Fixing some minor xss issues - Fixes #272

pull/284/head
Jordan Wright 2016-05-25 18:35:47 -05:00
parent c8155a59fe
commit 8211116375
2 changed files with 23 additions and 23 deletions


@ -36,7 +36,7 @@ function save(idx) {
// Add the attachments
$.each($("#attachmentsTable").DataTable().rows().data(), function(i, target) {
template.attachments.push({
name: target[1],
name: unescapeHtml(target[1]),
content: target[3],
type: target[4],
})
@ -108,7 +108,7 @@ function attach(files) {
// Add the record to the modal
attachmentsTable.row.add([
'<i class="fa ' + icon + '"></i>',
file.name,
escapeHtml(file.name),
'<span class="remove-row"><i class="fa fa-trash-o"></i></span>',
reader.result.split(",")[1],
file.type || "application/octet-stream"
@ -157,7 +157,7 @@ function edit(idx) {
// Add the record to the modal
attachmentsTable.row.add([
'<i class="fa ' + icon + '"></i>',
file.name,
escapeHtml(file.name),
'<span class="remove-row"><i class="fa fa-trash-o"></i></span>',
file.content,
file.type || "application/octet-stream"
@ -212,7 +212,7 @@ function copy(idx) {
// Add the record to the modal
attachmentsTable.row.add([
'<i class="fa ' + icon + '"></i>',
file.name,
escapeHtml(file.name),
'<span class="remove-row"><i class="fa fa-trash-o"></i></span>',
file.content,
file.type || "application/octet-stream"
@ -279,7 +279,7 @@ function load() {
templateTable.clear()
$.each(templates, function(i, template) {
templateTable.row.add([
template.name,
escapeHtml(template.name),
moment(template.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
"<div class='pull-right'><span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Edit Template' onclick='edit(" + i + ")'>\
<i class='fa fa-pencil'></i>\
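Review bot: The attachment `type` cell is still inserted into the DataTable as raw markup in attach(), edit() and copy() (`file.type || "application/octet-stream"`) and read back unescaped in save() (`type: target[4]`), while the name in the same row is now escaped. In edit() and copy() that value appears to come from a stored template rather than the browser's File object, so it deserves the same treatment: `escapeHtml(file.type || "application/octet-stream")` at insert time and `type: unescapeHtml(target[4])` in save(). Escaping on insert and unescaping on save also turns the table cells into the data model, so any mismatch between escapeHtml and unescapeHtml (entity order, the `&amp;` case) silently rewrites the stored value on each edit; DataTables' `columns.render` option (for example `$.fn.dataTable.render.text()`) escapes at display time and leaves the row data raw, which would remove the unescape in save() entirely. The row string at the end of the load() hunk continues outside the hunk.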


@ -5,10 +5,10 @@ function save(idx) {
var targets = []
$.each($("#targetsTable").DataTable().rows().data(), function(i, target) {
targets.push({
first_name: target[0],
last_name: target[1],
email: target[2],
position: target[3]
first_name: unescapeHtml(target[0]),
last_name: unescapeHtml(target[1]),
email: unescapeHtml(target[2]),
position: unescapeHtml(target[3])
})
})
var group = {
@ -71,10 +71,10 @@ function edit(idx) {
$.each(group.targets, function(i, record) {
targets.DataTable()
.row.add([
record.first_name,
record.last_name,
record.email,
record.position,
escapeHtml(record.first_name),
escapeHtml(record.last_name),
escapeHtml(record.email),
escapeHtml(record.position),
'<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
]).draw()
});
@ -96,10 +96,10 @@ function edit(idx) {
$.each(data.result, function(i, record) {
targets.DataTable()
.row.add([
record.first_name,
record.last_name,
record.email,
record.position,
escapeHtml(record.first_name),
escapeHtml(record.last_name),
escapeHtml(record.email),
escapeHtml(record.position),
'<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
]).draw()
});
@ -146,8 +146,8 @@ function load() {
}
})
groupTable.row.add([
group.name,
targets,
escapeHtml(group.name),
escapeHtml(targets),
moment(group.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
"<div class='pull-right'><button class='btn btn-primary' data-toggle='modal' data-target='#modal' onclick='edit(" + i + ")'>\
<i class='fa fa-pencil'></i>\
@ -173,10 +173,10 @@ $(document).ready(function() {
$("#targetForm").submit(function() {
targets.DataTable()
.row.add([
$("#firstName").val(),
$("#lastName").val(),
$("#email").val(),
$("#position").val(),
escapeHtml($("#firstName").val()),
escapeHtml($("#lastName").val()),
escapeHtml($("#email").val()),
escapeHtml($("#position").val()),
'<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
])
.draw()
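Review bot: save() now depends on unescapeHtml() being an exact inverse of escapeHtml() for the four target fields, and neither function is visible here; if unescapeHtml is implemented by parsing the string as markup (innerHTML or jQuery `.html()` on a scratch element) it is itself an injection sink and the fix only moves the problem from load() to save(). A plain string replace over the entity set escapeHtml produces (replace `&` first when escaping, `&amp;` last when unescaping) keeps the round-trip exact, and a DataTables `columns.render` text renderer would avoid the round-trip altogether by escaping at display time while `rows().data()` still returns the raw values. `escapeHtml(targets)` in load() is only correct if `targets` is a plain string built from the group's target data; its construction starts outside the hunk. The edit() and load() bodies also continue outside their hunks.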