fix: prevent JS injection via token name in confirmRevoke onclick

Token names containing single quotes (e.g. "O'Brien's key") broke the
onclick attribute string by closing the JS string literal early.
Apply JSON.stringify+esc pattern so name is safely embedded as a
JSON string literal instead of a raw single-quoted string.
Zac Gaetano 2026-05-19 00:27:31 -04:00
parent f8e42b886d
commit 9f7cb91cc2


@ -226,7 +226,7 @@
<div class="toast-container" id="toastContainer" aria-live="polite"></div>
<script src="js/api.js"></script>
<script src="js/api.js?v=6"></script>
<script>
let latestToken = null;
@ -271,7 +271,7 @@
&nbsp;·&nbsp; Expires: ${isExpired ? '<span style="color:var(--status-red)">Expired</span>' : expires}
</div>
</div>
<button class="btn btn-danger btn-sm" onclick="confirmRevoke('${t.id}','${esc(t.name)}')">Revoke</button>
<button class="btn btn-danger btn-sm" onclick="confirmRevoke('${t.id}',${esc(JSON.stringify(t.name))})">Revoke</button>
</div>`;
}).join('');
}
@ -349,4 +349,4 @@
</script>
<script src="js/auth-guard.js"></script>
</body>
</html>
</html>
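Review bot: In the second hunk (`@ -271,7 +271,7 @@`) the new line still embeds `t.id` as a raw single-quoted literal, `'${t.id}'`, with neither `esc()` nor `JSON.stringify`, so the onclick string remains only as safe as the id's character set; for consistency with the treatment of the name, use the same wrapping for both arguments, `onclick="confirmRevoke(${esc(JSON.stringify(t.id))},${esc(JSON.stringify(t.name))})"`. The fix is correct only because `esc()` is applied after `JSON.stringify` and (presumably, since its definition lives in js/api.js rather than this hunk) turns the JSON double quotes into `&quot;`, which the HTML parser restores before the JS engine sees the attribute; a comment above the template line such as `// esc() last: it HTML-escapes the JSON quotes so the attribute stays intact` would record that ordering dependency for the next editor. The enclosing map callback and render function begin before the hunk.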