MirrorMirror
/
lufi
mirror of https://framagit.org/fiat-tux/hat-softwares/lufi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix #128 — Prevent XSS in localStorage import

This commit is contained in:
Luc Didry 2018-10-28 16:45:43 +01:00
parent fef978c7e1
commit 6b5727ce91
No known key found for this signature in database
GPG Key ID: EA868E12D0257E3C
1 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
themes/default/public/js/lufi-files.js
View File

@ -93,7 +93,7 @@ function importStorage(f) {
var hasImported = 0; var hasImported = 0;
for (i = 0; i < newFiles.length; i++) { for (i = 0; i < newFiles.length; i++) {
var item = newFiles[i]; var item = newFiles[i];
if (!itemExists(item.short)) { if (validURL(item.url) && !itemExists(item.short)) {
addItem(item); addItem(item);
hasImported++; hasImported++;
} }
@ -108,6 +108,19 @@ function importStorage(f) {
reader.readAsArrayBuffer(f[0]); reader.readAsArrayBuffer(f[0]);
} }
function validURL(str) {
try {
var url = new URL(str);
if (url.host) {
return true;
} else {
return false;
}
} catch(e) {
return false;
}
}
function delFile() { function delFile() {
var dlink = $(this).attr('data-dlink'); var dlink = $(this).attr('data-dlink');
var short = $(this).attr('data-short'); var short = $(this).attr('data-short');
@ -151,7 +164,12 @@ function massDelete(event) {
function populateFilesTable() { function populateFilesTable() {
$('#myfiles').empty(); $('#myfiles').empty();
var files = JSON.parse(localStorage.getItem('files')); var files = localStorage.getItem('files');
if (files === null) {
files = new Array();
} else {
files = JSON.parse(files);
}
files.sort(function(a, b) { files.sort(function(a, b) {
if (a.created_at < b.created_at) { if (a.created_at < b.created_at) {
return -1; return -1;