Posted to commits@myfaces.apache.org by lo...@apache.org on 2023/02/22 08:25:12 UTC
[myfaces-tobago] branch main updated: fix: avoid GitHubs code scanning alert (#3782)
This is an automated email from the ASF dual-hosted git repository.
lofwyr pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git
The following commit(s) were added to refs/heads/main by this push:
new 1ef23d906e fix: avoid GitHubs code scanning alert (#3782)
1ef23d906e is described below
commit 1ef23d906ecdf051dd36c4d5253ce3400d36d780
Author: Udo Schnurpfeil <lo...@apache.org>
AuthorDate: Wed Feb 22 09:25:05 2023 +0100
fix: avoid GitHubs code scanning alert (#3782)
* DOM text reinterpreted as HTML
---
.../src/main/webapp/script/tobago-testAll.js | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/script/tobago-testAll.js b/tobago-example/tobago-example-demo/src/main/webapp/script/tobago-testAll.js
index 9760b33b06..2fc3d160b6 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/script/tobago-testAll.js
+++ b/tobago-example/tobago-example-demo/src/main/webapp/script/tobago-testAll.js
@@ -36,7 +36,7 @@ function testAll() {
function cycle() {
const iframe = document.getElementById("page:tp" + count);
const url = iframe.getAttribute("name");
- iframe.setAttribute("src", url);
+ iframe.setAttribute("src", sanitizeUrl(url));
const tpWindow = document.getElementById("page:tp" + count).contentWindow;
@@ -54,6 +54,16 @@ function testAll() {
});
}
+ // to avoid GitHubs code scanning alert: DOM text reinterpreted as HTML
+ function sanitizeUrl(url) {
+ if (url.startsWith("test.xhtml?base=") && url.indexOf("\"") < 0 && url.indexOf("\'") < 0) {
+ return url;
+ } else {
+ console.warn("Problem with url detected!", url);
+ return "";
+ }
+ }
+
cycle();
}
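Review bot: `sanitizeUrl` throws a TypeError when the iframe carries no `name` attribute, because `getAttribute` at the call site in the first hunk returns `null` and `null.startsWith` is not callable, whereas before this change the value was simply handed to `setAttribute`. A type guard keeps the fail-closed `else` branch for that case as well: `if (typeof url === "string" && url.startsWith("test.xhtml?base=") && !url.includes("\"") && !url.includes("'")) {`. It is the `startsWith` prefix that carries the security weight here — it pins the value to a relative path and so keeps a `javascript:` or cross-origin URL out of the iframe `src` — while the quote checks add nothing for `setAttribute`, which performs no HTML parsing; a comment such as `// the prefix check pins src to a relative path; the quote checks only satisfy the scanner` would make that clear to the next maintainer. The enclosing `testAll` starts outside the hunk.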