Skip to content

Mlite#271

Merged
basoro merged 3 commits intomasterfrom
mlite
Nov 3, 2024
Merged

Mlite#271
basoro merged 3 commits intomasterfrom
mlite

Conversation

@basoro
Copy link
Copy Markdown
Owner

@basoro basoro commented Nov 3, 2024

No description provided.

@basoro basoro merged commit 44ea8ef into master Nov 3, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 3, 2024
View reviewed changes
plugins/apotek_ralan/view/admin/rincian.html
var jam_peresepan = $(this).attr("data-jam_peresepan");
var tipe = $(this).attr("data-tipe");
$("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:500px;height:360px;"><iframe src="' + baseURL + '/apotek_ralan/cetaklabel/' + no_rawat +'/' + tipe +'/' + tgl_peresepan + '?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');
$("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:500px;height:360px;"><iframe src="' + baseURL + '/apotek_ralan/cetaklabel/' + kode_brng +'/' + no_rawat +'/' + tgl_peresepan +'/' + jam_peresepan + '/' + tipe +'?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML

[DOM text](1) is reinterpreted as HTML without escaping meta-characters. [DOM text](2) is reinterpreted as HTML without escaping meta-characters. [DOM text](3) is reinterpreted as HTML without escaping meta-characters. [DOM text](4) is reinterpreted as HTML without escaping meta-characters. [DOM text](5) is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI over 1 year ago

To fix the problem, we need to ensure that any data inserted into the HTML is properly escaped to prevent XSS attacks. Instead of using .html(), we can use .text() for text content and set attributes directly for other data. For the iframe src, we can construct the URL safely and set it using jQuery's .attr() method.

