tdsds.com/gitea
1
1
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2025-07-05 01:57:20 +00:00
Code Releases Activity

Prevent possible XSS when using jQuery (#18289)

Browse Source 
In the case of misuse or misunderstanding from a developer whereby,
if `sel` can receive user-controlled data, jQuery `$(sel)` can lead to the
creation of a new element. Current usage is using hard-coded selectors
in the templates, but nobody prevents that from expanding to
user-controlled somehow.
This commit is contained in:
Gusted
2022-01-16 05:14:32 +00:00
committed by GitHub
parent 4b4884ce88
commit 661d3d28e9
10 changed files with 39 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
web_src/js/components/RepoBranchTagDropdown.js
View File

@ -2,7 +2,7 @@ import Vue from 'vue';
import {vueDelimiters} from './VueComponentLoader.js';
export function initRepoBranchTagDropdown(selector) {
$(selector).each(function () {
$.find(selector).each(function () {
const $dropdown = $(this);
const $data = $dropdown.find('.data');
const data = {