From abbe52c72c978e03c1e0f6fc740e96d197c8a4c5 Mon Sep 17 00:00:00 2001 From: Griatch Date: Sun, 17 Mar 2024 12:29:13 +0100 Subject: [PATCH] Fix potential security issue with goldenlayout DOM usage --- .../static/webclient/js/plugins/goldenlayout.js | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/evennia/web/static/webclient/js/plugins/goldenlayout.js b/evennia/web/static/webclient/js/plugins/goldenlayout.js index 7fe25d8db4..68ea5710bd 100644 --- a/evennia/web/static/webclient/js/plugins/goldenlayout.js +++ b/evennia/web/static/webclient/js/plugins/goldenlayout.js @@ -565,25 +565,29 @@ let goldenlayout = (function () { uploadLayouts(); } - - // + // // This is a helper function for when adding items from the OptionsUI's layout listing var addLayoutUI = function (layoutDiv, name) { - var div = $("
"); + // Create a div and set its id property + var div = $("
").attr("id", name); - var option = $(""); + // Create an option button and add click event listener + var option = $("", { type: "button", class: "goldenlayout", value: name }); option.on("click", onSwitchLayout); div.append(option); - if( name !== "default" && name !== activeLayoutName ) { - var remove = $(""); + // Conditionally add a remove button + if (name !== "default" && name !== activeLayoutName) { + var remove = $("", { type: "button", class: "removelayout", value: "X" }); remove.on("click", onRemoveLayout); div.append(remove); } + // Append the created div to the layoutDiv layoutDiv.append(div); } + // Listener for realtime changes to the layout name input field. // If the layout name is "default", the save button is disabled // to prevent the perception of overwriting the default layout.
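Review bot: The added `.attr("id", name)` in `addLayoutUI` still uses the layout name verbatim as an element id, so although markup injection through the name is closed off, a name that matches an id already used elsewhere on the webclient page, or one containing whitespace or selector metacharacters, produces a duplicate or hard-to-select id. If nothing outside the hunk depends on the id being the bare name, a namespaced id such as `.attr("id", "layout-" + name)`, or carrying the name in `.data("layout", name)`, would keep user-chosen names out of the page's id space. The handlers `onSwitchLayout` and `onRemoveLayout` are defined outside this hunk, so whether they read the name back from the id or build a selector from it cannot be checked here; any lookup of the form `$("#" + name)` would need `CSS.escape(name)` or a non-selector lookup. The same applies to any other place outside the hunk that concatenates a layout name into markup.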