Andreas/tracks
1
0
Fork 0
mirror of https://github.com/TracksApp/tracks.git synced 2025-09-22 05:50:47 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge commit from fork

Browse source 
Fix a few reflected XSS vulnerabilities
This commit is contained in:
Jyri-Petteri Paloposki 2024-07-25 23:52:51 +03:00 committed by GitHub
commit 75420d9c38
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 12 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

6
app/controllers/todos_controller.rb
View file

@ -863,8 +863,10 @@ class TodosController < ApplicationController
end end
@single_tag = @tag_expr.size == 1 && @tag_expr[0].size == 1 @single_tag = @tag_expr.size == 1 && @tag_expr[0].size == 1
@tag_name = @tag_expr[0][0]
@tag_title = @single_tag ? @tag_name : tag_title(@tag_expr) # These are used in the templates, sanitise to prevent XSS.
@tag_name = sanitize(@tag_expr[0][0])
@tag_title = sanitize(@single_tag ? @tag_name : tag_title(@tag_expr))
end end
def filter_format_for_tag_view def filter_format_for_tag_view

12
app/views/layouts/application.html.erb
View file

@ -7,14 +7,14 @@
<%= javascript_include_tag "application" %> <%= javascript_include_tag "application" %>
<%= csrf_meta_tags %> <%= csrf_meta_tags %>
<script type="text/javascript"> <script type="text/javascript">
var SOURCE_VIEW = '<%=@source_view%>'; var SOURCE_VIEW = '<%=j @source_view %>';
var AUTH_TOKEN = '<%= raw(protect_against_forgery? ? form_authenticity_token.inspect : "") %>' var AUTH_TOKEN = '<%=j raw(protect_against_forgery? ? form_authenticity_token.inspect : "") %>'
var TAG_NAME = '<%= @tag_name ? @tag_name : "" %>' var TAG_NAME = '<%=j @tag_name ? @tag_name : "" %>'
var GROUP_VIEW_BY = '<%= @group_view_by ? @group_view_by : "" %>' var GROUP_VIEW_BY = '<%=j @group_view_by ? @group_view_by : "" %>'
var defaultContexts = <%= default_contexts_for_autocomplete.html_safe rescue '{}' %>; var defaultContexts = <%= default_contexts_for_autocomplete.html_safe rescue '{}' %>;
var defaultTags = <%= default_tags_for_autocomplete.html_safe rescue '{}' %>; var defaultTags = <%= default_tags_for_autocomplete.html_safe rescue '{}' %>;
var dateFormat = '<%= date_format_for_date_picker %>'; var dateFormat = '<%=j date_format_for_date_picker %>';
var weekStart = '<%= current_user.prefs.week_starts %>'; var weekStart = '<%=j current_user.prefs.week_starts %>';
function relative_to_root(path) { return '<%= root_url %>'+path; }; function relative_to_root(path) { return '<%= root_url %>'+path; };
<% if current_user.prefs.refresh != 0 -%> <% if current_user.prefs.refresh != 0 -%>
setup_auto_refresh(<%= current_user.prefs["refresh"].to_i*60000 %>); setup_auto_refresh(<%= current_user.prefs["refresh"].to_i*60000 %>);

4
app/views/stats/show_selection_from_chart.html.erb
View file

@ -4,8 +4,8 @@
unless @further unless @further
-%> -%>
<%= raw t('stats.click_to_show_actions_from_week', <%= raw t('stats.click_to_show_actions_from_week',
:link => link_to("here", show_actions_from_chart_path(:id=>"#{params[:id]}_end", :index => params[:index])), :link => link_to("here", show_actions_from_chart_path(:id=>"#{params[:id].to_i}_end", :index => params[:index].to_i)),
:week => params[:index]) :week => params[:index].to_i)
-%> -%>
<% <%
end end