From 2198bb5a1981177b04dd94b2b1b6a90c5d7a5c25 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Mon, 14 Nov 2022 14:21:40 +0100
Subject: Prevent XSS with ng-select When using ng-option See https://github.com/ng-select/ng-select/issues/1363
---
 client/src/app/+admin/system/jobs/jobs.component.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'client/src/app/+admin/system/jobs')
diff --git a/client/src/app/+admin/system/jobs/jobs.component.ts b/client/src/app/+admin/system/jobs/jobs.component.ts
index d5da1b743..b8f3c3a68 100644
--- a/client/src/app/+admin/system/jobs/jobs.component.ts
+++ b/client/src/app/+admin/system/jobs/jobs.component.ts
@@ -2,6 +2,7 @@ import { SortMeta } from 'primeng/api'
 import { Component, OnInit } from '@angular/core'
 import { Notifier, RestPagination, RestTable } from '@app/core'
 import { peertubeLocalStorage } from '@root-helpers/peertube-web-storage'
+import { escapeHTML } from '@shared/core-utils/renderer'
 import { Job, JobState, JobType } from '@shared/models'
 import { JobStateClient } from '../../../../types/job-state-client.type'
 import { JobTypeClient } from '../../../../types/job-type-client.type'
@@ -142,7 +143,10 @@ export class JobsComponent extends RestTable implements OnInit {
   private loadJobStateAndType () {
     const state = peertubeLocalStorage.getItem(JobsComponent.LOCAL_STORAGE_STATE)
-    if (state) this.jobState = state as JobState
+
+    // FIXME: We use that doesn't escape HTML
+    // https://github.com/ng-select/ng-select/issues/1363
+    if (state) this.jobState = escapeHTML(state) as JobState
 
     const type = peertubeLocalStorage.getItem(JobsComponent.LOCAL_STORAGE_TYPE)
     if (type) this.jobType = type as JobType
-- cgit v1.2.3
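Review bot: Escaping the localStorage value at `this.jobState = escapeHTML(state) as JobState` neutralises the rendering bug but keeps the `as JobState` cast, so any string a user (or another script on the origin) has written into localStorage still flows into `jobState`; an allowlist check is the fix that addresses both the injection and the invalid-state problem at once. Compare the value against the set of known JobState members and fall back to the default when it is not one of them, e.g. `if (state && KNOWN_JOB_STATES.includes(state as JobState)) this.jobState = state as JobState` (KNOWN_JOB_STATES is a placeholder for whatever list of states the component already offers), which also makes the FIXME and the escaping unnecessary since only fixed literals can ever reach the template. The same pattern is repeated two lines down for `this.jobType = type as JobType`, which reads the same storage and presumably feeds the same kind of ng-select, yet receives neither escaping nor validation. The comment `// FIXME: We use that doesn't escape HTML` appears to have lost the element name it refers to; spell it out, e.g. `// FIXME: the ng-option element does not escape HTML`. The closing of loadJobStateAndType lies outside the hunk.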