From f1c7bf393aec88c387c035a4886cf60723e38e13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Luka=20=C5=A0ijanec?=
Date: Fri, 13 Mar 2020 14:46:13 +0100
Subject: xss fropm gimsis fix

---
 js/gsec.js | 26 +++++++++++++-------------
 sw.js | 2 +-
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/js/gsec.js b/js/gsec.js
index 8d02d44..b8533af 100644
--- a/js/gsec.js
+++ b/js/gsec.js
@@ -1,6 +1,6 @@
 // tab = 2 || any spaces; use tabs
-// not tested yet
-function stripHtml(html) { // xss! itaK zaupamo zgimsisext responsem
+// not tested yet -- NOTE: any javascript in GSE_URL that will get parsed will be executed!
+function stripHtml(html) {
 var tmp = document.createElement("DIV");
 tmp.innerHTML = html;
 return tmp.textContent || tmp.innerText || "";
@@ -21,8 +21,8 @@ class gsec {
 type: "GET",
 dataType: "html",
 success: (getData) => {
- var parsed = document.createElement("template");
- parsed.innerHTML = getData;
+ let parser = new DOMParser();
+ let parsed = parser.parseFromString(getData, "text/html");
 if(formId == null) {
 var form = parsed.getElementsByTagName("form")[0];
 } else {
@@ -62,9 +62,9 @@ class gsec {
 login(usernameToLogin, passwordToLogin) {
 return new Promise((resolve, reject) => {
 var dataToSend = {"edtGSEUserId": usernameToLogin, "edtGSEUserPassword": passwordToLogin, "btnLogin": "Prijava"};
- this.postback(GSE_URL+"Logon.aspx", dataToSend).then( (response) => {
- var parsed = document.createElement("template");
- parsed.innerHTML = response.data;
+ this.postback(GSE_URL+"Logon.aspx", dataToSend, null, true).then( (response) => {
+ let parser = new DOMParser();
+ let parsed = parser.parseFromString(getData, "text/html");
 if(response.code == 302) {
 resolve(true);
 } else {
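Review bot: stripHtml still assigns the server response to innerHTML of a detached DIV, so the warning the new comment adds ("any javascript … will be executed") remains true for this function: a detached element's innerHTML is not inert, and elements that fetch resources can still fire their inline handlers there. The DOMParser pattern this same commit introduces at the other call sites would make the helper inert with a one-line change, `var tmp = new DOMParser().parseFromString(html, "text/html").body;` in place of the createElement/innerHTML pair, keeping the existing `return tmp.textContent || tmp.innerText || "";`. The comment could then state the reason rather than the caveat, e.g. `// Parsed with DOMParser so nothing in the GIMSIS response can run; only text is returned.`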
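Review bot: The new DOMParser lines in the success callback carry no comment on why the template element was dropped, which is the security reason for this commit and the thing a later refactor is most likely to undo. Suggest a comment above `let parser = new DOMParser();` such as `// Parse into a detached document (no browsing context): scripts and inline handlers in getData cannot run.` Note that `parsed` is now a Document rather than an element, so later `parsed.*` lookups operate on the whole parsed page; the enclosing method starts before this hunk and continues after it.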
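Review bot: `getData` is not defined in the login callback — its parameter is `response`, and the removed line read `response.data` — so the added `parser.parseFromString(getData, "text/html")` throws a ReferenceError before the 302 check is reached; the line should be `let parsed = parser.parseFromString(response.data, "text/html");`. The same copy-paste appears in the hunks at -150, -172 and -197, whose callbacks also receive `response`. Because the throw happens inside a `.then` callback, the outer Promise's `reject` is never called and login() would never settle unless a catch outside this hunk forwards the error. The extra `null, true` arguments now passed to postback match the other call sites, but postback's signature is not in this diff, so that change is taken on trust; the login callback continues outside the hunk.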
@@ -150,8 +150,8 @@ class gsec {
 return new Promise((resolve, reject) => {
 var urnik = { 0: {}, 1: {}, 2: {}, 3: {}, 4: {}, 5: {}, 6:{} } ;
 this.postback(GSE_URL+"Page_Gim/Ucenec/DnevnikUcenec.aspx", dataToSend, null, true).then( (response) => {
- var parsed = document.createElement("template");
- parsed.innerHTML = response.data;
+ let parser = new DOMParser();
+ let parsed = parser.parseFromString(getData, "text/html");
 for(const urnikElement of parsed.querySelectorAll('*[id^="ctl00_ContentPlaceHolder1_wkgDnevnik_btnCell_"]')) {
 var subFields = urnikElement.id.split("_");
 var period = subFields[4];
@@ -172,8 +172,8 @@ class gsec {
 return new Promise((resolve, reject) => {
 var gradings = [];
 this.postback(GSE_URL+"Page_Gim/Ucenec/IzpitiUcenec.aspx", {}, null, true).then( (response) => {
- var parsed = document.createElement("template");
- parsed.innerHTML = response.data;
+ let parser = new DOMParser();
+ let parsed = parser.parseFromString(getData, "text/html");
 var rowElements = parsed.getElementsByTagName("table")[0].getElementsByTagName("tbody")[0].getElementsByTagName("tr");
 for (const row of rowElements) {
 var subFields = row.getElementsByTagName("td");
@@ -197,8 +197,8 @@ class gsec {
 return new Promise((resolve, reject) => {
 var Teachers = {};
 this.postback(GSE_URL+"Page_Gim/Ucenec/UciteljskiZbor.aspx", {}, null, true).then((response)=>{
- var parsed = document.createElement("template");
- parsed.innerHTML = response.data;
+ let parser = new DOMParser();
+ let parsed = parser.parseFromString(getData, "text/html");
 var rowElements = parsed.getElementsByTagName("table")[0].getElementsByTagName("tbody")[0].getElementsByTagName("tr");
 for(const row of rowElements) {
 var subFields = row.getElementsByTagName("td");
diff --git a/sw.js b/sw.js
index 371523c..d59a946 100644
--- a/sw.js
+++ b/sw.js
@@ -1,5 +1,5 @@
 // Change version to cause cache refresh
-const static_cache_name = "site-static-v1.0.12.55";
+const static_cache_name = "site-static-v1.0.12.56";
 // Got them with find . -not -path '*/\.*' | sed "s/.*/\"&\",/" | grep -v sw.js
 // sw.js NE SME BITI CACHAN, ker vsebuje verzijo!
-- cgit v1.2.3