Roy
/
vuln_patch
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Where I'll publicize submitted security patches of varying urgency after a week of unresponsiveness (without Forking).
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
1 Branch
0 Tags
107 KiB
 
Tag: Branch: Tree: 4cf6c07977
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4cf6c07977'
${ noResults }
vuln_patch/dnnsoftware/Dnn.Platform/0001-Help-prevent-XSS-attac...

40 lines
2.4 KiB
Raw Blame History

From 999f5e1e7467fc688f00515e14ff247cdeb730d3 Mon Sep 17 00:00:00 2001
From: Roy <roy@royvanlunsen.nl>
Date: Wed, 27 Mar 2024 13:38:58 +0100
Subject: [PATCH 1/2] Help prevent XSS attacks through access to database
"displayName" column.
---
DNN Platform/Modules/Journal/Scripts/mentionsInput.js | 2 +-
.../admin/personaBar/scripts/permissionGrid.js | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/DNN Platform/Modules/Journal/Scripts/mentionsInput.js b/DNN Platform/Modules/Journal/Scripts/mentionsInput.js
index 6672d9694f..064588c833 100644
--- a/DNN Platform/Modules/Journal/Scripts/mentionsInput.js
+++ b/DNN Platform/Modules/Journal/Scripts/mentionsInput.js
@@ -162,7 +162,7 @@
$this.data('ui-autocomplete')._renderItem = function(ul, item) {
return $('<li></li>')
.data('ui-autocomplete-item', item)
- .append('<a><img src="' + item.avatar + '" /><span class="dn">' + item.displayName + '<span></a>')
+ .append('<a><img src="' + item.avatar + '" />' + $('<span class="dn"></span>').text(dnn.decodeHTML(item.displayName)) + '</a>')
.appendTo(ul);
};
diff --git a/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js b/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js
index cca1593c04..e096a53944 100644
--- a/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js
+++ b/Dnn.AdminExperience/Library/Dnn.PersonaBar.UI/admin/personaBar/scripts/permissionGrid.js
@@ -109,7 +109,7 @@ if (typeof dnn.controls === "undefined" || dnn.controls === null) { dnn.controls
var cols = header.find('>td:not(:first-child)');
var row = $('<tr class="dnnItem ' + (table.find('> tr').length % 2 === 0 ? 'dnnGridAltItem' : 'dnnGridItem') + '"></tr>');
row.data('key', type == "users" ? data.userId : data.roleId);
- row.append('<td class="permissionHeader">' + (type == "users" ? data.displayName : data.roleName) + "</td>");
+ row.append($('<td class="permissionHeader"></td>').text(dnn.decodeHTML(type == "users" ? data.displayName : data.roleName)));
for (var i = 0; i < cols.length; i++) {
var headerCol = cols.eq(i);
var permissionId = headerCol.data('permissionId');
--
2.32.0