Merge pull request '[wopi] Replace vulnerable "<%-" with "<%="; Fix bug 73470' (#324) from fix/ejs-vuln into hotfix/v8.3.2

Reviewed-on: https://git.onlyoffice.com/ONLYOFFICE/web-apps/pulls/324
Sergey Konovalov
2025-03-10 09:50:36 +00:00


@ -91,6 +91,11 @@ div {
<div id="iframeEditor">
</div>
</div>
<div id="keyData" style="display:none;" data-json="<%= key %>"></div>
<div id="fileInfoJsonData" style="display:none;" data-json="<%= JSON.stringify(fileInfo) %>"></div>
<div id="userAuthJsonData" style="display:none;" data-json="<%= JSON.stringify(userAuth) %>"></div>
<div id="queryParamsJsonData" style="display:none;" data-json="<%= JSON.stringify(queryParams) %>"></div>
<div id="docsApiConfigJsonData" style="display:none;" data-json="<%= JSON.stringify(docs_api_config) %>"></div>
<script type="text/javascript" src="../../../web-apps/apps/api/documents/api.js<%- apiQuery %>"></script>
<script type="text/javascript" language="javascript">
@ -283,14 +288,14 @@ div {
var connectEditor = function () {
fileInfo = <%- JSON.stringify(fileInfo) %>;
fileInfo = JSON.parse(document.getElementById('fileInfoJsonData').getAttribute('data-json'));
var key = "<%- key %>";
var documentType = "<%- documentType %>";
var userAuth = <%- JSON.stringify(userAuth) %>;
var token = "<%- token %>";
var queryParams = <%- JSON.stringify(queryParams) %>;
var docs_api_config = <%- JSON.stringify(docs_api_config) %>;
var key = document.getElementById('keyData').getAttribute('data-json');
var documentType = "<%= documentType %>";
var userAuth = JSON.parse(document.getElementById('userAuthJsonData').getAttribute('data-json'));
var token = "<%= token %>";
var queryParams = JSON.parse(document.getElementById('queryParamsJsonData').getAttribute('data-json'));
var docs_api_config = JSON.parse(document.getElementById('docsApiConfigJsonData').getAttribute('data-json'));
if (!fileInfo.BaseFileName) {
showError();
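Review bot: `var documentType = "<%= documentType %>";` and `var token = "<%= token %>";` still render server values directly into a JavaScript string literal, where HTML escaping is the wrong encoding: entities are not decoded inside `<script>`, so an `&` or a quote would reach the code as `&amp;` or `&#34;`, and a backslash or line break is not neutralised at all. Whether either value can contain such characters is not visible in this hunk, but the pattern already used for `key` would remove the question: render each into a hidden element such as `data-json="<%= token %>"` and read it with, for example, `var token = document.getElementById('tokenData').getAttribute('data-json');` (the id is a suggestion). In the first hunk, `api.js<%- apiQuery %>` inside the `src` attribute is also still raw output and should move to `<%=` if apiQuery can carry request-derived text. connectEditor's body continues outside the hunk.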