Univention Bugzilla – Attachment 9870 Details for Bug 48812
Cross Site Scripting in Portal allows session fixation of Administrators and other attacks
[patch] possible patch
purify_editor.patch (text/plain), 1.02 KB, created by Johannes Keiser on 2019-02-27 19:18:47 CET
>diff --git a/management/univention-web/js/widgets/Editor.js b/management/univention-web/js/widgets/Editor.js >index d9c40abd54..7c5c5de86b 100644 >--- a/management/univention-web/js/widgets/Editor.js >+++ b/management/univention-web/js/widgets/Editor.js >@@ -32,14 +32,25 @@ define([ > "dojo/_base/declare", > "dijit/Editor", > "umc/widgets/_FormWidgetMixin", >+ "dompurify/purify", > "dijit/_editor/plugins/ViewSource", > "dijit/_editor/plugins/FullScreen", > "dojox/editor/plugins/PrettyPrint" >-], function(declare, Editor, _FormWidgetMixin) { >+], function(declare, Editor, _FormWidgetMixin, purify) { > return declare("umc.widgets.Editor", [ Editor, _FormWidgetMixin ], { > labelPosition: 'top', > extraPlugins: ['viewSource', 'fullscreen', 'prettyprint'], > >+ _setValueAttr: function(value) { >+ value = purify.sanitize(value); >+ this.inherited(arguments); >+ }, >+ >+ _getValueAttr: function() { >+ var value = this.inherited(arguments); >+ return purify.sanitize(value); >+ }, >+ > ready: function() { > return this.onLoadDeferred; > }
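Review bot: in `_setValueAttr`, the sanitized string reaches the parent setter only because reassigning `value` also rewrites `arguments[0]` in non-strict code; if this module is ever evaluated in strict mode, `this.inherited(arguments)` forwards the original, unsanitized input. Pass the cleaned value explicitly with `this.inherited(arguments, [value])` so the fix does not depend on arguments aliasing. Both `purify.sanitize` calls also run with the default configuration and no comment says why the getter sanitizes again on read; a short comment stating which path each call protects (values loaded into the editor versus values read back from it) would make the intent reviewable.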
Attachments on bug 48812: 9869 | 9870 | 9948