WebUI: migrate away from inline HTML code

The `innerHTML` & `outerHTML` setters will more or less evaluate the assigned value, which could be used to
inject malicious code. So replace them with safer alternatives.

PR #21163.
Chocobo1 2024-08-10 12:55:48 +08:00 committed by GitHub
parent 4570c0ef9e
commit 5afeecbf18
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 201 additions and 114 deletions


@ -165,32 +165,31 @@ window.qBittorrent.PropFiles ??= (() => {
return ($("comboPrio" + id) !== null);
};
const createPriorityOptionElement = function(priority, selected, html) {
const elem = new Element("option");
elem.value = priority.toString();
elem.innerHTML = html;
if (selected)
elem.selected = true;
return elem;
};
const createPriorityCombo = (id, fileId, selectedPriority) => {
const createOption = (priority, isSelected, text) => {
const option = document.createElement("option");
option.value = priority.toString();
option.selected = isSelected;
option.textContent = text;
return option;
};
const createPriorityCombo = function(id, fileId, selectedPriority) {
const select = new Element("select");
const select = document.createElement("select");
select.id = "comboPrio" + id;
select.setAttribute("data-id", id);
select.setAttribute("data-file-id", fileId);
select.addClass("combo_priority");
select.addEventListener("change", fileComboboxChanged);
createPriorityOptionElement(FilePriority.Ignored, (FilePriority.Ignored === selectedPriority), "QBT_TR(Do not download)QBT_TR[CONTEXT=PropListDelegate]").injectInside(select);
createPriorityOptionElement(FilePriority.Normal, (FilePriority.Normal === selectedPriority), "QBT_TR(Normal)QBT_TR[CONTEXT=PropListDelegate]").injectInside(select);
createPriorityOptionElement(FilePriority.High, (FilePriority.High === selectedPriority), "QBT_TR(High)QBT_TR[CONTEXT=PropListDelegate]").injectInside(select);
createPriorityOptionElement(FilePriority.Maximum, (FilePriority.Maximum === selectedPriority), "QBT_TR(Maximum)QBT_TR[CONTEXT=PropListDelegate]").injectInside(select);
select.appendChild(createOption(FilePriority.Ignored, (FilePriority.Ignored === selectedPriority), "QBT_TR(Do not download)QBT_TR[CONTEXT=PropListDelegate]"));
select.appendChild(createOption(FilePriority.Normal, (FilePriority.Normal === selectedPriority), "QBT_TR(Normal)QBT_TR[CONTEXT=PropListDelegate]"));
select.appendChild(createOption(FilePriority.High, (FilePriority.High === selectedPriority), "QBT_TR(High)QBT_TR[CONTEXT=PropListDelegate]"));
select.appendChild(createOption(FilePriority.Maximum, (FilePriority.Maximum === selectedPriority), "QBT_TR(Maximum)QBT_TR[CONTEXT=PropListDelegate]"));
// "Mixed" priority is for display only; it shouldn't be selectable
const mixedPriorityOption = createPriorityOptionElement(FilePriority.Mixed, (FilePriority.Mixed === selectedPriority), "QBT_TR(Mixed)QBT_TR[CONTEXT=PropListDelegate]");
const mixedPriorityOption = createOption(FilePriority.Mixed, (FilePriority.Mixed === selectedPriority), "QBT_TR(Mixed)QBT_TR[CONTEXT=PropListDelegate]");
mixedPriorityOption.disabled = true;
mixedPriorityOption.injectInside(select);
select.appendChild(mixedPriorityOption);
return select;
};
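Review bot: `select.addClass("combo_priority")` in createPriorityCombo is still a MooTools call, although the element now comes from `document.createElement("select")` instead of `new Element("select")`, so it presumably keeps working only because the library extends the native element prototype. Prefer the native `select.classList.add("combo_priority");` so the function no longer depends on the library. Separately, the option labels are now assigned through `textContent`, so a translated `QBT_TR(...)` string that contains HTML entities or markup would be shown literally; the translations are worth checking once. `createOption` could also be hoisted out of createPriorityCombo so it is not re-created on every call.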