fix(xss): fix #1181
This commit is contained in:
parent
198bf7472d
commit
0a1f717b45
4 changed files with 16 additions and 8 deletions
|
@ -164,11 +164,11 @@
|
|||
<tbody>
|
||||
<tr>
|
||||
<td width="120" valign="top"><span class="nobold">${tr('performer')}:</span></td>
|
||||
<td><input value='${audio_element.info.performer}' name="performer" type="text" autocomplete="off" maxlength="80" /></td>
|
||||
<td><input value='${escapeHtml(audio_element.info.performer)}' name="performer" type="text" autocomplete="off" maxlength="80" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="120" valign="top"><span class="nobold">${tr('audio_name')}:</span></td>
|
||||
<td><input type="text" value='${audio_element.info.name}' name="name" autocomplete="off" maxlength="80" /></td>
|
||||
<td><input type="text" value='${escapeHtml(audio_element.info.name)}' name="name" autocomplete="off" maxlength="80" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="120" valign="top"><span class="nobold">${tr('genre')}:</span></td>
|
||||
|
@ -178,7 +178,7 @@
|
|||
</tr>
|
||||
<tr>
|
||||
<td width="120" valign="top"><span class="nobold">${tr('lyrics')}:</span></td>
|
||||
<td><textarea name="lyrics" style="resize: vertical;max-height: 300px;">${audio_element.info.lyrics}</textarea></td>
|
||||
<td><textarea name="lyrics" style="resize: vertical;max-height: 300px;">${escapeHtml(audio_element.info.lyrics)}</textarea></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="120" valign="top"></td>
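Review bot: The `value='${escapeHtml(audio_element.info.performer)}'` and `value='${escapeHtml(audio_element.info.name)}'` attributes in the -164 hunk are single-quoted, so the fix only holds if escapeHtml also encodes the apostrophe; a helper that covers just `&`, `<`, `>` and `"` would leave these two attributes breakable even after this change. Either confirm the helper's character set or switch the attributes to double quotes, `value="${escapeHtml(audio_element.info.performer)}"`, which is the form already used for the inputs in the other changed file. The `<textarea>` in the -178 hunk is fine as written, since its entity-encoded content is decoded by the browser as text. The enclosing template runs past both hunks.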
|
||||
|
|
|
@ -1306,12 +1306,12 @@ u(document).on("click", ".musicIcon.edit-icon", (e) => {
|
|||
MessageBox(tr("edit_audio"), `
|
||||
<div>
|
||||
${tr("performer")}
|
||||
<input name="performer" maxlength="256" type="text" value="${performer}">
|
||||
<input name="performer" maxlength="256" type="text" value="${escapeHtml(performer)}">
|
||||
</div>
|
||||
|
||||
<div style="margin-top: 11px">
|
||||
${tr("audio_name")}
|
||||
<input name="name" maxlength="256" type="text" value="${name}">
|
||||
<input name="name" maxlength="256" type="text" value="${escapeHtml(name)}">
|
||||
</div>
|
||||
|
||||
<div style="margin-top: 11px">
|
||||
|
@ -1359,7 +1359,7 @@ u(document).on("click", ".musicIcon.edit-icon", (e) => {
|
|||
|
||||
e.target.setAttribute("data-performer", escapeHtml(response.new_info.performer))
|
||||
e.target.setAttribute("data-title", escapeHtml(response.new_info.name))
|
||||
e.target.setAttribute("data-lyrics", response.new_info.lyrics_unformatted)
|
||||
e.target.setAttribute("data-lyrics", escapeHtml(response.new_info.lyrics_unformatted))
|
||||
e.target.setAttribute("data-explicit", Number(response.new_info.explicit))
|
||||
e.target.setAttribute("data-searchable", Number(!response.new_info.unlisted))
|
||||
player.setAttribute("data-genre", response.new_info.genre)
|
||||
|
@ -1374,7 +1374,7 @@ u(document).on("click", ".musicIcon.edit-icon", (e) => {
|
|||
} else {
|
||||
player.insertAdjacentHTML("beforeend", `
|
||||
<div class="lyrics">
|
||||
${response.new_info.lyrics}
|
||||
${escapeHtml(response.new_info.lyrics)}
|
||||
</div>
|
||||
`)
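Review bot: `e.target.setAttribute("data-lyrics", escapeHtml(response.new_info.lyrics_unformatted))` in the -1359 hunk stores an already entity-encoded string in a DOM attribute; setAttribute does not parse HTML, so the raw value is safe there, and any code that later reads the attribute back and escapes it again (the -1306 template appears to do that for `performer` and `name`, if those are read from the same data attributes) will display double-encoded text such as `&amp;lt;`. The unchanged performer/title lines above follow the same pattern, so this may be deliberate; if so, a short comment on the convention would help, `// data-* attributes hold HTML-encoded text; read them back without re-escaping`. Separately, in the -1374 hunk `${escapeHtml(response.new_info.lyrics)}` is inserted via insertAdjacentHTML; if `lyrics` is the server-formatted variant (the sibling `lyrics_unformatted` field suggests it is), its markup will now render literally, and escaping `lyrics_unformatted` and applying the line-break formatting client-side after escaping would be the cleaner route. The enclosing click handler starts and ends outside these hunks.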
|
||||
|
||||
|
|
|
@ -2579,7 +2579,7 @@ async function changeStatus() {
|
|||
document.querySelector("#page_status_text").innerHTML = `[ ${tr("change_status")} ]`;
|
||||
document.querySelector("#page_status_text").className = "edit_link page_status_edit_button";
|
||||
} else {
|
||||
document.querySelector("#page_status_text").innerHTML = status;
|
||||
document.querySelector("#page_status_text").innerHTML = escapeHtml(status);
|
||||
document.querySelector("#page_status_text").className = "page_status page_status_edit_button";
|
||||
}
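Review bot: `document.querySelector("#page_status_text").innerHTML = escapeHtml(status);` in the -2579 hunk still routes user-controlled text through the HTML parser and depends on the helper covering every significant character; assigning `document.querySelector("#page_status_text").textContent = status;` sets the same visible text with no encoding step at all. The `else` branch only ever shows plain text, so nothing is lost; the `if` branch on the preceding context line builds markup and can stay on innerHTML. changeStatus starts outside the hunk.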
|
||||
|
||||
|
|
|
@ -234,6 +234,10 @@ window.router = new class {
|
|||
}
|
||||
|
||||
u(document).on('click', 'a', async (e) => {
|
||||
if(e.defaultPrevented) {
|
||||
return
|
||||
}
|
||||
|
||||
const target = u(e.target).closest('a')
|
||||
const dom_url = target.attr('href')
|
||||
const id = target.attr('id')
|
||||
|
@ -289,6 +293,10 @@ u(document).on('click', 'a', async (e) => {
|
|||
})
|
||||
|
||||
u(document).on('submit', 'form', async (e) => {
|
||||
if(e.defaultPrevented) {
|
||||
return
|
||||
}
|
||||
|
||||
if(u('#ajloader').hasClass('shown')) {
|
||||
e.preventDefault()
|
||||
return
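Review bot: The new `if(e.defaultPrevented) { return }` guards in the -234 and -289 hunks carry no comment, and the intent, yielding to a handler that already claimed the click or submit instead of routing it through the SPA loader, is not obvious from the code; a one-line comment above each guard such as `// another handler already handled this event; do not intercept it` would help. The guard only observes handlers that ran earlier in propagation, so a listener registered on `document` after the router would not be honoured, which is worth stating if that is the expected contract. Both enclosing handlers continue past their hunks.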
|
||||
|
|