vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small

commit d7eeaaf24952bc893ef6209d428c8d9b775b618b
parent a744b9437aac62b54092eb752b4f1d1045550acc
Author: Daniel GarcĂ­a <dani-garcia@users.noreply.github.com>
Date:   Sun, 17 Feb 2019 15:22:27 +0100

Escape user data from admin panel when calling JS

Diffstat:
Msrc/config.rs | 31++++++++++++++++++++++++++++++-
Msrc/static/templates/admin/page.hbs | 8++++----
2 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/config.rs b/src/config.rs
@@ -423,7 +423,9 @@ fn load_templates(path: &str) -> Handlebars {
     let mut hb = Handlebars::new();
     // Error on missing params
     hb.set_strict_mode(true);
+    // Register helpers
     hb.register_helper("case", Box::new(CaseHelper));
+    hb.register_helper("jsesc", Box::new(JsEscapeHelper));
 
     macro_rules! reg {
         ($name:expr) => {{
@@ -455,7 +457,6 @@ fn load_templates(path: &str) -> Handlebars {
     hb
 }
 
-#[derive(Clone, Copy)]
 pub struct CaseHelper;
 
 impl HelperDef for CaseHelper {
@@ -479,3 +480,31 @@ impl HelperDef for CaseHelper {
         }
     }
 }
+
+pub struct JsEscapeHelper;
+
+impl HelperDef for JsEscapeHelper {
+    fn call<'reg: 'rc, 'rc>(
+        &self,
+        h: &Helper<'reg, 'rc>,
+        _: &'reg Handlebars,
+        _: &Context,
+        _: &mut RenderContext<'reg>,
+        out: &mut Output,
+    ) -> HelperResult {
+        let param = h
+            .param(0)
+            .ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?;
+
+        let value = param
+            .value()
+            .as_str()
+            .ok_or_else(|| RenderError::new("Param for helper \"js_escape\" is not a String"))?;
+
+        let escaped_value = value.replace('\\', "").replace('\'', "\\x22").replace('\"', "\\x27");
+        let quoted_value = format!("&quot;{}&quot;", escaped_value);
+
+        out.write(&quoted_value)?;
+        Ok(())
+    }
+}
diff --git a/src/static/templates/admin/page.hbs b/src/static/templates/admin/page.hbs
@@ -27,8 +27,8 @@
                     </span>
                 </div>
                 <div style="flex: 0 0 240px;">
-                    <a class="mr-3" href="#" onclick='deauthUser("{{Id}}")'>Deauthorize sessions</a>
-                    <a class="mr-3" href="#" onclick='deleteUser("{{Id}}", "{{Email}}")'>Delete User</a>
+                    <a class="mr-3" href="#" onclick='deauthUser({{jsesc Id}})'>Deauthorize sessions</a>
+                    <a class="mr-3" href="#" onclick='deleteUser({{jsesc Id}}, {{jsesc Email}})'>Delete User</a>
                 </div>
             </div>
         </div>
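Review bot: The two hex escapes in `escaped_value` are swapped — `\x22` is `"` and `\x27` is `'` — so a value containing either quote reaches `deauthUser`/`deleteUser` as the other quote, and `\` is dropped outright instead of being escaped; the intended line is `value.replace('\\', "\\\\").replace('\'', "\\x27").replace('"', "\\x22")`. Beyond that, only three characters are handled while the output is written raw through `out.write` straight into an `onclick` attribute (the literal `&quot;` the helper emits relies on that), where the HTML parser decodes entities before the JS engine sees the string, so `&`, `<`, newlines and U+2028/2029 pass through untouched; escaping every non-alphanumeric UTF-16 unit as `\uHHHH` (below) covers all of these at once and makes the swap impossible. The error strings name the helper `"js_escape"` although the first hunk registers it as `"jsesc"`; use one name in both places. Because the helper emits `&quot;` delimiters it is only correct inside an HTML attribute value, as in the page.hbs hunk, not inside a `<script>` block — a doc comment on `JsEscapeHelper` stating that would prevent misuse.
```rust
        // … unchanged: param / value lookup …

        // Keep only ASCII alphanumerics; every other UTF-16 unit becomes \uHHHH,
        // which is inert both for the HTML attribute parser and inside a JS string.
        let mut escaped_value = String::with_capacity(value.len());
        let mut units = [0u16; 2];
        for c in value.chars() {
            if c.is_ascii_alphanumeric() {
                escaped_value.push(c);
            } else {
                for unit in c.encode_utf16(&mut units).iter() {
                    escaped_value.push_str(&format!("\\u{:04x}", unit));
                }
            }
        }
        let quoted_value = format!("&quot;{}&quot;", escaped_value);

        // … unchanged: out.write / Ok(()) …
```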
@@ -101,7 +101,7 @@
                     {{/if}}
                 {{/each}}
                 <button type="submit" class="btn btn-primary">Save</button>
-                <button type="button" class="btn btn-danger float-right" onclick="deleteConfig();">Reset defaults</button>
+                <button type="button" class="btn btn-danger float-right" onclick="deleteConf();">Reset defaults</button>
             </form>
         </div>
     </div>
@@ -192,7 +192,7 @@
                 "Error saving config", data);
             return false;
         }
-        function deleteConfig() {
+        function deleteConf() {
             var input = prompt("This will remove all user configurations, and restore the defaults and the " +
                 "values set by the environment. This operation could be dangerous. Type 'DELETE' to proceed:");
             if (input === "DELETE") {