dragonflight/services/web-ui/public
ZGaetano 2bb731c7fc fix(users): prevent JS injection in delete onclick handlers for users/groups
confirmDeleteUser and confirmDeleteGroup were building onclick handlers
like onclick="confirmDeleteUser('id','NAME')" using esc() which doesn't
escape single quotes.  Usernames or group names containing ' would break
the JS string; a crafted value like `'; alert(1)//` is stored XSS.

Fix: use JSON.stringify(value) to produce a properly-escaped double-quoted
JS string literal, then esc() to HTML-encode the surrounding quotes for
safe embedding in the HTML attribute.  Same technique now used in both
renderUsers() and renderGroups().
2026-05-19 00:11:06 -04:00
css fix: remove Google Fonts, fix editor link to :47435, fix page titles 2026-05-18 22:56:51 -04:00
img feat(brand): add Wild Dragon logo + favicon 2026-05-18 14:11:29 +00:00
js fix(timeline): cap right-trim at source asset boundary 2026-05-19 00:02:34 -04:00
api-tokens.html fix: remove Google Fonts, fix editor link to :47435, fix page titles 2026-05-18 22:56:51 -04:00
capture.html fix(capture): use duration_ms field for recent captures duration display 2026-05-18 23:50:05 -04:00
edit.html feat: wire editor.html as primary editor, fix its sidebar/branding 2026-05-18 23:11:53 -04:00
editor.html fix(editor): keyboard tool shortcuts now actually switch the active tool 2026-05-18 23:53:38 -04:00
favicon.ico feat(brand): add Wild Dragon logo + favicon 2026-05-18 14:11:29 +00:00
home.html feat: wire editor.html as primary editor, fix its sidebar/branding 2026-05-18 23:11:53 -04:00
index.html fix(library): evict stale thumb URL on image load error, re-observe for retry 2026-05-18 23:46:12 -04:00
jobs.html fix(jobs): fetchJobs → loadJobs, add credentials to inline api helper 2026-05-18 23:48:56 -04:00
login.html feat(brand+home): swap sidebar to Wild Dragon logo, add favicon everywhere, fix home counters (status= not state=) 2026-05-18 10:13:08 -04:00
player.html feat(design): broadcast ops console redesign sweep 2026-05-17 19:05:22 -04:00
projects.html fix(projects): prevent JS injection via bin names in onclick handlers 2026-05-19 00:09:49 -04:00
recorders.html feat(recorders): add Edit Recorder panel with PATCH support 2026-05-18 23:35:16 -04:00
tokens.html feat: wire editor.html as primary editor, fix its sidebar/branding 2026-05-18 23:11:53 -04:00
upload.html feat: wire editor.html as primary editor, fix its sidebar/branding 2026-05-18 23:11:53 -04:00
users.html fix(users): prevent JS injection in delete onclick handlers for users/groups 2026-05-19 00:11:06 -04:00