Dasko/GoNtech
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Bezbednost: ntechToast koristi textContent za tekst poruke (XSS zaštita)

Browse Source 
CodeQL js/xss-through-dom — flash poruku server HTML-escape-uje, ali textContent
je dekodira, pa bi innerHTML ponovo interpretirao sadržaj kao HTML. Sada tekst
ide kroz textContent, a samo statički SVG kroz innerHTML.
This commit is contained in:
Dalibor Marković
2026-06-20 14:12:13 +02:00
parent 1068bb12e0
commit 064d6dfa2a
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/templates/teme/podrazumevana/base.html
+6 -1
View File
@@ -289,7 +289,12 @@
var svg = tip === 'greska'
? '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" viewBox="0 0 24 24"><circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/></svg>'
: '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round" viewBox="0 0 24 24"><polyline points="20 6 9 17 4 12"/></svg>';
t.innerHTML = svg + '<span>' + tekst + '</span>';
// SVG je statički literal (bezbedan za innerHTML); korisnički tekst ide
// preko textContent da se ne reinterpretira kao HTML (XSS zaštita)
t.innerHTML = svg;
var tekstSpan = document.createElement('span');
tekstSpan.textContent = tekst;
t.appendChild(tekstSpan);
// prilagođavamo poziciju za mobilne uređaje
t.style.bottom = '24px';
t.style.right = '16px';