fix(settings): mitigate xss

Mitigate XSS in wifi scanning, where scan results could inject arbitrary
code, by using `textContent` instead of `innerHTML`.

Partially Fixes #3233
Jason Kölker 2023-06-10 23:39:48 +00:00
parent 999bec19f1
commit d18d800947
No known key found for this signature in database
GPG Key ID: 2401AB361DA4156A


@ -19,7 +19,7 @@
const button = gId("scan");
button.disabled = true;
button.innerHTML = "Scanning...";
button.textContent = "Scanning...";
fetch(url).then((response) => {
return response.json();
@ -70,7 +70,7 @@
const option = cE("option");
option.setAttribute("value", networks[i].ssid);
option.innerHTML = `${networks[i].ssid} (${networks[i].rssi} dBm)`;
option.textContent = `${networks[i].ssid} (${networks[i].rssi} dBm)`;
if (networks[i].ssid === cs.value) {
option.setAttribute("selected", "selected");
@ -81,14 +81,14 @@
const option = cE("option");
option.setAttribute("value", "!Cs");
option.innerHTML = `Other network...`;
option.textContent = `Other network...`;
select.appendChild(option);
cs.replaceWith(select);
}
button.disabled = false;
button.innerHTML = "Scan";
button.textContent = "Scan";
});
}
// replace WiFi select with custom SSID input field again
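Review bot: The option label in the second hunk interpolates `networks[i].ssid` and `networks[i].rssi` from the scan response, and nothing in the new code records that these values are untrusted (per the commit message, the scan result is the injection vector). A short comment above the assignment, e.g. `// SSIDs come from nearby access points and are untrusted: use textContent, never innerHTML`, would keep a later edit from reintroducing the sink. The `setAttribute("value", networks[i].ssid)` on the line before is fine as written, since setting an attribute through the DOM does not parse markup. Separately, the promise chain closes at `});` with no rejection handler visible, so a failed fetch or malformed JSON appears to leave the button disabled at "Scanning..."; a trailing `.catch(() => { button.disabled = false; button.textContent = "Scan"; })` would cover that. The enclosing function starts outside the hunks shown, so a handler may exist in lines not visible here.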