
Fix XSS Vulnerability on Responses Row and Modal #546

Merged (3 commits) on Dec 28, 2021

Conversation

@zgary (Contributor) commented Dec 22, 2021

No description provided.

@johnyu95 (Contributor) left a comment

@g-zhou, I made some additional changes.

  • Changed the format of row_html_id and modal_html_id. There was an additional row- prefix, so the ID looked like row-row-1 before. Now it will be response-row-1 and response-modal-body-1. response-modal- is being used as the ID for the entire modal element, so there was a chance that it would conflict, which is why I used response-modal-body- instead.
  • There was one typo in modal_body/notes.html that was still using html_id, so I changed that to modal_html_id.
  • In the script section of notes.html, I added an if statement to check for edit permissions. That part uses a textarea instead of a regular div, so we need to target note-{{ response.id }} instead of modal_html_id.

Can you take a look at my commit? If everything looks good, you can merge.

@johnyu95 johnyu95 merged commit 1c798cf into main Dec 28, 2021
zgary added a commit that referenced this pull request Jan 4, 2022
…e-fix"

This reverts commit 1c798cf, reversing
changes made to db6d6b4.