* fix(XSS): Sanitise page name before routing

* fix(XSS): Sanitise tag value before saving it
Faris Ansari 2018-11-03 11:52:09 +05:30 committed by GitHub
parent 8fe67e17c3
commit 6bbb84f9c3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 2 deletions


@ -48,7 +48,8 @@ frappe.route = function() {
frappe.view_factory[route[0]].show();
} else {
// show page
frappe.views.pageview.show(route[0]);
const route_name = frappe.utils.xss_sanitise(route[0]);
frappe.views.pageview.show(route_name);
}
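Review bot: The sanitising is applied at this one call site rather than where the page name is written into markup, so any other caller of `frappe.views.pageview.show` that passes a URL-derived name would presumably still be unprotected. That sink is outside this hunk and should be checked; escaping the name at the point of rendering would cover every caller. The `frappe.view_factory[route[0]]` branch just above still uses the raw `route[0]`, which looks fine for a lookup, but a comment such as `// route[0] is user-controlled; sanitise before it can reach page markup` would make the asymmetry read as intentional. The new local is `route_name` here and `tagValue` in the tags file of the same commit, so pick one naming convention. The body of `frappe.route` starts and ends outside the hunk.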


@ -36,7 +36,8 @@ frappe.ui.Tags = class {
bind() {
this.$input.keypress((e) => {
if(e.which == 13 || e.keyCode == 13) {
this.addTag(this.$input.val());
const tagValue = frappe.utils.xss_sanitise(this.$input.val());
this.addTag(tagValue);
this.$input.val('');
}
});
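Review bot: Only the Enter-key path in `bind()` is sanitised, so any other code that calls `addTag` (not visible in this hunk) would still pass raw text. Moving the `frappe.utils.xss_sanitise` call into `addTag` itself, or escaping where the tag is rendered, would cover every path. The commit message says the value is sanitised before saving, but a client-side filter does not protect stored data: the server side still has to validate or escape the tag, because requests need not come from this widget. If `xss_sanitise` can reduce the input to an empty string, a guard such as `if (tagValue) this.addTag(tagValue);` would avoid adding a blank tag, unless `addTag` already rejects empty values. `bind()` continues past the end of the hunk.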