authorMax Magorsch <arzano@gentoo.org>2020-04-20 18:28:35 +0200
committerMax Magorsch <arzano@gentoo.org>2020-04-20 18:28:35 +0200
commite52d831e385a09802f3f94a865ba157d0eba4e84 (patch)
tree666c6ef24f2e31c9b8aebb64ebf0d9285aff7baa
parentMake the label on the login page clickable (diff)
Escape comments before storing them in the database
Signed-off-by: Max Magorsch <arzano@gentoo.org>
-rw-r--r--pkg/app/handler/cvetool/comments.go3
-rw-r--r--pkg/app/handler/glsa/comments.go2
-rw-r--r--web/packs/src/javascript/cvetool.js4
3 files changed, 6 insertions, 3 deletions
diff --git a/pkg/app/handler/cvetool/comments.go b/pkg/app/handler/cvetool/comments.go
index 3d76d75..1659ea7 100644
--- a/pkg/app/handler/cvetool/comments.go
+++ b/pkg/app/handler/cvetool/comments.go
@@ -8,6 +8,7 @@ import (
"glsamaker/pkg/models/cve"
"encoding/json"
"glsamaker/pkg/models/users"
+ "html"
"net/http"
"time"
)
@@ -52,7 +53,7 @@ func addNewCommment(id string, user *users.User, comment string) (cve.Comment, e
CVEId: id,
UserId: user.Id,
User: user,
- Message: comment,
+ Message: html.EscapeString(comment),
Date: time.Now(),
}
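Review bot: `Message: html.EscapeString(comment)` bakes HTML encoding into the stored data, so any renderer that already escapes on output — Go's html/template does this by default — will display `&amp;lt;` for a `<`, and any non-HTML consumer of the comment (plain text, XML, JSON returned to a client that sets text rather than markup) receives entities instead of the original characters. The conventional boundary is to store the raw text and escape at the output site; if storing escaped text is deliberate, the `Message` field of the comment struct should say so, e.g. `// Message holds HTML-escaped text (html.EscapeString); render without re-escaping`, so no template or handler escapes it twice. Rows written before this change are not rewritten, so presumably they remain unescaped and every output path still has to treat stored messages as untrusted — worth confirming against the templates. The same point applies to the hunk in pkg/app/handler/glsa/comments.go (`AddNewCommment`). addNewCommment begins outside the hunk.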
diff --git a/pkg/app/handler/glsa/comments.go b/pkg/app/handler/glsa/comments.go
index 1381984..bc626ef 100644
--- a/pkg/app/handler/glsa/comments.go
+++ b/pkg/app/handler/glsa/comments.go
@@ -91,7 +91,7 @@ func AddNewCommment(id string, user *users.User, comment string, commentType str
User: user,
UserBadge: user.Badge,
Type: commentType,
- Message: comment,
+ Message: html.EscapeString(comment),
Date: time.Now(),
}
diff --git a/web/packs/src/javascript/cvetool.js b/web/packs/src/javascript/cvetool.js
index b9a8272..1e483b8 100644
--- a/web/packs/src/javascript/cvetool.js
+++ b/web/packs/src/javascript/cvetool.js
@@ -339,7 +339,7 @@ function registerCommentListener(){
if(data != "err") {
var comment = JSON.parse(data);
var commentDate = '<small class="text-muted">' + comment.Date.split("T")[0] + ' ' + comment.Date.split("T")[1].split(".")[0] + ' UTC</small>';
- var newComment = '<div class="col-3 text-right mb-3"><b>' + comment.User.Name + '</b><br/>' + commentDate + '</div><div class="col-9 mb-3"><div class="card" style="background: none;"><div class="card-body">' + escape(comment.Message) + '</div></div></div>';
+ var newComment = '<div class="col-3 text-right mb-3"><b>' + comment.User.Name + '</b><br/>' + commentDate + '</div><div class="col-9 mb-3"><div class="card" style="background: none;"><div class="card-body">' + comment.Message + '</div></div></div>';
$('.comments-section[data-cveid="' + cveid + '"]').append(newComment);
}
return
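Review bot: `comment.User.Name` is still concatenated into the markup on the new `newComment` line without any escaping, so if user names can contain markup this remains an HTML injection point even though `comment.Message` is now escaped server-side; if names are guaranteed safe elsewhere, a comment saying so would help, otherwise build that cell with `$('<b>').text(comment.User.Name)` and append the nodes instead of a string. The bare `comment.Message` concatenation now depends entirely on the server having stored an escaped value, which holds for the freshly created comment this handler appends but should be stated at the site, e.g. `// Message arrives HTML-escaped from the server (html.EscapeString); do not escape again here`. Stylistically the new line keeps `var` and the surrounding `!=` comparison; `const` and `!==` would match modern usage. registerCommentListener starts and ends outside the hunk.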
@@ -517,4 +517,6 @@ function updateBugInformation(cveid, bugid){
});
}
+
+
export default {initDatatable, destroyDatatable}