mirror of
https://github.com/alextselegidis/easyappointments.git
synced 2024-11-25 17:33:19 +03:00
Escaped the html special characters in the confirmation step of the booking wizard for preventing direct XSS malfunction
This commit is contained in:
parent
644ada0db5
commit
b94d0dc0f3
2 changed files with 41 additions and 19 deletions
|
@ -412,7 +412,8 @@ var FrontendBook = {
|
|||
}
|
||||
});
|
||||
|
||||
$('#appointment-details').html(
|
||||
|
||||
var html =
|
||||
'<h4>' + $('#select-service option:selected').text() + '</h4>' +
|
||||
'<p>'
|
||||
+ '<strong class="text-primary">'
|
||||
|
@ -420,24 +421,35 @@ var FrontendBook = {
|
|||
+ selectedDate + ' ' + $('.selected-hour').text()
|
||||
+ servicePrice + ' ' + serviceCurrency
|
||||
+ '</strong>' +
|
||||
'</p>'
|
||||
);
|
||||
'</p>';
|
||||
|
||||
$('#appointment-details').html(html);
|
||||
|
||||
// Customer Details
|
||||
$('#customer-details').html(
|
||||
'<h4>' + $('#first-name').val() + ' ' + $('#last-name').val() + '</h4>' +
|
||||
|
||||
var firstname = GeneralFunctions.escapeHtml($('#first-name').val()),
|
||||
lastname = GeneralFunctions.escapeHtml($('#last-name').val()),
|
||||
phoneNumber = GeneralFunctions.escapeHtml($('#phone-number').val()),
|
||||
email = GeneralFunctions.escapeHtml($('#email').val()),
|
||||
address = GeneralFunctions.escapeHtml($('#address').val()),
|
||||
city = GeneralFunctions.escapeHtml($('#city').val()),
|
||||
zipCode = GeneralFunctions.escapeHtml($('#zip-code').val()),
|
||||
|
||||
html =
|
||||
'<h4>' + firstname + ' ' + lastname + '</h4>' +
|
||||
'<p>' +
|
||||
EALang['phone'] + ': ' + $('#phone-number').val() +
|
||||
EALang['phone'] + ': ' + phoneNumber +
|
||||
'<br/>' +
|
||||
EALang['email'] + ': ' + $('#email').val() +
|
||||
EALang['email'] + ': ' + email +
|
||||
'<br/>' +
|
||||
EALang['address'] + ': ' + $('#address').val() +
|
||||
EALang['address'] + ': ' + address +
|
||||
'<br/>' +
|
||||
EALang['city'] + ': ' + $('#city').val() +
|
||||
EALang['city'] + ': ' + city +
|
||||
'<br/>' +
|
||||
EALang['zip_code'] + ': ' + $('#zip-code').val() +
|
||||
'</p>'
|
||||
);
|
||||
EALang['zip_code'] + ': ' + zipCode +
|
||||
'</p>';
|
||||
|
||||
$('#customer-details').html(html);
|
||||
|
||||
// Update appointment form data for submission to server when the user confirms
|
||||
// the appointment.
|
||||
|
|
|
@ -355,5 +355,15 @@ var GeneralFunctions = {
|
|||
GeneralFunctions.displayMessageBox(GeneralFunctions.EXCEPTIONS_TITLE,
|
||||
GeneralFunctions.EXCEPTIONS_MESSAGE);
|
||||
$('#message_box').append(GeneralFunctions.exceptionsToHtml(exceptions));
|
||||
},
|
||||
|
||||
/**
|
||||
* Escape JS HTML string values for XSS prevention.
|
||||
*
|
||||
* @param {string} str String to be escaped.
|
||||
* @returns {string} Returns the escaped string.
|
||||
*/
|
||||
escapeHtml: function(str) {
|
||||
return $('<div/>').text(str).html();
|
||||
}
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue