File fix-xss-in-generated-frames.html-of-default-yard-template.patch of Package rubygem-yard.36404

diff -ru yard-0.8.7.3.orig/templates/default/fulldoc/html/frames.erb yard-0.8.7.3/templates/default/fulldoc/html/frames.erb
--- yard-0.8.7.3.orig/templates/default/fulldoc/html/frames.erb	2024-10-08 17:20:13.346438991 +0200
+++ yard-0.8.7.3/templates/default/fulldoc/html/frames.erb	2024-10-08 17:21:11.007445557 +0200
@@ -7,14 +7,14 @@
 	<title><%= options.title %></title>
 </head>
 <script type="text/javascript" charset="utf-8">
-window.onload = function() {
-  var match = unescape(window.location.hash).match(/^#!(.+)/);
-  var name = match ? match[1] : '<%= url_for_main %>';
-  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
-  document.writeln('<frameset cols="20%,*">' +
-    '<frame name="list" src="<%= url_for_list('class') %>" />' +
-    '<frame name="main" src="' + escape(name) + '" />' +
-    '</frameset>');
+var mainUrl = '<%= url_for_main %>';
+try {
+    var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
+    var name = match ? match[1] : mainUrl;
+    var url = new URL(name, location.href);
+    window.top.location.replace(url.origin === location.origin ? name : mainUrl);
+} catch (e) {
+    window.top.location.replace(mainUrl);
 }
 </script>
 <noscript>
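Review bot: The origin comparison on the `window.top.location.replace(...)` line does not hold when the generated docs are opened from an opaque origin, and it validates the parsed `url` but then navigates to the raw `name` string. For a page loaded over `file:`, browsers typically report `location.origin` as the string `"null"`, which is also what `new URL()` yields for non-hierarchical schemes such as `javascript:`, so the equality can pass for a hash value that is not a same-site path at all. I would require a matching scheme as well and navigate to the value that was actually checked: `var ok = url.protocol === location.protocol && url.origin === location.origin;` followed by `window.top.location.replace(ok ? url.href : mainUrl);`. A short comment above the `try`, saying that the hash is attacker-controlled and only same-origin targets are followed, would also help the next maintainer.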