Merge pull request #7197 from G-Chubinidze/gc_SCI_10237

HTML report from exported project security issue [SCI-10237]
This commit is contained in:
Martin Artnik 2024-03-12 11:01:22 +01:00 committed by GitHub
commit 1209bb8615
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 12 additions and 8 deletions


@ -349,15 +349,15 @@ class MyModule < ApplicationRecord
rows.find_each do |row|
row_json = []
row_json << row.code
row_json << (row.archived ? "#{row.name} [#{I18n.t('general.archived')}]" : row.name)
row_json << (row.archived ? "#{escape_script_tag(row.name)} [#{I18n.t('general.archived')}]" : escape_script_tag(row.name))
row_json << I18n.l(row.created_at, format: :full)
row_json << row.created_by.full_name
row_json << escape_script_tag(row.created_by.full_name)
if repository.has_stock_management?
if repository.is_a?(RepositorySnapshot)
consumed_stock = row.repository_stock_consumption_cell&.value&.formatted
consumed_stock = escape_script_tag(row.repository_stock_consumption_cell&.value&.formatted)
row_json << (consumed_stock || 0)
else
row_json << row.row_consumption(row.stock_consumption)
row_json << escape_script_tag(row.row_consumption(row.stock_consumption))
end
end
data << row_json
@ -484,6 +484,10 @@ class MyModule < ApplicationRecord
protocols << Protocol.new_blank_for_module(self)
end
def escape_script_tag(value)
value&.gsub(/\</, '&lt;')&.gsub(/\>/, '&gt;')
end
def coordinates_uniqueness_check
if experiment && experiment.my_modules.active.where(x: x, y: y).where.not(id: id).any?
errors.add(:position, I18n.t('activerecord.errors.models.my_module.attributes.position.not_unique'))
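Review bot: escape_script_tag rewrites only `<` and `>`, so `&`, `"` and `'` in a row name, full name or consumption value still reach the report unescaped, which is adequate for an innerHTML text-node sink but not for an attribute or any other context, and the `&.` guards only nil, so if row_consumption ever returns a non-String the gsub raises NoMethodError. CGI.escapeHTML covers all five characters and tolerates non-strings via to_s, while keeping the nil guard preserves the `consumed_stock || 0` fallback in the first hunk: `value && CGI.escapeHTML(value.to_s)`. The name suggests script tags are stripped rather than angle brackets escaped; a comment such as `# HTML-escapes a report cell value; returns nil for nil so callers can supply a default` would make the contract clear. Whether the consumer of these rows decodes them in an HTML text context is not visible here, so escaping alone being sufficient is an inference. The MyModule class continues outside both hunks.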


@ -26,8 +26,8 @@
</div>
</div>
<div class="report-element-body">
<input type="hidden" class="hot-table-contents" value="<%= table.contents_utf_8 %>" />
<input type="hidden" class="hot-table-metadata" value="<%= table.metadata.to_json %>" />
<input type="hidden" class="hot-table-contents" value="<%= table.contents_utf_8.gsub(/\</, '&lt;').gsub(/\>/, '&gt;') %>" />
<input type="hidden" class="hot-table-metadata" value="<%= table.metadata.to_json.gsub(/\</, '&lt;').gsub(/\>/, '&gt;') %>" />
<div class="hot-table-container"></div>
<table class="report-common-table-format"></table>
</div>
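Review bot: The gsub chain on the two hidden inputs is a further copy of the `<`/`>` replacement that the model now wraps in escape_script_tag, and like it leaves `&`, `"` and `'` untouched, so any downstream use of `.hot-table-contents` or `.hot-table-metadata` in an attribute or non-text HTML context is still not covered; the identical hunk in the third file section has the same gap. `CGI.escapeHTML` returns a plain String, so it passes through `<%= %>` exactly as the gsub result does while covering all five characters: `value="<%= CGI.escapeHTML(table.contents_utf_8) %>"` and `value="<%= CGI.escapeHTML(table.metadata.to_json) %>"`. Whether this template is rendered with Rails output escaping (in which case the value is escaped a second time and the script reading the input presumably decodes one level) cannot be seen from the hunk, so a one-line comment stating the intended encoding, e.g. `<%# pre-escaped: the hot-table script inserts this value as HTML %>`, would stop the next reader from removing it as redundant. Extracting the chain into a shared view helper would keep the three call sites in step.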


@ -23,8 +23,8 @@
</div>
</div>
<div class="report-element-body">
<input type="hidden" class="hot-table-contents" value="<%= table.contents_utf_8 %>" />
<input type="hidden" class="hot-table-metadata" value="<%= table.metadata.to_json %>" />
<input type="hidden" class="hot-table-contents" value="<%= table.contents_utf_8.gsub(/\</, '&lt;').gsub(/\>/, '&gt;') %>" />
<input type="hidden" class="hot-table-metadata" value="<%= table.metadata.to_json.gsub(/\</, '&lt;').gsub(/\>/, '&gt;') %>" />
<div class="hot-table-container"></div>
<table class="report-common-table-format"></table>
</div>