avoid CSS vulnerability in Find Anything

This commit is contained in:
Oliver Gorwits
2023-06-28 12:06:11 +01:00
parent 39562e0633
commit 9f4401f2fb


@@ -6,6 +6,7 @@ use Dancer::Plugin::DBIC;
use Dancer::Plugin::Auth::Extensible; use Dancer::Plugin::Auth::Extensible;
use App::Netdisco::Util::Web (); # for sort_port use App::Netdisco::Util::Web (); # for sort_port
use HTML::Entities 'encode_entities';
ajax '/ajax/data/devicename/typeahead' => require_login sub { ajax '/ajax/data/devicename/typeahead' => require_login sub {
return '[]' unless setting('navbar_autocomplete'); return '[]' unless setting('navbar_autocomplete');
@@ -14,7 +15,7 @@ ajax '/ajax/data/devicename/typeahead' => require_login sub {
my $set = schema(vars->{'tenant'})->resultset('Device')->search_fuzzy($q); my $set = schema(vars->{'tenant'})->resultset('Device')->search_fuzzy($q);
content_type 'application/json'; content_type 'application/json';
to_json [map {$_->dns || $_->name || $_->ip} $set->all]; to_json [map {encode_entities($_->dns || $_->name || $_->ip)} $set->all];
}; };
ajax '/ajax/data/deviceip/typeahead' => require_login sub { ajax '/ajax/data/deviceip/typeahead' => require_login sub {
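Review bot: encode_entities with no second argument, as called on the new to_json line, also converts control and non-ASCII characters to entities, so a device whose dns or name contains such characters would reach the typeahead as entity text (e.g. `&eacute;` for é) rather than as the original characters. If the server-side encoding is kept as defense in depth, restricting it to the HTML-significant set keeps the rest of the JSON value intact: `to_json [map {encode_entities($_->dns || $_->name || $_->ip, q{<>&"'})} $set->all];`. Encoding at the JSON layer is presumably a stopgap; the place that reliably neutralizes markup is where the client inserts the suggestion into the DOM, and a value that has been entity-encoded here will no longer match the stored name if the client submits it back as a search query. The deviceip route on the last line opens a sub whose body lies outside the hunk, so whether it needs the same treatment cannot be judged from here.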