Learn_System

maxim.dolgolyov/Learn_System

Fork 0

Commit Graph

Author	SHA1	Message	Date
Maxim Dolgolyov	bf70c3d7d7	fix(admin-redesign): security — stored XSS via user name in onclick Security review caught: per-row hover actions (users.js) and async user picker (shop.js, gam.js) interpolated user-controlled name into JS string literals inside onclick. LS.esc() escapes & < > " but NOT backslash; the .replace(/'/g, '\'') fallback was broken. Attack: any authenticated user could set their name to a\'); alert(1); // via PATCH /api/auth/profile (stripTags doesn't strip \) — admin viewing the users/shop/gam picker would execute arbitrary JS. Fix: switch from JS-string interpolation to data-uid/data-name attributes, read via dataset in handler. esc() correctly escapes for HTML-attribute context; dataset returns the raw string with zero parse re-entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 00:30:34 +03:00
Maxim Dolgolyov	92030b462c	feat(admin): phase 2 — split admin.js into 13 section modules Replace ~3500L admin.js monolith with thin orchestrator (~700L) + 14 IIFE-wrapped per-section modules under /js/admin/sections/. Section modules expose AdminSections.<name>.init/reload (lazy init via switchTab/router) and re-expose onclick handlers via window.X for backward compat. Shared helpers (MODES/DIFFS, fmtDate, pctClass, renderMath, qTypeBadge, pagination) live in /js/admin/_shared.js exposed on window.AdminCtx. switchTab now dispatches to AdminSections via ROUTE_TO_SECTION map; non-extracted system tabs (topics/audit/errors/health/classroom/avatars) remain inline in admin.js. user-panel overlay markup untouched — Phase 6 will remove it.	2026-05-16 22:50:14 +03:00

Author

SHA1

Message

Date

Maxim Dolgolyov

bf70c3d7d7

fix(admin-redesign): security — stored XSS via user name in onclick

Security review caught: per-row hover actions (users.js) and async

user picker (shop.js, gam.js) interpolated user-controlled name into

JS string literals inside onclick. LS.esc() escapes & < > " but

NOT backslash; the .replace(/'/g, '\'') fallback was broken.

Attack: any authenticated user could set their name to

  a\'); alert(1); //

via PATCH /api/auth/profile (stripTags doesn't strip \) — admin

viewing the users/shop/gam picker would execute arbitrary JS.

Fix: switch from JS-string interpolation to data-uid/data-name

attributes, read via dataset in handler. esc() correctly escapes

for HTML-attribute context; dataset returns the raw string with

zero parse re-entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-17 00:30:34 +03:00

Maxim Dolgolyov

92030b462c

feat(admin): phase 2 — split admin.js into 13 section modules

Replace ~3500L admin.js monolith with thin orchestrator (~700L) +

14 IIFE-wrapped per-section modules under /js/admin/sections/.

Section modules expose AdminSections.<name>.init/reload (lazy init via

switchTab/router) and re-expose onclick handlers via window.X for

backward compat. Shared helpers (MODES/DIFFS, fmtDate, pctClass,

renderMath, qTypeBadge, pagination) live in /js/admin/_shared.js

exposed on window.AdminCtx.

switchTab now dispatches to AdminSections via ROUTE_TO_SECTION map;

non-extracted system tabs (topics/audit/errors/health/classroom/avatars)

remain inline in admin.js. user-panel overlay markup untouched — Phase 6

will remove it.

2026-05-16 22:50:14 +03:00

2 Commits