From 0df2590de27c60c18b7db6e056347bd2aff5a887 Mon Sep 17 00:00:00 2001 From: Bernd Bestel Date: Tue, 8 Sep 2020 18:10:30 +0200 Subject: [PATCH] Excape HTML (where needed, for bootbox) (references #996) --- public/js/extensions.js | 8 ++++++++ public/viewjs/batteries.js | 2 +- public/viewjs/chores.js | 2 +- public/viewjs/components/productpicker.js | 2 +- public/viewjs/equipment.js | 2 +- public/viewjs/locations.js | 2 +- public/viewjs/mealplan.js | 4 ++-- public/viewjs/productgroups.js | 2 +- public/viewjs/products.js | 2 +- public/viewjs/quantityunits.js | 2 +- public/viewjs/recipeform.js | 6 +++--- public/viewjs/recipes.js | 6 +++--- public/viewjs/shoppinglist.js | 4 ++-- public/viewjs/shoppinglocations.js | 2 +- public/viewjs/taskcategories.js | 2 +- public/viewjs/tasks.js | 2 +- public/viewjs/userentities.js | 2 +- public/viewjs/userfields.js | 2 +- public/viewjs/users.js | 2 +- 19 files changed, 32 insertions(+), 24 deletions(-) diff --git a/public/js/extensions.js b/public/js/extensions.js index e24b5f67..9ed9e1f8 100644 --- a/public/js/extensions.js +++ b/public/js/extensions.js @@ -172,10 +172,12 @@ function animateCSS(selector, animationName, callback, speed = "faster") nodes.on('animationend', handleAnimationEnd); } + function RandomString() { return Math.random().toString(36).substring(2, 100) + Math.random().toString(36).substring(2, 100); } + function getQRCodeForContent(url) { var qr = qrcode(0, 'L'); @@ -183,6 +185,7 @@ function getQRCodeForContent(url) qr.make(); return qr.createImgTag(10, 5); } + function getQRCodeForAPIKey(apikey_type, apikey_key) { var content = U('/api') + '|' + apikey_key; @@ -192,3 +195,8 @@ function getQRCodeForAPIKey(apikey_type, apikey_key) } return getQRCodeForContent(content); } + +function SanitizeHtml(input) +{ + return $("
").text(input).html(); +} diff --git a/public/viewjs/batteries.js b/public/viewjs/batteries.js index 0829ebe4..71e1a216 100644 --- a/public/viewjs/batteries.js +++ b/public/viewjs/batteries.js @@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function() $(document).on('click', '.battery-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-battery-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-battery-name')); var objectId = $(e.currentTarget).attr('data-battery-id'); bootbox.confirm({ diff --git a/public/viewjs/chores.js b/public/viewjs/chores.js index 7d3ca85a..a120bd6f 100644 --- a/public/viewjs/chores.js +++ b/public/viewjs/chores.js @@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function() $(document).on('click', '.chore-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-chore-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-chore-name')); var objectId = $(e.currentTarget).attr('data-chore-id'); bootbox.confirm({ diff --git a/public/viewjs/components/productpicker.js b/public/viewjs/components/productpicker.js index 16d4bd5f..f90623c2 100644 --- a/public/viewjs/components/productpicker.js +++ b/public/viewjs/components/productpicker.js @@ -162,7 +162,7 @@ $('#product_id_text_input').on('blur', function(e) Grocy.Components.ProductPicker.PopupOpen = true; bootbox.dialog({ - message: __t('"%s" could not be resolved to a product, how do you want to proceed?', input), + message: __t('"%s" could not be resolved to a product, how do you want to proceed?', SanitizeHtml(input)), title: __t('Create or assign product'), onEscape: function() { diff --git a/public/viewjs/equipment.js b/public/viewjs/equipment.js index 0bdb87e5..ebfb003c 100644 --- a/public/viewjs/equipment.js +++ b/public/viewjs/equipment.js 
@@ -68,7 +68,7 @@ $("#search").on("keyup", Delay(function() $(document).on('click', '.equipment-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-equipment-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-equipment-name')); var objectId = $(e.currentTarget).attr('data-equipment-id'); bootbox.confirm({ diff --git a/public/viewjs/locations.js b/public/viewjs/locations.js index 28947d3a..6bab2dcf 100644 --- a/public/viewjs/locations.js +++ b/public/viewjs/locations.js @@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function() $(document).on('click', '.location-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-location-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-location-name')); var objectId = $(e.currentTarget).attr('data-location-id'); bootbox.confirm({ diff --git a/public/viewjs/mealplan.js b/public/viewjs/mealplan.js index 002ffee5..13c4c00e 100644 --- a/public/viewjs/mealplan.js +++ b/public/viewjs/mealplan.js @@ -563,7 +563,7 @@ $(document).on('click', '.recipe-order-missing-button', function(e) // to prevent that the tooltip stays until clicked anywhere else document.activeElement.blur(); - var objectName = $(e.currentTarget).attr('data-recipe-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-name')); var objectId = $(e.currentTarget).attr('data-recipe-id'); var button = $(this); var servings = $(e.currentTarget).attr('data-mealplan-servings'); @@ -667,7 +667,7 @@ $(document).on('click', '.recipe-consume-button', function(e) // to prevent that the tooltip stays until clicked anywhere else document.activeElement.blur(); - var objectName = $(e.currentTarget).attr('data-recipe-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-name')); var objectId = $(e.currentTarget).attr('data-recipe-id'); var servings = $(e.currentTarget).attr('data-mealplan-servings'); 
diff --git a/public/viewjs/productgroups.js b/public/viewjs/productgroups.js index af64c63d..40587899 100644 --- a/public/viewjs/productgroups.js +++ b/public/viewjs/productgroups.js @@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function() $(document).on('click', '.product-group-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-group-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-group-name')); var objectId = $(e.currentTarget).attr('data-group-id'); bootbox.confirm({ diff --git a/public/viewjs/products.js b/public/viewjs/products.js index 5934c4b0..77d1da70 100644 --- a/public/viewjs/products.js +++ b/public/viewjs/products.js @@ -38,7 +38,7 @@ if (typeof GetUriParam("product-group") !== "undefined") $(document).on('click', '.product-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-product-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-product-name')); var objectId = $(e.currentTarget).attr('data-product-id'); Grocy.Api.Get('stock/products/' + objectId, diff --git a/public/viewjs/quantityunits.js b/public/viewjs/quantityunits.js index 9d5766a1..8b5cc35f 100644 --- a/public/viewjs/quantityunits.js +++ b/public/viewjs/quantityunits.js @@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function() $(document).on('click', '.quantityunit-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-quantityunit-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-quantityunit-name')); var objectId = $(e.currentTarget).attr('data-quantityunit-id'); bootbox.confirm({ diff --git a/public/viewjs/recipeform.js b/public/viewjs/recipeform.js index 9a36d7ed..09501c47 100644 --- a/public/viewjs/recipeform.js +++ b/public/viewjs/recipeform.js 
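Review bot: This hunk escapes `objectName` but still concatenates `objectId`, read from a sibling data attribute, straight into the API path on the `Grocy.Api.Get('stock/products/' + objectId,` context line. Ids are presumably numeric and server-generated, so this is unlikely to be exploitable, but since the commit's theme is treating attribute-derived values as untrusted, `Grocy.Api.Get('stock/products/' + encodeURIComponent(objectId),` (or a `Number()` coercion at the declaration) would make that assumption explicit rather than implicit. The remainder of the click handler is outside the hunk.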
@@ -126,7 +126,7 @@ $('#recipe-form input').keydown(function(event) $(document).on('click', '.recipe-pos-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-recipe-pos-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-pos-name')); var objectId = $(e.currentTarget).attr('data-recipe-pos-id'); bootbox.confirm({ @@ -163,7 +163,7 @@ $(document).on('click', '.recipe-pos-delete-button', function(e) $(document).on('click', '.recipe-include-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-recipe-include-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-include-name')); var objectId = $(e.currentTarget).attr('data-recipe-include-id'); bootbox.confirm({ @@ -200,7 +200,7 @@ $(document).on('click', '.recipe-include-delete-button', function(e) $(document).on('click', '.recipe-pos-show-note-button', function(e) { - var note = $(e.currentTarget).attr('data-recipe-pos-note'); + var note = SanitizeHtml($(e.currentTarget).attr('data-recipe-pos-note')); bootbox.alert(note); }); diff --git a/public/viewjs/recipes.js b/public/viewjs/recipes.js index 56d03d21..d176c435 100644 --- a/public/viewjs/recipes.js +++ b/public/viewjs/recipes.js @@ -81,7 +81,7 @@ $(".recipe-delete").on('click', function(e) { e.preventDefault(); - var objectName = $(e.currentTarget).attr('data-recipe-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-name')); var objectId = $(e.currentTarget).attr('data-recipe-id'); bootbox.confirm({ @@ -118,7 +118,7 @@ $(".recipe-delete").on('click', function(e) $(document).on('click', '.recipe-shopping-list', function(e) { - var objectName = $(e.currentTarget).attr('data-recipe-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-name')); var objectId = $(e.currentTarget).attr('data-recipe-id'); bootbox.confirm({ 
@@ -164,7 +164,7 @@ $(document).on('click', '.recipe-shopping-list', function(e) $(".recipe-consume").on('click', function(e) { - var objectName = $(e.currentTarget).attr('data-recipe-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-recipe-name')); var objectId = $(e.currentTarget).attr('data-recipe-id'); bootbox.confirm({ diff --git a/public/viewjs/shoppinglist.js b/public/viewjs/shoppinglist.js index 3244e25e..b1c78433 100644 --- a/public/viewjs/shoppinglist.js +++ b/public/viewjs/shoppinglist.js @@ -77,7 +77,7 @@ $(".status-filter-message").on("click", function() $("#delete-selected-shopping-list").on("click", function() { - var objectName = $("#selected-shopping-list option:selected").text(); + var objectName = SanitizeHtml($("#selected-shopping-list option:selected").text()); var objectId = $("#selected-shopping-list").val(); bootbox.confirm({ @@ -158,7 +158,7 @@ $(document).on('click', '#add-products-below-min-stock-amount', function(e) $(document).on('click', '#clear-shopping-list', function(e) { bootbox.confirm({ - message: __t('Are you sure to empty shopping list "%s"?', $("#selected-shopping-list option:selected").text()), + message: __t('Are you sure to empty shopping list "%s"?', SanitizeHtml($("#selected-shopping-list option:selected").text())), closeButton: false, buttons: { confirm: { diff --git a/public/viewjs/shoppinglocations.js b/public/viewjs/shoppinglocations.js index 5843ba00..c5bdb6ee 100644 --- a/public/viewjs/shoppinglocations.js +++ b/public/viewjs/shoppinglocations.js @@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function() $(document).on('click', '.shoppinglocation-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-shoppinglocation-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-shoppinglocation-name')); var objectId = $(e.currentTarget).attr('data-shoppinglocation-id'); bootbox.confirm({ 
diff --git a/public/viewjs/taskcategories.js b/public/viewjs/taskcategories.js index d3953b43..025bfc64 100644 --- a/public/viewjs/taskcategories.js +++ b/public/viewjs/taskcategories.js @@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function() $(document).on('click', '.task-category-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-category-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-category-name')); var objectId = $(e.currentTarget).attr('data-category-id'); bootbox.confirm({ diff --git a/public/viewjs/tasks.js b/public/viewjs/tasks.js index 7e93c03d..e8a84d92 100644 --- a/public/viewjs/tasks.js +++ b/public/viewjs/tasks.js @@ -119,7 +119,7 @@ $(document).on('click', '.delete-task-button', function(e) { e.preventDefault(); - var objectName = $(e.currentTarget).attr('data-task-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-task-name')); var objectId = $(e.currentTarget).attr('data-task-id'); bootbox.confirm({ diff --git a/public/viewjs/userentities.js b/public/viewjs/userentities.js index 74bbaf98..e6c5e85a 100644 --- a/public/viewjs/userentities.js +++ b/public/viewjs/userentities.js @@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function() $(document).on('click', '.userentity-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-userentity-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-userentity-name')); var objectId = $(e.currentTarget).attr('data-userentity-id'); bootbox.confirm({ diff --git a/public/viewjs/userfields.js b/public/viewjs/userfields.js index 5d5c2711..b9b69b28 100644 --- a/public/viewjs/userfields.js +++ b/public/viewjs/userfields.js 
@@ -33,7 +33,7 @@ $("#entity-filter").on("change", function() $(document).on('click', '.userfield-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-userfield-name'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-userfield-name')); var objectId = $(e.currentTarget).attr('data-userfield-id'); bootbox.confirm({ diff --git a/public/viewjs/users.js b/public/viewjs/users.js index d0d4c675..bc17bf8d 100644 --- a/public/viewjs/users.js +++ b/public/viewjs/users.js @@ -21,7 +21,7 @@ $("#search").on("keyup", Delay(function() $(document).on('click', '.user-delete-button', function(e) { - var objectName = $(e.currentTarget).attr('data-user-username'); + var objectName = SanitizeHtml($(e.currentTarget).attr('data-user-username')); var objectId = $(e.currentTarget).attr('data-user-id'); bootbox.confirm({