Escaped the html special characters in the confirmation step of the booking wizard for preventing direct XSS malfunction
This commit is contained in:
parent
644ada0db5
commit
b94d0dc0f3
2 changed files with 41 additions and 19 deletions
|
@ -412,7 +412,8 @@ var FrontendBook = {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
$('#appointment-details').html(
|
|
||||||
|
var html =
|
||||||
'<h4>' + $('#select-service option:selected').text() + '</h4>' +
|
'<h4>' + $('#select-service option:selected').text() + '</h4>' +
|
||||||
'<p>'
|
'<p>'
|
||||||
+ '<strong class="text-primary">'
|
+ '<strong class="text-primary">'
|
||||||
|
@ -420,24 +421,35 @@ var FrontendBook = {
|
||||||
+ selectedDate + ' ' + $('.selected-hour').text()
|
+ selectedDate + ' ' + $('.selected-hour').text()
|
||||||
+ servicePrice + ' ' + serviceCurrency
|
+ servicePrice + ' ' + serviceCurrency
|
||||||
+ '</strong>' +
|
+ '</strong>' +
|
||||||
'</p>'
|
'</p>';
|
||||||
);
|
|
||||||
|
$('#appointment-details').html(html);
|
||||||
|
|
||||||
// Customer Details
|
// Customer Details
|
||||||
$('#customer-details').html(
|
|
||||||
'<h4>' + $('#first-name').val() + ' ' + $('#last-name').val() + '</h4>' +
|
var firstname = GeneralFunctions.escapeHtml($('#first-name').val()),
|
||||||
|
lastname = GeneralFunctions.escapeHtml($('#last-name').val()),
|
||||||
|
phoneNumber = GeneralFunctions.escapeHtml($('#phone-number').val()),
|
||||||
|
email = GeneralFunctions.escapeHtml($('#email').val()),
|
||||||
|
address = GeneralFunctions.escapeHtml($('#address').val()),
|
||||||
|
city = GeneralFunctions.escapeHtml($('#city').val()),
|
||||||
|
zipCode = GeneralFunctions.escapeHtml($('#zip-code').val()),
|
||||||
|
|
||||||
|
html =
|
||||||
|
'<h4>' + firstname + ' ' + lastname + '</h4>' +
|
||||||
'<p>' +
|
'<p>' +
|
||||||
EALang['phone'] + ': ' + $('#phone-number').val() +
|
EALang['phone'] + ': ' + phoneNumber +
|
||||||
'<br/>' +
|
'<br/>' +
|
||||||
EALang['email'] + ': ' + $('#email').val() +
|
EALang['email'] + ': ' + email +
|
||||||
'<br/>' +
|
'<br/>' +
|
||||||
EALang['address'] + ': ' + $('#address').val() +
|
EALang['address'] + ': ' + address +
|
||||||
'<br/>' +
|
'<br/>' +
|
||||||
EALang['city'] + ': ' + $('#city').val() +
|
EALang['city'] + ': ' + city +
|
||||||
'<br/>' +
|
'<br/>' +
|
||||||
EALang['zip_code'] + ': ' + $('#zip-code').val() +
|
EALang['zip_code'] + ': ' + zipCode +
|
||||||
'</p>'
|
'</p>';
|
||||||
);
|
|
||||||
|
$('#customer-details').html(html);
|
||||||
|
|
||||||
// Update appointment form data for submission to server when the user confirms
|
// Update appointment form data for submission to server when the user confirms
|
||||||
// the appointment.
|
// the appointment.
|
||||||
|
|
|
@ -355,5 +355,15 @@ var GeneralFunctions = {
|
||||||
GeneralFunctions.displayMessageBox(GeneralFunctions.EXCEPTIONS_TITLE,
|
GeneralFunctions.displayMessageBox(GeneralFunctions.EXCEPTIONS_TITLE,
|
||||||
GeneralFunctions.EXCEPTIONS_MESSAGE);
|
GeneralFunctions.EXCEPTIONS_MESSAGE);
|
||||||
$('#message_box').append(GeneralFunctions.exceptionsToHtml(exceptions));
|
$('#message_box').append(GeneralFunctions.exceptionsToHtml(exceptions));
|
||||||
|
},
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Escape JS HTML string values for XSS prevention.
|
||||||
|
*
|
||||||
|
* @param {string} str String to be escaped.
|
||||||
|
* @returns {string} Returns the escaped string.
|
||||||
|
*/
|
||||||
|
escapeHtml: function(str) {
|
||||||
|
return $('<div/>').text(str).html();
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue