mirror of git://git.proxmox.com/git/pve-http-server.git synced 2025-08-03 20:21:56 +03:00

formatter: html: fix logout button

in commit
 d0f4b94 (fix regression in api/html (bootstrap) viewer)

the $unsafe parameter of uri_escape_utf8 was corrected. This
unintentionally also escapes the 'onclick' content of the logout button,
making it invalid JavaScript code, which thus would not execute.

The commit talks about it being broken since URI::Escape v5.13, but it
was seemingly broken before that too (tested on a PVE 7.x install with
URI::Escape version 5.08) in that it did not escape anything on PVE 7.

To fix the unintentional escape here, add 'onclick' to the exemptions of
the escaped attributes. This should be safe since we don't add any user
supplied value into these.

While at it, rename 'onClick' to 'onclick' to be consistent with the
other attribute names we use.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Link: https://lore.proxmox.com/20250603130426.2575764-2-d.csapak@proxmox.com
Author: Dominik Csapak, 2025-06-03 15:04:25 +02:00
Committed by: Thomas Lamprecht
Parent: 08f6effe2b
Commit: f10efa82d0
2 changed files with 2 additions and 1 deletion


@ -113,6 +113,7 @@ sub el {
my $noescape = {
placeholder => 1,
onclick => 1,
};
foreach my $attr (keys %param) {
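Review bot: the $noescape exemption is keyed on the attribute name, so adding 'onclick' here disables escaping for the onclick value of every element rendered through el(), not only the logout button; the commit message's safety argument ("we don't add any user supplied value into these") is an invariant every caller must keep, but nothing in this hunk records or enforces it. Suggest at least a comment next to the hash stating that exempted attributes must only ever receive constant strings, e.g. `onclick => 1, # must never carry user-supplied data`, so the next person adding an exemption sees the precondition. Note also that the key is lowercase, so a caller still passing 'onClick' would not match and would keep being escaped, which is consistent with the rename in the second file.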


@ -34,7 +34,7 @@ sub render_page {
cn => {
tag => 'a',
href => $get_portal_login_url->($config),
onClick => "PVE.delete_auth_cookie();",
onclick => "PVE.delete_auth_cookie();",
text => "Logout",
}};
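Review bot: the rename to lowercase 'onclick' is needed for the new $noescape key to match, and the value "PVE.delete_auth_cookie();" is a string constant, so it satisfies the precondition the exemption relies on. One pre-existing caveat worth a comment rather than a change here: the cookie is only cleared by the inline handler, so opening the logout link without JavaScript, or via middle-click/open-in-new-tab, navigates to the portal login URL while the auth cookie stays set. That is unchanged by this patch, but a short comment on the `cn` entry would make the dependency on the handler explicit.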