Suggested changeset 1
plugins/apotek_ralan/view/admin/rincian.html

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/plugins/apotek_ralan/view/admin/rincian.html b/plugins/apotek_ralan/view/admin/rincian.html
--- a/plugins/apotek_ralan/view/admin/rincian.html
+++ b/plugins/apotek_ralan/view/admin/rincian.html
@@ -214,3 +214,5 @@
       var tipe = $(this).attr("data-tipe");
-      $("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:500px;height:360px;"><iframe src="' + baseURL + '/apotek_ralan/cetaklabel/' + kode_brng +'/' + no_rawat +'/' + tgl_peresepan +'/' + jam_peresepan + '/' + tipe +'?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');
+      var iframeSrc = baseURL + '/apotek_ralan/cetaklabel/' + encodeURIComponent(kode_brng) + '/' + encodeURIComponent(no_rawat) + '/' + encodeURIComponent(tgl_peresepan) + '/' + encodeURIComponent(jam_peresepan) + '/' + encodeURIComponent(tipe) + '?t=' + encodeURIComponent(mlite.token);
+      $("#cetakEtiket").modal('show').find('.modal-body .cetak-kartu').html('<div style="text-align:center;margin:20px auto;width:500px;height:360px;"><iframe frameborder="no" width="100%" height="100%"></iframe></div>');
+      $("#cetakEtiket").find('iframe').attr('src', iframeSrc);
   })
@@ -222,3 +224,5 @@
       var tipe = $(this).attr("data-tipe");
-      $("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:700px;height:900px;"><iframe src="' + baseURL + '/apotek_ralan/cetakeresep/' + no_rawat +'/' + tipe +'/' + tgl_peresepan + '/' + jam_peresepan + '?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');
+      var iframeSrc = baseURL + '/apotek_ralan/cetakeresep/' + encodeURIComponent(no_rawat) + '/' + encodeURIComponent(tipe) + '/' + encodeURIComponent(tgl_peresepan) + '/' + encodeURIComponent(jam_peresepan) + '?t=' + encodeURIComponent(mlite.token);
+      $("#cetakEtiket").modal('show').find('.modal-body .cetak-kartu').html('<div style="text-align:center;margin:20px auto;width:700px;height:900px;"><iframe frameborder="no" width="100%" height="100%"></iframe></div>');
+      $("#cetakEtiket").find('iframe').attr('src', iframeSrc);
   })
EOF
@@ -214,3 +214,5 @@
var tipe = $(this).attr("data-tipe");
$("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:500px;height:360px;"><iframe src="' + baseURL + '/apotek_ralan/cetaklabel/' + kode_brng +'/' + no_rawat +'/' + tgl_peresepan +'/' + jam_peresepan + '/' + tipe +'?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');
var iframeSrc = baseURL + '/apotek_ralan/cetaklabel/' + encodeURIComponent(kode_brng) + '/' + encodeURIComponent(no_rawat) + '/' + encodeURIComponent(tgl_peresepan) + '/' + encodeURIComponent(jam_peresepan) + '/' + encodeURIComponent(tipe) + '?t=' + encodeURIComponent(mlite.token);
$("#cetakEtiket").modal('show').find('.modal-body .cetak-kartu').html('<div style="text-align:center;margin:20px auto;width:500px;height:360px;"><iframe frameborder="no" width="100%" height="100%"></iframe></div>');
$("#cetakEtiket").find('iframe').attr('src', iframeSrc);
})
@@ -222,3 +224,5 @@
var tipe = $(this).attr("data-tipe");
$("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:700px;height:900px;"><iframe src="' + baseURL + '/apotek_ralan/cetakeresep/' + no_rawat +'/' + tipe +'/' + tgl_peresepan + '/' + jam_peresepan + '?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');
var iframeSrc = baseURL + '/apotek_ralan/cetakeresep/' + encodeURIComponent(no_rawat) + '/' + encodeURIComponent(tipe) + '/' + encodeURIComponent(tgl_peresepan) + '/' + encodeURIComponent(jam_peresepan) + '?t=' + encodeURIComponent(mlite.token);
$("#cetakEtiket").modal('show').find('.modal-body .cetak-kartu').html('<div style="text-align:center;margin:20px auto;width:700px;height:900px;"><iframe frameborder="no" width="100%" height="100%"></iframe></div>');
$("#cetakEtiket").find('iframe').attr('src', iframeSrc);
})
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
plugins/apotek_ranap/view/admin/rincian.html
var tipe = $(this).attr("data-tipe");
$("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:500px;height:360px;"><iframe src="' + baseURL + '/apotek_ranap/cetaklabel/' + no_rawat +'/' + tipe +'/' + tgl_peresepan + '?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');
// alert(baseURL + '/apotek_ranap/cetaklabel/' + kode_brng +'/' + no_rawat +'/' + tgl_peresepan +'/' + jam_peresepan + '/' + tipe +'?t=' + mlite.token);
$("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:500px;height:360px;"><iframe src="' + baseURL + '/apotek_ranap/cetaklabel/' + kode_brng +'/' + no_rawat +'/' + tgl_peresepan +'/' + jam_peresepan + '/' + tipe +'?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML

[DOM text](1) is reinterpreted as HTML without escaping meta-characters. [DOM text](2) is reinterpreted as HTML without escaping meta-characters. [DOM text](3) is reinterpreted as HTML without escaping meta-characters. [DOM text](4) is reinterpreted as HTML without escaping meta-characters. [DOM text](5) is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI over 1 year ago

To fix the problem, we need to ensure that any user-controlled data is properly sanitized or escaped before being inserted into the HTML. Instead of using the .html() method, which can interpret the string as HTML, we should use the .text() method for text content or construct the DOM elements in a safer way.

In this case, we can create the iframe element using jQuery and set its attributes directly, which avoids the need to construct an HTML string and reduces the risk of XSS.

