Prevent possible XSS when using jQuery (#18289)

In the case of misuse or misunderstanding from a developer whereby, if `sel` can receive user-controlled data, jQuery `$(sel)` can lead to the creation of a new element. Current usage is using hard-coded selectors in the templates, but nobody prevents that from expanding to user-controlled somehow.
2022-01-16 05:14:32 +00:00
parent 4b4884ce88
commit 661d3d28e9
10 changed files with 39 additions and 34 deletions
--- a/web_src/js/features/repo-diff.js
+++ b/web_src/js/features/repo-diff.js
@ -15,7 +15,7 @@ export function initRepoDiffFileViewToggle() {
    $this.parent().children().removeClass('active');
    $this.addClass('active');

-    const $target = $($this.data('toggle-selector'));
+    const $target = $.find($this.data('toggle-selector'));
    $target.parent().children().addClass('hide');
    $target.removeClass('hide');
  });