author | Vitaly Takmazov <vitalyster@gmail.com> | 2022-02-02 21:51:13 +0300 |
---|---|---|
committer | Vitaly Takmazov <vitalyster@gmail.com> | 2022-02-02 21:51:13 +0300 |
commit | 858125c5615173e577f3565dd8e184fdb7d196aa (patch) | |
tree | 63ceb75c174efec49a0485a73e9000bd69c84e8a | |
parent | b2e002bc8e26d95b7748b6aecde8168f19cb5508 (diff) |
spectrum_manager: escape html in user input
-rw-r--r-- | spectrum_manager/src/html/js/app.js | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/spectrum_manager/src/html/js/app.js b/spectrum_manager/src/html/js/app.js
index fcebfa42..b5674eaa 100644
--- a/spectrum_manager/src/html/js/app.js
+++ b/spectrum_manager/src/html/js/app.js
@@ -1,3 +1,10 @@
+function htmlEncode(s) {
+ var el = document.createElement("div");
+ el.innerText = el.textContent = s;
+ s = el.innerHTML;
+ return s;
+}
+
 function show_instances() {
 $.get($.cookie("base_location") + "api/v1/instances", function(data) {
 var admin = $.cookie("admin") == "1";
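Review bot: The new htmlEncode only escapes what innerHTML serialization escapes in a text node (`&`, `<`, `>`), so it does not neutralize `"` or `'`, yet the second hunk uses it inside double-quoted attribute values (`instance="..."`, `href="..."`), where a quote in the id still terminates the attribute. It is also built on `el.innerText = el.textContent = s`, which coerces a `null` from `query.get("id")` into the text "null" rather than an empty string, so the function's contract for missing values is unclear. A plain string-replacement encoder that also covers both quote characters is safe in text and attribute contexts and needs no DOM element; a one-line header comment such as `// Escape a value for insertion into HTML text or a quoted attribute; not a URL encoder.` would document what callers may rely on.
```javascript
function htmlEncode(s) {
  return String(s == null ? "" : s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}
```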
@@ -251,12 +258,12 @@ function execute_command(instance, command) {
 function show_instance() {
 var query = new URL(document.location.href).searchParams;
- $("#main_content").html("<h2>Instance: " + query.get("id") + "</h2><h4>Available commands:</h4><table id='commands'><tr><th>Name<th>Category</th><th>Description</th></tr></table><h4>Available variables:</h4><table id='variables'><tr><th>Name<th>Value</th><th>Read-only</th><th>Desc</th></tr></table>");
+ $("#main_content").html("<h2>Instance: " + htmlEncode(query.get("id")) + "</h2><h4>Available commands:</h4><table id='commands'><tr><th>Name<th>Category</th><th>Description</th></tr></table><h4>Available variables:</h4><table id='variables'><tr><th>Name<th>Value</th><th>Read-only</th><th>Desc</th></tr></table>");
- $.get($.cookie("base_location") + "api/v1/instances/commands/" + query.get("id"), function(data) {
+ $.get($.cookie("base_location") + "api/v1/instances/commands/" + htmlEncode(query.get("id")), function(data) {
 $.each(data.commands, function(i, command) {
 var row = '<tr>'
- row += '<td><a class="button_command" command="' + command.name + '" instance="' + query.get("id") + '" href="' + $.cookie("base_location") + 'api/v1/instances/command_args/' + query.get("id") + '?command=' + command.name +'">' + command.label + '</a></td>';
+ row += '<td><a class="button_command" command="' + command.name + '" instance="' + htmlEncode(query.get("id") + '" href="' + $.cookie("base_location") + 'api/v1/instances/command_args/' + htmlEncode(query.get("id") + '?command=' + command.name +'">' + command.label + '</a></td>';
 row += '<td>' + command.category + '</td>';
 row += '<td>' + command.desc + '</td>';
 row += '</tr>'; |
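Review bot: The added `row += '<td><a class="button_command" ...` line does not parse: both `htmlEncode(` calls wrap `query.get("id")` but neither is closed, so the string concatenation runs to the end of the statement with two open parentheses and the whole script fails to load with a SyntaxError. The fix is to close each call right after its argument, `htmlEncode(query.get("id")) + '" href="'` and `htmlEncode(query.get("id")) + '?command='`. Separately, the `$.get` URL a few lines above now applies htmlEncode to a path segment, which is the wrong encoder for that context; `encodeURIComponent(query.get("id"))` is what a URL path needs, and the same applies to the id and `command.name` inside the href. `command.name`, `command.label`, `command.category` and `command.desc` from the API response are still inserted into HTML and attributes unencoded; if the server can reflect user-supplied values there, they need the same treatment. show_instance and the `$.each` callback continue past the end of this hunk.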