
prevent XSS in user management views

This commit is contained in:
Jan Steemann 2014-09-09 20:32:57 +02:00
parent d86efb649b
commit 80f7f61649
4 changed files with 13 additions and 14 deletions


@ -9,9 +9,9 @@
<li class="dropdown-header" style="text-transform: none"> <li class="dropdown-header" style="text-transform: none">
<% <%
if (name) {%> if (name) {%>
<%=name%> (<%=username%>) <%=_.escape(name)%> (<%=_.escape(username)%>)
<% } else {%> <% } else {%>
<%=username%> <%=_.escape(username)%>
<% } %> <% } %>
<li class="dropdown-item"> <li class="dropdown-item">
<a id="userProfile" class="tab" href="#user">User profile</a> <a id="userProfile" class="tab" href="#user">User profile</a>


@ -69,7 +69,7 @@
active = user.get("active"), active = user.get("active"),
avatar = '<img src="'; avatar = '<img src="';
if (!img) { if (! img) {
avatar += 'img/arangodblogoAvatar_50.png'; avatar += 'img/arangodblogoAvatar_50.png';
} else { } else {
avatar += 'https://s.gravatar.com/avatar/'; avatar += 'https://s.gravatar.com/avatar/';
@ -77,16 +77,16 @@
avatar += '?s=50'; avatar += '?s=50';
} }
avatar += '" height="50" width="50" alt="" class="icon" id="'; avatar += '" height="50" width="50" alt="" class="icon" id="';
avatar += username; avatar += _.escape(username);
avatar += '" />'; avatar += '" />';
if (!name) { if (! name) {
name = " "; name = " ";
} }
%> %>
<div class="tile"> <div class="tile">
<div class="iconSet"> <div class="iconSet">
<span class="icon_arangodb_settings2 editUser" id="<%=username %>_edit-user" alt="Edit user" title="Edit user"></span> <span class="icon_arangodb_settings2 editUser" id="<%=_.escape(username) %>_edit-user" alt="Edit user" title="Edit user"></span>
</div> </div>
<%=avatar %> <%=avatar %>
<div class="tileBadge"> <div class="tileBadge">
@ -103,7 +103,7 @@
</span> </span>
</div> </div>
<h5 class="collectionName"><%=username %> <% if (name !== ' ') { %>(<%=name %>)<%}%></h5> <h5 class="collectionName"><%=_.escape(username) %> <% if (name !== ' ') { %>(<%=_.escape(name) %>)<%}%></h5>
</div> </div>
<%});%> <%});%>
</div> </div>
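Review bot: Only `username` is escaped in the avatar markup (`avatar += _.escape(username);`), while the gravatar value `img`, which is appended to the URL between the two hunks (the line following `avatar += 'https://s.gravatar.com/avatar/';` is not shown), still appears to reach the `src` attribute unescaped. Because `avatar` is emitted raw via `<%=avatar %>`, a stored `img` value containing a quote or angle bracket would break out of the attribute, so the appended value should be treated like the other user-controlled fields, e.g. `avatar += _.escape(img);`. The same unencoded concatenation appears in the third file's hunk at `img = "https://s.gravatar.com/avatar/" + img + "?s=24";`, where the downstream use of `img` is outside the diff and should be checked the same way. The template's enclosing loop starts before the first hunk.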


@ -66,12 +66,13 @@
img = currentUser.get("extra").img; img = currentUser.get("extra").img;
active = currentUser.get("active"); active = currentUser.get("active");
} }
if (!img) { if (! img) {
img = "img/arangodblogoAvatar_24.png"; img = "img/arangodblogoAvatar_24.png";
} else { }
else {
img = "https://s.gravatar.com/avatar/" + img + "?s=24"; img = "https://s.gravatar.com/avatar/" + img + "?s=24";
} }
if (!name) { if (! name) {
name = ""; name = "";
} }


@ -10,7 +10,6 @@
el: '#content', el: '#content',
el2: '#userManagementThumbnailsIn', el2: '#userManagementThumbnailsIn',
template: templateEngine.createTemplate("userManagementView.ejs"), template: templateEngine.createTemplate("userManagementView.ejs"),
events: { events: {
@ -405,7 +404,7 @@
{ {
type: window.modalView.tables.READONLY, type: window.modalView.tables.READONLY,
label: "Username", label: "Username",
value: username value: _.escape(username)
}, },
{ {
type: window.modalView.tables.TEXT, type: window.modalView.tables.TEXT,
@ -555,6 +554,5 @@
window.modalView.show("modalTable.ejs", "Edit User Password", buttons, tableContent); window.modalView.show("modalTable.ejs", "Edit User Password", buttons, tableContent);
} }
}); });
}()); }());
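Review bot: `value: _.escape(username)` in the READONLY table entry can double-escape if modalTable.ejs already HTML-escapes `value` when rendering, which would display a literal `&amp;` for a username containing `&`; that template is outside this diff, so confirm which side owns the escaping and do it in exactly one place. If the template emits values raw, this line is the right fix and deserves a short comment such as `// username is rendered raw by modalTable.ejs; escape here`; if the template escapes, the line should revert to `value: username`. The enclosing function starts outside the hunk.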