Merge pull request #250 from AppFlowy-IO/escape-html

feat: add escape for all template output
Zack 2024-01-09 14:54:34 +08:00 committed by GitHub
commit 374338a7c2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 10 additions and 10 deletions


@ -15,13 +15,13 @@
<button <button
class="button cyan" class="button cyan"
hx-target="#sso-list" hx-target="#sso-list"
hx-get="/web/components/admin/sso/{{ sso_provider.id }}" hx-get="/web/components/admin/sso/{{ sso_provider.id|escape }}"
> >
More Info More Info
</button> </button>
<button <button
class="deletUserBtn button red" class="deletUserBtn button red"
hx-delete="/web-api/admin/sso/{{ sso_provider.id }}" hx-delete="/web-api/admin/sso/{{ sso_provider.id|escape }}"
hx-confirm="Are you sure?" hx-confirm="Are you sure?"
hx-target="closest tr" hx-target="closest tr"
hx-swap="delete" hx-swap="delete"
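Review bot: HTML escaping is the wrong filter for a value interpolated into a URL path segment, as in the new `hx-get="/web/components/admin/sso/{{ sso_provider.id|escape }}"` and the matching `hx-delete` URL below it. `|escape` only neutralises `<`, `>`, `&`, `"` and `'`, so an id containing `/`, `?`, `#` or `..` would still alter the request target — attribute breakout is prevented, but not path manipulation. A URL-encoding filter is the right tool for a path segment, e.g. `hx-get="/web/components/admin/sso/{{ sso_provider.id|urlencode }}"` (and likewise for `hx-delete`), with the attribute-context escaping left to the template engine's autoescaping or a trailing `|escape` if the engine does not autoescape. If provider ids are server-generated identifiers the practical exposure is small, but the filter should still match the context it lands in.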


@ -8,7 +8,7 @@
hx-get="/web/components/user/user" hx-get="/web/components/user/user"
class="button red" class="button red"
> >
{{ user.email }} {{ user.email|escape }}
</div> </div>
</div> </div>


@ -14,13 +14,13 @@
<button <button
class="button cyan" class="button cyan"
hx-target="#admin-users" hx-target="#admin-users"
hx-get="/web/components/admin/users/{{ user.id }}" hx-get="/web/components/admin/users/{{ user.id|escape }}"
> >
More Info More Info
</button> </button>
<button <button
class="deletUserBtn button red" class="deletUserBtn button red"
hx-delete="/web-api/admin/user/{{ user.id }}" hx-delete="/web-api/admin/user/{{ user.id|escape }}"
hx-confirm="Are you sure?" hx-confirm="Are you sure?"
hx-target="closest tr" hx-target="closest tr"
hx-swap="delete" hx-swap="delete"
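Review bot: The same context mismatch as in the SSO list applies here: `hx-get="/web/components/admin/users/{{ user.id|escape }}"` and `hx-delete="/web-api/admin/user/{{ user.id|escape }}"` put an identifier into a URL path using an HTML-escape filter. HTML escaping does not touch `/`, `?`, `#` or `..`, so a crafted id can still change which endpoint the button calls even though it can no longer break out of the attribute. Use a URL-encoding filter for the path segment, e.g. `hx-delete="/web-api/admin/user/{{ user.id|urlencode }}"`, and rely on autoescaping (or a trailing `|escape`) for the attribute context. Whether user ids are user-influenced is not visible here, so the exploitability is hedged, but the encoding should be correct regardless.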


@ -8,7 +8,7 @@
hx-get="/web/components/user/user" hx-get="/web/components/user/user"
class="button cyan" class="button cyan"
> >
{{ user.email }} {{ user.email|escape }}
</div> </div>
</div> </div>


@ -2,7 +2,7 @@
<p>Email: {{ user.email|escape }}</p> <p>Email: {{ user.email|escape }}</p>
<p>Role: {{ user.role|escape }}</p> <p>Role: {{ user.role|escape }}</p>
<p>Phone: {{ user.phone|escape }}</p> <p>Phone: {{ user.phone|escape }}</p>
<p>Email Confirmed At: {{ user.email_confirmed_at|default("-") }}</p> <p>Email Confirmed At: {{ user.email_confirmed_at|default("-")|escape }}</p>
<p>Phone Confirmed At: {{ user.phone_confirmed_at|default("-")|escape }}</p> <p>Phone Confirmed At: {{ user.phone_confirmed_at|default("-")|escape }}</p>
<p>Last Sign In At: {{ user.last_sign_in_at|default("-")|escape }}</p> <p>Last Sign In At: {{ user.last_sign_in_at|default("-")|escape }}</p>
<p>Created At: {{ user.created_at|escape }}</p> <p>Created At: {{ user.created_at|escape }}</p>


@ -4,7 +4,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1" /> <meta name="viewport" content="width=device-width, initial-scale=1" />
<link href="/assets/base.css" rel="stylesheet" /> <link href="/assets/base.css" rel="stylesheet" />
<link href="/assets/message.css" rel="stylesheet" /> <link href="/assets/message.css" rel="stylesheet" />
<title>{% block title %}{{ title }}{% endblock %}</title> <title>{% block title %}{{ title|escape }}{% endblock %}</title>
<script <script
src="https://unpkg.com/htmx.org@1.9.6" src="https://unpkg.com/htmx.org@1.9.6"
integrity="sha384-FhXw7b6AlE/jyjlZH5iHa/tTe9EpJ1Y55RjcgPbjeWMskSxZt1v9qkxLJWNJaGni" integrity="sha384-FhXw7b6AlE/jyjlZH5iHa/tTe9EpJ1Y55RjcgPbjeWMskSxZt1v9qkxLJWNJaGni"


@ -75,10 +75,10 @@
{% for provider in oauth_providers %} {% for provider in oauth_providers %}
<div class="oauth-icon"> <div class="oauth-icon">
<a <a
href="/gotrue/authorize?provider={{ provider }}&redirect_to=/web/login" href="/gotrue/authorize?provider={{ provider|escape }}&redirect_to=/web/login"
> >
<div <div
hx-get="../assets/{{ provider }}/logo.html" hx-get="../assets/{{ provider|escape }}/logo.html"
hx-trigger="load" hx-trigger="load"
hx-swap="outerHTML" hx-swap="outerHTML"
></div> ></div>
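Review bot: In `href="/gotrue/authorize?provider={{ provider|escape }}&redirect_to=/web/login"` the provider name lands in a query-string value, where HTML escaping does not help: `&` becomes `&amp;`, but the browser decodes the entity before building the URL, so a provider containing `&` or `=` could still append or override query parameters on the authorize request. The second use, `hx-get="../assets/{{ provider|escape }}/logo.html"`, has the same gap for a path segment — `/` and `..` pass through `|escape` untouched, so the fetched asset path can be redirected. Both should use a URL-encoding filter, e.g. `href="/gotrue/authorize?provider={{ provider|urlencode }}&redirect_to=/web/login"` and `hx-get="../assets/{{ provider|urlencode }}/logo.html"`, with attribute escaping left to autoescaping. `oauth_providers` is presumably server-side configuration rather than user input, which limits the exposure, but the filter choice is still wrong for the context. The `{% for provider in oauth_providers %}` block opened on the first line of this hunk closes outside it.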