Merge pull request #3052 from jumpserver/dev_bai

[Update] htmlEscape
5 years ago · 32dacecd24
4 changed files with 10 additions and 6 deletions
--- a/apps/perms/templates/perms/asset_permission_list.html
+++ b/apps/perms/templates/perms/asset_permission_list.html
@ -174,10 +174,11 @@ function initTable() {
 				}
            }},
            {targets: 8, createdCell: function (td, cellData, rowData) {
+                var name = htmlEscape(rowData.name);
                var update_btn = '<a href="{% url "perms:asset-permission-update" pk=DEFAULT_PK %}" class="btn btn-xs m-l-xs btn-info">{% trans "Update" %}</a>'.replace('{{ DEFAULT_PK }}', cellData);
                var del_btn = '<a class="btn btn-xs btn-danger m-l-xs btn-del" data-uid="{{ DEFAULT_PK }}" mark=1 data-name="99991938">{% trans "Delete" %}</a>'
                    .replace('{{ DEFAULT_PK }}', cellData)
-                    .replace('99991938', rowData.name);
+                    .replace('99991938', name);
                if (rowData.inherit) {
                    del_btn = del_btn.replace("mark", "disabled")
                }
--- a/apps/terminal/templates/terminal/terminal_list.html
+++ b/apps/terminal/templates/terminal/terminal_list.html
@ -69,16 +69,17 @@ function initTable() {
                }
            }},
            {targets: 6, createdCell: function (td, cellData, rowData) {
+                var name = htmlEscape(rowData.name);
                var update_btn = '<a href="{% url "terminal:terminal-update" pk=DEFAULT_PK %}" class="btn btn-xs btn-info">{% trans "Update" %}</a>'
                        .replace('{{ DEFAULT_PK }}', cellData);
                var delete_btn = '<a class="btn btn-xs btn-danger m-l-xs btn-del" data-id="{{ DEFAULT_PK }}" data-name="99991938">{% trans "Delete" %}</a>'
                        .replace('{{ DEFAULT_PK }}', cellData)
-                        .replace('99991938', rowData.name);
+                        .replace('99991938', name);
                var accept_btn = '<a class="btn btn-xs btn-primary btn-accept" data-id="{{ DEFAULT_PK }}">{% trans "Accept" %}</a> '
                        .replace('{{ DEFAULT_PK }}', cellData);
                var reject_btn = '<a class="btn btn-xs btn-danger m-l-xs btn-del" data-id="{{ DEFAULT_PK }}" data-name="99991938">{% trans "Reject" %}</a>'
                        .replace('{{ DEFAULT_PK }}', cellData)
-                        .replace('99991938', rowData.name);
+                        .replace('99991938', name);
                if (rowData.is_accepted) {
                    $(td).html(update_btn + delete_btn);
                } else {
--- a/apps/users/templates/users/user_group_list.html
+++ b/apps/users/templates/users/user_group_list.html
@ -67,11 +67,12 @@ function initTable() {
                $(td).html('<span href="javascript:void(0);" data-toggle="tooltip" title="' + cellData + '">' + innerHtml + '</span>');
             }},
            {targets: 4, createdCell: function (td, cellData, rowData) {
+                var name = htmlEscape(rowData.name);
                var update_btn = '<a href="{% url "users:user-group-update" pk=DEFAULT_PK %}" class="btn btn-xs btn-info">{% trans "Update" %}</a>'
                        .replace('{{ DEFAULT_PK }}', cellData);
                var del_btn = '<a class="btn btn-xs btn-danger m-l-xs btn_delete_user_group" data-gid="{{ DEFAULT_PK }}" data-name="99991938">{% trans "Delete" %}</a>'
                        .replace('{{ DEFAULT_PK }}', cellData)
-                        .replace('99991938', rowData.name);
+                        .replace('99991938', name);
                if (rowData.id === 1) {
                    $(td).html(update_btn)
                } else {
--- a/apps/users/templates/users/user_list.html
+++ b/apps/users/templates/users/user_list.html
@ -97,6 +97,7 @@ function initTable() {
                }
             }},
            {targets: 7, createdCell: function (td, cellData, rowData) {
+                var name = htmlEscape(rowData.name);
                var update_btn = "";
                if (rowData.role === 'Admin' && ('{{ request.user.role }}' !== 'Admin')) {
                    update_btn = '<a class="btn btn-xs disabled btn-info">{% trans "Update" %}</a>';
@ -109,11 +110,11 @@ function initTable() {
                if (rowData.id === 1 || rowData.username === "admin" || rowData.username === "{{ request.user.username }}" || (rowData.role === 'Admin' && ('{{ request.user.role }}' !== 'Admin'))) {
                    del_btn = '<a class="btn btn-xs btn-danger m-l-xs" disabled>{% trans "Delete" %}</a>'
                            .replace('{{ DEFAULT_PK }}', cellData)
-                            .replace('99991938', rowData.name);
+                            .replace('99991938', name);
                } else {
                    del_btn = '<a class="btn btn-xs btn-danger m-l-xs btn_user_delete" data-uid="{{ DEFAULT_PK }}" data-name="99991938">{% trans "Delete" %}</a>'
                            .replace('{{ DEFAULT_PK }}', cellData)
-                            .replace('99991938', rowData.name);
+                            .replace('99991938', name);
                }
                $(td).html(update_btn + del_btn)
             }}],