From b14cd8172c9406d588ac49ee20f5ac135dd38c7c Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Sun, 18 Nov 2018 11:54:04 +0100
Subject: [PATCH] assemble breadcrumb html safely
Avoids XSS from malicious directory names.
---
notebook/static/tree/js/notebooklist.js | 63 ++++++++++++++++---------
1 file changed, 40 insertions(+), 23 deletions(-)
diff --git a/notebook/static/tree/js/notebooklist.js b/notebook/static/tree/js/notebooklist.js
index 7d8de52..382c7de 100644
--- a/notebook/static/tree/js/notebooklist.js
+++ b/notebook/static/tree/js/notebooklist.js
@@ -382,18 +382,28 @@ define([
var breadcrumb = $('.breadcrumb');
breadcrumb.empty();
var list_item = $('<li/>');
- var root = $('<li/>').append('<a href="/tree"><i class="fa fa-folder"></i></a>').click(function(e) {
- // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
- if(e.altKey || e.metaKey || e.shiftKey) {
- return true;
- }
- var path = '';
- window.history.pushState({
- path: path
- }, 'Home', utils.url_path_join(that.base_url, 'tree'));
- that.update_location(path);
- return false;
- });
+ var root = $('<li/>').append(
+ $("<a/>")
+ .attr('href', '/tree')
+ .append(
+ $("<i/>")
+ .addClass('fa fa-folder')
+ )
+ .click(function(e) {
+ // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
+ if(e.altKey || e.metaKey || e.shiftKey) {
+ return true;
+ }
+ var path = '';
+ window.history.pushState(
+ {path: path},
+ 'Home',
+ utils.url_path_join(that.base_url, 'tree')
+ );
+ that.update_location(path);
+ return false;
+ })
+ );
breadcrumb.append(root);
var path_parts = [];
this.notebook_path.split('/').forEach(function(path_part) {
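Review bot: The root crumb's href on the `.attr('href', '/tree')` line is still a bare `/tree`, while the pushState call three lines below joins `that.base_url` with `'tree'`; for a deployment served under a non-root base_url, a modifier-click (the `return true` path, where the browser follows the href) and a plain click therefore navigate to different URLs. The old code had the same mismatch, so this is pre-existing, but since the anchor is being rebuilt here it would be a good moment to use `.attr('href', utils.url_path_join(that.base_url, 'tree'))` and keep the two in step. Separately, the click handler is now bound to the `<a>` instead of the `<li>` in both this hunk and the one that follows, so a click on the list item's padding no longer intercepts navigation; if that is intended, a one-line comment such as `// bound to the anchor, not the <li>: only the link itself triggers pushState` would make it clear. The enclosing function starts before this hunk.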
@@ -404,17 +414,24 @@ define([
'/tree',
utils.encode_uri_components(path)
);
- var crumb = $('<li/>').append('<a href="' + url + '">' + path_part + '</a>').click(function(e) {
- // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
- if(e.altKey || e.metaKey || e.shiftKey) {
- return true;
- }
- window.history.pushState({
- path: path
- }, path, url);
- that.update_location(path);
- return false;
- });
+ var crumb = $('<li/>').append(
+ $('<a/>')
+ .attr('href', url)
+ .text(path_part)
+ .click(function(e) {
+ // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
+ if(e.altKey || e.metaKey || e.shiftKey) {
+ return true;
+ }
+ window.history.pushState(
+ {path: path},
+ path,
+ url
+ );
+ that.update_location(path);
+ return false;
+ })
+ );
breadcrumb.append(crumb);
});
this.contents.list_contents(that.notebook_path).then(
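Review bot: The `.text(path_part)` line is the actual fix and deserves a comment so a later refactor does not regress it to `.html()` or string concatenation: `// .text(), not .html(): path_part is a user-controlled directory name and must never be parsed as markup`. The href on the line above is built from `utils.encode_uri_components(path)` two lines earlier, which keeps it from carrying raw directory-name characters into the attribute; noting that dependency next to the `.attr('href', url)` call, e.g. `// url is already percent-encoded by encode_uri_components above`, would tie the two together. The enclosing forEach callback starts before this hunk.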
--
2.19.1