projects / project / luci.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e2a8731) | patch
luci-base: form.js: do not execute embedded script code in stripTags()
authorJo-Philipp Wich <jo@mein.io>
Thu, 23 Dec 2021 16:06:09 +0000 (17:06 +0100)
committerJo-Philipp Wich <jo@mein.io>
Thu, 23 Dec 2021 16:10:32 +0000 (17:10 +0100)
commitad33852de03b28865505ecdd30cdc8c24f24417c
treea8562d397542466053c5df3c7d625b73c6cb7484tree | snapshot
parente2a873196a139b312b875fe8337d2ba35ab9083fcommit | diff
luci-base: form.js: do not execute embedded script code in stripTags()

Instead of relying on .innerHTML which executes embedded script code to
parse a given HTML fragment, use dom.parse() which utilizies DOMParser()
internally in order to extract textContent in a safe manner.

Fixes: FS#4199
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=4199
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 993151504e8e810c083d3257555bdcdc2f00673a)
modules/luci-base/htdocs/luci-static/resources/form.js diff | blob | history
Lua Configuration Interface (mirror)