consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Avoid using html() to set languages description

Browse Source 
The jQuery html() function does not filter <script> tags, so if somehow
an attacker introduced a <script> in the translation, we would be
vulnerable to a XSS attack.

Note using $.parseHTML wouldn't solve the problem, since it doesn't
filter attributes in image tags.

Since changing the text of the part which doesn't have the count wasn't
very clean, I've added another <span> tag for the part with the
description, and so we can use jQuery's text() function to replace it.
This commit is contained in:
Javi Martín
2019-10-19 02:20:59 +02:00
parent d61e8cb6a6
commit 7f1bfc6bd7
4 changed files with 20 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/assets/javascripts/globalize.js
View File

@@ -77,9 +77,10 @@
update_description: function() {
var count, description;
count = App.Globalize.enabled_locales().length;
description = App.Globalize.language_description(count);
$(".js-languages-description").html(description);
$(".js-languages-count").text(count);
description = $(App.Globalize.language_description(count)).filter(".description").text();
$(".js-languages-description .description").text(description);
$(".js-languages-description .count").text(count);
},
language_description: function(count) {
switch (count) {