page_status_text").innerHTML = status; document.querySelector("#page_status_text").innerHTML = escapeHtml(status);
document.querySelector("#page_status_text").className = "page_status page_status_edit_button"; document.querySelector("#page_status_text").className = "page_status page_status_edit_button";
} }
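Review bot: `innerHTML = escapeHtml(status)` is only as safe as the escaper's coverage of every character the HTML parser treats specially; since the intent is to display the status as plain text, `document.querySelector("#page_status_text").textContent = status;` states that directly and does not depend on `escapeHtml` at all. The `[ ${tr("change_status")} ]` branch above can stay on `innerHTML` only if translation strings are trusted template text; a comment such as `// tr() output is trusted template text; user-supplied status goes through textContent` would make that boundary explicit for the next reader. `changeStatus` starts and ends outside the hunk.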


@ -234,6 +234,10 @@ window.router = new class {
} }
u(document).on('click', 'a', async (e) => { u(document).on('click', 'a', async (e) => {
if(e.defaultPrevented) {
return
}
const target = u(e.target).closest('a') const target = u(e.target).closest('a')
const dom_url = target.attr('href') const dom_url = target.attr('href')
const id = target.attr('id') const id = target.attr('id')
@ -289,6 +293,10 @@ u(document).on('click', 'a', async (e) => {
}) })
u(document).on('submit', 'form', async (e) => { u(document).on('submit', 'form', async (e) => {
if(e.defaultPrevented) {
return
}
if(u('#ajloader').hasClass('shown')) { if(u('#ajloader').hasClass('shown')) {
e.preventDefault() e.preventDefault()
return return