mirror of
https://github.com/dani-garcia/vaultwarden
synced 2024-12-13 17:22:58 +01:00
Escape user data from admin panel when calling JS
This commit is contained in:
parent
a744b9437a
commit
d7eeaaf249
2 changed files with 34 additions and 5 deletions
|
@ -423,7 +423,9 @@ fn load_templates(path: &str) -> Handlebars {
|
|||
let mut hb = Handlebars::new();
|
||||
// Error on missing params
|
||||
hb.set_strict_mode(true);
|
||||
// Register helpers
|
||||
hb.register_helper("case", Box::new(CaseHelper));
|
||||
hb.register_helper("jsesc", Box::new(JsEscapeHelper));
|
||||
|
||||
macro_rules! reg {
|
||||
($name:expr) => {{
|
||||
|
@ -455,7 +457,6 @@ fn load_templates(path: &str) -> Handlebars {
|
|||
hb
|
||||
}
|
||||
|
||||
#[derive(Clone, Copy)]
|
||||
pub struct CaseHelper;
|
||||
|
||||
impl HelperDef for CaseHelper {
|
||||
|
@ -479,3 +480,31 @@ impl HelperDef for CaseHelper {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub struct JsEscapeHelper;
|
||||
|
||||
impl HelperDef for JsEscapeHelper {
|
||||
fn call<'reg: 'rc, 'rc>(
|
||||
&self,
|
||||
h: &Helper<'reg, 'rc>,
|
||||
_: &'reg Handlebars,
|
||||
_: &Context,
|
||||
_: &mut RenderContext<'reg>,
|
||||
out: &mut Output,
|
||||
) -> HelperResult {
|
||||
let param = h
|
||||
.param(0)
|
||||
.ok_or_else(|| RenderError::new("Param not found for helper \"js_escape\""))?;
|
||||
|
||||
let value = param
|
||||
.value()
|
||||
.as_str()
|
||||
.ok_or_else(|| RenderError::new("Param for helper \"js_escape\" is not a String"))?;
|
||||
|
||||
let escaped_value = value.replace('\\', "").replace('\'', "\\x22").replace('\"', "\\x27");
|
||||
let quoted_value = format!(""{}"", escaped_value);
|
||||
|
||||
out.write("ed_value)?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
|
|
@ -27,8 +27,8 @@
|
|||
</span>
|
||||
</div>
|
||||
<div style="flex: 0 0 240px;">
|
||||
<a class="mr-3" href="#" onclick='deauthUser("{{Id}}")'>Deauthorize sessions</a>
|
||||
<a class="mr-3" href="#" onclick='deleteUser("{{Id}}", "{{Email}}")'>Delete User</a>
|
||||
<a class="mr-3" href="#" onclick='deauthUser({{jsesc Id}})'>Deauthorize sessions</a>
|
||||
<a class="mr-3" href="#" onclick='deleteUser({{jsesc Id}}, {{jsesc Email}})'>Delete User</a>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
@ -101,7 +101,7 @@
|
|||
{{/if}}
|
||||
{{/each}}
|
||||
<button type="submit" class="btn btn-primary">Save</button>
|
||||
<button type="button" class="btn btn-danger float-right" onclick="deleteConfig();">Reset defaults</button>
|
||||
<button type="button" class="btn btn-danger float-right" onclick="deleteConf();">Reset defaults</button>
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
|
@ -192,7 +192,7 @@
|
|||
"Error saving config", data);
|
||||
return false;
|
||||
}
|
||||
function deleteConfig() {
|
||||
function deleteConf() {
|
||||
var input = prompt("This will remove all user configurations, and restore the defaults and the " +
|
||||
"values set by the environment. This operation could be dangerous. Type 'DELETE' to proceed:");
|
||||
if (input === "DELETE") {
|
||||
|
|
Loading…
Reference in a new issue