Fixed jquery-ujs vulnerbility issue
Dev authored and Dev committed Jun 5, 2024
1 parent 83b041b commit 1cdb2a3
Showing 1 changed file with 23 additions and 16 deletions.
39 changes: 23 additions & 16 deletions src/rails.js
@@ -212,24 +212,31 @@

// Handles "data-method" on links such as:
// <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
handleMethod: function(link) {
var href = rails.href(link),
method = link.data('method'),
target = link.attr('target'),
csrfToken = rails.csrfToken(),
csrfParam = rails.csrfParam(),
form = $('<form method="post" action="' + href + '"></form>'),
metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';

if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
}
// Handles "data-method" on links such as:
// <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
handleMethod: function(link) {
var href = rails.href(link),
method = link.data('method'),
target = link.attr('target'),
csrfToken = rails.csrfToken(),
csrfParam = rails.csrfParam(),
form = $('<form method="post"></form>'),
metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';

// Ensure href is a valid URL
var parser = document.createElement('a');
parser.href = href;
href = parser.href;

if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
}

if (target) { form.attr('target', target); }
if (target) { form.attr('target', target); }

form.hide().append(metadataInput).appendTo('body').attr('action', href).submit();
},

form.hide().append(metadataInput).appendTo('body');
form.submit();
},

// Helper function that returns form elements that match the specified CSS selector
// If form is actually a "form" element this will return associated elements outside the from that have
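Review bot: `method` is still concatenated into the `_method` input markup, and `csrfParam`/`csrfToken` into the token input, so the markup-injection path closed here for `href` stays open for `data-method`, which is read from the same link element. Building the inputs with attribute setters avoids it, e.g. `form.append($('<input type="hidden" />').attr({ name: '_method', value: method }));`, and likewise for the CSRF pair. The comment `// Ensure href is a valid URL` overstates what the anchor round-trip does: it resolves and normalizes the value but accepts any scheme, so real validation needs a check such as `if (parser.protocol !== 'http:' && parser.protocol !== 'https:') { return; }`. Because the form markup no longer carries `action`, the fix depends on the submit line that calls `.attr('action', href)` being the one kept; this page prints both variants of that tail without +/- markers, so confirm it against the raw diff.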