Mirrors/Stirling-PDF
Mirrors/Stirling-PDF
1
0
Fork 0
mirror of https://github.com/Frooodle/Stirling-PDF.git synced 2025-02-21 00:17:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added input sanitization to fix self-xss issue (#2189)

Browse Source
This commit is contained in:
ninjat 2024-11-06 10:44:24 +13:00 committed by GitHub
parent 0c0f61aa0d
commit 404e31468e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 41 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
src/main/resources/static/js/merge.js
View File

@ -21,27 +21,55 @@ async function displayFiles(files) {
for (let i = 0; i < files.length; i++) { for (let i = 0; i < files.length; i++) {
const pageCount = await getPDFPageCount(files[i]); const pageCount = await getPDFPageCount(files[i]);
const pageLabel = pageCount === 1 ? pageTranslation : pagesTranslation; const pageLabel = pageCount === 1 ? pageTranslation : pagesTranslation;
// Create list item
const item = document.createElement("li"); const item = document.createElement("li");
item.className = "list-group-item"; item.className = "list-group-item";
item.innerHTML = `
<div class="d-flex justify-content-between align-items-center w-100"> // Create filename div and set textContent to sanitize
<div class="filename">${files[i].name}</div> const fileNameDiv = document.createElement("div");
<div class="page-info"> fileNameDiv.className = "filename";
<span class="page-count">${pageCount} ${pageLabel}</span> fileNameDiv.textContent = files[i].name;
</div>
<div class="arrows d-flex"> // Create page info div and set textContent to sanitize
<button class="btn btn-secondary move-up"><span>&uarr;</span></button> const pageInfoDiv = document.createElement("div");
<button class="btn btn-secondary move-down"><span>&darr;</span></button> pageInfoDiv.className = "page-info";
<button class="btn btn-danger remove-file"><span>&times;</span></button> const pageCountSpan = document.createElement("span");
</div> pageCountSpan.className = "page-count";
</div> pageCountSpan.textContent = `${pageCount} ${pageLabel}`;
`; pageInfoDiv.appendChild(pageCountSpan);
// Create arrows div with buttons
const arrowsDiv = document.createElement("div");
arrowsDiv.className = "arrows d-flex";
const moveUpButton = document.createElement("button");
moveUpButton.className = "btn btn-secondary move-up";
moveUpButton.innerHTML = "<span>&uarr;</span>";
const moveDownButton = document.createElement("button");
moveDownButton.className = "btn btn-secondary move-down";
moveDownButton.innerHTML = "<span>&darr;</span>";
const removeButton = document.createElement("button");
removeButton.className = "btn btn-danger remove-file";
removeButton.innerHTML = "<span>&times;</span>";
arrowsDiv.append(moveUpButton, moveDownButton, removeButton);
// Append elements to item and then to list
const itemContainer = document.createElement("div");
itemContainer.className = "d-flex justify-content-between align-items-center w-100";
itemContainer.append(fileNameDiv, pageInfoDiv, arrowsDiv);
item.appendChild(itemContainer);
list.appendChild(item); list.appendChild(item);
} }
attachMoveButtons(); attachMoveButtons();
} }
async function getPDFPageCount(file) { async function getPDFPageCount(file) {
const blobUrl = URL.createObjectURL(file); const blobUrl = URL.createObjectURL(file);
const pdf = await pdfjsLib.getDocument(blobUrl).promise; const pdf = await pdfjsLib.getDocument(blobUrl).promise;