dragonflight/services/web-ui
ZGaetano 2bb731c7fc fix(users): prevent JS injection in delete onclick handlers for users/groups
confirmDeleteUser and confirmDeleteGroup were building onclick handlers
like onclick="confirmDeleteUser('id','NAME')" using esc() which doesn't
escape single quotes.  Usernames or group names containing ' would break
the JS string; a crafted value like `'; alert(1)//` is stored XSS.

Fix: use JSON.stringify(value) to produce a properly-escaped double-quoted
JS string literal, then esc() to HTML-encode the surrounding quotes for
safe embedding in the HTML attribute.  Same technique now used in both
renderUsers() and renderGroups().
2026-05-19 00:11:06 -04:00
..
public fix(users): prevent JS injection in delete onclick handlers for users/groups 2026-05-19 00:11:06 -04:00
.dockerignore add services/web-ui/.dockerignore 2026-04-07 21:58:21 -04:00
.gitignore add services/web-ui/.gitignore 2026-04-07 21:58:22 -04:00
Dockerfile add services/web-ui/Dockerfile 2026-04-07 21:58:21 -04:00
nginx.conf feat(nav): add Home + Projects to sidebar across all pages; redirect login to home.html; bump image cache to v=hardhat3 2026-05-18 10:03:32 -04:00
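
An added example, not code from this repository, of the escaping described in the commit message above: it builds the onclick attribute both ways and checks what a stubbed confirmDeleteUser actually receives after HTML attribute decoding. The esc() body, the decodeAttr() and check() helpers, and the sample names are assumptions constructed for illustration; esc() is modeled only on the stated behaviour that it does not escape single quotes.

```javascript
// Assumed stand-in for the project's esc(): HTML-encodes & < > " but not '.
function esc(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Before the fix: the value is dropped into a single-quoted JS string.
function onclickBefore(id, name) {
  return `confirmDeleteUser('${esc(id)}','${esc(name)}')`;
}

// After the fix: JSON.stringify builds the JS literal, esc() makes it attribute-safe.
function onclickAfter(id, name) {
  return `confirmDeleteUser(${esc(JSON.stringify(id))},${esc(JSON.stringify(name))})`;
}

// What an HTML parser does to the attribute value before it is compiled as JS.
function decodeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Compile the handler against a stub and report whether the value round-trips.
function check(build, id, name) {
  const html = `<button onclick="${build(id, name)}">Delete</button>`;
  const attr = /onclick="([^"]*)"/.exec(html)[1];
  const calls = [];
  try {
    new Function('confirmDeleteUser', decodeAttr(attr))((...a) => calls.push(a));
  } catch (e) {
    return { ok: false, reason: e.name }; // handler no longer parses
  }
  const ok = calls.length === 1 && calls[0][0] === id && calls[0][1] === name;
  return { ok, reason: ok ? 'round-trip' : 'altered' };
}

// Constructed sample names; the last is the value quoted in the commit message.
const names = ['alice', "O'Brien", 'say "hi"', 'a\\b', "'; alert(1)//"];
for (const n of names) {
  console.log(JSON.stringify(n), check(onclickBefore, 'u1', n).reason,
              check(onclickAfter, 'u1', n).reason);
}
```

The backslash case shows that the single-quoted form also mangles values that contain no quote at all, which JSON.stringify handles as well.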