3.0.10

Fix possible xss in folder page

Author: nilsteampassnet

includes/js/functions.js

@@ -397,22 +397,26 @@ function simplePurifier(
     bSvgFilters = false
 ) 
 {
-    return DOMPurify.sanitize(
-        sanitizeDom(text)
-            .replaceAll('&lt;', '<')
-            .replaceAll('&#x3C;', '<')
-            .replaceAll('&#60;', '<')
-            .replaceAll('&gt;', '>')
-            .replaceAll('&#x3E;', '>')
-            .replaceAll('&#62;', '>')
-            .replaceAll('&amp;', '&')
-            .replaceAll('&#38;', '&')
-            .replaceAll('&#x26;', '&')
-            .replaceAll('&quot;', '"')
-            .replaceAll('&#34;;', '"')
-            .replaceAll('&#x22;', '"')
-            .replaceAll('&#39;', "'"),
-        {USE_PROFILES: {html:bHtml, svg:bSvg, svgFilters: bSvgFilters}}
+    return sanitizeDom(
+        DOMPurify.sanitize(
+            text
+                .replaceAll('&lt;', '<')
+                .replaceAll('&#x3C;', '<')
+                .replaceAll('&#x3c;', '<')
+                .replaceAll('&#60;', '<')
+                .replaceAll('&gt;', '>')
+                .replaceAll('&#x3E;', '>')
+                .replaceAll('&#x3e;', '>')
+                .replaceAll('&#62;', '>')
+                .replaceAll('&amp;', '&')
+                .replaceAll('&#38;', '&')
+                .replaceAll('&#x26;', '&')
+                .replaceAll('&quot;', '"')
+                .replaceAll('&#34;;', '"')
+                .replaceAll('&#x22;', '"')
+                .replaceAll('&#39;', "'"),
+            {USE_PROFILES: {html:bHtml, svg:bSvg, svgFilters: bSvgFilters}}
+        )
     );
 }
 

pages/folders.js.php

@@ -117,6 +117,7 @@
                 'iconSelected': purifyRes.arrFields['iconSelected'],
             }
             console.log(data)
+            return false;
             // Launch action
             $.post(
                 'sources/folders.queries.php', {