escape rendered npm package info #2086

2 participants


I noticed a template bug in admin/plugins - npm package info sometimes contains html tags, but it is unescaped before output.

This patch uses jQuery.text() instead of jQuery.html() to output the npm values.

I didn't look through the codebase to see if there are other instances when remote data is rendered using html() - this is a potential attack vector, right?
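The html()-versus-text() difference described above, as an added example that is not Etherpad's own code: a plain-JavaScript model of the plugin-table row renderer, in the raw-interpolation style the PR replaces and in a form where every registry-supplied field is escaped for the context it lands in (attribute or text). The `escapeHtml` helper, the `renderRow*` functions and the `samplePlugin` record are constructed here; the field names mirror the ones the diff touches.

```javascript
// Added example (not Etherpad's code). Models how untrusted npm registry
// metadata ends up in the admin/plugins table, before and after escaping.

// Escaper covering both text and single/double-quoted attribute contexts.
// jQuery's .text() handles the text context; attributes still need this.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// 'Before': mirrors .html(plugin[attr]) and the string-built <a> element.
// Every field is interpolated raw, so registry-controlled markup stays live.
function renderRowUnsafe(plugin) {
  return '<tr>' +
    "<td class='name'><a target='_blank' title='Plugin details' href='" +
      plugin.name + "'>" + plugin.name.slice(3) + '</a></td>' +
    "<td class='description'>" + plugin.description + '</td>' +
    "<td class='version'>" + plugin.version + '</td>' +
    '</tr>';
}

// 'After': each value escaped for its context. In jQuery terms this is
// $('<a>').attr('href', name).text(name.slice(3)) for the link and
// row.find('.' + attr).text(plugin[attr]) for the plain cells.
function renderRowSafe(plugin) {
  return '<tr>' +
    "<td class='name'><a target='_blank' title='Plugin details' href='" +
      escapeHtml(plugin.name) + "'>" + escapeHtml(plugin.name.slice(3)) +
      '</a></td>' +
    "<td class='description'>" + escapeHtml(plugin.description) + '</td>' +
    "<td class='version'>" + escapeHtml(plugin.version) + '</td>' +
    '</tr>';
}

// Constructed sample: metadata carrying a tag and a stray quote, the kind
// of registry content the PR description reports seeing.
const samplePlugin = {
  name: "ep_example' title='x",
  description: 'Adds <b>bold</b> buttons',
  version: '1.0.0<i>',
};

// True when a raw tag or an attribute break-out survived into the HTML.
function containsRawMarkup(html) {
  return /<[bi]>/.test(html) || /title='x/.test(html);
}
```

Run `containsRawMarkup(renderRowUnsafe(samplePlugin))` against `containsRawMarkup(renderRowSafe(samplePlugin))` to see the difference: only the unsafe renderer leaves the markup intact.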

@JohnMcLear JohnMcLear merged commit ca8dce1 into ether:develop

Commits on Feb 17, 2014
  1. @bnchdrff
Showing with 1 addition and 1 deletion.
  1. +1 −1  src/static/js/admin/plugins.js
2  src/static/js/admin/plugins.js
@@ -81,7 +81,7 @@ $(document).ready(function () {
if(attr == "name"){ // Hack to rewrite URLS into name
row.find(".name").html("<a target='_blank' title='Plugin details' href='"+plugin['name']+"'>"+plugin['name'].substr(3)+"</a>"); // remove 'ep_'
- row.find("." + attr).html(plugin[attr]);
+ row.find("." + attr).text(plugin[attr]);
row.find(".version").html( plugin.version );
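Review bot: the escaping is incomplete in this hunk: the `.name` branch two lines above the change still calls `.html()` on a string that concatenates `plugin['name']` raw into both the `href` attribute and the link text, and the trailing context line still renders `plugin.version` with `.html( plugin.version )`, so registry-supplied markup in those two fields remains live even after this fix. Suggest building the link with `$('<a>').attr({target: '_blank', title: 'Plugin details', href: plugin['name']}).text(plugin['name'].substr(3))` and changing `row.find(".version").html( plugin.version );` to `row.find(".version").text( plugin.version );`.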