Merge pull request #980 from noobpk/noobpk-fix-xss

Add function `htmlEntities` into template ticket_list.html
django-helpdesk · Nov 12, 2021 · 91b37f6 · 91b37f6
2 parents 3f24587 + 2c7065e
commit 91b37f6
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/helpdesk/templates/helpdesk/ticket_list.html b/helpdesk/templates/helpdesk/ticket_list.html
@@ -330,7 +330,11 @@ <h5 class="mb-0">
         function get_url(row) {
             return "{% url 'helpdesk:view' 1234 %}".replace(/1234/, row.id.toString());
         }
-
+
+        function htmlEntities(str) {
+            return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+        }
+
         $(document).ready(function () {
             // Ticket DataTable Initialization
             $('#ticketTable').DataTable({
@@ -366,7 +370,7 @@ <h5 class="mb-0">
                             if (type === 'display') {
                                 data = '<div class="tickettitle"><a href="' + get_url(row) + '" >' +
                                     row.id + '. ' +
-                                    row.title + '</a></div>';
+                                    htmlEntities(row.title) + '</a></div>';
                             }
                             return data
                         }