Version 0.9.49

- Bump `pixl-server-web` to v2.0.0 to prevent XSS reflection style attacks on APIs. - Misc fixes to remove legacy JSONP-style APIs. - Fixes #755
jhuckaby · May 10, 2024 · db3b4b8 · db3b4b8
1 parent 813f401
commit db3b4b8
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 15 deletions.
diff --git a/htdocs/js/app.js b/htdocs/js/app.js
@@ -22,7 +22,7 @@ app.extend({
 		// receive config from server
 		if (resp.code) {
 			app.showProgress( 1.0, "Waiting for master server..." );
-			setTimeout( function() { load_script( '/api/app/config?callback=app.receiveConfig' ); }, 1000 );
+			setTimeout( function() { load_script( '/api/app/config' ); }, 1000 );
 			return;
 		}
 		delete resp.code;

diff --git a/htdocs/js/pages/Login.class.js b/htdocs/js/pages/Login.class.js
@@ -31,8 +31,6 @@ Class.subclass( Page.Base, "Page.Login", {
 
 		this.div.css({ 'padding-top':'75px', 'padding-bottom':'75px' });
 		var html = '';
-		// html += '<iframe name="i_login" id="i_login" src="blank.html" width="1" height="1" style="display:none"></iframe>';
-		// html += '<form id="f_login" method="post" action="/api/user/login?format=jshtml&callback=window.parent.%24P%28%29.doFrameLogin" target="i_login">';
 
 		html += '<div class="inline_dialog_container">';
 			html += '<div class="dialog_title shade-light">User Login</div>';

diff --git a/lib/api/config.js b/lib/api/config.js
@@ -15,9 +15,6 @@ module.exports = Class.create({
 		// send config to client
 		var self = this;
 
-		// prevent XSS
-		args.query.callback = 'app.receiveConfig';
-
 		// do not cache this API response
 		this.forceNoCacheResponse(args);
 
@@ -54,7 +51,9 @@ module.exports = Class.create({
 			};
 		}
 
-		callback(resp);
+		// wrap response in JavaScript
+		var payload = 'app.receiveConfig(' + JSON.stringify(resp) + ');' + "\n";
+		callback( "200 OK", { 'Content-Type': 'text/javascript' }, payload );
 	}
 
 } );
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "Cronicle",
-	"version": "0.9.48",
+	"version": "0.9.49",
 	"description": "A simple, distributed task scheduler and runner with a web based UI.",
 	"author": "Joseph Huckaby <[email protected]>",
 	"homepage": "https://github.com/jhuckaby/Cronicle",
@@ -52,7 +52,7 @@
 		"pixl-server-api": "^1.0.2",
 		"pixl-server-storage": "^3.1.18",
 		"pixl-server-user": "^1.0.22",
-		"pixl-server-web": "^1.3.30",
+		"pixl-server-web": "^2.0.0",
 		"pixl-tools": "^1.1.1",
 		"pixl-webapp": "^2.0.2",
 		"shell-quote": "1.7.3",