Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

luci-base: form.js: do not execute embedded script code in stripTags()

Browse source 
Instead of relying on .innerHTML which executes embedded script code to
parse a given HTML fragment, use dom.parse() which utilizies DOMParser()
internally in order to extract textContent in a safe manner.

Fixes: FS#4199
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=4199
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 993151504e)
This commit is contained in:
Jo-Philipp Wich 2021-12-23 17:06:09 +01:00
parent eaad9d920b
commit db88156dff
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
modules/luci-base/htdocs/luci-static/resources/form.js
View file

@ -287,7 +287,8 @@ var CBIAbstractElement = baseclass.extend(/** @lends LuCI.form.AbstractElement.p
if (typeof(s) == 'string' && !s.match(/[<>]/))
return s;
var x = E('div', {}, s);
var x = dom.parse('<div>' + s + '</div>');
return x.textContent || x.innerText || '';
},