Fix a xss and clean up some js

- Fix a stupid self-XSS. I doubt that there are ways to
  use it against other users, but well, better safe than sorry
- Replace the javascript-on-focus hacks with the `autofocus` attribute
master
jvoisin 6 years ago
parent e330eeb864
commit 2f9046d6b4
  1. 2
      airsonic-main/src/main/webapp/WEB-INF/jsp/avatarUploadResult.jsp
  2. 4
      airsonic-main/src/main/webapp/WEB-INF/jsp/login.jsp
  3. 4
      airsonic-main/src/main/webapp/WEB-INF/jsp/recover.jsp

@ -14,7 +14,7 @@
<c:choose>
<c:when test="${empty model.error}">
<p>
<fmt:message key="avataruploadresult.success"><fmt:param value="${model.avatar.name}"/></fmt:message>
<fmt:message key="avataruploadresult.success"><fmt:param value="${fn:escapeXml(model.avatar.name)}"/></fmt:message>
<sub:url value="avatar.view" var="avatarUrl">
<sub:param name="username" value="${model.username}"/>
<sub:param name="forceCustom" value="true"/>
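Review bot: The new `fn:escapeXml` call on the success message only compiles if the JSTL functions taglib is declared at the top of avatarUploadResult.jsp, which is outside this hunk; if the page currently imports only `c`, `fmt` and `sub`, confirm that `<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>` is present. The `${model.username}` passed to `sub:param` two lines below is still interpolated raw; whether that is fine depends on `sub:param` URL-encoding its value, which is not visible here. It is also worth checking that any other rendering of `model.avatar.name` or of `model.error` in the `<c:otherwise>` branch below this hunk is escaped the same way, since the fix covers only this one occurrence.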

@ -10,7 +10,7 @@
</script>
</head>
<body style="min-width:550px" class="mainframe bgcolor1" onload="document.getElementById('j_username').focus()">
<body style="min-width:550px" class="mainframe bgcolor1">
<form action="<c:url value="/login"/>" method="POST">
<sec:csrfInput />
@ -21,7 +21,7 @@
<div class="loginmessagetop"><sub:wiki text="${model.loginMessage}"/></div>
<input type="text" id="j_username" name="j_username" tabindex="1" placeholder="<fmt:message key="login.username"/>">
<input type="text" autofocus id="j_username" name="j_username" tabindex="1" placeholder="<fmt:message key="login.username"/>">
<input type="password" name="j_password" tabindex="2" placeholder="<fmt:message key="login.password"/>">
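Review bot: The rewritten username input keeps `tabindex="1"` and the password field below keeps `tabindex="2"`; positive tabindex values pull these controls ahead of every other focusable element on the page and are a known accessibility anti-pattern, and now that `autofocus` places initial focus on the username field the natural DOM order already yields the intended sequence, so both can be dropped unless something earlier in the form (not visible here) must be skipped. While the line is being touched, `autocomplete="username"` on this input and `autocomplete="current-password"` on the password field let browsers and password managers fill the login form correctly, e.g. `<input type="text" autofocus autocomplete="username" id="j_username" name="j_username" placeholder="<fmt:message key="login.username"/>">`. The `placeholder` remains the only label for both fields; a visually-hidden `<label for="j_username">` would be the proper fix but is outside this change. Attribute placement also differs from the recover.jsp hunk, where `autofocus` follows `id`; either order works, but keep one.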

@ -5,7 +5,7 @@
<head>
<%@ include file="head.jsp" %>
</head>
<body class="mainframe bgcolor1" onload="document.getElementById('usernameOrEmail').focus()">
<body class="mainframe bgcolor1">
<form action="recover.view" method="POST">
<sec:csrfInput />
@ -17,7 +17,7 @@
<p style="padding-top: 1em; padding-bottom: 0.5em"><fmt:message key="recover.text"/></p>
<c:if test="${empty model.sentTo}">
<input type="text" id="usernameOrEmail" name="usernameOrEmail" style="width:18em;margin-right: 1em">
<input type="text" id="usernameOrEmail" autofocus name="usernameOrEmail" style="width:18em;margin-right: 1em">
<input name="submit" type="submit" value="<fmt:message key="recover.send"/>">
</c:if>
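Review bot: The `usernameOrEmail` input now receives focus on load but has no `<label>`, no `placeholder` and no `aria-label`, so a screen-reader user landing on it hears only an unnamed text field; the `recover.text` paragraph just above is the de facto label, so give it an id and reference it, e.g. `<p id="recover-text" style="padding-top: 1em; padding-bottom: 0.5em"><fmt:message key="recover.text"/></p>` and `<input type="text" id="usernameOrEmail" autofocus name="usernameOrEmail" aria-labelledby="recover-text" style="width:18em;margin-right: 1em">`, or add a real `<label for="usernameOrEmail">`. Since the field accepts the account name, `autocomplete="username"` would also help browsers fill it. Minor style point: the login.jsp hunk puts `autofocus` before `id` while this one puts it after; harmless, but pick one order across the two files.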
