
Forbid HTML injection using jQuery (#29843)

See
https://github.com/wikimedia/eslint-plugin-no-jquery/blob/master/docs/rules/no-append-html.md

Tested the following components and they work as before:
- notification table
- issue author dropdown
- comment edit box attachments div

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit f9b4efd42c17d7f75b689142b17575a478fe903c)
This commit is contained in:
Yarden Shoham 2024-03-16 15:25:27 +02:00 committed by Earl Warren
parent 9ea9b850da
commit c1b6182625
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
5 changed files with 12 additions and 9 deletions


@ -436,13 +436,12 @@ async function onEditContent(event) {
const $content = $segment;
if (!$content.find('.dropzone-attachments').length) {
if (data.attachments !== '') {
$content.append(`<div class="dropzone-attachments"></div>`);
$content.find('.dropzone-attachments').replaceWith(data.attachments);
$content[0].append(data.attachments);
}
} else if (data.attachments === '') {
$content.find('.dropzone-attachments').remove();
} else {
$content.find('.dropzone-attachments').replaceWith(data.attachments);
$content.find('.dropzone-attachments')[0].outerHTML = data.attachments;
}
if (dz) {
dz.emit('submit');
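Review bot: The new `$content[0].append(data.attachments)` branch does not parse markup: the DOM `ParentNode.append()` turns a string argument into a Text node, so if `data.attachments` is the HTML fragment the sibling branch assumes when it assigns `.outerHTML`, the attachments block will be rendered as escaped literal text instead of elements, and the `.dropzone-attachments` lookup on later edits will keep missing. The parsing equivalent of the removed `append`/`replaceWith` pair that keeps the same server-rendered-fragment trust boundary as the `outerHTML` branch is `$content[0].insertAdjacentHTML('beforeend', data.attachments);`. Whichever call is kept, the two branches should agree on how the fragment is inserted; a short comment such as `// data.attachments is a server-rendered HTML fragment, not user text` would make that expectation explicit at the first branch. The enclosing `onEditContent` begins before this hunk and continues past its last line.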