Update admin interface (#4737)

- Updated datatables - Set Cookie Secure flag if the connection is https - Prevent possible XSS via Organization Name Converted all `innerHTML` and `innerText` to the Safe Sink version `textContent` - Removed `jsesc` function as handlebars escapes all these chars already and more by default
2025-09-10 18:55:57 +03:00 · 2024-07-12 22:59:48 +02:00
parent 035f694d2f
commit 54bfcb8bc3
11 changed files with 95 additions and 67 deletions
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -379,8 +379,6 @@ impl<'r> FromRequest<'r> for Host {
            referer.to_string()
        } else {
            // Try to guess from the headers
-            use std::env;
-
            let protocol = if let Some(proto) = headers.get_one("X-Forwarded-Proto") {
                proto
            } else if env::var("ROCKET_TLS").is_ok() {
@@ -806,6 +804,7 @@ impl<'r> FromRequest<'r> for OwnerHeaders {
 // Client IP address detection
 //
 use std::{
+    env,
    fs::File,
    io::{Read, Write},
    net::IpAddr,
@@ -842,6 +841,35 @@ impl<'r> FromRequest<'r> for ClientIp {
    }
 }

+pub struct Secure {
+    pub https: bool,
+}
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for Secure {
+    type Error = ();
+
+    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
+        let headers = request.headers();
+
+        // Try to guess from the headers
+        let protocol = match headers.get_one("X-Forwarded-Proto") {
+            Some(proto) => proto,
+            None => {
+                if env::var("ROCKET_TLS").is_ok() {
+                    "https"
+                } else {
+                    "http"
+                }
+            }
+        };
+
+        Outcome::Success(Secure {
+            https: protocol == "https",
+        })
+    }
+}
+
 pub struct WsAccessTokenHeader {
    pub access_token: Option<String>,
 }