defend against XSS in Monitor Name
parent
aad0b9362c
commit
e9430d48a7
|
@ -151,6 +151,11 @@ function deleteFilter( element ) {
|
|||
form.submit();
|
||||
}
|
||||
}
|
||||
var escape = document.createElement('textarea');
|
||||
function escapeHTML(html) {
|
||||
escape.textContent = html;
|
||||
return escape.innerHTML;
|
||||
}
|
||||
|
||||
function parseRows(rows) {
|
||||
for ( var rowNum = 0; rowNum < rows.length; rowNum++ ) { //Each row is a term
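Review bot: `var escape` in the added lines above `escapeHTML` looks like a top-level declaration, and if this file is loaded as a classic script it replaces the built-in global `escape()` for every other script on the page. A distinct name avoids that, e.g. `var escapeScratch = document.createElement('textarea');`. The helper also needs a comment stating its safe context, such as `// Encodes &, < and > for element text only; quotes are not encoded, so never use the result inside an attribute value.` The textContent-to-innerHTML round trip does not encode `"` or `'`, which matters for any caller that builds markup by string concatenation.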
|
||||
|
@ -245,7 +250,7 @@ function parseRows(rows) {
|
|||
} else if ( attr == 'MonitorName' ) { //Monitor names
|
||||
var monitorSelect = $j('<select></select>').attr('name', queryPrefix + rowNum + '][val]').attr('id', queryPrefix + rowNum + '][val]');
|
||||
for ( var monitor_id in monitors ) {
|
||||
monitorSelect.append('<option value="' + monitors[monitor_id].Name + '">' + monitors[monitor_id].Name + '</option>');
|
||||
monitorSelect.append('<option value="' + monitors[monitor_id].Name + '">' + escapeHTML(monitors[monitor_id].Name) + '</option>');
|
||||
}
|
||||
var monitorVal = inputTds.eq(4).children().val();
|
||||
inputTds.eq(4).html(monitorSelect).children().val(monitorVal);
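Review bot: The `value="..."` attribute on the new `monitorSelect.append(...)` line still concatenates `monitors[monitor_id].Name` unescaped, so a monitor name containing a double quote can still close the attribute and inject markup; only the option text is escaped. `escapeHTML` would not close this gap, because it does not encode quotes. Letting jQuery set both fields avoids string-built HTML altogether: `monitorSelect.append($j('<option></option>').val(monitors[monitor_id].Name).text(monitors[monitor_id].Name));`. parseRows starts and ends outside this hunk, so other branches that build options the same way are worth checking.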
|
||||
|
|