add todo comments for html unescaped strings

atk4 · Mar 6, 2025 · 52e6ac9 · 52e6ac9
1 parent 105dd78
commit 52e6ac9
Show file tree

Hide file tree

Showing 8 changed files with 19 additions and 12 deletions.
diff --git a/js/src/JqueryPlugin/ConfirmPlugin.js b/js/src/JqueryPlugin/ConfirmPlugin.js
@@ -44,6 +44,7 @@ export default class AtkConfirmPlugin extends AbstractPlugin {
     }
 
     getDialogHtml(message) {
+        // TODO: HTML escape
         return `
           <div class=" content">${message}</div>
           <div class="actions">

diff --git a/js/src/JqueryPlugin/CreateModalPlugin.js b/js/src/JqueryPlugin/CreateModalPlugin.js
@@ -28,6 +28,7 @@ export default class AtkCreateModalPlugin extends AbstractPlugin {
     }
 
     getDialogHtml(title) {
+        // TODO: HTML escape
         return `<i class="close icon"></i>
           ` + (title ? `<div class="${this.settings.headerClass}">${title}</div>
           ` : '') + `<div class="${this.settings.contentClass} content atk-dialog-content">

diff --git a/js/src/JqueryPlugin/JsSortablePlugin.js b/js/src/JqueryPlugin/JsSortablePlugin.js
@@ -107,7 +107,7 @@ export default class AtkJsSortablePlugin extends AbstractPlugin {
     }
 
     injectStyles(style) {
-        $('head').append('<style>' + style + '</style>');
+        $('head').append('<style>' + style + '</style>'); // TODO: prevent HTML injection
     }
 }
 

diff --git a/js/src/Service/apiService.js b/js/src/Service/apiService.js
@@ -232,12 +232,13 @@ class ApiService {
         m.data('needRemove', true).modal().modal('show');
     }
 
-    getErrorHtml(titleHtml, messageHtml) {
+    getErrorHtml(title, message) {
+        // TODO: HTML escape
         return `<div class="ui negative icon message" style="margin: 0px;">
               <i class="warning sign icon"></i>
               <div class="content">
-                <div class="header">${titleHtml}</div>
-                <div>${messageHtml}</div>
+                <div class="header">${title}</div>
+                <div>${message}</div>
               </div>
             </div>`;
     }

diff --git a/js/src/Service/modalService.js b/js/src/Service/modalService.js
@@ -141,7 +141,7 @@ class ModalService {
 
     getLoaderHtml(loaderText) {
         return '<div class="ui active inverted dimmer">'
-            + '<div class="ui text loader">' + loaderText + '</div>'
+            + '<div class="ui text loader">' + loaderText + '</div>' // TODO: HTML escape
             + '</div>';
     }
 }

diff --git a/public/js/atkjs-ui.js b/public/js/atkjs-ui.js
@@ -1217,6 +1217,7 @@ class AtkConfirmPlugin extends _AbstractPlugin__WEBPACK_IMPORTED_MODULE_1__["def
     $m.data('needRemove', true).modal(options).modal('show');
   }
   getDialogHtml(message) {
+    // TODO: HTML escape
     return `
           <div class=" content">${message}</div>
           <div class="actions">
@@ -1285,6 +1286,7 @@ class AtkCreateModalPlugin extends _AbstractPlugin__WEBPACK_IMPORTED_MODULE_1__[
     $m.addClass(this.settings.modalCss);
   }
   getDialogHtml(title) {
+    // TODO: HTML escape
     return `<i class="close icon"></i>
           ` + (title ? `<div class="${this.settings.headerClass}">${title}</div>
           ` : '') + `<div class="${this.settings.contentClass} content atk-dialog-content">
@@ -1897,7 +1899,7 @@ class AtkJsSortablePlugin extends _AbstractPlugin__WEBPACK_IMPORTED_MODULE_6__["
     return url;
   }
   injectStyles(style) {
-    external_jquery__WEBPACK_IMPORTED_MODULE_4___default()('head').append('<style>' + style + '</style>');
+    external_jquery__WEBPACK_IMPORTED_MODULE_4___default()('head').append('<style>' + style + '</style>'); // TODO: prevent HTML injection
   }
 }
 AtkJsSortablePlugin.DEFAULTS = {
@@ -2713,12 +2715,13 @@ class ApiService {
     const m = external_jquery__WEBPACK_IMPORTED_MODULE_2___default()('<div>').appendTo('body').addClass('ui scrolling modal').css('padding', '1em').html(contentHtml);
     m.data('needRemove', true).modal().modal('show');
   }
-  getErrorHtml(titleHtml, messageHtml) {
+  getErrorHtml(title, message) {
+    // TODO: HTML escape
     return `<div class="ui negative icon message" style="margin: 0px;">
               <i class="warning sign icon"></i>
               <div class="content">
-                <div class="header">${titleHtml}</div>
-                <div>${messageHtml}</div>
+                <div class="header">${title}</div>
+                <div>${message}</div>
               </div>
             </div>`;
   }
@@ -3234,7 +3237,8 @@ class ModalService {
     }
   }
   getLoaderHtml(loaderText) {
-    return '<div class="ui active inverted dimmer">' + '<div class="ui text loader">' + loaderText + '</div>' + '</div>';
+    return '<div class="ui active inverted dimmer">' + '<div class="ui text loader">' + loaderText + '</div>' // TODO: HTML escape
+    + '</div>';
   }
 }
 /* harmony default export */ const __WEBPACK_DEFAULT_EXPORT__ = (Object.freeze(new ModalService()));

diff --git a/public/js/atkjs-ui.js.map b/public/js/atkjs-ui.js.map
diff --git a/public/js/atkjs-ui.min.js.map b/public/js/atkjs-ui.min.js.map
-Original file line number
+Diff line change
@@ Expand Up @@
         }
         injectStyles(style) {
-            $('head').append('<style>' + style + '</style>');
+            $('head').append('<style>' + style + '</style>'); // TODO: prevent HTML injection
         }
     }
@@ Expand Down @@