diff options
| author | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
|---|---|---|
| committer | ArthurHoaro <arthur@hoa.ro> | 2020-10-06 17:30:18 +0200 |
| commit | 72fbbcd6794facea2cf06d9742359d190257b00f (patch) | |
| tree | a4d6f446ec861f9a7591edb31f322e2a846b2bac /assets | |
| parent | df25b28dcd3cde54d42c18a55a810daa82bf5727 (diff) | |
| download | Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.gz Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.tar.zst Shaarli-72fbbcd6794facea2cf06d9742359d190257b00f.zip | |
Security: fix multiple XSS vulnerabilities + fix search tags with special chars
XSS vulnerabilities fixed in editlink, linklist, tag.cloud and tag.list.
Also fixed tag search with special characters: urlencode function needs to be applied on raw data, before espaping, otherwise the rendered URL is wrong.
Diffstat (limited to 'assets')
| -rw-r--r-- | assets/default/js/base.js | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/assets/default/js/base.js b/assets/default/js/base.js index d9933152..be986ae0 100644 --- a/assets/default/js/base.js +++ b/assets/default/js/base.js | |||
| @@ -555,6 +555,7 @@ function init(description) { | |||
| 555 | } | 555 | } |
| 556 | const refreshedToken = document.getElementById('token').value; | 556 | const refreshedToken = document.getElementById('token').value; |
| 557 | const fromtag = block.getAttribute('data-tag'); | 557 | const fromtag = block.getAttribute('data-tag'); |
| 558 | const fromtagUrl = block.getAttribute('data-tag-url'); | ||
| 558 | const xhr = new XMLHttpRequest(); | 559 | const xhr = new XMLHttpRequest(); |
| 559 | xhr.open('POST', `${basePath}/admin/tags`); | 560 | xhr.open('POST', `${basePath}/admin/tags`); |
| 560 | xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); | 561 | xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); |
| @@ -564,6 +565,7 @@ function init(description) { | |||
| 564 | location.reload(); | 565 | location.reload(); |
| 565 | } else { | 566 | } else { |
| 566 | block.setAttribute('data-tag', totag); | 567 | block.setAttribute('data-tag', totag); |
| 568 | block.setAttribute('data-tag-url', encodeURIComponent(totag)); | ||
| 567 | input.setAttribute('name', totag); | 569 | input.setAttribute('name', totag); |
| 568 | input.setAttribute('value', totag); | 570 | input.setAttribute('value', totag); |
| 569 | findParent(input, 'div', { class: 'rename-tag-form' }).style.display = 'none'; | 571 | findParent(input, 'div', { class: 'rename-tag-form' }).style.display = 'none'; |
| @@ -572,6 +574,9 @@ function init(description) { | |||
| 572 | .querySelector('a.tag-link') | 574 | .querySelector('a.tag-link') |
| 573 | .setAttribute('href', `${basePath}/?searchtags=${encodeURIComponent(totag)}`); | 575 | .setAttribute('href', `${basePath}/?searchtags=${encodeURIComponent(totag)}`); |
| 574 | block | 576 | block |
| 577 | .querySelector('a.count') | ||
| 578 | .setAttribute('href', `${basePath}/add-tag/${encodeURIComponent(totag)}`); | ||
| 579 | block | ||
| 575 | .querySelector('a.rename-tag') | 580 | .querySelector('a.rename-tag') |
| 576 | .setAttribute('href', `${basePath}/admin/tags?fromtag=${encodeURIComponent(totag)}`); | 581 | .setAttribute('href', `${basePath}/admin/tags?fromtag=${encodeURIComponent(totag)}`); |
| 577 | 582 | ||
| @@ -580,7 +585,7 @@ function init(description) { | |||
| 580 | awesomepletes = updateAwesompleteList('.rename-tag-input', existingTags, awesomepletes); | 585 | awesomepletes = updateAwesompleteList('.rename-tag-input', existingTags, awesomepletes); |
| 581 | } | 586 | } |
| 582 | }; | 587 | }; |
| 583 | xhr.send(`renametag=1&fromtag=${encodeURIComponent(fromtag)}&totag=${encodeURIComponent(totag)}&token=${refreshedToken}`); | 588 | xhr.send(`renametag=1&fromtag=${fromtagUrl}&totag=${encodeURIComponent(totag)}&token=${refreshedToken}`); |
| 584 | refreshToken(basePath); | 589 | refreshToken(basePath); |
| 585 | }); | 590 | }); |
| 586 | }); | 591 | }); |
| @@ -603,6 +608,7 @@ function init(description) { | |||
| 603 | event.preventDefault(); | 608 | event.preventDefault(); |
| 604 | const block = findParent(event.target, 'div', { class: 'tag-list-item' }); | 609 | const block = findParent(event.target, 'div', { class: 'tag-list-item' }); |
| 605 | const tag = block.getAttribute('data-tag'); | 610 | const tag = block.getAttribute('data-tag'); |
| 611 | const tagUrl = block.getAttribute('data-tag-url'); | ||
| 606 | const refreshedToken = document.getElementById('token').value; | 612 | const refreshedToken = document.getElementById('token').value; |
| 607 | 613 | ||
| 608 | if (confirm(`Are you sure you want to delete the tag "${tag}"?`)) { | 614 | if (confirm(`Are you sure you want to delete the tag "${tag}"?`)) { |
| @@ -612,7 +618,7 @@ function init(description) { | |||
| 612 | xhr.onload = () => { | 618 | xhr.onload = () => { |
| 613 | block.remove(); | 619 | block.remove(); |
| 614 | }; | 620 | }; |
| 615 | xhr.send(encodeURI(`deletetag=1&fromtag=${tag}&token=${refreshedToken}`)); | 621 | xhr.send(`deletetag=1&fromtag=${tagUrl}&token=${refreshedToken}`); |
| 616 | refreshToken(basePath); | 622 | refreshToken(basePath); |
| 617 | 623 | ||
| 618 | existingTags = existingTags.filter((tagItem) => tagItem !== tag); | 624 | existingTags = existingTags.filter((tagItem) => tagItem !== tag); |