Fixing some minor xss issues - Fixes #272

pull/284/head
Jordan Wright 2016-05-25 18:35:47 -05:00
parent c8155a59fe
commit 8211116375
2 changed files with 23 additions and 23 deletions


@ -36,7 +36,7 @@ function save(idx) {
// Add the attachments // Add the attachments
$.each($("#attachmentsTable").DataTable().rows().data(), function(i, target) { $.each($("#attachmentsTable").DataTable().rows().data(), function(i, target) {
template.attachments.push({ template.attachments.push({
name: target[1], name: unescapeHtml(target[1]),
content: target[3], content: target[3],
type: target[4], type: target[4],
}) })
@ -108,7 +108,7 @@ function attach(files) {
// Add the record to the modal // Add the record to the modal
attachmentsTable.row.add([ attachmentsTable.row.add([
'<i class="fa ' + icon + '"></i>', '<i class="fa ' + icon + '"></i>',
file.name, escapeHtml(file.name),
'<span class="remove-row"><i class="fa fa-trash-o"></i></span>', '<span class="remove-row"><i class="fa fa-trash-o"></i></span>',
reader.result.split(",")[1], reader.result.split(",")[1],
file.type || "application/octet-stream" file.type || "application/octet-stream"
@ -157,7 +157,7 @@ function edit(idx) {
// Add the record to the modal // Add the record to the modal
attachmentsTable.row.add([ attachmentsTable.row.add([
'<i class="fa ' + icon + '"></i>', '<i class="fa ' + icon + '"></i>',
file.name, escapeHtml(file.name),
'<span class="remove-row"><i class="fa fa-trash-o"></i></span>', '<span class="remove-row"><i class="fa fa-trash-o"></i></span>',
file.content, file.content,
file.type || "application/octet-stream" file.type || "application/octet-stream"
@ -212,7 +212,7 @@ function copy(idx) {
// Add the record to the modal // Add the record to the modal
attachmentsTable.row.add([ attachmentsTable.row.add([
'<i class="fa ' + icon + '"></i>', '<i class="fa ' + icon + '"></i>',
file.name, escapeHtml(file.name),
'<span class="remove-row"><i class="fa fa-trash-o"></i></span>', '<span class="remove-row"><i class="fa fa-trash-o"></i></span>',
file.content, file.content,
file.type || "application/octet-stream" file.type || "application/octet-stream"
@ -279,7 +279,7 @@ function load() {
templateTable.clear() templateTable.clear()
$.each(templates, function(i, template) { $.each(templates, function(i, template) {
templateTable.row.add([ templateTable.row.add([
template.name, escapeHtml(template.name),
moment(template.modified_date).format('MMMM Do YYYY, h:mm:ss a'), moment(template.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
"<div class='pull-right'><span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Edit Template' onclick='edit(" + i + ")'>\ "<div class='pull-right'><span data-toggle='modal' data-target='#modal'><button class='btn btn-primary' data-toggle='tooltip' data-placement='left' title='Edit Template' onclick='edit(" + i + ")'>\
<i class='fa fa-pencil'></i>\ <i class='fa fa-pencil'></i>\
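Review bot: The `save()` hunk now reads the attachment name back with `unescapeHtml(target[1])`, which only works if `unescapeHtml` is the exact inverse of the `escapeHtml` applied in the `attach()`, `edit()` and `copy()` hunks; neither helper is visible in this diff, and any mismatch on a single entity (say `'` encoded as `&#39;` but decoded only as `&#039;`) would silently corrupt filenames containing quotes or `&` on save. A shape that avoids the round trip keeps the raw name in the row data and escapes only at display time with a DataTables column `render` callback on column 1, e.g. `render: function (d, type) { return type === 'display' ? escapeHtml(d) : d; }`, so `save()` can read `target[1]` unchanged. Note that `file.type` and the base64 `content` are still inserted into the same rows unescaped; that is safe only if columns 3 and 4 are never rendered, which these hunks do not show. `save`, `attach`, `edit`, `copy` and `load` all start before their hunks.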


@ -5,10 +5,10 @@ function save(idx) {
var targets = [] var targets = []
$.each($("#targetsTable").DataTable().rows().data(), function(i, target) { $.each($("#targetsTable").DataTable().rows().data(), function(i, target) {
targets.push({ targets.push({
first_name: target[0], first_name: unescapeHtml(target[0]),
last_name: target[1], last_name: unescapeHtml(target[1]),
email: target[2], email: unescapeHtml(target[2]),
position: target[3] position: unescapeHtml(target[3])
}) })
}) })
var group = { var group = {
@ -71,10 +71,10 @@ function edit(idx) {
$.each(group.targets, function(i, record) { $.each(group.targets, function(i, record) {
targets.DataTable() targets.DataTable()
.row.add([ .row.add([
record.first_name, escapeHtml(record.first_name),
record.last_name, escapeHtml(record.last_name),
record.email, escapeHtml(record.email),
record.position, escapeHtml(record.position),
'<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>' '<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
]).draw() ]).draw()
}); });
@ -96,10 +96,10 @@ function edit(idx) {
$.each(data.result, function(i, record) { $.each(data.result, function(i, record) {
targets.DataTable() targets.DataTable()
.row.add([ .row.add([
record.first_name, escapeHtml(record.first_name),
record.last_name, escapeHtml(record.last_name),
record.email, escapeHtml(record.email),
record.position, escapeHtml(record.position),
'<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>' '<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
]).draw() ]).draw()
}); });
@ -146,8 +146,8 @@ function load() {
} }
}) })
groupTable.row.add([ groupTable.row.add([
group.name, escapeHtml(group.name),
targets, escapeHtml(targets),
moment(group.modified_date).format('MMMM Do YYYY, h:mm:ss a'), moment(group.modified_date).format('MMMM Do YYYY, h:mm:ss a'),
"<div class='pull-right'><button class='btn btn-primary' data-toggle='modal' data-target='#modal' onclick='edit(" + i + ")'>\ "<div class='pull-right'><button class='btn btn-primary' data-toggle='modal' data-target='#modal' onclick='edit(" + i + ")'>\
<i class='fa fa-pencil'></i>\ <i class='fa fa-pencil'></i>\
@ -173,10 +173,10 @@ $(document).ready(function() {
$("#targetForm").submit(function() { $("#targetForm").submit(function() {
targets.DataTable() targets.DataTable()
.row.add([ .row.add([
$("#firstName").val(), escapeHtml($("#firstName").val()),
$("#lastName").val(), escapeHtml($("#lastName").val()),
$("#email").val(), escapeHtml($("#email").val()),
$("#position").val(), escapeHtml($("#position").val()),
'<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>' '<span style="cursor:pointer;"><i class="fa fa-trash-o"></i></span>'
]) ])
.draw() .draw()
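Review bot: The `save()` hunk depends on `unescapeHtml` exactly inverting the `escapeHtml` now applied to every target cell in the `edit()` hunks and the `#targetForm` submit handler; both helpers are outside this diff, and a mismatch would silently corrupt first/last names, emails or positions containing `&`, `<`, `"` or `'` when the group is saved. Storing the escaped text in the DataTable's data model also means sorting, filtering and any other consumer of `.rows().data()` sees entity-encoded values, not the user's input. Consider leaving the raw values in the rows and escaping at display time with a column `render` callback on columns 0–3, e.g. `render: function (d, type) { return type === 'display' ? escapeHtml(d) : d; }`, which removes the need for the four `unescapeHtml` calls in `save()`. In the `load()` hunk, `escapeHtml(targets)` wraps a string built above the hunk; confirm it is plain text and not markup that was meant to render. `save`, `edit` and `load` all start before their hunks.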