Suggested changeset 1
plugins/apotek_ranap/view/admin/rincian.html

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/plugins/apotek_ranap/view/admin/rincian.html b/plugins/apotek_ranap/view/admin/rincian.html
--- a/plugins/apotek_ranap/view/admin/rincian.html
+++ b/plugins/apotek_ranap/view/admin/rincian.html
@@ -215,3 +215,13 @@
       // alert(baseURL + '/apotek_ranap/cetaklabel/' + kode_brng +'/' + no_rawat +'/' + tgl_peresepan +'/' + jam_peresepan + '/' + tipe +'?t=' + mlite.token);
-      $("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:500px;height:360px;"><iframe src="' + baseURL + '/apotek_ranap/cetaklabel/' + kode_brng +'/' + no_rawat +'/' + tgl_peresepan +'/' + jam_peresepan + '/' + tipe +'?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');
+      var iframeSrc = baseURL + '/apotek_ranap/cetaklabel/' + encodeURIComponent(kode_brng) + '/' + encodeURIComponent(no_rawat) + '/' + encodeURIComponent(tgl_peresepan) + '/' + encodeURIComponent(jam_peresepan) + '/' + encodeURIComponent(tipe) + '?t=' + encodeURIComponent(mlite.token);
+      var iframe = $('<iframe>', {
+          src: iframeSrc,
+          frameborder: 'no',
+          width: '100%',
+          height: '100%'
+      });
+      var div = $('<div>', {
+          style: 'text-align:center;margin:20px auto;width:500px;height:360px;'
+      }).append(iframe);
+      $("#cetakEtiket").modal('show').html(div);
   })
@@ -223,3 +233,13 @@
       var tipe = $(this).attr("data-tipe");
-      $("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:700px;height:900px;"><iframe src="' + baseURL + '/apotek_ranap/cetakeresep/' + no_rawat +'/' + tipe +'/' + tgl_peresepan + '/' + jam_peresepan + '?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');
+      var iframeSrc = baseURL + '/apotek_ranap/cetakeresep/' + encodeURIComponent(no_rawat) + '/' + encodeURIComponent(tipe) + '/' + encodeURIComponent(tgl_peresepan) + '/' + encodeURIComponent(jam_peresepan) + '?t=' + encodeURIComponent(mlite.token);
+      var iframe = $('<iframe>', {
+          src: iframeSrc,
+          frameborder: 'no',
+          width: '100%',
+          height: '100%'
+      });
+      var div = $('<div>', {
+          style: 'text-align:center;margin:20px auto;width:700px;height:900px;'
+      }).append(iframe);
+      $("#cetakEtiket").modal('show').html(div);
   })
EOF
@@ -215,3 +215,13 @@
// alert(baseURL + '/apotek_ranap/cetaklabel/' + kode_brng +'/' + no_rawat +'/' + tgl_peresepan +'/' + jam_peresepan + '/' + tipe +'?t=' + mlite.token);
$("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:500px;height:360px;"><iframe src="' + baseURL + '/apotek_ranap/cetaklabel/' + kode_brng +'/' + no_rawat +'/' + tgl_peresepan +'/' + jam_peresepan + '/' + tipe +'?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');
var iframeSrc = baseURL + '/apotek_ranap/cetaklabel/' + encodeURIComponent(kode_brng) + '/' + encodeURIComponent(no_rawat) + '/' + encodeURIComponent(tgl_peresepan) + '/' + encodeURIComponent(jam_peresepan) + '/' + encodeURIComponent(tipe) + '?t=' + encodeURIComponent(mlite.token);
var iframe = $('<iframe>', {
src: iframeSrc,
frameborder: 'no',
width: '100%',
height: '100%'
});
var div = $('<div>', {
style: 'text-align:center;margin:20px auto;width:500px;height:360px;'
}).append(iframe);
$("#cetakEtiket").modal('show').html(div);
})
@@ -223,3 +233,13 @@
var tipe = $(this).attr("data-tipe");
$("#cetakEtiket").modal('show').html('<div style="text-align:center;margin:20px auto;width:700px;height:900px;"><iframe src="' + baseURL + '/apotek_ranap/cetakeresep/' + no_rawat +'/' + tipe +'/' + tgl_peresepan + '/' + jam_peresepan + '?t=' + mlite.token + '" frameborder="no" width="100%" height="100%"></iframe></div>');
var iframeSrc = baseURL + '/apotek_ranap/cetakeresep/' + encodeURIComponent(no_rawat) + '/' + encodeURIComponent(tipe) + '/' + encodeURIComponent(tgl_peresepan) + '/' + encodeURIComponent(jam_peresepan) + '?t=' + encodeURIComponent(mlite.token);
var iframe = $('<iframe>', {
src: iframeSrc,
frameborder: 'no',
width: '100%',
height: '100%'
});
var div = $('<div>', {
style: 'text-align:center;margin:20px auto;width:700px;height:900px;'
}).append(iframe);
$("#cetakEtiket").modal('show').html(div);
})
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@basoro @github-advanced-security