[Bugfix] Data table xss attack

b6cd4a20 · ibuler · 37bb3441 · b6cd4a20 · b6cd4a20
Commit b6cd4a20 authored Jul 08, 2018 by ibuler
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

jumpserver.js apps/static/js/jumpserver.js +1 -1

user_list.html apps/users/templates/users/user_list.html +1 -1

No files found.
--- a/apps/static/js/jumpserver.js
+++ b/apps/static/js/jumpserver.js
@@ -272,7 +272,7 @@ jumpserver.initDataTable = function (options) {
              $(td).html('<input type="checkbox" class="text-center ipt_check" id=99991937>'.replace('99991937', cellData));
          }
      },
-      {className: 'text-center', targets: '_all'}
+      {className: 'text-center', render: $.fn.dataTable.render.text(), targets: '_all'}
  ];
  columnDefs = options.columnDefs ? options.columnDefs.concat(columnDefs) : columnDefs;
  var select = {

--- a/apps/users/templates/users/user_list.html
+++ b/apps/users/templates/users/user_list.html
@@ -59,7 +59,7 @@ function initTable() {
        ele: $('#user_list_table'),
        columnDefs: [
            {targets: 1, createdCell: function (td, cellData, rowData) {
-                var detail_btn = '<a href="{% url "users:user-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
+                var detail_btn = '<a href="{% url "users:user-detail" pk=DEFAULT_PK %}">' + escape(cellData) + '</a>';
                $(td).html(detail_btn.replace("{{ DEFAULT_PK }}", rowData.id));
             }},
            {targets: 4, createdCell: function (td, cellData) {