Escape user data from admin panel when calling JS
pull/404/head
Daniel García
6 years ago
No known key found for this signature in database
GPG Key ID: FC8A7D14C3CD543A
2 changed files with
34 additions and
5 deletions
-
src/config.rs
-
src/static/templates/admin/page.hbs
@ -423,7 +423,9 @@ fn load_templates(path: &str) -> Handlebars { |
|
|
|
let mut hb = Handlebars::new(); |
|
|
|
// Error on missing params
|
|
|
|
hb.set_strict_mode(true); |
|
|
|
// Register helpers
|
|
|
|
hb.register_helper("case", Box::new(CaseHelper)); |
|
|
|
hb.register_helper("jsesc", Box::new(JsEscapeHelper)); |
|
|
|
|
|
|
|
macro_rules! reg { |
|
|
|
($name:expr) => {{ |
|
|
@ -455,7 +457,6 @@ fn load_templates(path: &str) -> Handlebars { |
|
|
|
hb |
|
|
|
} |
|
|
|
|
|
|
|
#[derive(Clone, Copy)] |
|
|
|
pub struct CaseHelper; |
|
|
|
|
|
|
|
impl HelperDef for CaseHelper { |
|
|
@ -479,3 +480,31 @@ impl HelperDef for CaseHelper { |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
pub struct JsEscapeHelper; |
|
|
|
|
|
|
|
impl HelperDef for JsEscapeHelper { |
|
|
|
fn call<'reg: 'rc, 'rc>( |
|
|
|
&self, |
|
|
|
h: &Helper<'reg, 'rc>, |
|
|
|
_: &'reg Handlebars, |
|
|
|
_: &Context, |
|
|
|
_: &mut RenderContext<'reg>, |
|
|
|
out: &mut Output, |
|
|
|
) -> HelperResult { |
|
|
|
let param = h |
|
|
|
.param(0) |
|
|
|
.ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?; |
|
|
|
|
|
|
|
let value = param |
|
|
|
.value() |
|
|
|
.as_str() |
|
|
|
.ok_or_else(|| RenderError::new("Param for helper \"js_escape\" is not a String"))?; |
|
|
|
|
|
|
|
let escaped_value = value.replace('\\', "").replace('\'', "\\x22").replace('\"', "\\x27"); |
|
|
|
let quoted_value = format!(""{}"", escaped_value); |
|
|
|
|
|
|
|
out.write("ed_value)?; |
|
|
|
Ok(()) |
|
|
|
} |
|
|
|
} |
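Review bot: The two quote replacements in `escaped_value` are swapped — `'` is rewritten to `\x22`, which JavaScript decodes as `"`, and `"` to `\x27`, which decodes as `'` — so neither quote can end the literal, but any Id or Email containing a quote reaches `deleteUser`/`deauthUser` with its quotes exchanged, and a backslash is silently dropped rather than escaped. Control characters are not handled at all: a line break in the value is written straight into the literal, leaving it unterminated and the onclick handler failing with a syntax error. Rather than a per-character blacklist, it is safer to emit every UTF-16 unit that is not an ASCII letter or digit as `\uXXXX`, which covers quotes, backslash, control characters, `<`, `&` and U+2028/U+2029 in one rule, as in the rewrite below. Separately, both error strings name the helper `js_escape` while the first hunk registers it as `jsesc`; `RenderError::new("Param not found for helper \"jsesc\"")` would keep log messages searchable by the name templates actually use.
```rust
        // … unchanged: param / value extraction …

        // Emit every UTF-16 unit that is not an ASCII letter or digit as \uXXXX, so quotes,
        // backslashes, control characters, `<`, `&` and U+2028/U+2029 can never end the literal.
        let mut escaped_value = String::with_capacity(value.len());
        for unit in value.encode_utf16() {
            match char::from_u32(u32::from(unit)) {
                Some(c) if c.is_ascii_alphanumeric() => escaped_value.push(c),
                _ => escaped_value.push_str(&format!("\\u{:04x}", unit)),
            }
        }
        let quoted_value = format!("\"{}\"", escaped_value);

        // … unchanged: write quoted_value and return Ok(()) …
```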
|
|
|
|
|
@ -27,8 +27,8 @@ |
|
|
|
</span> |
|
|
|
</div> |
|
|
|
<div style="flex: 0 0 240px;"> |
|
|
|
<a class="mr-3" href="#" onclick='deauthUser("{{Id}}")'>Deauthorize sessions</a> |
|
|
|
<a class="mr-3" href="#" onclick='deleteUser("{{Id}}", "{{Email}}")'>Delete User</a> |
|
|
|
<a class="mr-3" href="#" onclick='deauthUser({{jsesc Id}})'>Deauthorize sessions</a> |
|
|
|
<a class="mr-3" href="#" onclick='deleteUser({{jsesc Id}}, {{jsesc Email}})'>Delete User</a> |
|
|
|
</div> |
|
|
|
</div> |
|
|
|
</div> |
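Review bot: The new `{{jsesc Id}}` and `{{jsesc Email}}` expressions are double-stash, so the JS literal the helper emits is additionally HTML-escaped before it lands inside the single-quoted `onclick` attribute, and that second layer is load-bearing: it is what stops an entity sequence stored in a value (for example `&#x27;`) from being decoded back into a literal quote by the HTML parser and closing the attribute, something the helper alone does not guard against. Nothing in the template records this, so a later switch to triple-stash `{{{jsesc Id}}}` to "avoid double escaping" would quietly undo the fix. A template comment next to these links, `{{!-- jsesc output must stay double-stash: the attribute still needs HTML escaping --}}`, would make the dependency explicit. This assumes handlebars-rust applies its default HTML escaping to `{{ }}` output, which the hunk does not show but is the library's documented behaviour.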
|
|
@ -101,7 +101,7 @@ |
|
|
|
{{/if}} |
|
|
|
{{/each}} |
|
|
|
<button type="submit" class="btn btn-primary">Save</button> |
|
|
|
<button type="button" class="btn btn-danger float-right" onclick="deleteConfig();">Reset defaults</button> |
|
|
|
<button type="button" class="btn btn-danger float-right" onclick="deleteConf();">Reset defaults</button> |
|
|
|
</form> |
|
|
|
</div> |
|
|
|
</div> |
|
|
@ -192,7 +192,7 @@ |
|
|
|
"Error saving config", data); |
|
|
|
return false; |
|
|
|
} |
|
|
|
function deleteConfig() { |
|
|
|
function deleteConf() { |
|
|
|
var input = prompt("This will remove all user configurations, and restore the defaults and the " + |
|
|
|
"values set by the environment. This operation could be dangerous. Type 'DELETE' to proceed:"); |
|
|
|
if (input === "DELETE") { |
|
|
|