security: fix vulnerabilities and harden code (2026-03-12)
Path traversal fixes: - DeleteFile.js: use path.resolve() + symlink protection (CRITICAL) - DeleteFileFolder.js: add path.resolve() validation + symlink check (CRITICAL) - RenameFile.js: use path.resolve() with proper prefix check + symlink guard (HIGH) - attachments.js: add baseDir validation + skip symlinks in recursive search (MEDIUM) XSS fixes: - dashboard.js: escape user input in onerror/onclick inline attributes (HIGH) - paramadminsettingsetup.script.js: escape values in innerHTML template (MEDIUM) Input validation: - inputValidationMiddleware.js: block suspicious requests instead of logging only (MEDIUM) Version bump: 1.2.2-beta → 1.2.3-beta
This commit is contained in:
@@ -1,3 +1,8 @@
|
||||
function escapeAttr(str) {
|
||||
if (typeof str !== 'string') return '';
|
||||
return str.replace(/&/g, '&').replace(/'/g, ''').replace(/"/g, '"').replace(/</g, '<').replace(/>/g, '>');
|
||||
}
|
||||
|
||||
const body = document.body;
|
||||
const themeSwitcher = document.getElementById('themeSwitcher');
|
||||
|
||||
@@ -319,11 +324,11 @@ function addPath(type) {
|
||||
const div = document.createElement('div');
|
||||
div.className = 'flex items-center space-x-2 py-2 px-3 bg-gray-800 rounded-lg animate';
|
||||
div.innerHTML = `
|
||||
<span class="flex-1">${value}</span>
|
||||
<span class="flex-1">${escapeAttr(value)}</span>
|
||||
<button type="button" onclick="removePath(this)" class="text-gray-400 hover:text-red-500">
|
||||
<i class="fas fa-times"></i>
|
||||
</button>
|
||||
<input type="hidden" name="logs[${type === 'exclude' ? 'excludePaths' : 'includeOnly'}][]" value="${value}">
|
||||
<input type="hidden" name="logs[${type === 'exclude' ? 'excludePaths' : 'includeOnly'}][]" value="${escapeAttr(value)}">
|
||||
`;
|
||||
list.appendChild(div);
|
||||
input.value = '';
|
||||
|
||||
Reference in New Issue
Block a user