From b2c41163571e8b24b3d10bf36fd4b28174007caa Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Mon, 16 Nov 2020 18:16:20 -0500 Subject: [PATCH] Replace JQuery .text by .html - Prevents inserting unescaped HTML in page --- view/templates/admin/aside.tpl | 2 +- view/templates/event_head.tpl | 2 +- view/templates/photos_head.tpl | 2 +- view/templates/settings/head.tpl | 2 +- view/theme/frio/js/event_edit.js | 2 +- view/theme/frio/js/mod_photos.js | 2 +- view/theme/frio/js/modal.js | 4 ++-- view/theme/frio/js/theme.js | 8 ++++---- view/theme/frio/templates/admin/aside.tpl | 7 ++++--- view/theme/quattro/js/quattro.js | 4 ++-- view/theme/smoothly/templates/jot-header.tpl | 2 +- view/theme/vier/templates/event_head.tpl | 2 +- 12 files changed, 20 insertions(+), 19 deletions(-) diff --git a/view/templates/admin/aside.tpl b/view/templates/admin/aside.tpl index 0f624d8eb4..ecf71d8e56 100644 --- a/view/templates/admin/aside.tpl +++ b/view/templates/admin/aside.tpl @@ -4,7 +4,7 @@ $("nav").bind('nav-update', function(e,data){ var elm = $('#pending-update'); - var register = $(data).find('register').text(); + var register = $(data).find('register').html(); if (register=="0") { register=""; elm.hide();} else { elm.show(); } elm.html(register); }); diff --git a/view/templates/event_head.tpl b/view/templates/event_head.tpl index 8990c6fb25..3075408063 100644 --- a/view/templates/event_head.tpl +++ b/view/templates/event_head.tpl @@ -168,7 +168,7 @@ $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-public').hide(); }); if(selstr == null) { diff --git a/view/templates/photos_head.tpl b/view/templates/photos_head.tpl index 88fd067c8c..1d693e103c 100644 --- a/view/templates/photos_head.tpl +++ b/view/templates/photos_head.tpl 
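Review bot: `register` is a numeric counter (the next line compares it with "0"), so reading it with `.html()` only works because the markup of a digit string equals its text; the frio copy of this file in the same commit parses the value with parseInt instead, and the two handlers should agree. Parsing also keeps whatever the element contains from being rendered and handles a missing or non-numeric value without showing "NaN": `var register = parseInt($(data).find('register').text(), 10);` and `if (!(register > 0)) { register=""; elm.hide();} else { elm.show(); }`. The nav-update handler is shown in full, but the enclosing script starts outside the hunk.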
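Review bot: In this hunk `selstr` is only tested for null at the end (`if(selstr == null)`) and never written into the page, so `.text()` versus `.html()` changes nothing about what reaches the DOM; the switch is harmless but does not close an injection path here. The same applies to the identical change in photos_head.tpl, settings/head.tpl, frio event_edit.js, frio mod_photos.js, smoothly jot-header.tpl and vier event_head.tpl, where the later use of `selstr` sits beyond the hunk and should be confirmed. A comment would save the next reader the same question, e.g. `// selstr only flags that an option is selected; its value is never inserted into the page`. The change handler's body continues past the hunk.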
@@ -10,7 +10,7 @@ $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-public').hide(); }); diff --git a/view/templates/settings/head.tpl b/view/templates/settings/head.tpl index f1229a5aa5..6d58e54a6c 100644 --- a/view/templates/settings/head.tpl +++ b/view/templates/settings/head.tpl @@ -9,7 +9,7 @@ $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-public').hide(); }); diff --git a/view/theme/frio/js/event_edit.js b/view/theme/frio/js/event_edit.js index a198eef07f..f7a9c4a760 100644 --- a/view/theme/frio/js/event_edit.js +++ b/view/theme/frio/js/event_edit.js @@ -23,7 +23,7 @@ $(document).ready(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-public').hide(); }); if (selstr == null) { diff --git a/view/theme/frio/js/mod_photos.js b/view/theme/frio/js/mod_photos.js index 692a7057f4..c75a997cab 100644 --- a/view/theme/frio/js/mod_photos.js +++ b/view/theme/frio/js/mod_photos.js 
@@ -5,7 +5,7 @@ $(document).ready(function() { $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-public').hide(); }); diff --git a/view/theme/frio/js/modal.js b/view/theme/frio/js/modal.js index a088b08e34..241cfd4cea 100644 --- a/view/theme/frio/js/modal.js +++ b/view/theme/frio/js/modal.js @@ -192,12 +192,12 @@ function loadModalTitle() { var title = ""; // Get the text of the first element with "heading" class. - title = $("#modal-body .heading").first().text(); + title = $("#modal-body .heading").first().html(); // for event modals we need some speacial handling if($("#modal-body .event-wrapper .event-summary").length) { title = ' '; - var eventsum = $("#modal-body .event-wrapper .event-summary").text(); + var eventsum = $("#modal-body .event-wrapper .event-summary").html(); title = title + eventsum; } diff --git a/view/theme/frio/js/theme.js b/view/theme/frio/js/theme.js index 99ec88de1a..b630739668 100644 --- a/view/theme/frio/js/theme.js +++ b/view/theme/frio/js/theme.js @@ -146,7 +146,7 @@ $(document).ready(function(){ if( $(".search-content-wrapper").length ) { // get the text of the heading (we catch the plain text because we don't // want to have a h4 heading in the navbar - var searchText = $(".section-title-wrapper > h2").text(); + var searchText = $(".section-title-wrapper > h2").html(); // insert the plain text in a
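Review bot: The comment above the first changed line still says "Get the text of", but `.html()` now returns the heading's inner markup, so any child elements of `.heading` or `.event-summary` are carried into `title` rather than only their text. That is correct only if `title` is later written back with `.html()` and never with `.text()` (which would show the tags literally); the write happens outside the hunk and should be checked. Update the comment to `// Get the (already HTML-escaped) markup of the first element with "heading" class so it can be re-inserted with .html() without decoding entities.` loadModalTitle continues beyond the hunk.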

heading and give it a class var newText = '

'+searchText+'

'; // append the new heading to the navbar @@ -208,7 +208,7 @@ $(document).ready(function(){ // get the heading element var heading = $(".network-content-wrapper > .section-title-wrapper > h2"); // get the text of the heading - var headingContent = heading.text(); + var headingContent = heading.html(); // create a new element with the content of the heading var newText = '
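Review bot: The comments around the changed line ("get the text of the heading (we catch the plain text because ...)" and "insert the plain text in a ... heading") are now wrong: `.html()` returns the h2's markup, which is then concatenated into the new element's HTML. That keeps entities escaped when re-inserted, which is the point of the commit, but it also copies any child elements of the h2 into the navbar heading, so the comment should say so. The same stale "get the text of the heading" comment precedes the changed line in the @@ -208 and @@ -221 hunks of this file. Suggested wording: `// take the heading's inner HTML (already escaped) so it can be re-inserted with .html() without decoding entities; child elements are carried along`. The document-ready handler these hunks belong to starts outside them.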

'+headingContent+'

'; // remove the old heading element @@ -221,7 +221,7 @@ $(document).ready(function(){ // get the heading element var heading = $(".community-content-wrapper > h3").first(); // get the text of the heading - var headingContent = heading.text(); + var headingContent = heading.html(); // create a new element with the content of the heading var newText = '

'+headingContent+'

'; // remove the old heading element @@ -790,7 +790,7 @@ function bin2hex (s) { // Dropdown menus with the class "dropdown-head" will display the active tab // as button text function toggleDropdownText(elm) { - $(elm).closest(".dropdown").find('.btn').html($(elm).text() + ' '); + $(elm).closest(".dropdown").find('.btn').html($(elm).html() + ' '); $(elm).closest(".dropdown").find('.btn').val($(elm).data('value')); $(elm).closest("ul").children("li").show(); $(elm).parent("li").hide(); diff --git a/view/theme/frio/templates/admin/aside.tpl b/view/theme/frio/templates/admin/aside.tpl index 0ba58e5aec..b02f5f6149 100644 --- a/view/theme/frio/templates/admin/aside.tpl +++ b/view/theme/frio/templates/admin/aside.tpl @@ -3,9 +3,10 @@ $(function(){ $("nav").bind('nav-update', function(e,data){ var elm = $('#pending-update'); - var register = $(data).find('register').text(); - if (register=="0") { register = ""; } - elm.html(register); + var register = parseInt($(data).find('register').text()); + if (register > 0) { + elm.html(register); + } }); }); diff --git a/view/theme/quattro/js/quattro.js b/view/theme/quattro/js/quattro.js index 89407569b7..e91794feba 100644 --- a/view/theme/quattro/js/quattro.js +++ b/view/theme/quattro/js/quattro.js @@ -2,8 +2,8 @@ $(document).ready(function(){ $('nav').bind('nav-update', function(e,data){ var notifCount = $(data).find('notif').attr('count'); - var intro = $(data).find('intro').text(); - var mail = $(data).find('mail').text(); + var intro = parseInt($(data).find('intro').text()); + var mail = parseInt($(data).find('mail').text()); $(".tool .notify").removeClass("on"); $(data).find("group").each(function() { diff --git a/view/theme/smoothly/templates/jot-header.tpl b/view/theme/smoothly/templates/jot-header.tpl index 3a70a5a9cc..71e54246b3 100644 --- a/view/theme/smoothly/templates/jot-header.tpl +++ b/view/theme/smoothly/templates/jot-header.tpl 
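Review bot: The new branch only writes when `register > 0`, so once the pending count drops back to zero the badge keeps its last value instead of being cleared as the removed `register = ""` line did; a NaN from an empty or non-numeric `register` element leaves it stale the same way. Clearing explicitly restores the old behaviour and adds the missing radix: `var register = parseInt($(data).find('register').text(), 10);` followed by `elm.html(register > 0 ? register : '');`. The enclosing script starts outside the hunk.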
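Review bot: `parseInt` is called without a radix on both changed lines; pass 10, and note that an empty or non-numeric `intro`/`mail` element now yields NaN instead of "", so every later comparison on those values (outside the hunk) must tolerate that. Suggested: `var intro = parseInt($(data).find('intro').text(), 10);` and `var mail = parseInt($(data).find('mail').text(), 10);`. The `notifCount` line just above still reads the raw attribute, which may be intentional but is worth a look for consistency. The nav-update handler continues past the hunk.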
@@ -86,7 +86,7 @@ function enableOnUser(){ $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-perms-icon').removeClass('unlock').addClass('lock'); $('#jot-public').hide(); $('.profile-jot-net input').attr('disabled', 'disabled'); diff --git a/view/theme/vier/templates/event_head.tpl b/view/theme/vier/templates/event_head.tpl index 75f6f4b046..2c7b3070a7 100644 --- a/view/theme/vier/templates/event_head.tpl +++ b/view/theme/vier/templates/event_head.tpl @@ -170,7 +170,7 @@ $('#contact_allow, #contact_deny, #group_allow, #group_deny').change(function() { var selstr; $('#contact_allow option:selected, #contact_deny option:selected, #group_allow option:selected, #group_deny option:selected').each( function() { - selstr = $(this).text(); + selstr = $(this).html(); $('#jot-public').hide(); }); if(selstr == null) {