From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Tue, 3 Jun 2025 15:04:25 +0200
Message-Id: <20250603130426.2575764-2-d.csapak@proxmox.com>
In-Reply-To: <20250603130426.2575764-1-d.csapak@proxmox.com>
References: <20250603130426.2575764-1-d.csapak@proxmox.com>
Subject: [pve-devel] [PATCH http-server 2/3] formatter: html: fix logout button

In commit d0f4b94 (fix regression in api/html (bootstrap) viewer) the $unsafe parameter of uri_escape_utf8 was corrected. This unintentionally also escapes the 'onclick' content of the logout button, making it invalid JavaScript code that thus would not execute.

The commit talks about it being broken since URI::Escape v5.13, but it was seemingly broken before that too (tested on a PVE 7.x install with URI::Escape version 5.08), in that it did not escape anything on PVE 7.

To fix the unintentional escape here, add 'onclick' to the exemptions of the escaped attributes. This should be safe since we don't add any user-supplied value into these.

While at it, rename 'onClick' to 'onclick' to be consistent with the other attribute names we use.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/PVE/APIServer/Formatter/Bootstrap.pm | 1 +
 src/PVE/APIServer/Formatter/HTML.pm      | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm b/src/PVE/APIServer/Formatter/Bootstrap.pm index be37441..0055d64 100644 --- a/src/PVE/APIServer/Formatter/Bootstrap.pm +++ b/src/PVE/APIServer/Formatter/Bootstrap.pm @@ -113,6 +113,7 @@ sub el { my $noescape = { placeholder => 1, + onclick => 1, }; foreach my $attr (keys %param) { diff --git a/src/PVE/APIServer/Formatter/HTML.pm b/src/PVE/APIServer/Formatter/HTML.pm index 80617ca..2ce0723 100644 --- a/src/PVE/APIServer/Formatter/HTML.pm +++ b/src/PVE/APIServer/Formatter/HTML.pm @@ -34,7 +34,7 @@ sub render_page { cn => { tag => 'a', href => $get_portal_login_url->($config), - onClick => "PVE.delete_auth_cookie();", + onclick => "PVE.delete_auth_cookie();", text => "Logout", }}; -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
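Review bot: the new `onclick => 1` entry in `$noescape` (Bootstrap.pm, `sub el`) exempts by attribute name alone, so `el` will emit any `onclick` value verbatim, including one a future caller assembles from request data; the safety argument in the commit message ("we don't add any user supplied value into these") holds for today's single call site, not for the generic helper. Suggest a comment beside the hash stating that values passed under `placeholder` or `onclick` must be static literals, or a check in the `foreach my $attr (keys %param)` loop that refuses a non-literal (for instance a tainted value under `-T`) for an exempted name, so the assumption is enforced rather than only documented.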
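Review bot: the `onClick` to `onclick` rename in HTML.pm `render_page` is load-bearing rather than cosmetic: Perl hash keys are case-sensitive, so looking up `onClick` in a `$noescape` hash keyed by `onclick` would miss and the handler would still be escaped, unless `el` lowercases attribute names before the lookup, which the hunks above do not show. Suggest the commit message say the rename is required for the fix instead of presenting it as a "while at it" cleanup, and that the word "consistent" be kept as the secondary reason.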
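As an added example (not code from this patch or from pve-http-server), the following Perl models the rule the commit message describes: attribute values are %XX-escaped with uri_escape_utf8 unless the attribute name is in an exemption hash. The helper names (render_attr, render_el), the $unsafe class, and the taint check are assumptions made for illustration; the project's real el() is not on the page, and only the two exempted names in the hunk above are taken from it.

```perl
#!/usr/bin/perl
# Added example, not code from pve-http-server: a minimal stand-in for the
# attribute rendering done by el() in Bootstrap.pm. The project's real helper
# is not on the page, so render_attr, render_el, %noescape and $unsafe below
# are assumptions made for illustration.
use strict;
use warnings;
use URI::Escape qw(uri_escape_utf8);
use Scalar::Util qw(tainted);

# Attribute names whose values are emitted verbatim. Only static, developer
# written strings may be passed under these names: nothing downstream will
# neutralise a quote or a script fragment in them.
my %noescape = (placeholder => 1, onclick => 1);

# Character class handed to uri_escape_utf8 as $unsafe: everything except the
# RFC 3986 unreserved set gets %XX-encoded. This is URI::Escape's own default;
# the value the project passes is not shown on the page (assumption).
my $unsafe = '^A-Za-z0-9\-\._~';

# Render one name="value" pair. Exempted names are checked for taint so that
# under "perl -T" a value from @ARGV, %ENV, STDIN or a file can never reach
# the page unescaped, whatever a future caller does.
sub render_attr {
    my ($name, $value) = @_;
    if ($noescape{$name}) {
        die "refusing tainted value for unescaped attribute '$name'\n"
            if tainted($value);
        return qq{$name="$value"};
    }
    return qq{$name="} . uri_escape_utf8($value, $unsafe) . qq{"};
}

# Render an element; 'text' is the element body, every other key an attribute.
sub render_el {
    my ($tag, %attrs) = @_;
    my $text = delete $attrs{text} // '';
    my $attr_str = join ' ', map { render_attr($_, $attrs{$_}) } sort keys %attrs;
    return "<$tag $attr_str>$text</$tag>";
}

# 1. The fixed logout button: 'onclick' is exempt and survives intact.
print render_el('a', class => 'btn', onclick => 'PVE.delete_auth_cookie();', text => 'Logout'), "\n";

# 2. Hash keys are case-sensitive: 'onClick' is not exempt, so the same
#    handler comes out %XX-encoded and is no longer runnable JavaScript.
print render_el('a', class => 'btn', onClick => 'PVE.delete_auth_cookie();', text => 'Logout'), "\n";

# 3. A constructed attacker-style value in a non-exempt attribute cannot
#    close its attribute or add a new one: quote, space and '=' are encoded.
print render_el('input', placeholder => 'Search', value => q{" onfocus="alert(1)}), "\n";

# 4. Run as: PVE_DEMO_ONCLICK='alert(1)' perl -T this_script.pl
#    Under -T the environment value is tainted and render_attr refuses it;
#    without -T nothing is tainted and the value would be emitted verbatim.
my $from_env = $ENV{PVE_DEMO_ONCLICK} // 'alert(1)';
my $attr = eval { render_attr('onclick', $from_env) };
print defined $attr ? "emitted (no taint checking active): $attr\n" : "blocked: $@";
```

Run it with plain perl to see cases 1 to 3; case 2 shows the case-sensitivity point behind the rename, with the handler coming out as PVE.delete_auth_cookie%28%29%3B. Run it with perl -T and the environment variable set to see the exemption refuse tainted input, which is one way to keep the "no user-supplied value" assumption enforced rather than merely stated in a commit message.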