Magic-Mirror/radare2
1
0
Fork 0
mirror of https://github.com/radareorg/radare2.git synced 2024-10-08 02:53:29 +00:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

radare2_fix_xss (#10077)

Browse Source 
This is reflected when the web service is used.

I have added an input filter for the invalid characters in the names of the files to analyze, using the encodeHtmlEntity() function, applied in the variable x[0].uri
This commit is contained in:
s1kr10s 2018-05-12 09:01:42 -03:00 committed by radare
parent f271f86a38
commit b3e726d734
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
shlr/www/index.html
View File

@ -115,6 +115,11 @@
});
});
$(document).ready( function() {
function encodeHtmlEntity(str) {
return str.replace(/[\u00A0-\u9999\<\>\(\)\{\}\[\]\%\#\&\'\"\\\/]/gim, function(c){
return '&#' + c.charCodeAt(0) + ';' ;
});
}
function updateProjectList() {
window.location.assign("/");
}
@ -135,11 +140,12 @@
r2.cmdj("oj", function(x) {
if(x) {
if(x[0].uri.indexOf("malloc://") !== -1) {
if(encodeHtmlEntity(x[0].uri).indexOf("malloc://") !== -1) {
$("#openfile").html('<input type="file" id="filename" name="filename">');
} else {
$("#openfile").html(x[0].uri);
filename = x[0].uri;
$("#openfile").html(encodeHtmlEntity(x[0].uri));
filename = encodeHtmlEntity(x[0].uri);
}
}
});