Possible XSS Vulnerability by using eval() #1374

2022-06-21 10:20:51 +02:00 · 2022-06-21 10:20:51 +02:00 · ebc941b633
commit ebc941b633
parent b9388f652f
1 changed files with 2 additions and 2 deletions
--- a/assets/javascripts/redmine_dmsf.js
+++ b/assets/javascripts/redmine_dmsf.js
@ -133,7 +133,7 @@ function dmsfExpandRows(project_id, folder_id, parentRow, url) {
      if( m && (data.indexOf(' ' +  m[1] + ' ') < 0)) {

        $(parentRow).removeClass('dmsf-expanded');
-	$(parentRow).find('div.dmsf-row-control').removeClass('row-control dmsf-row-control');
+	    $(parentRow).find('div.dmsf-row-control').removeClass('row-control dmsf-row-control');

        if(!$(parentRow).hasClass('dmsf-child')) {

@ -142,7 +142,7 @@ function dmsfExpandRows(project_id, folder_id, parentRow, url) {
      }
      else {
        // Add child rows
-        eval(data);
+        return Function('"use strict";' + data)();
      }
  })
  .fail(function() {