Fix potential XSS issue from unsplash data

2026-02-01 12:09:08 +01:00 · 2023-04-19 13:12:53 +01:00
parent d90ac8eb89
commit 67b156ed5e
8 changed files with 11 additions and 6 deletions
--- a/jumpapp/.jump-version
+++ b/jumpapp/.jump-version
@@ -1 +1 @@
-v1.3.2 (1681425251)
+v1.3.2 (1681906304)
--- a/jumpapp/assets/js/index.5624957f74a0b466666a.min.js
+++ b/jumpapp/assets/js/index.5624957f74a0b466666a.min.js
--- a/jumpapp/assets/js/src/classes/Main.js
+++ b/jumpapp/assets/js/src/classes/Main.js
@@ -78,7 +78,9 @@ export default class Main {
                    return;
                }
                backgroundelm.style.backgroundImage = 'url("' + data.imagedatauri + '")';
-                document.querySelector('.unsplash').innerHTML = data.attribution;
+                let unsplashlink = document.querySelector('.unsplash a');
+                unsplashlink.textContent = data.attribution;
+                unsplashlink.href = data.link;
            });
        }

--- a/jumpapp/classes/Pages/HomePage.php
+++ b/jumpapp/classes/Pages/HomePage.php
@@ -81,6 +81,7 @@ class HomePage extends AbstractPage {
                'showclock' => $this->config->parse_bool($this->config->get('showclock')),
                'showsearch' => $this->config->parse_bool($this->config->get('showsearch', false)),
                'wwwurl' => $this->config->get_wwwurl(),
+                'unsplash' => !!$this->config->get('unsplashapikey', false),
            ]);
        });
    }
--- a/jumpapp/classes/Pages/TagPage.php
+++ b/jumpapp/classes/Pages/TagPage.php
@@ -87,6 +87,7 @@ class TagPage extends AbstractPage {
                'showclock' => $this->config->parse_bool($this->config->get('showclock')),
                'showsearch' => $this->config->parse_bool($this->config->get('showsearch', false)),
                'wwwurl' => $this->config->get_wwwurl(),
+                'unsplash' => !!$this->config->get('unsplashapikey', false),
            ]);
        });
    }
--- a/jumpapp/classes/Unsplash.php
+++ b/jumpapp/classes/Unsplash.php
@@ -44,7 +44,8 @@ class Unsplash {
        }
        $unsplashdata = new \stdClass();
        $unsplashdata->color = $photo->color;
-        $unsplashdata->attribution = '<a target="_blank" rel="noopener" href="'.$photo->links['html'].'">'.$description.'</a>';
+        $unsplashdata->attribution = htmlentities($description);
+        $unsplashdata->link = strip_tags($photo->links['html']);
        $unsplashdata->imagedatauri = 'data: '.(new \finfo(FILEINFO_MIME_TYPE))->buffer($response).';base64,'.base64_encode($response);
        return $unsplashdata;
    }
--- a/jumpapp/templates/footer.mustache
+++ b/jumpapp/templates/footer.mustache
@@ -31,7 +31,7 @@
            </ul>
        </div>
        {{/ hastags}}
-        <span class="unsplash"></span>
+        {{# unsplash}}<span class="unsplash"><a target="_blank" rel="noopener"></a></span>{{/ unsplash}}
        <div class="background fixed"></div>
        {{> partials/jsbundle}}
    </body>
--- a/jumpapp/templates/partials/jsbundle.mustache
+++ b/jumpapp/templates/partials/jsbundle.mustache
@@ -1 +1 @@
-<script defer src="{{{wwwurl}}}/assets/js/index.f2468ba60142a7aa8d24.min.js"></script>
+<script defer src="{{{wwwurl}}}/assets/js/index.5624957f74a0b466666a.min.js"></script>