rixty/SillyTavern
1
0
Fork 0
mirror of https://github.com/SillyTavern/SillyTavern.git synced 2025-06-05 21:59:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix security from upstream + console error messages

Browse Source
This commit is contained in:
SillyLossy
2023-03-19 20:23:18 +02:00
parent 379207a3d8
commit 006ffec1f9
8 changed files with 34 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
public/index.html
View File

@ -21,6 +21,7 @@
<script src="scripts/jquery-cookie-1.4.1.min.js"></script> <script src="scripts/jquery-cookie-1.4.1.min.js"></script>
<script src="scripts/showdown.min.js"></script> <script src="scripts/showdown.min.js"></script>
<script src="scripts/popper.js"></script> <script src="scripts/popper.js"></script>
<script src="scripts/purify.min.js"></script>
<script type="module" src="scripts/RossAscends-mods.js"></script> <script type="module" src="scripts/RossAscends-mods.js"></script>
<script type="module" src="scripts/swiped-events.js"></script> <script type="module" src="scripts/swiped-events.js"></script>
<link rel="stylesheet" type="text/css" href="style.css"> <link rel="stylesheet" type="text/css" href="style.css">
@ -955,7 +956,7 @@
<div id="message_template"> <div id="message_template">
<div class="mes" mesid="${count_view_mes}" ch_name="${characterName}" is_user="${mes.is_user}"> <div class="mes" mesid="${count_view_mes}" ch_name="${characterName}" is_user="${mes.is_user}">
<div class="for_checkbox"></div><input type="checkbox" class="del_checkbox"> <div class="for_checkbox"></div><input type="checkbox" class="del_checkbox">
<div class="avatar"><img src="${avatarImg}"></div> <div class="avatar"><img src=""></div>
<div class="swipe_left"><img src="img/swipe_left.png"></div> <div class="swipe_left"><img src="img/swipe_left.png"></div>
<div class="mes_block"> <div class="mes_block">
<div class="ch_name"> <div class="ch_name">

1
public/script.js
View File

@ -562,6 +562,7 @@ async function getCharacters() {
for (var i = 0; i < load_ch_count.length; i++) { for (var i = 0; i < load_ch_count.length; i++) {
characters[i] = []; characters[i] = [];
characters[i] = getData[i]; characters[i] = getData[i];
characters[i]['name'] = DOMPurify.sanitize(characters[i]['name']);
//console.log('/getcharacters -- loaded character #'+(i+1)+' ('+characters[i].name+')'); //console.log('/getcharacters -- loaded character #'+(i+1)+' ('+characters[i].name+')');
} }
//RossAscends: updated character sorting to be alphabetical //RossAscends: updated character sorting to be alphabetical

6
public/scripts/extensions.js
View File

@ -201,13 +201,13 @@ function addExtensionScript(name, manifest) {
function showExtensionsDetails() { function showExtensionsDetails() {
let html = '<h3>Modules provided by your Extensions API:</h3>'; let html = '<h3>Modules provided by your Extensions API:</h3>';
html += modules.length ? modules.join(', ') : '<p class="failure">Not connected to the API!</p>'; html += modules.length ? DOMPurify.sanitize(modules.join(', ')) : '<p class="failure">Not connected to the API!</p>';
html += '<h3>Available extensions:</h3>'; html += '<h3>Available extensions:</h3>';
Object.entries(manifests).sort((a, b) => a[1].loading_order - b[1].loading_order).forEach(extension => { Object.entries(manifests).sort((a, b) => a[1].loading_order - b[1].loading_order).forEach(extension => {
const name = extension[0]; const name = extension[0];
const manifest = extension[1]; const manifest = extension[1];
html += `<h4>${manifest.display_name}</h4>`; html += `<h4>${DOMPurify.sanitize(manifest.display_name)}</h4>`;
if (activeExtensions.has(name)) { if (activeExtensions.has(name)) {
html += `<p class="success">Extension is active. <a href="javascript:void" data-name="${name}" class="disable_extension">Disable</a></p>`; html += `<p class="success">Extension is active. <a href="javascript:void" data-name="${name}" class="disable_extension">Disable</a></p>`;
} }
@ -217,7 +217,7 @@ function showExtensionsDetails() {
else { else {
const requirements = new Set(manifest.requires); const requirements = new Set(manifest.requires);
modules.forEach(x => requirements.delete(x)); modules.forEach(x => requirements.delete(x));
const requirementsString = [...requirements].join(', '); const requirementsString = DOMPurify.sanitize([...requirements].join(', '));
html += `<p>Missing modules: <span class="failure">${requirementsString}</span></p>` html += `<p>Missing modules: <span class="failure">${requirementsString}</span></p>`
} }
}); });

5
public/scripts/extensions/floating-prompt/index.js
View File

@ -38,6 +38,11 @@ function saveSettings() {
async function moduleWorker() { async function moduleWorker() {
const context = getContext(); const context = getContext();
if (!context.groupId && !context.characterId) {
return;
}
loadSettings(); loadSettings();
// take the count of messages // take the count of messages

7
public/scripts/group-chats.js
View File

@ -178,7 +178,7 @@ function printGroups() {
for (let group of groups) { for (let group of groups) {
const template = $("#group_list_template .group_select").clone(); const template = $("#group_list_template .group_select").clone();
template.data("id", group.id); template.data("id", group.id);
template.find(".ch_name").html(group.name); template.find(".ch_name").text(group.name);
$("#rm_print_characters_block").prepend(template); $("#rm_print_characters_block").prepend(template);
updateGroupAvatar(group); updateGroupAvatar(group);
} }
@ -437,6 +437,9 @@ async function deleteGroup(id) {
$("#rm_info_block").transition({ opacity: 0, duration: 0 }); $("#rm_info_block").transition({ opacity: 0, duration: 0 });
select_rm_info("Group deleted!"); select_rm_info("Group deleted!");
$("#rm_info_block").transition({ opacity: 1.0, duration: 2000 }); $("#rm_info_block").transition({ opacity: 1.0, duration: 2000 });
$("#rm_button_selected_ch").children("h2").text('');
setRightTabSelectedClass();
} }
} }
@ -535,7 +538,7 @@ function select_group_chats(chat_id) {
const template = $("#group_member_template .group_member").clone(); const template = $("#group_member_template .group_member").clone();
template.data("id", character.name); template.data("id", character.name);
template.find(".avatar img").attr("src", avatar); template.find(".avatar img").attr("src", avatar);
template.find(".ch_name").html(character.name); template.find(".ch_name").text(character.name);
template.click(memberClickHandler); template.click(memberClickHandler);
if ( if (

3
public/scripts/purify.min.js vendored Normal file
View File

File diff suppressed because one or more lines are too long

4
public/style.css
View File

@ -125,7 +125,7 @@ code {
} }
#bg1 { #bg1 {
background: url(backgrounds/tavern.png); background: url(backgrounds/tavern.jpg);
background-repeat: no-repeat; background-repeat: no-repeat;
background-attachment: fixed; background-attachment: fixed;
background-size: cover; background-size: cover;
@ -137,7 +137,7 @@ code {
} }
#bg2 { #bg2 {
background: url(backgrounds/tavern.png); background: url(backgrounds/tavern.jpg);
background-repeat: no-repeat; background-repeat: no-repeat;
background-attachment: fixed; background-attachment: fixed;
filter: blur(2px); filter: blur(2px);

25
server.js
View File

@ -612,24 +612,25 @@ app.post("/editcharacter", urlencodedParser, async function (request, response)
} }
}); });
app.post("/deletecharacter", urlencodedParser, function (request, response) { app.post("/deletecharacter", urlencodedParser, function (request, response) {
if (!request.body) return response.sendStatus(400); if (!request.body || !request.body.avatar_url) {
rimraf(charactersPath + request.body.avatar_url, (err) => { return response.sendStatus(400);
}
const avatarPath = charactersPath + request.body.avatar_url;
if (!fs.existsSync(avatarPath)) {
return response.sendStatus(400);
}
fs.rmSync(avatarPath);
let dir_name = request.body.avatar_url;
rimraf(chatsPath + dir_name.replace('.png', ''), (err) => {
if (err) { if (err) {
response.send(err); response.send(err);
return console.log(err); return console.log(err);
} else { } else {
//response.redirect("/"); //response.redirect("/");
let dir_name = request.body.avatar_url;
rimraf(chatsPath + dir_name.replace('.png', ''), (err) => {
if (err) {
response.send(err);
return console.log(err);
} else {
//response.redirect("/");
response.send('ok'); response.send('ok');
}
});
} }
}); });
}); });