From 8b204b3d49b43a786e4e7ab8bc4594182f4552ab Mon Sep 17 00:00:00 2001
From: Thomas Lallement
Date: Thu, 20 Jun 2024 16:33:57 +0200
Subject: [PATCH 1/2] Fix sending of multiple update queries

---
 Resources/public/js/grid.js | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/Resources/public/js/grid.js b/Resources/public/js/grid.js
index 06315ed2..51eb4c7d 100644
--- a/Resources/public/js/grid.js
+++ b/Resources/public/js/grid.js
@@ -21,6 +21,9 @@ function enableMode(mode, lexikTranslationId, locales, url, csrfToken) {
 document.getElementById('inputContent-' + lexikTranslationId + '-' + locales[i]).style.display = 'block';
 }
 } else if (mode == 'view') {
+
+ let update = false;
+
 editButton.style.display = 'block';
 deleteButton.style.display = 'block';
 saveButton.style.display = 'none';
@@ -30,7 +33,8 @@ function enableMode(mode, lexikTranslationId, locales, url, csrfToken) {
 var newValue = document.getElementById('inputContent-' + lexikTranslationId + '-' + locales[i]).value;
 
 if (oldValue !== newValue) {
- saveUpdatedLexikTranslations(lexikTranslationId, locales[i], newValue, url, csrfToken);
+ update = true;
+ document.getElementById('content-' + lexikTranslationId + '-' + locales[i]).innerText = newValue;
 }
 
 document.getElementById('content-' + lexikTranslationId + '-' + locales[i]).style.display = 'block';
@@ -38,6 +42,9 @@ function enableMode(mode, lexikTranslationId, locales, url, csrfToken) {
 document.getElementById('btnDelete-' + lexikTranslationId + '-' + locales[i]).style.display = 'none';
 document.getElementById('btnKeyDelete-' + lexikTranslationId).style.display = 'none';
 }
+ if (update) {
+ saveUpdatedLexikTranslations(lexikTranslationId, locales[i], url, csrfToken);
+ }
 } else if (mode == 'delete') {
 editButton.style.display = 'none';
 deleteButton.style.display = 'none';
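Review bot: The save call added at the end of the view branch reads `locales[i]` after the `for` loop has finished, so the locale argument is wrong: with a `var` index it is `undefined` (`i === locales.length`), with `let` it throws a ReferenceError. The loop header is outside the hunk so I cannot tell which, but neither is the intended locale; since the sibling hunk in `saveUpdatedLexikTranslations` shows it now reading the whole `tr.content` row, either drop the argument and parameter, or pass the value the function really needs — e.g. `saveUpdatedLexikTranslations(lexikTranslationId, null, url, csrfToken);` if nothing reads it. Separately, `innerText = newValue` now runs before the request is sent, so a failed save leaves the grid showing a value the server never stored; apply the DOM update in the success handler or restore `oldValue` on error. `enableMode` starts and ends outside these hunks.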
@@ -49,11 +56,9 @@ function enableMode(mode, lexikTranslationId, locales, url, csrfToken) {
 }
 }
 
-function saveUpdatedLexikTranslations(lexikTranslationId, locale, newValue, url, csrfToken) {
+function saveUpdatedLexikTranslations(lexikTranslationId, locale, url, csrfToken) {
 let params = [];
 
- document.getElementById('inputContent-' + lexikTranslationId + '-' + locale).value = newValue;
- document.getElementById('content-' + lexikTranslationId + '-' + locale).innerText = newValue;
 var saveButton = document.getElementById('saveButton-' + lexikTranslationId);
 var trElement = saveButton.closest('tr.content');
 var tdElements = trElement.querySelectorAll('td');
@@ -457,4 +462,4 @@ function displayNoTranslations()
 `;
 
 return div;
-}
\ No newline at end of file
+}

From a2e0a30b7db7cf4d2444e1f0862f1d7be8ea0260 Mon Sep 17 00:00:00 2001
From: Thomas Lallement
Date: Thu, 20 Jun 2024 16:42:04 +0200
Subject: [PATCH 2/2] Escape HTML to avoid injection

---
 Resources/public/js/grid.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Resources/public/js/grid.js b/Resources/public/js/grid.js
index 51eb4c7d..8d5471e1 100644
--- a/Resources/public/js/grid.js
+++ b/Resources/public/js/grid.js
@@ -421,7 +421,7 @@ function constructHtmlTr(item) {
 ${Object.keys(item).filter(key => key !== '_id' && key !== '_domain' && key !== '_key').map(locale => `
- ${item[locale]}
+ ${escapeHtml(item[locale])}
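Review bot: The `locale` parameter survives in the new signature of `saveUpdatedLexikTranslations`, but the two removed lines were its only uses visible in this hunk, and the body continues past the hunk where it now collects `td` cells from the whole `tr.content` row; if nothing below still reads it, drop the parameter (and the matching argument in `enableMode`) rather than leave a dead positional slot that callers must fill. The contract of the function has changed from "save one locale" to "save the row", so a header comment is due; something like `/** Posts the current values of every cell in the row for lexikTranslationId to url (csrfToken included); presumably one request per row — confirm against the request body built below. */` keeps the new behaviour discoverable.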
@@ -454,6 +454,16 @@ function constructHtmlTr(item) {
 return tr;
 }
 
+function escapeHtml(unsafe)
+{
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+}
+
 function displayNoTranslations()
 {
 let div =
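Review bot: As rendered here the replacement strings in `escapeHtml` are the bare characters (`"&"`, `">"`, `"\""`, `"'"`) and the `<` rule is missing, which would make the function a no-op and `.replace(//g, ...)` a syntax error; this looks like the page renderer decoding entities and swallowing `<...>` as a tag, but please confirm the committed file literally contains `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#039;` (the `&`-first order is correct). `unsafe.replace` also throws when `item[locale]` is `null`, `undefined` or a number, which a translation grid can plausibly hand it, so coerce to a string before escaping. Note this escaping is only sufficient for HTML text and quoted attribute values; the other interpolations in `constructHtmlTr` (`_id`, `_domain`, `_key`, if they are rendered) lie outside the hunk and need the same treatment, and building the row with `document.createElement`/`textContent` instead of a template string would remove the escaping burden altogether. Suggested body:

```javascript
/**
 * Escapes the five HTML-significant characters so value can be interpolated
 * into element text or a quoted attribute. Non-string values (null, numbers)
 * are coerced first; null/undefined become "".
 */
function escapeHtml(unsafe)
{
    const text = unsafe == null ? '' : String(unsafe);
    return text
        .replace(/&/g, "&amp;")   // must run first so later entities are not double-escaped
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#039;");
}
```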