From 30cb0258b31b773e3ca8ba7242f7549b426190bf Mon Sep 17 00:00:00 2001
From: tgifford-webfirst
Date: Thu, 20 Jun 2019 12:12:07 -0400
Subject: [PATCH 1/2] Create SECURITY.md
---
 SECURITY.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..f467ffc
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates will be released for the two most recent major versions.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 1.x | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities via twitter private message to [John Polacek](https://twitter.com/johnpolacek)
From 72cb7a5eebe9d7c5813313fc6358288819d0cfd6 Mon Sep 17 00:00:00 2001
From: Ted Gifford
Date: Fri, 21 Jun 2019 12:51:39 -0400
Subject: [PATCH 2/2] Fix XSS in stacktable.js
---
 .gitignore | 2 ++
 README.md | 0
 css/style.css | 0
 index.html | 0
 package.json | 2 +-
 stacktable.css | 0
 stacktable.js | 74 ++++++++++++++++++++++++++++----------------------
 7 files changed, 44 insertions(+), 34 deletions(-)
 create mode 100644 .gitignore
 mode change 100755 => 100644 README.md
 mode change 100755 => 100644 css/style.css
 mode change 100755 => 100644 index.html
 mode change 100755 => 100644 stacktable.css
 mode change 100755 => 100644 stacktable.js
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d5f19d8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+node_modules
+package-lock.json
diff --git a/README.md b/README.md
old mode 100755
new mode 100644
diff --git a/css/style.css b/css/style.css
old mode 100755
new mode 100644
diff --git a/index.html b/index.html
old mode 100755
new mode 100644
diff --git a/package.json b/package.json
index 5492c91..1aa6dff 100644
--- a/package.json
+++ b/package.json
@@ -29,4 +29,4 @@
 "files": [
 "stacktable.js"
 ]
-}
\ No newline at end of file
+}
diff --git a/stacktable.css b/stacktable.css old mode 100755 new mode 100644 diff --git a/stacktable.js b/stacktable.js old mode 100755 new mode 100644 index 82b2524..2037bcc --- a/stacktable.js +++ b/stacktable.js @@ -50,33 +50,38 @@ headMarkup = ''; bodyMarkup = ''; tr_class = $(this).prop('class'); - // for the first row, "headIndex" cell is the head of the table - // for the other rows, put the "headIndex" cell as the head for that row + var $new_table = $('
').addClass(table_css); + + // for the first row, "cellIndex" cell is the head of the table + // for the other rows, put the "cellIndex" cell as the head for that row // then iterate through the key/values - $(this).find('>td,>th').each(function(cellIndex) { - if ($(this).html() !== ''){ - bodyMarkup += ''; - if ($topRow.find('>td,>th').eq(cellIndex).html()){ - bodyMarkup += ''+$topRow.find('>td,>th').eq(cellIndex).html()+''; - } else { - bodyMarkup += ''; - } - bodyMarkup += ''+$(this).html()+''; - bodyMarkup += ''; + + $(this).find('>td,>th').each(function(cellIndex, cellElement) { + if ($(cellElement).html() !== '') { + $new_table.find('tbody').append( + $('').addClass(tr_class).append( + $('').append( + $topRow.find('>td,>th').eq(cellIndex).contents().clone() + ), + $('').addClass($(cellElement).prop('class')).append($(cellElement).contents().clone()) + ) + ) } }); - markup += '' + headMarkup + bodyMarkup + '
'; + $stacktable.append($new_table); + }); - $table.find('>tfoot>tr>td').each(function(rowIndex,value) { - if ($.trim($(value).text()) !== '') { - markup += '
' + $(value).html() + '
'; + $table.find('>tfoot>tr>td').each(function(cellIndex,cellElement) { + if ($.trim($(cellElement).text()) !== '') { + $stacktable.append( + $('
') + .addClass(table_css).find('td').append( $(cellElement).contents().clone() )).end(); } }); $stacktable.prepend($caption); - $stacktable.append($(markup)); $table.before($stacktable); }); }; @@ -95,7 +100,7 @@ return $tables.each(function() { var table_css = $(this).prop('class'); - var $stacktable = $('
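Review bot: In the tfoot branch at the end of this hunk, `.end()` is chained onto `$stacktable.append(...)` instead of onto the `.find('td').append(...)` inside it, so the value handed to `$stacktable.append` is the bare `td` returned by `find`, not the wrapper element carrying `table_css`; the string-built version it replaces wrapped each footer cell in its own table, and the fourth hunk places `.end()` correctly for the same `.find('th').append(...).end()` pattern. Move the closing parenthesis so the line reads `.addClass(table_css).find('td').append($(cellElement).contents().clone()).end()` followed by `);` to close the outer `append`. The element literal passed to `$()` at the top of that statement is not legible in this rendering, so I cannot confirm it contains the `td` that `find('td')` expects; the same applies to the `$new_table` literal whose `tbody` is targeted earlier in the hunk. The enclosing `.each` callback and the function around it begin before this hunk.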
'); + var $stacktable = $('
').addClass(table_css); if (typeof settings.myClass !== 'undefined') $stacktable.addClass(settings.myClass); var markup = ''; var $table, $caption, $topRow, headMarkup, bodyMarkup, tr_class, displayHeader; @@ -108,7 +113,7 @@ displayHeader = $table.data('display-header') === undefined ? settings.displayHeader : $table.data('display-header'); // using rowIndex and cellIndex in order to reduce ambiguity - $table.find('>tbody>tr, >thead>tr').each(function(rowIndex) { + $table.find('>tbody>tr, >thead>tr').each(function(rowIndex, rowElement) { // declaring headMarkup and bodyMarkup, to be used for separately head and body of single records headMarkup = ''; 
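Review bot: `var markup = '';` on the context line after the changed one, together with `headMarkup` and `bodyMarkup` in the declaration that follows, are left dead in this function: the fourth hunk removes the only `markup +=` and `headMarkup =` assignments and the `$stacktable.append($(markup))` call, leaving just the `headMarkup = '';` reset visible in the third hunk. Dropping the three names and that reset would make it evident that no HTML is string-built in this path any more, which is the property the XSS fix relies on. The element literal in `var $stacktable = $('…').addClass(table_css);` is not legible here; the fourth hunk's `$stacktable.find('tbody').append(...)` silently appends nothing if that literal lacks an explicit `<tbody>`, since the parser does not insert one for an empty table string, so please confirm it is present. This hunk lies inside a function whose body continues outside it.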
@@ -119,34 +124,37 @@ if (rowIndex === 0) { // the main heading goes into the markup variable if (displayHeader) { - markup += ''+$(this).find('>th,>td').eq(headIndex).html()+''; + $stacktable.find('tbody').append( + $('').append( + $('') + .append($(rowElement).find('>th,>td').eq(headIndex).contents().clone()) + ) + ); } } else { // for the other rows, put the "headIndex" cell as the head for that row // then iterate through the key/values - $(this).find('>td,>th').each(function(cellIndex) { + $(rowElement).find('>td,>th').each(function(cellIndex, cellElement) { if (cellIndex === headIndex) { - headMarkup = ''+$(this).html()+''; + $stacktable.find('tbody').append( + $('').addClass(tr_class) + .find('th').append($(cellElement).contents().clone()).end() + ); } else { - if ($(this).html() !== ''){ - bodyMarkup += ''; - if ($topRow.find('>td,>th').eq(cellIndex).html()){ - bodyMarkup += ''+$topRow.find('>td,>th').eq(cellIndex).html()+''; - } else { - bodyMarkup += ''; - } - bodyMarkup += ''+$(this).html()+''; - bodyMarkup += ''; + if ($(cellElement).html() !== '') { + $stacktable.find('tbody').append( + $('').addClass(tr_class) + .append( $('').append($topRow.find('>td,>th').eq(cellIndex).contents().clone()) ) + .append( $('').addClass( $(cellElement).prop('class') ).append($(cellElement).contents().clone()) ) + ); } } }); - markup += headMarkup + bodyMarkup; } }); $stacktable.prepend($caption); - $stacktable.append($(markup)); $table.before($stacktable); }); };
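Review bot: The `$(cellElement).html() !== ''` guard in the inner else branch still serializes each cell to HTML only to test for emptiness, while the line after it deliberately avoids serialization by appending `.contents().clone()`; `if ($(cellElement).contents().length !== 0) {` expresses the same check (empty innerHTML means no child nodes) without round-tripping markup. One caveat worth recording on the clone calls here and in the first hunk: `.clone()` without arguments copies inline `on*` attributes, and depending on the jQuery version `append` may evaluate a cloned inline `<script>` element again, so cell content that already holds a script could run a second time — not a new injection, since those nodes already live in the page, but it changes behaviour relative to the old markup path. A comment such as `// clone existing DOM nodes instead of re-parsing .html(); existing scripts and inline handlers are copied as-is` would make the trade-off explicit. The `.each` callbacks start inside this hunk, but the function they belong to begins before it.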