From a86a2b25e00dc3e1994eadf303811ffed1289475 Mon Sep 17 00:00:00 2001
From: thanhluong
Date: Sun, 17 May 2020 18:01:59 +0000
Subject: [PATCH] Avoid XSS

---
 templates/chat/chat.html | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/templates/chat/chat.html b/templates/chat/chat.html
index 748242a..52e94e5 100644
--- a/templates/chat/chat.html
+++ b/templates/chat/chat.html
@@ -12,14 +12,16 @@ $('#loader').hide(); chatSocket.onmessage = function(e) {
- let data = JSON.parse(e.data)
- data = data['message']
+ let data = JSON.parse(e.data);
+ console.log(data);
+ data = data['message'];
 loadMessage(data['body'], data['author'], data['time'], data['id'], data['image'],
- true)
+ true);
+ // console.log(data);
 $('#chat-box').scrollTop($('#chat-box')[0].scrollHeight); };
@@ -30,7 +32,8 @@
 } function loadMessage(content, user, time, messid, image, isNew) {
- if (isNew) content = encodeHTML(content)
+ // if (isNew) content = encodeHTML(content)
+ content = encodeHTML(content);
 li = `
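Review bot: The added `console.log(data);` right after `JSON.parse(e.data)` writes every incoming socket payload to the browser console, and the commented-out `// console.log(data);` after `true);` is dead code; both sit oddly in a commit whose last hunk removes exactly this kind of debug logging from the delete handler. The payload carries other users' message bodies and author names, so leaving it in the console is noise at best and ends up in shared screenshots or support logs at worst. I would drop both lines so `onmessage` only parses, calls `loadMessage(...)` and scrolls.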
  •
@@ -58,9 +61,11 @@
 (function init_chatlog() { ul = $('#chat-log')
+ {% autoescape on %}
 {% for msg in message %}
- loadMessage(`{{msg.body}}`, `{{msg.author}}`, `{{msg.time}}`, `{{msg.id}}`, `{{gravatar(msg.author, 32)}}`)
+ loadMessage("{{msg.body|safe|escapejs}}", `{{msg.author}}`, `{{msg.time}}`, `{{msg.id}}`, `{{gravatar(msg.author, 32)}}`);
 {% endfor %}
+ {% endautoescape %}
 $('#chat-box').scrollTop($('#chat-box')[0].scrollHeight); })()
@@ -101,21 +106,21 @@ scrollContainer($('#chat-box'), $('#loader'))
+ {% if request.user.is_staff %}
 $(document).on("click", ".chatbtn_remove_mess", function() { var elt = $(this);
- console.log(elt.data());
 $.ajax({ url: 'delete/', type: 'post', data: elt.data(), dataType: 'json', success: function(data){
- console.log(data);
 console.log('delete ajax call success!'); location.reload(); } }); });
+ {% endif %}
 $("#chat-submit").click(function() { if ($("#chat-input").val().trim()) {
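Review bot: Only `msg.body` gets the `|safe|escapejs` treatment in the new `loadMessage(...)` call; `msg.author`, `msg.time`, `msg.id` and the `gravatar(...)` result are still interpolated into backtick template literals, and HTML autoescaping does not touch backticks, `${` or backslashes, so a stored author value containing them can still break out of the JavaScript string. Using the same quoted form for every argument fixes the string context, e.g. `loadMessage("{{msg.body|safe|escapejs}}", "{{msg.author|escapejs}}", "{{msg.time|escapejs}}", "{{msg.id|escapejs}}", "{{gravatar(msg.author, 32)|escapejs}}");`. `escapejs` only makes a value safe inside the JS string; whether `user` and `image` are also HTML-encoded before `loadMessage` builds the `li` markup is decided in the second hunk, which is cut off before the template literal body, so that has to be checked separately. The `{% autoescape on %}` wrapper is presumably there because an enclosing block turns autoescaping off; if that is not the case it is redundant and a short comment saying which it is would help.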
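Review bot: Wrapping the delete handler in `{% if request.user.is_staff %}` only removes the click handler from the HTML served to non-staff users; the `delete/` endpoint it posts to is still reachable by anyone who sends the same request, so the staff check has to be enforced in that view as well, and nothing in this hunk shows that it is. A comment on the new block would make the intent explicit for the next reader, e.g. `{# UI-only gate: the delete view must enforce is_staff itself #}`. I also cannot see how a CSRF token reaches this POST — `data: elt.data()` only carries the element's data attributes — so it is worth confirming that it is supplied via the element or a global `ajaxSetup` rather than the view being exempt. The `$("#chat-submit").click(...)` handler at the end starts inside the hunk and continues outside it.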