dragonflight/services/web-ui/public
ZGaetano 1e8cde81be fix(projects): prevent JS injection via bin names in onclick handlers
binCard() was building onclick="renameBinPrompt('id', 'NAME')" by
calling esc() then .replace(/'/g, "\\'").  The problem: esc() converts
' to ', so the replace never fires on raw single quotes.  When the
HTML parser evaluates the attribute it decodes ' back to ', breaking
the JS string — and for injected payloads like `'; alert(1)//` this is
stored XSS.

Fix: use JSON.stringify(b.name) to produce a properly-escaped double-
quoted JS string literal, then esc() to HTML-encode the surrounding
double-quotes for safe embedding in the HTML attribute.
2026-05-19 00:09:49 -04:00
css fix: remove Google Fonts, fix editor link to :47435, fix page titles 2026-05-18 22:56:51 -04:00
img feat(brand): add Wild Dragon logo + favicon 2026-05-18 14:11:29 +00:00
js fix(timeline): cap right-trim at source asset boundary 2026-05-19 00:02:34 -04:00
api-tokens.html fix: remove Google Fonts, fix editor link to :47435, fix page titles 2026-05-18 22:56:51 -04:00
capture.html fix(capture): use duration_ms field for recent captures duration display 2026-05-18 23:50:05 -04:00
edit.html feat: wire editor.html as primary editor, fix its sidebar/branding 2026-05-18 23:11:53 -04:00
editor.html fix(editor): keyboard tool shortcuts now actually switch the active tool 2026-05-18 23:53:38 -04:00
favicon.ico feat(brand): add Wild Dragon logo + favicon 2026-05-18 14:11:29 +00:00
home.html feat: wire editor.html as primary editor, fix its sidebar/branding 2026-05-18 23:11:53 -04:00
index.html fix(library): evict stale thumb URL on image load error, re-observe for retry 2026-05-18 23:46:12 -04:00
jobs.html fix(jobs): fetchJobs → loadJobs, add credentials to inline api helper 2026-05-18 23:48:56 -04:00
login.html feat(brand+home): swap sidebar to Wild Dragon logo, add favicon everywhere, fix home counters (status= not state=) 2026-05-18 10:13:08 -04:00
player.html feat(design): broadcast ops console redesign sweep 2026-05-17 19:05:22 -04:00
projects.html fix(projects): prevent JS injection via bin names in onclick handlers 2026-05-19 00:09:49 -04:00
recorders.html feat(recorders): add Edit Recorder panel with PATCH support 2026-05-18 23:35:16 -04:00
tokens.html feat: wire editor.html as primary editor, fix its sidebar/branding 2026-05-18 23:11:53 -04:00
upload.html feat: wire editor.html as primary editor, fix its sidebar/branding 2026-05-18 23:11:53 -04:00
users.html feat: wire editor.html as primary editor, fix its sidebar/branding 2026-05-18 23:11:53 -04:00