author | Marvin Borner | 2020-10-10 11:37:35 +0200 |
committer | Marvin Borner | 2020-10-10 11:37:35 +0200 |
commit | ad2d5dd284dc733a5fbd2a9f60c30fa1b7a0da73 (patch) | |
tree | 2679845c62b523611578c021ab267268737ea923 | |
parent | 54837fbd3614f97c06675ca416859dcbe96e1190 (diff) |
Fixed HTML injection and middlename spaces
-rw-r--r-- | poll/public/script.js | 15 | ||||
-rw-r--r-- | quotes/index.js | 2 | ||||
-rw-r--r-- | quotes/public/script.js | 4 |
3 files changed, 4 insertions, 17 deletions
diff --git a/poll/public/script.js b/poll/public/script.js
index bfb686d..a1911fa 100644
--- a/poll/public/script.js
+++ b/poll/public/script.js
@@ -8,26 +8,13 @@ function appendOption(response) {
 response.forEach((elem) => {
 dropdown.insertAdjacentHTML(
 "beforeend",
- `<option value="${elem["id"]}">${elem["name"]} ${elem["middlename"] ? elem["middlename"] : " "}${
+ `<option value="${elem["id"]}">${elem["name"]} ${elem["middlename"] ? elem["middlename"] + " " : ""}${
 elem["surname"]
 }</option>`,
 );
 });
 }
 
-function appendQuote(response) {
- response.forEach((elem) => {
- document
- .getElementById(elem["class"])
- .insertAdjacentHTML(
- "beforeend",
- `<li>${elem["name"]} ${elem["middlename"] ? elem["middlename"] : " "}${elem["surname"]}: ${
- elem["quote"]
- }</li>`,
- );
- });
-}
-
 fetch("/auth/api/list")
 .then((response) => response.json())
 .then((response) => appendOption(response));
diff --git a/quotes/index.js b/quotes/index.js
index 5aa0646..0e0717b 100644
--- a/quotes/index.js
+++ b/quotes/index.js
@@ -11,7 +11,7 @@ app.post("/api/add", checkUser, async (req, res) => {
 await db.query("INSERT INTO quotes (user_id, author_id, quote) VALUE (?,?,?)", [
 req.session.uid,
 parseInt(req.body.author),
- req.body.quote,
+ req.body.quote.replace(/</g, "<").replace(/>/g, ">"),
 ]);
 res.redirect("/quotes");
 } catch (e) {
diff --git a/quotes/public/script.js b/quotes/public/script.js
index f8486f9..d848814 100644
--- a/quotes/public/script.js
+++ b/quotes/public/script.js
@@ -11,7 +11,7 @@ function appendOption(response) {
 (response[i - 1 < 0 ? 0 : i - 1]["class_id"] !== elem["class_id"]
 ? `<option disabled>--${classes[elem["class_id"] - 1]}--</option>`
 : "") +
- `<option value="${elem["id"]}">${elem["name"]} ${elem["middlename"] ? elem["middlename"] : " "}${
+ `<option value="${elem["id"]}">${elem["name"]} ${elem["middlename"] ? elem["middlename"] + " " : ""}${
 elem["surname"]
 }</option>`,
 );
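Review bot: The rewritten `<option>` line still interpolates `elem["id"]`, `elem["name"]`, `elem["middlename"]` and `elem["surname"]` straight into markup handed to `insertAdjacentHTML`, so the injection fix in this commit covers only the quote text and not the person fields; whether those fields are trustworthy depends on what `/auth/api/list` returns, which is not visible here. Building the option as a DOM node removes the question entirely: the id goes through the `value` property and the display name through `textContent`, and the middlename spacing this hunk corrects is kept as-is. The same template literal appears in both `quotes/public/script.js` hunks, where the same construction applies. The `function appendOption(response) {` line sits above the hunk.
```javascript
response.forEach((elem) => {
  const option = document.createElement("option");
  option.value = elem["id"];
  option.textContent = `${elem["name"]} ${elem["middlename"] ? elem["middlename"] + " " : ""}${elem["surname"]}`;
  dropdown.appendChild(option);
});
// … unchanged: fetch("/auth/api/list") chain …
```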
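Review bot: The added `.replace()` chain encodes only `<` and `>` before the quote is stored, and as rendered on this page the replacement strings are the very characters being matched, which would make the line a no-op; presumably the checked-in file has `&lt;`/`&gt;` and the page decoded the entities, but that is worth confirming against the source. Even with entities, `&` and quote characters are left untouched, the encoded form is persisted in the database, and any later rendering path that escapes correctly will display the entities literally; escaping belongs at the point where text is emitted into HTML rather than at storage time. The line also throws a `TypeError` when `req.body.quote` is missing or not a string, which falls into the visible `} catch (e) {` and whatever that branch does; a guard such as `if (typeof req.body.quote !== "string") return res.status(400).end();` before the query makes the rejection explicit. The enclosing `app.post` handler starts and ends outside the hunk.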
@@ -24,7 +24,7 @@ function appendQuote(response) {
 .getElementById(elem["class"])
 .insertAdjacentHTML(
 "beforeend",
- `<li>${elem["name"]} ${elem["middlename"] ? elem["middlename"] : ""}${elem["surname"]}: ${
+ `<li>${elem["name"]} ${elem["middlename"] ? elem["middlename"] + " " : ""}${elem["surname"]}: ${
 elem["quote"]
 }${elem["owner"] ? ' <span data-id="' + elem["id"] + '">[x]</span></li>' : ""}`,
 );
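Review bot: The rewritten `<li>` line depends on `elem["quote"]` having been encoded when it was inserted by the `quotes/index.js` change, so rows stored before this commit, or written by any other path, reach `insertAdjacentHTML` unescaped, and the name fields on the same line are not encoded anywhere. Assembling the item with `document.createElement` and `textContent`, as below, makes the rendering safe regardless of what the database holds and keeps the `data-id` hook for the owner control. Separately, the context line after the change only emits `</li>` inside the `elem["owner"]` branch, so non-owner entries leave the list item unclosed. The enclosing `appendQuote` function starts and ends outside the hunk.
```javascript
const item = document.createElement("li");
item.textContent = `${elem["name"]} ${elem["middlename"] ? elem["middlename"] + " " : ""}${elem["surname"]}: ${elem["quote"]}`;
if (elem["owner"]) {
  const remove = document.createElement("span");
  remove.dataset.id = elem["id"];
  remove.textContent = "[x]";
  item.append(" ", remove);
}
document.getElementById(elem["class"]).appendChild(item);
```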