Fixed a XSS vulnerability in the /settings/store endpoint. #7282

pgadmin-org · Apr 10, 2024 · e384c96 · e384c96
1 parent 30d2d1b
commit e384c96
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 6 deletions.
diff --git a/web/pgadmin/browser/static/js/node.js b/web/pgadmin/browser/static/js/node.js
@@ -139,7 +139,7 @@ define('pgadmin.browser.node', [
           },
           enable: _.isFunction(self.canEdit) ?
             function() {
-              return !!(self.canEdit(arguments));
+              return !!(self.canEdit(...arguments));
             } : (!!self.canEdit),
         }]);
       }
@@ -159,7 +159,7 @@ define('pgadmin.browser.node', [
           },
           enable: _.isFunction(self.canDrop) ?
             function() {
-              return !!(self.canDrop(arguments));
+              return !!(self.canDrop(...arguments));
             } : (!!self.canDrop),
         }]);
 
@@ -177,7 +177,7 @@ define('pgadmin.browser.node', [
             },
             enable: _.isFunction(self.canDropCascade) ?
               function() {
-                return self.canDropCascade(arguments);
+                return self.canDropCascade(...arguments);
               } : (!!self.canDropCascade),
           }]);
         }

diff --git a/web/pgadmin/browser/templates/browser/js/utils.js b/web/pgadmin/browser/templates/browser/js/utils.js
@@ -38,7 +38,6 @@
 
 define('pgadmin.browser.utils',
   ['sources/pgadmin'], function(pgAdmin) {
-
   let pgBrowser = pgAdmin.Browser = pgAdmin.Browser || {};
 
   pgBrowser['MainMenus'] = [];
@@ -86,7 +85,7 @@ define('pgadmin.browser.utils',
   ];
 
   pgBrowser.utils = {
-    layout: '{{ layout }}',
+    layout: {{ layout|tojson }},
     theme: '{{ theme }}',
     pg_help_path: '{{ pg_help_path }}',
     tabSize: '{{ editor_tab_size }}',

diff --git a/web/pgadmin/static/js/tree/tree.js b/web/pgadmin/static/js/tree/tree.js
@@ -408,7 +408,7 @@ export class Tree {
   }
 
   findNodeByDomElement(domElement) {
-    const path = domElement.path;
+    const path = domElement?.path;
     if (!path?.[0]) {
       return undefined;
     }