fix(users): prevent JS injection in delete onclick handlers for users/groups
confirmDeleteUser and confirmDeleteGroup were building onclick handlers
like onclick="confirmDeleteUser('id','NAME')" using esc() which doesn't
escape single quotes. Usernames or group names containing ' would break
the JS string; a crafted value like `'; alert(1)//` is stored XSS.
Fix: use JSON.stringify(value) to produce a properly-escaped double-quoted
JS string literal, then esc() to HTML-encode the surrounding quotes for
safe embedding in the HTML attribute. Same technique now used in both
renderUsers() and renderGroups().
This commit is contained in:
parent
1e8cde81be
commit
2bb731c7fc
1 changed files with 3 additions and 3 deletions
|
|
@ -320,7 +320,7 @@
|
|||
<td>
|
||||
<div style="display:flex;gap:var(--sp-1);justify-content:flex-end;">
|
||||
<button class="btn btn-ghost btn-sm" onclick="editUser('${u.id}')">Edit</button>
|
||||
<button class="btn btn-danger btn-sm" onclick="confirmDeleteUser('${u.id}','${esc(u.username)}')">Delete</button>
|
||||
<button class="btn btn-danger btn-sm" onclick="confirmDeleteUser('${u.id}',${esc(JSON.stringify(u.username))})">Delete</button>
|
||||
</div>
|
||||
</td>
|
||||
</tr>`).join('');
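Review bot: The user and group ids are still interpolated raw into single-quoted JS strings in both the Edit and Delete handlers (`editUser('${u.id}')`, `confirmDeleteUser('${u.id}',…)`, and the same for `g.id` in the second hunk), so the change closes the injection only for the name argument. If ids are server-issued integers or UUIDs this is harmless, but that guarantee is not visible here, and giving the id the same treatment costs nothing: `onclick="confirmDeleteUser(${esc(JSON.stringify(u.id))},${esc(JSON.stringify(u.username))})"`. The fix also depends on esc() encoding `&` as well as `"`: attribute values are entity-decoded before the JS parser sees them, so an esc() that left `&` untouched would let a name containing `&quot;` re-open the string literal — esc() is outside this diff, so please confirm it does. Longer term, carrying the id and name in `data-*` attributes and binding one delegated click listener removes the inline handlers entirely, which also works under a CSP without 'unsafe-inline'. The enclosing renderUsers() template literal starts outside the hunk.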
|
||||
|
|
@ -427,7 +427,7 @@
|
|||
<td>
|
||||
<div style="display:flex;gap:var(--sp-1);justify-content:flex-end;">
|
||||
<button class="btn btn-ghost btn-sm" onclick="editGroup('${g.id}')">Edit</button>
|
||||
<button class="btn btn-danger btn-sm" onclick="confirmDeleteGroup('${g.id}','${esc(g.name)}')">Delete</button>
|
||||
<button class="btn btn-danger btn-sm" onclick="confirmDeleteGroup('${g.id}',${esc(JSON.stringify(g.name))})">Delete</button>
|
||||
</div>
|
||||
</td>
|
||||
</tr>`).join('');
|
||||
|
|
@ -572,4 +572,4 @@
|
|||
</script>
|
||||
<script src="js/auth-guard.js"></script>
|
||||
</body>
|
||||
</html>
|
||||
</html>
|
||||
|