Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor header CSS and HTML #1417

Closed
wants to merge 10 commits into from
Closed

Refactor header CSS and HTML #1417

wants to merge 10 commits into from

Conversation

HEIGE-PCloud
Copy link
Owner

@HEIGE-PCloud HEIGE-PCloud commented Dec 30, 2024
edited
Loading

  • Fix theme switch and theme select
  • Searchbox
  • Fix auto toc
  • Check categories-card, author-card, series-card, card-item, copyright, icp

@vercel Vercel
Copy link

vercel bot commented Dec 30, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated (UTC)
do-it ✅ Ready (Inspect) Visit Preview Dec 31, 2024 1:26am

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 30, 2024
View reviewed changes
layouts/partials/header.html
<button class="tw-relative" {{ printf "aria-label=%q" (T "selectLanguage") | safeHTMLAttr }}>
{{- .Language.LanguageName -}}
{{ partial "plugin/fontawesome.html" (dict "Style" "solid" "Icon" "chevron-right") }}
<select class="tw-absolute tw-top-0 tw-left-0 tw-opacity-0 tw-w-full tw-h-full" {{ printf "aria-label=%q" (T "selectLanguage") | safeHTMLAttr }} id="language-select-desktop" onchange="location = this.value;">

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that the value taken from the select element is properly sanitized before being used to set the location property. One way to achieve this is by using a whitelist of allowed URLs or by validating the URL format before redirecting.

The best way to fix this without changing existing functionality is to introduce a function that validates the URL before setting the location property. This function will check if the URL is within the allowed list of URLs or matches a specific pattern.

Suggested changeset 1
layouts/partials/header.html

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/layouts/partials/header.html b/layouts/partials/header.html
--- a/layouts/partials/header.html
+++ b/layouts/partials/header.html
@@ -46,3 +46,3 @@
             {{ partial "plugin/fontawesome.html" (dict "Style" "solid" "Icon" "chevron-right") }}
-            <select class="tw-absolute tw-top-0 tw-left-0 tw-opacity-0 tw-w-full tw-h-full" {{ printf "aria-label=%q" (T "selectLanguage") | safeHTMLAttr }} id="language-select-desktop" onchange="location = this.value;">
+            <select class="tw-absolute tw-top-0 tw-left-0 tw-opacity-0 tw-w-full tw-h-full" {{ printf "aria-label=%q" (T "selectLanguage") | safeHTMLAttr }} id="language-select-desktop" onchange="validateAndRedirect(this.value);">
                 {{- if eq .Kind "404" -}}
@@ -97,2 +97,17 @@
     </div>
+    <script>
+        function validateAndRedirect(url) {
+            const allowedUrls = [
+                // Add allowed URLs here
+                {{ range .AllTranslations -}}
+                    "{{ .RelPermalink }}",
+                {{- end }}
+            ];
+            if (allowedUrls.includes(url)) {
+                location = url;
+            } else {
+                console.error("Invalid URL:", url);
+            }
+        }
+    </script>
 </header>
EOF
@@ -46,3 +46,3 @@
{{ partial "plugin/fontawesome.html" (dict "Style" "solid" "Icon" "chevron-right") }}
<select class="tw-absolute tw-top-0 tw-left-0 tw-opacity-0 tw-w-full tw-h-full" {{ printf "aria-label=%q" (T "selectLanguage") | safeHTMLAttr }} id="language-select-desktop" onchange="location = this.value;">
<select class="tw-absolute tw-top-0 tw-left-0 tw-opacity-0 tw-w-full tw-h-full" {{ printf "aria-label=%q" (T "selectLanguage") | safeHTMLAttr }} id="language-select-desktop" onchange="validateAndRedirect(this.value);">
{{- if eq .Kind "404" -}}
@@ -97,2 +97,17 @@
</div>
<script>
function validateAndRedirect(url) {
const allowedUrls = [
// Add allowed URLs here
{{ range .AllTranslations -}}
"{{ .RelPermalink }}",
{{- end }}
];
if (allowedUrls.includes(url)) {
location = url;
} else {
console.error("Invalid URL:", url);
}
}
</script>
</header>
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
layouts/partials/header.html
{{- .Language.LanguageName -}}
{{ partial "plugin/fontawesome.html" (dict "Style" "solid" "Icon" "chevron-right") }}
<select class="language-select" title="{{ T " selectLanguage" }}" onchange="location = this.value;">
<select class="tw-absolute tw-w-full tw-h-full tw-left-0 tw-top-0 tw-opacity-0" title="{{ T " selectLanguage" }}" onchange="location = this.value;">

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that the value used in location = this.value is properly sanitized and validated to prevent XSS attacks. One way to achieve this is by using a whitelist of allowed URLs or by encoding the value before using it. In this case, we will use a whitelist approach to ensure that only predefined URLs can be used.

  • Create a whitelist of allowed URLs.
  • Check if the selected value is in the whitelist before changing the location.
  • Update the onchange event handler to include this validation.
Suggested changeset 1
layouts/partials/header.html

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/layouts/partials/header.html b/layouts/partials/header.html
--- a/layouts/partials/header.html
+++ b/layouts/partials/header.html
@@ -212,3 +212,3 @@
                 {{ partial "plugin/fontawesome.html" (dict "Style" "solid" "Icon" "chevron-right") }}
-                <select class="tw-absolute tw-w-full tw-h-full tw-left-0 tw-top-0 tw-opacity-0" title="{{ T " selectLanguage" }}" onchange="location = this.value;">
+                <select class="tw-absolute tw-w-full tw-h-full tw-left-0 tw-top-0 tw-opacity-0" title="{{ T " selectLanguage" }}" onchange="changeLanguage(this.value);">
                     {{- if eq .Kind "404" -}}
@@ -234 +234,18 @@
 </header>
+<script>
+    function changeLanguage(value) {
+        var allowedUrls = [
+            {{- range .Sites -}}
+            "{{ printf "%v/404.html" .LanguagePrefix }}",
+            {{- end -}}
+            {{- range .AllTranslations -}}
+            "{{ .RelPermalink }}",
+            {{- end -}}
+        ];
+        if (allowedUrls.includes(value)) {
+            location = value;
+        } else {
+            console.error("Invalid URL selected");
+        }
+    }
+</script>
EOF
@@ -212,3 +212,3 @@
{{ partial "plugin/fontawesome.html" (dict "Style" "solid" "Icon" "chevron-right") }}
<select class="tw-absolute tw-w-full tw-h-full tw-left-0 tw-top-0 tw-opacity-0" title="{{ T " selectLanguage" }}" onchange="location = this.value;">
<select class="tw-absolute tw-w-full tw-h-full tw-left-0 tw-top-0 tw-opacity-0" title="{{ T " selectLanguage" }}" onchange="changeLanguage(this.value);">
{{- if eq .Kind "404" -}}
@@ -234 +234,18 @@
</header>
<script>
function changeLanguage(value) {
var allowedUrls = [
{{- range .Sites -}}
"{{ printf "%v/404.html" .LanguagePrefix }}",
{{- end -}}
{{- range .AllTranslations -}}
"{{ .RelPermalink }}",
{{- end -}}
];
if (allowedUrls.includes(value)) {
location = value;
} else {
console.error("Invalid URL selected");
}
}
</script>
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@HEIGE-PCloud HEIGE-PCloud deleted the refactor/header branch January 12, 2025 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@HEIGE-PCloud