fix(memorial): sanitize references titles and fallback URL against XSS

Use jQuery DOM construction ($("<a>").attr().text()) instead of string
concatenation for reference links, preventing HTML injection from
untrusted title values. Pass fallback issue URL through safeUrl().
This commit is contained in:
mauvehed 2026-03-15 16:39:03 -05:00
parent eef5719567
commit 0c4853d88d


@ -119,17 +119,18 @@
if (!Array.isArray(data.references) || !data.references.length) {
$("#references").append(
"<p>No references have been submitted for this person. Help us by submitting <a href='" +
data.issue +
"'>here.</a></p>",
$("<p>").append(
"No references have been submitted for this person. Help us by submitting ",
$("<a>").attr("href", safeUrl(data.issue)).text("here."),
),
);
} else {
for (var r = 0; r < data.references.length; r++) {
var refTitle = data.references[r]["title"];
var refUrl = data.references[r]["url"];
var ref =
'<a href="' + safeUrl(refUrl) + '">' + refTitle + "</a>";
$("#references").append(ref);
$("#references").append(
$("<a>")
.attr("href", safeUrl(data.references[r]["url"]))
.text(data.references[r]["title"]),
);
}
}