[Update] xss

2019-04-25 14:31:34 +08:00 · 2019-04-25 14:31:34 +08:00 · 8b98c20d68
parent 40d48cdfe4
commit 8b98c20d68
3 changed files with 17 additions and 8 deletions
--- a/apps/assets/templates/assets/admin_user_list.html
+++ b/apps/assets/templates/assets/admin_user_list.html
@ -44,9 +44,10 @@ $(document).ready(function(){
    var options = {
        ele: $('#admin_user_list_table'),
        columnDefs: [
-            {targets: 1, createdCell: function (td, cellData, rowData) {
+            {targets: 1, render: function (cellData, tp, rowData, meta) {
                cellData = htmlEscape(cellData);
                var detail_btn = '<a href="{% url "assets:admin-user-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
-                $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
+                return detail_btn.replace('{{ DEFAULT_PK }}', rowData.id);
            }},
            {targets: 4, createdCell: function (td, cellData) {
                var innerHtml = "";
@ -82,7 +83,6 @@ $(document).ready(function(){
                    innerHtml = "<span class='text-danger'>" + num.toFixed(1) + "% </span>";
                }
                $(td).html('<span href="javascript:void(0);" data-toggle="tooltip" title="' + cellData + '">' + innerHtml + '</span>');
            }},
            {targets: 8, createdCell: function (td, cellData, rowData) {
                var update_btn = '<a href="{% url "assets:admin-user-update" pk=DEFAULT_PK %}" class="btn btn-xs m-l-xs btn-info">{% trans "Update" %}</a>'.replace('{{ DEFAULT_PK }}', cellData);
@ -90,8 +90,8 @@ $(document).ready(function(){
                $(td).html(update_btn + del_btn)
             }}],
        ajax_url: '{% url "api-assets:admin-user-list" %}',
-        columns: [{data: function(){return ""}}, {data: "name" }, {data: "username" }, {data: "assets_amount" },
+        columns: [{data: function(){return ""}}, {data: "name"}, {data: "username" }, {data: "assets_amount" },
-                  {data: "reachable_amount"}, {data: "unreachable_amount"}, {data: "id"}, {data: "comment" }, {data: "id" }]
+                  {data: "reachable_amount"}, {data: "unreachable_amount"}, {data: "id"}, {data: "comment", render: $.fn.dataTable.render.text()}, {data: "id" }]
    };
    jumpserver.initServerSideDataTable(options)
 })
--- a/apps/static/js/jumpserver.js
+++ b/apps/static/js/jumpserver.js
@ -538,7 +538,11 @@ jumpserver.initServerSideDataTable = function (options) {
              $(td).html('<input type="checkbox" class="text-center ipt_check" id=99991937>'.replace('99991937', cellData));
          }
      },
-      {className: 'text-center', targets: '_all'}
+      {
          targets: '_all',
          className: 'text-center',
          render: $.fn.dataTable.render.text()
      }
  ];
  columnDefs = options.columnDefs ? options.columnDefs.concat(columnDefs) : columnDefs;
  var select = {
@ -945,4 +949,11 @@ function rootNodeAddDom(ztree, callback) {
        ztree.destroy();
        callback()
    })
 }
 function htmlEscape ( d ) {
    return typeof d === 'string' ?
        d.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;') :
        d;
 }
--- a/apps/templates/_base_list.html
+++ b/apps/templates/_base_list.html
@ -2,10 +2,8 @@
 {% load static %}
 {% load i18n %}
 {% block custom_head_css_js %}
    <link href="{% static "css/plugins/datatables/datatables.min.css" %}" rel="stylesheet">
    <link href="{% static 'css/plugins/select2/select2.min.css' %}" rel="stylesheet">
    <script src="{% static 'js/plugins/select2/select2.full.min.js' %}"></script>
    <script src="{% static "js/plugins/datatables/datatables.min.js" %}"></script>
 {% endblock %}
 {% block content %}
 <div class="wrapper wrapper-content animated fadeInRight">