From c3bb5e1bec720abb69fff57b2efa33cf911ec5cc Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 28 Feb 2025 20:33:41 +0100 Subject: [PATCH 1/2] [ticket/security-283] Ensure text is properly handled for responsiveness SECURITY-283 --- phpBB/styles/prosilver/template/forum_fn.js | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/phpBB/styles/prosilver/template/forum_fn.js b/phpBB/styles/prosilver/template/forum_fn.js index 009a9de621..ed273c8da3 100644 --- a/phpBB/styles/prosilver/template/forum_fn.js +++ b/phpBB/styles/prosilver/template/forum_fn.js @@ -650,7 +650,7 @@ function parseDocument($container) { html = $children.html(); } - $block.append((first ? '' : '
') + html); + $block.append((first ? '' : '
') + html); first = false; }); @@ -670,7 +670,7 @@ function parseDocument($container) { // Find all headers, get contents $list.prev('.topiclist').find('li.header dd').not('.mark').each(function() { - headers.push($(this).text()); + headers.push($("
").text($(this).text()).html()); headersLength++; }); @@ -707,7 +707,7 @@ function parseDocument($container) { html = headers[i] + ': ' + html + ''; } - $block.append((first ? '' : '
') + html); + $block.append((first ? '' : '
') + html); first = false; }); @@ -773,7 +773,8 @@ function parseDocument($container) { } if ((text.length && text !== '-') || cell.children().length) { - cell.prepend('' + headers[column] + ''); + const $dfnElement = $("").css('display', 'none').text(headers[column]); + cell.prepend($dfnElement); } else { cell.addClass('empty'); } From 17480d7d073b344792c3a57a613db434f358646b Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 1 Mar 2025 09:22:23 +0100 Subject: [PATCH 2/2] [ticket/security-283] Unify behavior between adm and prosilver, clean up SECURITY-283 --- phpBB/adm/style/admin.js | 14 ++++----- phpBB/adm/style/ajax.js | 33 ++++++++++++++------- phpBB/styles/prosilver/template/forum_fn.js | 5 ++-- 3 files changed, 33 insertions(+), 19 deletions(-) diff --git a/phpBB/adm/style/admin.js b/phpBB/adm/style/admin.js index 23bd4a116b..10d2f398e0 100644 --- a/phpBB/adm/style/admin.js +++ b/phpBB/adm/style/admin.js @@ -5,7 +5,7 @@ /** * Parse document block */ -function parse_document(container) +function parse_document(container) { var test = document.createElement('div'), oldBrowser = (typeof test.style.borderRadius == 'undefined'); @@ -90,7 +90,7 @@ function parse_document(container) } }); } - + headersLength = headers.length; // Add header text to each cell as @@ -121,8 +121,8 @@ function parse_document(container) } if ((text.length && text !== '-') || cell.children().length) { - if (headers[column] != '') { - cell.prepend('' + headers[column] + ''); + if (headers[column].length) { + cell.prepend($("").css('display', 'none').text(headers[column])); } } else { @@ -143,7 +143,7 @@ function parse_document(container) */ container.find('table.responsive > tbody').each(function() { var items = $(this).children('tr'); - if (items.length == 0) + if (!items.length) { $(this).parent('table:first').addClass('responsive-hide'); } @@ -157,7 +157,7 @@ function parse_document(container) if ($this.html() == ' ') { $this.addClass('responsive-hide'); } - + }); /** 
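Review bot: The new guard `if (headers[column].length)` in the admin.js @@ -121 hunk throws a TypeError where the old `headers[column] != ''` merely produced a bogus prefix: if `column` can run past the collected headers, `headers[column]` is `undefined` and has no `length`. Whether that is reachable depends on the bounds handling outside the hunk (`headersLength` is recomputed in the @@ -90 hunk, presumably for that purpose), so please confirm; if it is reachable, `if (headers[column]) {` covers both the empty-string and the missing-header case with one test. The same guard is introduced in the forum_fn.js @@ -773 hunk of this patch and the point applies there too. parse_document continues outside the hunk.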
@@ -184,7 +184,7 @@ function parse_document(container) var width = $body.width(), height = $this.height(); - if (arguments.length == 0 && (!responsive || width <= lastWidth) && height <= maxHeight) { + if (!arguments.length && (!responsive || width <= lastWidth) && height <= maxHeight) { return; } diff --git a/phpBB/adm/style/ajax.js b/phpBB/adm/style/ajax.js index d1007d0173..6d6822df4d 100644 --- a/phpBB/adm/style/ajax.js +++ b/phpBB/adm/style/ajax.js @@ -235,14 +235,20 @@ function submitPermissions() { if ($alertBoxLink) { // Remove forum_id[] from URL $alertBoxLink.attr('href', $alertBoxLink.attr('href').replace(/(&forum_id\[\]=[0-9]+)/g, '')); - var previousPageForm = '
'; - $.each(forumIds, function (key, value) { - previousPageForm += ''; + const $previousPageForm = $('').attr({ + action: $alertBoxLink.attr('href'), + method: 'post' + }); + + $.each(forumIds, function (key, value) { + $previousPageForm.append($('').attr({ + type: 'text', + name: 'forum_id[]', + value: value + })); }); - previousPageForm += '
'; $alertBoxLink.on('click', function (e) { - var $previousPageForm = $(previousPageForm); $('body').append($previousPageForm); e.preventDefault(); $previousPageForm.submit(); @@ -257,12 +263,19 @@ function submitPermissions() { setTimeout(function () { // Create forum to submit using POST. This will prevent // exceeding the maximum length of URLs - var form = '
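Review bot: The inputs built in the `$.each(forumIds, …)` callback are created with `type: 'text'` although they exist only to carry values into the POST and are appended to `body` on click; `type: 'hidden'` states that intent and keeps them from rendering for the instant between append and submit. The same literal is used in the @@ -257 hunk below. A one-line comment on the `$previousPageForm` construction, e.g. `// Build the form via attr() so forum ids are set as values, never interpolated into markup`, would keep a later editor from reverting to string concatenation. submitPermissions continues outside the hunk.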
'; - $.each(forumIds, function (key, value) { - form += ''; + const $form = $('').attr({ + action: res.REFRESH_DATA.url.replace(/(&forum_id\[\]=[0-9]+)/g, ''), + method: 'post' }); - form += '
'; - $form = $(form); + + $.each(forumIds, function (key, value) { + $form.append($('').attr({ + type: 'text', + name: 'forum_id[]', + value: value + })); + }); + $('body').append($form); // Hide the alert even if we refresh the page, in case the user diff --git a/phpBB/styles/prosilver/template/forum_fn.js b/phpBB/styles/prosilver/template/forum_fn.js index ed273c8da3..51478d8641 100644 --- a/phpBB/styles/prosilver/template/forum_fn.js +++ b/phpBB/styles/prosilver/template/forum_fn.js @@ -773,8 +773,9 @@ function parseDocument($container) { } if ((text.length && text !== '-') || cell.children().length) { - const $dfnElement = $("").css('display', 'none').text(headers[column]); - cell.prepend($dfnElement); + if (headers[column].length) { + cell.prepend($("").css('display', 'none').text(headers[column])); + } } else { cell.addClass('empty'); }
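Review bot: `const $form = $('…').attr({…})` declares a new block-scoped binding inside the setTimeout callback, whereas the removed `$form = $(form);` assigned to an existing binding (it carried no `var`); if that outer `$form` is read after the callback, outside the hunk, it now keeps its previous value. Please confirm there is no such reader, or keep the assignment form `$form = $('…').attr({…});`. Separately, the action is derived with `.replace(/(&forum_id\[\]=[0-9]+)/g, '')`, the same regex the @@ -235 hunk applies to the link href; it only strips a `forum_id[]` that follows another parameter, so a leading `?forum_id[]=` would survive in the action and be sent alongside the posted fields — fine if the URL always carries other parameters first, but a shared helper would keep that assumption in one place. submitPermissions continues outside the hunk.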