NoLog.cz/etherpad
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity

ace.js: use URL encoding when building an URL via string concatenation

Browse source 
Not performing encoding/decoding when traversing logical domains is a security
risk.
String concatenation is not great, too, but this change is just focused on
allowing the implementation of skin support.
This commit is contained in:
muxator 2018-08-26 02:40:36 +02:00
parent 2cc32d7fe9
commit 6c56e7ca7a
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/static/js/ace.js
View file

@ -186,7 +186,7 @@ function Ace2Editor()
} }
for (var i = 0, ii = remoteFiles.length; i < ii; i++) { for (var i = 0, ii = remoteFiles.length; i < ii; i++) {
var file = remoteFiles[i]; var file = remoteFiles[i];
buffer.push('<link rel="stylesheet" type="text/css" href="' + file + '"\/>'); buffer.push('<link rel="stylesheet" type="text/css" href="' + encodeURI(file) + '"\/>');
} }
} }