Fix xss in formating people list in sharing dialog

2025-08-31 22:54:11 +00:00 · 2015-05-07 11:45:04 +08:00
parent 756177c952
commit 74b7428d21
3 changed files with 48 additions and 45 deletions
--- a/static/scripts/common.js
+++ b/static/scripts/common.js
@@ -477,43 +477,46 @@ define([
            });
        },

-        contactInputOptionsForSelect2: {
-            placeholder: gettext("Enter emails or select contacts"),
+        contactInputOptionsForSelect2: function() {
+            var _this = this;
+            return {
+                placeholder: gettext("Enter emails or select contacts"),

-            // with 'tags', the user can directly enter, not just select
-            // tags need `<input type="hidden" />`, not `<select>`
-            tags: function () {
-                var contacts = app.pageOptions.contacts || [];
-                var contact_list = [];
-                for (var i = 0, len = contacts.length; i < len; i++) {
-                    contact_list.push({ // 'id' & 'text' are required by the plugin
-                        "id": contacts[i].email,
-                        // for search. both name & email can be searched.
-                        // use ' '(space) to separate name & email
-                        "text": contacts[i].name + ' ' + contacts[i].email,
-                        "avatar": contacts[i].avatar,
-                        "name": contacts[i].name
-                    });
-                }
-                return contact_list;
-            },
+                // with 'tags', the user can directly enter, not just select
+                // tags need `<input type="hidden" />`, not `<select>`
+                tags: function () {
+                    var contacts = app.pageOptions.contacts || [];
+                    var contact_list = [];
+                    for (var i = 0, len = contacts.length; i < len; i++) {
+                        contact_list.push({ // 'id' & 'text' are required by the plugin
+                            "id": contacts[i].email,
+                            // for search. both name & email can be searched.
+                            // use ' '(space) to separate name & email
+                            "text": contacts[i].name + ' ' + contacts[i].email,
+                            "avatar": contacts[i].avatar,
+                            "name": contacts[i].name
+                        });
+                    }
+                    return contact_list;
+                },

-            tokenSeparators: [',', ' '],
+                tokenSeparators: [',', ' '],

-            // format items shown in the drop-down menu
-            formatResult: function(item) {
-                if (item.avatar) {
-                    return item.avatar + '<span class="text">' + item.name + '<br />' + item.id + '</span>';
-                } else {
-                    return; // if no match, show nothing
-                }
-            },
+                // format items shown in the drop-down menu
+                formatResult: function(item) {
+                    if (item.avatar) {
+                        return item.avatar + '<span class="text">' + _this.HTMLescape(item.name) + '<br />' + _this.HTMLescape(item.id) + '</span>';
+                    } else {
+                        return; // if no match, show nothing
+                    }
+                },

-            // format selected item shown in the input
-            formatSelection: function(item) {
-                return item.name || item.id; // if no name, show the email, i.e., when directly input, show the email
-            },
-            escapeMarkup: function(m) { return m; }
+                // format selected item shown in the input
+                formatSelection: function(item) {
+                    return _this.HTMLescape(item.name || item.id); // if no name, show the email, i.e., when directly input, show the email
+                },
+                escapeMarkup: function(m) { return m; }
+            }
        },

        // check if a file is an image