all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH http-server 2/3] formatter: html: fix logout button
Date: Tue,  3 Jun 2025 15:04:25 +0200	[thread overview]
Message-ID: <20250603130426.2575764-2-d.csapak@proxmox.com> (raw)
In-Reply-To: <20250603130426.2575764-1-d.csapak@proxmox.com>

in commit
 d0f4b94 (fix regression in api/html (bootstrap) viewer)

the $unsafe parameter of uri_escape_utf8 was corrected. This
unintentionally also escapes the 'onclick' content of the logout button,
making it not valid javascript code and thus would not execute.

The commit talks about it being broken since URI::Escape v5.13, but it
was seemingly broken before that too (tested on a PVE 7.x install with
URI::Escape version 5.08) in that it did not escape anything on PVE 7.

To fix the unintentional escape here, add 'onclick' to the exemptions of
the escaped attributes. This should be safe since we don't add any user
supplied value into these.

While at it, rename 'onClick' to 'onclick' to be consistent with the
other attribute names we use.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/PVE/APIServer/Formatter/Bootstrap.pm | 1 +
 src/PVE/APIServer/Formatter/HTML.pm      | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm b/src/PVE/APIServer/Formatter/Bootstrap.pm
index be37441..0055d64 100644
--- a/src/PVE/APIServer/Formatter/Bootstrap.pm
+++ b/src/PVE/APIServer/Formatter/Bootstrap.pm
@@ -113,6 +113,7 @@ sub el {
 
     my $noescape = {
 	placeholder => 1,
+	onclick => 1,
     };
 
     foreach my $attr (keys %param)  {
diff --git a/src/PVE/APIServer/Formatter/HTML.pm b/src/PVE/APIServer/Formatter/HTML.pm
index 80617ca..2ce0723 100644
--- a/src/PVE/APIServer/Formatter/HTML.pm
+++ b/src/PVE/APIServer/Formatter/HTML.pm
@@ -34,7 +34,7 @@ sub render_page {
 	cn => {
 	    tag => 'a',
 	    href => $get_portal_login_url->($config),
-	    onClick => "PVE.delete_auth_cookie();",
+	    onclick => "PVE.delete_auth_cookie();",
 	    text => "Logout",
 	}};
 
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  reply	other threads:[~2025-06-03 13:04 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-03 13:04 [pve-devel] [PATCH http-server 1/3] formatter: html: remove unused code Dominik Csapak
2025-06-03 13:04 ` Dominik Csapak [this message]
2025-06-03 13:04 ` [pve-devel] [PATCH http-server 3/3] formatter: html: update to bootstrap 5 Dominik Csapak
2025-06-04 17:33   ` Thomas Lamprecht
2025-06-05  8:07     ` Dominik Csapak
2025-06-04 17:26 ` [pve-devel] partially-applied: [PATCH http-server 1/3] formatter: html: remove unused code Thomas Lamprecht

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250603130426.2575764-2-d.csapak@proxmox.com \
    --to=d.csapak@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal