From 525973fde01e033fd9395635ee0944210f592a95 Mon Sep 17 00:00:00 2001
From: JisanAR03
Date: Wed, 1 Nov 2023 03:38:04 +0600
Subject: [PATCH] checking security

---
 .github/workflows/codeql-analysis.yml           |  4 ++--
 website/static/vendor/bootstrap/js/bootstrap.js | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7e3f67f79..3bf52a235 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,10 +13,10 @@ name: "CodeQL"
 on:
   push:
-    branches: [ main ]
+    branches: [ cc ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ main ]
+    branches: [ cc ]
   schedule:
     - cron: '36 16 * * 2'
diff --git a/website/static/vendor/bootstrap/js/bootstrap.js b/website/static/vendor/bootstrap/js/bootstrap.js
index befba8815..6d6aae9ae 100644
--- a/website/static/vendor/bootstrap/js/bootstrap.js
+++ b/website/static/vendor/bootstrap/js/bootstrap.js
@@ -19,6 +19,11 @@ function sanitizeSelector(selector) {
   // Use a whitelist approach to only allow valid characters in a selector
   return selector.replace(/[^\w-#.:]/g, '');
 }
+function sanitizeInput(input) {
+  var div = document.createElement('div');
+  div.appendChild(document.createTextNode(input));
+  return div.innerHTML;
+}
 /* ========================================================================
  * Bootstrap: transition.js v3.3.7
  * http://getbootstrap.com/javascript/#transitions
@@ -1576,7 +1581,13 @@ function sanitizeSelector(selector) {
   Tooltip.prototype.setContent = function () {
     var $tip  = this.tip()
-    var title = escapeHTML(this.getTitle())
+    var title = this.getTitle()
+    if(this.options.html){
+      title = sanitizeInput(title);
+    }
+    else{
+      title = sanitizeSelector(title);
+    }
     $tip.find('.tooltip-inner')[this.options.html ? 'html' : 'text'](title)
     $tip.removeClass('fade in top bottom left right')
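Review bot: Changing both the `push` and `pull_request` triggers from `main` to `cc` means the default branch stops being scanned by CodeQL as soon as this lands, so later merges to main get no code-scanning results until the workflow is edited back. If `cc` is a working branch used to try the workflow out, this looks like a change that should not reach main as-is; keeping both branches on the two changed lines, `branches: [ main, cc ]`, would scan the feature branch without dropping the default branch. The `schedule` trigger is left in place, but scheduled runs execute the workflow file from the default branch, so they do not compensate for the lost push and pull-request coverage on `main`. A short comment above `push:` recording why the branch list was changed would make the intent clear to the next reviewer.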
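Review bot: `sanitizeInput` is an HTML text escaper rather than a sanitizer: serializing a text node through `innerHTML` escapes `&`, `<` and `>` but leaves `"` and `'` untouched, so its output is only safe as element content and must never be placed inside an attribute value, and the name invites exactly that misuse. A header comment should say so, e.g. `// Escapes input as HTML text (&, <, >); safe only as element content, not inside attribute values`, and the function should be named for what it does (an `escape` name rather than `sanitize`). The removed line `var title = escapeHTML(this.getTitle())` in the later setContent hunk suggests a string-based escaper already exists in this file; if so, reusing it would avoid two escapers with different coverage, and would not depend on a live `document`. That later hunk runs past the end of this patch excerpt, but as far as it is visible it applies `sanitizeInput` when `options.html` is true and then inserts the result with `.html()`, so `html: true` titles will render their markup as literal text, while `sanitizeSelector` (a selector whitelist that strips spaces and most punctuation) is applied to plain-text titles, which will visibly mangle them even though `.text()` already needs no escaping.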