Sanitize user-input on file name (#17666)
* Sanitize user-input on file name - Sanitize user-input before it gets passed into the DOM. - Prevent things like "<iframe onload=alert(1)></iframe>" from being executed. This isn't an XSS attack as the server seems to be sanitizing the path as well. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
parent
5233051e64
commit
d8a8961b99
1 changed files with 2 additions and 1 deletions
@ -1,3 +1,4 @@
import {htmlEscape} from 'escape-goat';
import {initMarkupContent} from '../markup/content.js';
import {initMarkupContent} from '../markup/content.js';
import {createCodeEditor} from './codeeditor.js';
import {createCodeEditor} from './codeeditor.js';
|
|
@ -109,7 +110,7 @@ export function initRepoEditor() {
value = parts[i];
value = parts[i];
if (i < parts.length - 1) {
if (i < parts.length - 1) {
if (value.length) {
if (value.length) {
$(`<span class="section"><a href="#">${value}</a></span>`).insertBefore($(this));
$(`<span class="section"><a href="#">${htmlEscape(value)}</a></span>`).insertBefore($(this));
$('<div class="divider"> / </div>').insertBefore($(this));
$('<div class="divider"> / </div>').insertBefore($(this));
}
}
} else {
} else {
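Review bot: The new `${htmlEscape(value)}` on the section line is correct for a text node inside `<a>`, but the line still builds markup by string interpolation and hands it to jQuery, so the safety now rests on every future edit remembering to escape. Constructing the element and setting the text directly removes the HTML context entirely and the `escape-goat` dependency with it: `$('<span class="section"></span>').append($('<a href="#"></a>').text(value)).insertBefore($(this));`. The commit description notes the server also sanitizes the path; a short comment on this line such as `// value is user-typed path segment; keep it out of the HTML context` would record why the client-side escaping is still needed. `initRepoEditor` starts before this hunk and the `else` branch continues after it, so any other place in that function that interpolates `value` or `parts` into markup is not visible here and may need the same treatment.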
|
|