Merge commit from fork

(security) XSS Vulnerabilities in Admin Settings Panel
yogeshojha · Feb 4, 2025 · b77d1e0 · b77d1e0
2 parents 911196d + 635890d
commit b77d1e0
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/web/dashboard/templates/dashboard/admin.html b/web/dashboard/templates/dashboard/admin.html
@@ -67,9 +67,9 @@ <h4>Users</h4>
                 </th>
                 <th>
                   {% if muser.get_full_name %}
-                  {{muser.get_full_name}}
+                  {{muser.get_full_name|escape}}
                   {% else %}
-                  {{muser.username}}
+                  {{muser.username|escape}}
                   {% endif %}
                 </th>
                 <th>
@@ -128,7 +128,7 @@ <h4>Users</h4>
 function delete_user(id, username) {
   const delAPI = "./update?mode=delete&user=" + id;
   swal.queue([{
-    title: 'Are you sure you want to delete user '+ username +'?',
+    title: 'Are you sure you want to delete user '+ htmlEncode(username) +'?',
     text: "You won't be able to revert this!",
     type: 'warning',
     showCancelButton: true,
@@ -313,7 +313,7 @@ <h4>Users</h4>
               Swal.fire({
                 title: "Oops! Can't create user!",
                 icon: 'error',
-                text: 'Error: ' + data.error,
+                text: 'Error: ' + htmlEncode(data.error),
               })
             }