In commit d0f4b94 (fix regression in api/html (bootstrap) viewer) the $unsafe parameter of uri_escape_utf8 was corrected. This unintentionally also escapes the 'onclick' content of the logout button, making it invalid JavaScript code that would thus not execute.
The commit talks about it being broken since URI::Escape v5.13, but it was seemingly broken before that too (tested on a PVE 7.x install with URI::Escape version 5.08) in that it did not escape anything on PVE 7. To fix the unintentional escape here, add 'onclick' to the exemptions of the escaped attributes. This should be safe since we don't add any user supplied value into these. While at it, rename 'onClick' to 'onclick' to be consistent with the other attribute names we use. Signed-off-by: Dominik Csapak <d.csa...@proxmox.com> --- src/PVE/APIServer/Formatter/Bootstrap.pm | 1 + src/PVE/APIServer/Formatter/HTML.pm | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/PVE/APIServer/Formatter/Bootstrap.pm b/src/PVE/APIServer/Formatter/Bootstrap.pm index be37441..0055d64 100644 --- a/src/PVE/APIServer/Formatter/Bootstrap.pm +++ b/src/PVE/APIServer/Formatter/Bootstrap.pm @@ -113,6 +113,7 @@ sub el { my $noescape = { placeholder => 1, + onclick => 1, }; foreach my $attr (keys %param) { diff --git a/src/PVE/APIServer/Formatter/HTML.pm b/src/PVE/APIServer/Formatter/HTML.pm index 80617ca..2ce0723 100644 --- a/src/PVE/APIServer/Formatter/HTML.pm +++ b/src/PVE/APIServer/Formatter/HTML.pm @@ -34,7 +34,7 @@ sub render_page { cn => { tag => 'a', href => $get_portal_login_url->($config), - onClick => "PVE.delete_auth_cookie();", + onclick => "PVE.delete_auth_cookie();", text => "Logout", }}; -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
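Review bot: In the Bootstrap.pm hunk, adding `onclick => 1` to `$noescape` inside the generic `el` helper exempts the attribute for every caller, not just the logout link, so the "no user supplied value" guarantee in the commit message is an invariant every current and future call site must uphold rather than something the helper enforces. Please add a short comment next to `placeholder => 1, onclick => 1,` stating that `onclick` values must be static, developer-controlled strings, or alternatively apply a JavaScript-appropriate encoding for that attribute instead of a blanket exemption. Also note that the lookup is by exact attribute name, so a caller still passing `onClick` would silently get the escaped (broken) handler; that is worth stating in the commit message.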
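Review bot: In the HTML.pm hunk, the `onClick` to `onclick` rename is functionally required rather than cosmetic, because the `$noescape` hash in `el` is keyed by the exact attribute name and `onClick` would not match the new exemption; the commit message presents it as a consistency tweak ("while at it"), so please reword it to say the rename is part of the fix. It would also be worth confirming that no other `onClick` (or other camel-cased event attribute) usages remain in the tree, since any such caller would keep emitting an escaped, non-executing handler.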