[Bugfix] Data table xss attack

2018-07-08 13:02:43 +08:00 · 2018-07-08 13:02:43 +08:00 · b6cd4a20c5
parent 37bb344166
commit b6cd4a20c5
2 changed files with 2 additions and 2 deletions
--- a/apps/static/js/jumpserver.js
+++ b/apps/static/js/jumpserver.js
@ -272,7 +272,7 @@ jumpserver.initDataTable = function (options) {
              $(td).html('<input type="checkbox" class="text-center ipt_check" id=99991937>'.replace('99991937', cellData));
          }
      },
-      {className: 'text-center', targets: '_all'}
+      {className: 'text-center', render: $.fn.dataTable.render.text(), targets: '_all'}
  ];
  columnDefs = options.columnDefs ? options.columnDefs.concat(columnDefs) : columnDefs;
  var select = {
--- a/apps/users/templates/users/user_list.html
+++ b/apps/users/templates/users/user_list.html
@ -59,7 +59,7 @@ function initTable() {
        ele: $('#user_list_table'),
        columnDefs: [
            {targets: 1, createdCell: function (td, cellData, rowData) {
-                var detail_btn = '<a href="{% url "users:user-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
+                var detail_btn = '<a href="{% url "users:user-detail" pk=DEFAULT_PK %}">' + escape(cellData) + '</a>';
                $(td).html(detail_btn.replace("{{ DEFAULT_PK }}", rowData.id));
             }},
            {targets: 4, createdCell: function (td, cellData) {