Avoid XSS

This commit is contained in:
thanhluong 2020-05-17 18:01:59 +00:00
parent 49de777c9f
commit a86a2b25e0


@ -12,14 +12,16 @@
$('#loader').hide(); $('#loader').hide();
chatSocket.onmessage = function(e) { chatSocket.onmessage = function(e) {
let data = JSON.parse(e.data) let data = JSON.parse(e.data);
data = data['message'] console.log(data);
data = data['message'];
loadMessage(data['body'], loadMessage(data['body'],
data['author'], data['author'],
data['time'], data['time'],
data['id'], data['id'],
data['image'], data['image'],
true) true);
// console.log(data);
$('#chat-box').scrollTop($('#chat-box')[0].scrollHeight); $('#chat-box').scrollTop($('#chat-box')[0].scrollHeight);
}; };
@ -30,7 +32,8 @@
} }
function loadMessage(content, user, time, messid, image, isNew) { function loadMessage(content, user, time, messid, image, isNew) {
if (isNew) content = encodeHTML(content) // if (isNew) content = encodeHTML(content)
content = encodeHTML(content);
li = `<li class="message"> li = `<li class="message">
<img src="${image}" class="profile-pic"> <img src="${image}" class="profile-pic">
<div class="body-message"> <div class="body-message">
@ -58,9 +61,11 @@
(function init_chatlog() { (function init_chatlog() {
ul = $('#chat-log') ul = $('#chat-log')
{% autoescape on %}
{% for msg in message %} {% for msg in message %}
loadMessage(`{{msg.body}}`, `{{msg.author}}`, `{{msg.time}}`, `{{msg.id}}`, `{{gravatar(msg.author, 32)}}`) loadMessage("{{msg.body|safe|escapejs}}", `{{msg.author}}`, `{{msg.time}}`, `{{msg.id}}`, `{{gravatar(msg.author, 32)}}`);
{% endfor %} {% endfor %}
{% endautoescape %}
$('#chat-box').scrollTop($('#chat-box')[0].scrollHeight); $('#chat-box').scrollTop($('#chat-box')[0].scrollHeight);
})() })()
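Review bot: The `escapejs` fix on the new side of line 38 covers only `msg.body`; `msg.author`, `msg.time`, `msg.id` and the gravatar value are still interpolated into backtick template literals, and the surrounding `{% autoescape on %}` only HTML-escapes `<>&"'`, so a value containing a backtick or `${` would still break out of the string and run as JavaScript (Django's own docs state that `escapejs` output is likewise not safe inside template literals). Put every argument in a double-quoted string with `|escapejs`: `loadMessage("{{msg.body|escapejs}}", "{{msg.author|escapejs}}", "{{msg.time|escapejs}}", "{{msg.id|escapejs}}", "{{gravatar(msg.author, 32)|escapejs}}");` — the `|safe` before `escapejs` is redundant, since `escapejs` already rewrites the HTML-significant characters. Whether author or time can actually carry such characters depends on server-side validation that is not visible here. Note also that `loadMessage` (hunk at @ -30) HTML-encodes only `content`, so `user` and `image` still reach the generated markup raw; that function's body runs past the hunk.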
@ -101,21 +106,21 @@
scrollContainer($('#chat-box'), $('#loader')) scrollContainer($('#chat-box'), $('#loader'))
{% if request.user.is_staff %}
$(document).on("click", ".chatbtn_remove_mess", function() { $(document).on("click", ".chatbtn_remove_mess", function() {
var elt = $(this); var elt = $(this);
console.log(elt.data());
$.ajax({ $.ajax({
url: 'delete/', url: 'delete/',
type: 'post', type: 'post',
data: elt.data(), data: elt.data(),
dataType: 'json', dataType: 'json',
success: function(data){ success: function(data){
console.log(data);
console.log('delete ajax call success!'); console.log('delete ajax call success!');
location.reload(); location.reload();
} }
}); });
}); });
{% endif %}
$("#chat-submit").click(function() { $("#chat-submit").click(function() {
if ($("#chat-input").val().trim()) { if ($("#chat-input").val().trim()) {