
Commit c0d132f

committed
Fix XSS vulnerability by using DOM-safe methods for user input
Use jQuery's element construction with an attributes object and `.text()` instead of string concatenation when inserting user-controlled values into the DOM. This prevents malicious input from being interpreted as markup and executed.
1 parent c337cb4 commit c0d132f


1 file changed

+22
-2
lines changed


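--- a/assets/js/activitypub-moderation-admin.js
+++ b/assets/js/activitypub-moderation-admin.js
@@ -89,6 +89,26 @@
 return true;
 }
 
+/**
+* Create a table row for a blocked term.
+*
+* @param {string} type - The type of block (domain or keyword)
+* @param {string} value - The blocked value
+* @param {string} context - The context (user or site)
+* @return {jQuery} The constructed table row
+*/
+function createBlockedTermRow( type, value, context ) {
+var $button = $( '<button>', {
+type: 'button',
+'class': 'button button-small remove-' + context + '-block-btn',
+'data-type': type,
+'data-value': value,
+text: __( 'Remove', 'activitypub' )
+} );
+
+return $( '<tr>' ).append( $( '<td>' ).text( value ), $( '<td>' ).append( $button ) );
+}
+
 /**
 * Helper function to add a blocked term to the UI
 */
@@ -104,7 +124,7 @@
 table = $( '<table class="widefat striped activitypub-blocked-' + type + '" role="presentation" style="max-width: 500px; margin: 15px 0;"><tbody></tbody></table>' );
 container.find( '#new_user_' + type ).closest( '.add-user-block-form' ).before( table );
 }
-table.append( '<tr><td>' + value + '</td><td style="width: 80px;"><button type="button" class="button button-small remove-user-block-btn" data-type="' + type + '" data-value="' + value + '">Remove</button></td></tr>' );
+table.find( 'tbody' ).append( createBlockedTermRow( type, value, context ) );
 } else if ( context === 'site' ) {
 // For site moderation, add to the table inside the details element
 var details = $( '.activitypub-site-block-details[data-type="' + type + '"]' );
@@ -116,7 +136,7 @@
 details.find( 'summary' ).after( table );
 }
 
-table.find( 'tbody' ).append( '<tr><td>' + value + '</td><td><button type="button" class="button button-small remove-site-block-btn" data-type="' + type + '" data-value="' + value + '">Remove</button></td></tr>' );
+table.find( 'tbody' ).append( createBlockedTermRow( type, value, context ) );
 
 updateSiteBlockSummary( type );
 }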
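Review bot: `createBlockedTermRow` in the first hunk still builds the button class by concatenation, `'class': 'button button-small remove-' + context + '-block-btn'`, while its JSDoc allows only `user` or `site`; jQuery sets this through an attribute so it is not an injection vector, but an unexpected `context` silently yields a button no click handler matches, so mapping to the two known classes is safer, e.g. `var buttonClass = context === 'site' ? 'remove-site-block-btn' : 'remove-user-block-btn';` and then `'class': 'button button-small ' + buttonClass`. The helper also calls `__( 'Remove', 'activitypub' )` where the removed markup used a literal, so confirm `__` (presumably wp.i18n) is in scope in this file. Note that the user-context row loses the `style="width: 80px;"` the old `<td>` carried, which is a visible layout change the commit message does not mention. `type` is still concatenated into the table markup and the attribute selector on the unchanged context lines of hunks two and three; the fix covers `value` only, so if `type` can ever come from user input it needs the same treatment or an allow-list check. The enclosing helper that hunks two and three belong to starts and ends outside the hunks.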
