dragonflight/services
ZGaetano 2bb731c7fc fix(users): prevent JS injection in delete onclick handlers for users/groups
confirmDeleteUser and confirmDeleteGroup were building onclick handlers
like onclick="confirmDeleteUser('id','NAME')" using esc() which doesn't
escape single quotes.  Usernames or group names containing ' would break
the JS string; a crafted value like `'; alert(1)//` is stored XSS.

Fix: use JSON.stringify(value) to produce a properly-escaped double-quoted
JS string literal, then esc() to HTML-encode the surrounding quotes for
safe embedding in the HTML attribute.  Same technique now used in both
renderUsers() and renderGroups().
2026-05-19 00:11:06 -04:00

| Name | Last commit | Date |
| --- | --- | --- |
| capture | fix(capture): wire bootstrapAutoStart() + add missing captureManager/MAM_API_URL/server (regression from earlier conflict resolution) | 2026-05-18 09:25:55 -04:00 |
| editor | fix(editor): show loading banner during auto-import so Edit feels responsive | 2026-05-17 22:44:08 -04:00 |
| mam-api | fix(upload): scope original S3 keys under assetId to prevent collisions | 2026-05-19 00:08:13 -04:00 |
| premiere-plugin | feat: in-library asset preview + Premiere plugin installer | 2026-05-17 08:55:14 -04:00 |
| web-ui | fix(users): prevent JS injection in delete onclick handlers for users/groups | 2026-05-19 00:11:06 -04:00 |
| worker | fix(worker/thumbnail): mark asset ready even when thumbnail extraction fails | 2026-05-18 23:51:04 -04:00 |