Skip to content

Commit

Permalink
Remove unsafe script tag replace (#1716)
Browse files Browse the repository at this point in the history
  • Loading branch information
@mvorisek
mvorisek authored Dec 9, 2021
1 parent 987c9f2 commit a1eacc7
Show file tree
Hide file tree
Showing 6 changed files with 16 additions and 20 deletions.
2 changes: 1 addition & 1 deletion js/src/services/api.service.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ class ApiService {
}
if (response && response.atkjs) {
// Call evalResponse with proper context, js code and jQuery as $ var.
atk.apiService.evalResponse.call(this, response.atkjs.replace(/<\/?script>/g, ''), jQuery);
atk.apiService.evalResponse.call(this, response.atkjs, jQuery);
}
if (atk.apiService.afterSuccessCallbacks.length > 0) {
const self = this;
Expand Down
2 changes: 1 addition & 1 deletion public/atkjs-ui.min.js
View file

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion src/App.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -576,7 +576,7 @@ public function run()

$this->html->template->set('title', $this->title);
$this->html->renderAll();
$this->html->template->dangerouslyAppendHtml('HEAD', $this->html->getJs());
$this->html->template->dangerouslyAppendHtml('HEAD', $this->getTag('script', null, $this->html->getJs()));
$this->is_rendering = false;

if (isset($_GET[Callback::URL_QUERY_TARGET]) && $this->catch_runaway_callbacks) {
Expand Down
8 changes: 5 additions & 3 deletions src/View.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -743,7 +743,9 @@ public function render(bool $forceReturn = true): string
{
$this->renderAll();

return $this->getJs($forceReturn)
$js = $this->getJs($forceReturn);

return ($js !== '' ? $this->getApp()->getTag('script', null, $js) : '')
. $this->renderTemplateToHtml();
}

Expand Down Expand Up @@ -1199,7 +1201,7 @@ public function getJs(bool $forceReturn = false)
}
}

if (!$actions) {
if (count($actions) === 0) {
return '';
}

Expand All @@ -1218,7 +1220,7 @@ public function getJs(bool $forceReturn = false)

$ready = new JsFunction($actions);

return '<script>' . "\n" . (new Jquery($ready))->jsRender() . "\n" . '</script>';
return (new Jquery($ready))->jsRender();
}

// }}}
Expand Down
4 changes: 2 additions & 2 deletions src/VirtualPage.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ public function getHtml()
if ($mode === 'popup') {
$this->getApp()->html->template->set('title', $this->getApp()->title);
$this->getApp()->html->template->dangerouslySetHtml('Content', parent::getHtml());
$this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getJs());
$this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getApp()->getTag('script', null, $this->getJs()));

$this->getApp()->terminateHtml($this->getApp()->html->template);
}
Expand Down Expand Up @@ -142,7 +142,7 @@ public function getHtml()

$this->getApp()->html->template->dangerouslySetHtml('Content', $this->getApp()->layout->template->renderToHtml());

$this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getApp()->layout->getJs());
$this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getApp()->getTag('script', null, $this->getApp()->layout->getJs()));

$this->getApp()->terminateHtml($this->getApp()->html->template);
}
Expand Down
18 changes: 6 additions & 12 deletions tests/JsIntegrationTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,11 +50,9 @@ public function testBasicChain2(): void
$j = $v->js(true)->hide();
$v->getHtml();

$this->assertSame('<script>
$(function() {
$this->assertSame('$(function() {
$("#b").hide();
})
</script>', $v->getJs());
})', $v->getJs());
}

/**
Expand All @@ -66,13 +64,11 @@ public function testBasicChain3(): void
$v->js('click')->hide();
$v->getHtml();

$this->assertSame('<script>
$(function() {
$this->assertSame('$(function() {
$("#b").bind("click",function() {
$("#b").hide();
});
})
</script>', $v->getJs());
})', $v->getJs());
}

/**
Expand All @@ -87,14 +83,12 @@ public function testBasicChain4(): void
$b1->on('click', $b2->js()->hide());
$bb->getHtml();

$this->assertSame('<script>
$(function() {
$this->assertSame('$(function() {
$("#b1").on("click",function(event) {
event.preventDefault();
event.stopPropagation();
$("#b2").hide();
});
})
</script>', $bb->getJs());
})', $bb->getJs());
}
}

0 comments on commit a1eacc7

Please sign in to comment.