Fix CSP Error

Getting rid of inline onclick calls and registering the handler in the
primary script ensures security (XSS).
This commit is contained in:
Tanishq Dubey 2024-12-08 18:03:44 -05:00
parent 9022facac5
commit 5b0b30d69c


@ -203,8 +203,8 @@
<td class="editable" data-field="iso">{{ photo.iso }}</td> <td class="editable" data-field="iso">{{ photo.iso }}</td>
<td>{{ photo.width }}x{{ photo.height }}</td> <td>{{ photo.width }}x{{ photo.height }}</td>
<td> <td>
<button onclick="saveChanges(this)">Save</button> <button id="save-btn">Save</button>
<button onclick="deletePhoto(this)" class="delete-btn">Delete</button> <button class="delete-btn" id="delete-btn">Delete</button>
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}
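Review bot: The new `id="save-btn"` and `id="delete-btn"` sit inside the row template that the `{% endfor %}` on the last line of this hunk closes, so every photo row repeats the same ids and the later `document.getElementById('save-btn').addEventListener(...)` / `getElementById('delete-btn')` calls bind only the first row's buttons; Save and Delete on every other row do nothing. The removed inline calls also passed the button itself (`saveChanges(this)`), whereas a listener receives the Event as its first argument, so `saveChanges` and `deletePhoto` must now read `e.currentTarget` unless they were changed accordingly (their definitions are outside this hunk). Use classes instead of ids, `<button type="button" class="save-btn">Save</button>` and `<button type="button" class="delete-btn">Delete</button>`, and bind per row with `document.querySelectorAll('.save-btn').forEach(b => b.addEventListener('click', () => saveChanges(b)));` (likewise for `.delete-btn`). Separately, the `style="…"` attributes added in the second hunk are inline styles, which a CSP whose `style-src` lacks `'unsafe-inline'` blocks — the same class of violation this commit removes for scripts — so they belong in the stylesheet.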
@ -241,8 +241,11 @@
<input type="text" id="about.location" name="about.location" value="{{ config.about.location }}"> <input type="text" id="about.location" name="about.location" value="{{ config.about.location }}">
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="about.profile_image">Profile Image Path:</label> <label for="about.profile_image">Profile Image:</label>
<input type="text" id="about.profile_image" name="about.profile_image" value="{{ config.about.profile_image }}"> <div style="display: flex; align-items: center; gap: 1rem;">
<img id="profile-preview" src="/static/profile.jpeg" alt="Profile" style="width: 100px; height: 100px; object-fit: cover; border-radius: 50%;">
<input type="file" id="profile_image_upload" accept="image/jpeg,image/png" style="flex: 1;">
</div>
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="about.bio">Bio (Markdown):</label> <label for="about.bio">Bio (Markdown):</label>
@ -335,11 +338,38 @@
} }
} }
document.getElementById('delete-btn').addEventListener('click', deletePhoto);
document.getElementById('save-btn').addEventListener('click', saveChanges);
document.getElementById('profile_image_upload').addEventListener('change', async (e) => {
const file = e.target.files[0];
if (!file) return;
const formData = new FormData();
formData.append('profile_image', file);
try {
const response = await fetch('/admin/upload_profile', {
method: 'POST',
body: formData
});
const result = await response.json();
if (result.success) {
document.getElementById('profile-preview').src = '/static/profile.jpeg?' + new Date().getTime();
} else {
alert('Error uploading profile image: ' + result.error);
}
} catch (error) {
alert('Error uploading profile image: ' + error);
}
});
document.getElementById('configForm').addEventListener('submit', async (e) => { document.getElementById('configForm').addEventListener('submit', async (e) => {
e.preventDefault(); e.preventDefault();
const formData = {}; const formData = {};
const inputs = e.target.querySelectorAll('input, textarea'); const inputs = e.target.querySelectorAll('input:not([type="file"]), textarea');
inputs.forEach(input => { inputs.forEach(input => {
formData[input.name] = input.value; formData[input.name] = input.value;