front/lib/datatables/datatables.js: Fix XSS in Alert, Carousel, Collapse, Dropdown and Modal

2026-05-19 14:16:47 -04:00 · 2026-05-18 06:19:59 +08:00
parent 198ca5d410
commit 80c8a66396
1 changed files with 16 additions and 6 deletions
--- a/front/lib/datatables/datatables.js
+++ b/front/lib/datatables/datatables.js
@@ -10832,7 +10832,8 @@ if (typeof jQuery === 'undefined') {
      selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
    }

-    var $parent = $(selector === '#' ? [] : selector)
+    selector    = selector === '#' ? [] : selector
+    var $parent = $(document).find(selector)

    if (e) e.preventDefault()

@@ -11228,9 +11229,15 @@ if (typeof jQuery === 'undefined') {
  // =================

  var clickHandler = function (e) {
-    var href
    var $this   = $(this)
-    var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+    var href    = $this.attr('href')
+    if (href) {
+      href = href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+    }
+
+    var target  = $this.attr('data-target') || href
+    var $target = $(document).find(target)
+
    if (!$target.hasClass('carousel')) return
    var options = $.extend({}, $target.data(), $this.data())
    var slideIndex = $this.attr('data-slide-to')
@@ -11420,7 +11427,7 @@ if (typeof jQuery === 'undefined') {
    var target = $trigger.attr('data-target')
      || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7

-    return $(target)
+    return $(document).find(target)
  }


@@ -11502,7 +11509,7 @@ if (typeof jQuery === 'undefined') {
      selector = selector && /#[A-Za-z]/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
    }

-    var $parent = selector && $(selector)
+    var $parent = selector && $(document).find(selector)

    return $parent && $parent.length ? $parent : $this.parent()
  }
@@ -11961,7 +11968,10 @@ if (typeof jQuery === 'undefined') {
  $(document).on('click.bs.modal.data-api', '[data-toggle="modal"]', function (e) {
    var $this   = $(this)
    var href    = $this.attr('href')
-    var $target = $($this.attr('data-target') || (href && href.replace(/.*(?=#[^\s]+$)/, ''))) // strip for ie7
+    var target  = $this.attr('data-target') ||
+      (href && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+
+    var $target = $(document).find(target)
    var option  = $target.data('bs.modal') ? 'toggle' : $.extend({ remote: !/#/.test(href) && href }, $target.data(), $this.data())

    if ($this.is('a')) e.preventDefault()