authorAndy Staudacher <andy.st@gmail.com>2009-09-01 01:12:02 -0700
committerAndy Staudacher <andy.st@gmail.com>2009-09-01 01:12:02 -0700
commitff1979e12e0b012374e2ab3712b19f87e1a92e64 (patch)
tree3c58fd3be9ff74838c01387ba0405ca95112aa0b
parentd2cea7905e342c2a9a7cec03058ab762d0d1ba7f (diff)
Fix XSS in tags JS
-rw-r--r--modules/tag/js/tag.js10
-rw-r--r--modules/tag/views/admin_tags.html.php8
2 files changed, 12 insertions, 6 deletions
diff --git a/modules/tag/js/tag.js b/modules/tag/js/tag.js
index 61ac73f4..aaae9e72 100644
--- a/modules/tag/js/tag.js
+++ b/modules/tag/js/tag.js
@@ -27,18 +27,24 @@ function closeEditInPlaceForms() {
}
}
+function str_replace(search_term, replacement, string) {
+ var temp = string.split(search_term);
+ return temp.join(replacement);
+}
+
function editInPlace(element) {
closeEditInPlaceForms();
// create edit form
var tag_id = $(this).attr('id').substr(5);
- var tag_name = $(this).text();
+ var tag_name = $(this).html();
var tag_width = $(this).width();
$(this).parent().data("revert", $(this).parent().html());
var form = '<form id="gRenameTagForm" method="post" class="ui-helper-clearfix" ';
form += 'action="' + TAG_RENAME_URL.replace('__ID__', tag_id) + '">';
form += '<input name="csrf" type="hidden" value="' + csrf_token + '" />';
- form += '<input id="name" name="name" type="text" class="textbox" value="' + tag_name + '" />';
+ form += '<input id="name" name="name" type="text" class="textbox" value="' +
+ str_replace('"', "&quot;", tag_name) + '" />';
form += '<input type="submit" class="submit ui-state-default ui-corner-all" value="' + save_i18n + '" i/>';
form += '<a href="#">' + cancel_i18n + '</a>';
form += '</form>';
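Review bot: The escaping on the new line `str_replace('"', "&quot;", tag_name)` is only sufficient because `tag_name` now comes from `$(this).html()` on the line above, which also carries any child markup of `.tag-name` verbatim into the `value` attribute; if that element is guaranteed to hold text only this is fine, but the dependency is implicit and deserves a comment such as `// .html() keeps &amp;/&lt; entity-encoded; only '"' still needs escaping for the attribute`. A more robust form keeps `.text()` and escapes for the attribute context in one helper, e.g. `var escapeAttr = function(s) { return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;'); };`, or avoids string-built markup altogether with `$('<input id="name" name="name" type="text" class="textbox" />').val($(this).text())`. The new global `str_replace` is a generic name that other module scripts may also define, so a name scoped to this file would be safer (inferred, not visible here). The body of `editInPlace` continues past the end of the hunk.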
diff --git a/modules/tag/views/admin_tags.html.php b/modules/tag/views/admin_tags.html.php
index 3d805c5e..8f3693aa 100644
--- a/modules/tag/views/admin_tags.html.php
+++ b/modules/tag/views/admin_tags.html.php
@@ -1,9 +1,9 @@
<?php defined("SYSPATH") or die("No direct script access.") ?>
<script>
- var TAG_RENAME_URL = "<?= url::site("admin/tags/rename/__ID__") ?>";
+ var TAG_RENAME_URL = <?= html::js_string(url::site("admin/tags/rename/__ID__")) ?>;
$("document").ready(function() {
// using JS for adding link titles to avoid running t() for each tag
- $("#gTagAdmin .tag-name").attr("title", "<?= t("Click to edit this tag") ?>");
+ $("#gTagAdmin .tag-name").attr("title", <?= t("Click to edit this tag")->for_js() ?>);
$("#gTagAdmin .delete-link").attr("title", $(".delete-link:first span").html());
// In-place editing for tag admin
@@ -11,8 +11,8 @@
});
// make some values available within tag.js
var csrf_token = "<?= $csrf ?>";
- var save_i18n = '<?= t("save") ?>';
- var cancel_i18n = '<?= t("cancel") ?>';
+ var save_i18n = <?= html::js_string(t("save")->for_html_attr()) ?>;
+ var cancel_i18n = <?= html::js_string(t("cancel")->for_html_attr()) ?>;
</script>
<div class="gBlock">
<h2>
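Review bot: The context line `var csrf_token = "<?= $csrf ?>";` is the one remaining raw interpolation into a JS string in this block, while the surrounding lines were switched to `html::js_string()`; for consistency and defence in depth use `var csrf_token = <?= html::js_string($csrf) ?>;` (the token is presumably server-generated and safe, so this is a consistency point rather than a known exposure). The double encoding on the new `save_i18n`/`cancel_i18n` lines — `for_html_attr()` then `html::js_string()` — is correct because tag.js splices these values into markup strings (`value="' + save_i18n + '"`), but that is non-obvious and should be stated, e.g. `// HTML-escaped on purpose: tag.js inserts these into markup strings, not via .text()/.val()`.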