sami7777/dashcaddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix remaining frontend security issues (3 medium, 2 low)

Browse Source 
- Escape user-input port number in app-selector innerHTML
- Replace inline onclick with addEventListener in backup history (HTML entity decode bypass)
- Add Content-Security-Policy meta tag with script hash
- Replace document.write with textContent for footer year
- Filter __proto__/constructor/prototype in Object.assign calls

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Sami
2026-03-07 02:06:55 -08:00
parent 52577b11ed
commit 9a0abc02d1
4 changed files with 20 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
status/js/backup-restore.js
View File

@@ -381,7 +381,7 @@
<span style="font-weight: 500;">${escapeHtml(bk.name || 'backup')}</span>
<div style="display: flex; align-items: center; gap: 8px;">
<span class="status-badge ${bk.status === 'success' ? 'success' : 'down'}">${escapeHtml(bk.status)}</span>
${bk.status === 'success' ? `<button onclick="window.__restoreServerBackup('${escapeHtml(bk.id)}')" style="padding: 3px 8px; font-size: 0.75rem;">Restore</button>` : ''}
${bk.status === 'success' ? `<button class="backup-restore-btn" data-backup-id="${escapeHtml(bk.id)}" style="padding: 3px 8px; font-size: 0.75rem;">Restore</button>` : ''}
</div>
</div>
<div style="font-size: 0.75rem; color: var(--muted);">
@@ -392,6 +392,10 @@
}
html += '</div>';
historyContainer.innerHTML = html;
// Wire restore buttons with addEventListener (not inline onclick — HTML entity decode bypass)
historyContainer.querySelectorAll('.backup-restore-btn').forEach(btn => {
btn.addEventListener('click', () => window.__restoreServerBackup(btn.dataset.backupId));
});
} catch (e) {
historyContainer.innerHTML = `<div class="panel-empty" style="color: var(--bad-fg);">Failed: ${escapeHtml(e.message)}</div>`;
}