cross-site scripting - sanitize only values whose type is string.

This commit is contained in:
Jessica Wang 2010-09-21 17:38:41 -07:00
parent 272d419d3a
commit 4e9b1239ce
3 changed files with 3 additions and 3 deletions


@ -1250,7 +1250,7 @@ function noNull(val) {
// Prevent cross-site-script(XSS) attack.
// used right before adding user input to the DOM tree. e.g. DOM_element.html(sanitizeXSS(user_input));
function sanitizeXSS(val) {
if(val == null)
if(val == null || typeof(val) != "string")
return val;
val = val.replace(/</g, "&lt;"); //replace < whose unicode is \u003c
val = val.replace(/>/g, "&gt;"); //replace > whose unicode is \u003e
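Review bot: The new guard returns any non-string `val` unchanged, so a number, array or object that a caller then hands to `.html()` (presumably jQuery's, per the header comment) would be stringified and inserted without passing through the escaping below; if non-string input is expected it is safer to coerce it first, `if (val == null) return val; val = String(val);`, or to document that callers must pass strings. The replacements that follow escape only `<` and `>`, leaving `&`, `"` and `'` untouched, which is adequate for text between tags but not for a value that ends up inside an attribute — the header comment should state that limit, e.g. `// Escapes only < and >: safe for element text, not for attribute values or URLs.`. A strict comparison, `typeof val !== "string"`, avoids the loose `!=` on the new line. The identical change appears in the hunks at `@ -626,7` and `@ -102,7`; three copies of sanitizeXSS will drift apart, so a single shared helper would be preferable. The body of sanitizeXSS continues past the end of the hunk.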


@ -626,7 +626,7 @@ function noNull(val) {
// Prevent cross-site-script(XSS) attack.
// used right before adding user input to the DOM tree. e.g. DOM_element.html(sanitizeXSS(user_input));
function sanitizeXSS(val) {
if(val == null)
if(val == null || typeof(val) != "string")
return val;
val = val.replace(/</g, "&lt;"); //replace < whose unicode is \u003c
val = val.replace(/>/g, "&gt;"); //replace > whose unicode is \u003e


@ -102,7 +102,7 @@ function trim(val) {
// Prevent cross-site-script(XSS) attack.
// used right before adding user input to the DOM tree. e.g. DOM_element.html(sanitizeXSS(user_input));
function sanitizeXSS(val) {
if(val == null)
if(val == null || typeof(val) != "string")
return val;
val = val.replace(/</g, "&lt;"); //replace < whose unicode is \u003c
val = val.replace(/>/g, "&gt;"); //replace > whose unicode is \u003e