dragonflight/services/web-ui
ZGaetano 1e8cde81be fix(projects): prevent JS injection via bin names in onclick handlers
binCard() was building onclick="renameBinPrompt('id', 'NAME')" by
calling esc() then .replace(/'/g, "\\'").  The problem: esc() converts
' to ', so the replace never fires on raw single quotes.  When the
HTML parser evaluates the attribute it decodes ' back to ', breaking
the JS string — and for injected payloads like `'; alert(1)//` this is
stored XSS.

Fix: use JSON.stringify(b.name) to produce a properly-escaped double-
quoted JS string literal, then esc() to HTML-encode the surrounding
double-quotes for safe embedding in the HTML attribute.
2026-05-19 00:09:49 -04:00
public fix(projects): prevent JS injection via bin names in onclick handlers 2026-05-19 00:09:49 -04:00
.dockerignore add services/web-ui/.dockerignore 2026-04-07 21:58:21 -04:00
.gitignore add services/web-ui/.gitignore 2026-04-07 21:58:22 -04:00
Dockerfile add services/web-ui/Dockerfile 2026-04-07 21:58:21 -04:00
nginx.conf feat(nav): add Home + Projects to sidebar across all pages; redirect login to home.html; bump image cache to v=hardhat3 2026-05-18 10:03:32 -04:00