DGNum/demarches-normaliennes
15
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

fix(xss): injection from pj malicious filename would trick browser and lead to XSS injection

Browse source
This commit is contained in:
Colin Darie 2024-08-20 15:51:54 +02:00
parent e4d460965f
commit e6c2926426
No known key found for this signature in database
GPG key ID: 4FB865FDBCA4BCC4
2 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/views/instructeurs/dossiers/pieces_jointes.html.haml
View file

@ -8,7 +8,7 @@
.gallery-item .gallery-item
- blob = attachment.blob - blob = attachment.blob
- if displayable_pdf?(blob) - if displayable_pdf?(blob)
= link_to blob.url, id: blob.id, data: { iframe: true, src: blob.url }, class: 'gallery-link', type: blob.content_type, title: "#{libelle} -- #{blob.filename}" do = link_to blob.url, id: blob.id, data: { iframe: true, src: blob.url }, class: 'gallery-link', type: blob.content_type, title: "#{libelle} -- #{sanitize(blob.filename.to_s)}" do
.thumbnail .thumbnail
= image_tag(preview_url_for(attachment), loading: :lazy) = image_tag(preview_url_for(attachment), loading: :lazy)
.fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button } .fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button }
@ -18,7 +18,7 @@
= render Attachment::ShowComponent.new(attachment: attachment, truncate: true) = render Attachment::ShowComponent.new(attachment: attachment, truncate: true)
- elsif displayable_image?(blob) - elsif displayable_image?(blob)
= link_to image_url(blob_url(attachment)), title: "#{libelle} -- #{blob.filename}", data: { src: blob.url }, class: 'gallery-link' do = link_to image_url(blob_url(attachment)), title: "#{libelle} -- #{sanitize(blob.filename.to_s)}", data: { src: blob.url }, class: 'gallery-link' do
.thumbnail .thumbnail
= image_tag(variant_url_for(attachment), loading: :lazy) = image_tag(variant_url_for(attachment), loading: :lazy)
.fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button } .fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button }

4
app/views/shared/champs/piece_justificative/_show.html.haml
View file

@ -5,14 +5,14 @@
.gallery-item .gallery-item
- blob = attachment.blob - blob = attachment.blob
- if displayable_pdf?(blob) - if displayable_pdf?(blob)
= link_to blob.url, id: blob.id, data: { iframe: true, src: blob.url }, class: 'gallery-link', type: blob.content_type, title: "#{champ.libelle} -- #{blob.filename}" do = link_to blob.url, id: blob.id, data: { iframe: true, src: blob.url }, class: 'gallery-link', type: blob.content_type, title: "#{champ.libelle} -- #{sanitize(blob.filename.to_s)}" do
.thumbnail .thumbnail
= image_tag(preview_url_for(attachment), loading: :lazy) = image_tag(preview_url_for(attachment), loading: :lazy)
.fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button } .fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button }
= 'Visualiser' = 'Visualiser'
- elsif displayable_image?(blob) - elsif displayable_image?(blob)
= link_to image_url(blob_url(attachment)), title: "#{champ.libelle} -- #{blob.filename}", data: { src: blob.url }, class: 'gallery-link' do = link_to image_url(blob_url(attachment)), title: "#{champ.libelle} -- #{sanitize(blob.filename.to_s)}", data: { src: blob.url }, class: 'gallery-link' do
.thumbnail .thumbnail
= image_tag(variant_url_for(attachment), loading: :lazy) = image_tag(variant_url_for(attachment), loading: :lazy)
.fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button } .fr-btn.fr-btn--tertiary.fr-btn--icon-left.fr-icon-eye{ role: :button }