make use of utils.escapeHtml on the JS side of things, and html_entity_decode/htmlentities in PHP

Signed-off-by: Adam Warner <me@adamwarner.co.uk>
2025-12-24 12:48:29 +00:00 · 2020-06-13 18:50:36 +01:00
parent 557bd85814
commit c949516ee1
11 changed files with 67 additions and 58 deletions
--- a/scripts/pi-hole/js/groups-clients.js
+++ b/scripts/pi-hole/js/groups-clients.js
@@ -246,9 +246,9 @@ function initTable() {

 function addClient() {
  var ip = $("#select").val();
-  var comment = $("#new_comment").val();
+  var comment = utils.escapeHtml($("#new_comment").val());
  if (ip === "custom") {
-    ip = $("#ip-custom").val().trim();
+    ip = utils.escapeHtml($("#ip-custom").val().trim());
  }

  utils.disableAll();
@@ -303,9 +303,9 @@ function editClient() {
  var tr = $(this).closest("tr");
  var id = tr.attr("data-id");
  var groups = tr.find("#multiselect_" + id).val();
-  var ip = tr.find("#ip_" + id).text();
-  var name = tr.find("#name_" + id).text();
-  var comment = tr.find("#comment_" + id).val();
+  var ip = utils.escapeHtml(tr.find("#ip_" + id).text());
+  var name = utils.escapeHtml(tr.find("#name_" + id).text());
+  var comment = utils.escapeHtml(tr.find("#comment_" + id).val());

  var done = "edited";
  var notDone = "editing";
@@ -370,7 +370,7 @@ function deleteClient() {
  var tr = $(this).closest("tr");
  var id = tr.attr("data-id");
  var ip = tr.find("#ip_" + id).text();
-  var name = tr.find("#name_" + id).text();
+  var name = utils.escapeHtml(tr.find("#name_" + id).text());

  if (name.length > 0) {
    ip += " (" + name + ")";