For bug 77918 (fix feedback & support menu item) + Fix XSS-injection in plugin name

2026-02-10 18:05:32 +08:00 · 2025-10-28 16:09:30 +03:00
parent 304d708edb
commit bf84857cf1
5 changed files with 15 additions and 9 deletions
--- a/apps/common/main/lib/component/SideMenu.js
+++ b/apps/common/main/lib/component/SideMenu.js
@ -121,12 +121,12 @@ define([
                        if (index >= last) {
                            if (btn.options.iconImg) {
                                arrMore.push({
-                                    caption: Common.Utils.String.htmlEncode(btn.hint),
+                                    caption: btn.hint,
                                    iconImg: btn.options.iconImg,
                                    template: _.template([
                                        '<a id="<%= id %>" class="menu-item" tabindex="-1" type="menuitem">',
                                        '<img class="menu-item-icon" src="<%= options.iconImg %>">',
-                                        '<%= caption %>',
+                                        '<%- caption %>',
                                        '</a>'
                                    ].join('')),
                                    value: index,
@ -136,7 +136,7 @@ define([
                                })
                            } else if (btn.options.iconsSet) {
                                arrMore.push(new Common.UI.MenuItemCustom({
-                                    caption: Common.Utils.String.htmlEncode(btn.hint),
+                                    caption: btn.hint,
                                    iconsSet: btn.options.iconsSet,
                                    baseUrl: btn.options.baseUrl,
                                    value: index,
@ -147,7 +147,7 @@ define([
                                }));
                            } else {
                                arrMore.push({
-                                    caption: Common.Utils.String.htmlEncode(btn.hint),
+                                    caption: btn.hint,
                                    iconCls: 'menu__icon ' + btn.iconCls,
                                    value: index,
                                    disabled: btn.isDisabled(),
--- a/apps/common/main/lib/controller/Plugins.js
+++ b/apps/common/main/lib/controller/Plugins.js
@ -327,7 +327,7 @@ define([
                    template: _.template([
                        '<div id="<%= id %>" class="menu-item" <% if(!_.isUndefined(options.stopPropagation)) { %> data-stopPropagation="true" <% } %> >',
                            '<img class="menu-item-icon" src="<%= options.iconImg %>">',
-                            '<div class="plugin-caption"><%= caption %></div>',
+                            '<div class="plugin-caption"><%- caption %></div>',
                            '<div class="plugin-tools">',
                                '<div class="plugin-toggle"></div>',
                                '<div class="plugin-settings"></div>',
@ -1189,7 +1189,7 @@ define([
            me.customPluginsDlg[frameId] = new Common.Views.PluginDlg({
                cls: (isCustomWindow ? 'plain' : '') + (variation.transparent ? ' ' + 'no-background' : ''),
                header: !isCustomWindow,
-                title: description,
+                title: Common.Utils.String.htmlEncode(description),
                width: size[0], // inner width
                height: size[1], // inner height
                url: variation.url,
--- a/apps/common/main/lib/view/PluginPanel.js
+++ b/apps/common/main/lib/view/PluginPanel.js
@ -82,17 +82,22 @@ define([], function () {
                hint: this.textClosePanel
            });

-            if (this.sideMenuButton)
+            var xpadding = 1;
+            if (this.sideMenuButton) {
                this.pluginHide = new Common.UI.Button({
                    parentEl: this.$el.find('.plugin-hide'),
                    cls: 'btn-toolbar',
                    iconCls: 'toolbar__icon btn-panel-left-collapse',
                    hint: this.textHidePanel
                });
+                xpadding++;
+            }

            if(this.isCanDocked) {
                this.showDockedButton();
+                xpadding++;
            }
+            this.pluginName.css(Common.UI.isRTL() ? 'padding-left' : 'padding-right', (parseInt(Common.UI.Themes.getThemeProps('small-btn-size')) * xpadding + 5) + 'px');

            this.trigger('render:after', this);
            return this;
--- a/apps/common/main/resources/less/plugins.less
+++ b/apps/common/main/resources/less/plugins.less
@ -92,7 +92,8 @@
        label {
            width: 100%;
            margin-top: 2px;
-            .padding-right-20();
+            .padding-right(@x-small-btn-size-ie);
+            .padding-right(@x-small-btn-size);
            .font-size-medium();
            .font-weight-bold();
            overflow: hidden;
--- a/apps/documenteditor/forms/app/controller/Plugins.js
+++ b/apps/documenteditor/forms/app/controller/Plugins.js
@ -165,7 +165,7 @@ define([
                me.pluginDlg = new Common.Views.PluginDlg({
                    cls: isCustomWindow ? 'plain' : '',
                    header: !isCustomWindow,
-                    title: plugin.get_Name(lang),
+                    title: Common.Utils.String.htmlEncode(plugin.get_Name(lang)),
                    width: size[0], // inner width
                    height: size[1], // inner height
                    url: url,