extern/django-helpdesk
1
0
Fork 1
mirror of https://github.com/django-helpdesk/django-helpdesk.git synced 2025-01-05 21:49:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #980 from noobpk/noobpk-fix-xss

Browse Source 
Add function `htmlEntities` into template ticket_list.html
This commit is contained in:
Garret Wassermann 2021-11-12 12:02:19 -05:00 committed by GitHub
commit 91b37f6d73
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
helpdesk/templates/helpdesk/ticket_list.html
View File

@ -330,7 +330,11 @@
function get_url(row) { function get_url(row) {
return "{% url 'helpdesk:view' 1234 %}".replace(/1234/, row.id.toString()); return "{% url 'helpdesk:view' 1234 %}".replace(/1234/, row.id.toString());
} }
function htmlEntities(str) {
return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}
$(document).ready(function () { $(document).ready(function () {
// Ticket DataTable Initialization // Ticket DataTable Initialization
$('#ticketTable').DataTable({ $('#ticketTable').DataTable({
@ -366,7 +370,7 @@
if (type === 'display') { if (type === 'display') {
data = '<div class="tickettitle"><a href="' + get_url(row) + '" >' + data = '<div class="tickettitle"><a href="' + get_url(row) + '" >' +
row.id + '. ' + row.id + '. ' +
row.title + '</a></div>'; htmlEntities(row.title) + '</a></div>';
} }
return data return data
} }