fix(security): address CodeQL and coderabbit review findings

## Security fixes ### pages_v3.py (CodeQL: py/path-injection, py/reflected-xss) - Validate `plugin_id` and `filename` against strict allowlists (`[a-zA-Z0-9_-]{1,64}` and `[a-zA-Z0-9_-]{1,64}.html`) before any path or script operations — satisfies CodeQL path-injection checks - Error responses returned as `text/plain` with no user data in body - HTML-meta-char escaping on PLUGIN_ID value in script tag (defence in depth) ### array-table.js (CodeQL: js/prototype-pollution) - Guard `setNestedValue()` against `__proto__`, `prototype`, and `constructor` keys; silently drops any write targeting those keys ### plugin-file-manager.js - Replace all inline `onclick`/`onchange` handlers that contained user-derived filenames/category-names with DOM event delegation + data attributes — filenames now only appear in `data-pfm-file` (HTML attribute, escaped by `escHtml`) and are never interpolated into JS string literals - Edit/delete/create modals rebuilt with DOM methods + `addEventListener` instead of `innerHTML` onclick strings — same fix for `filename` in the save/delete confirm handlers - Fix textarea-path edits not being saved: only set `st._editData` for the tabular code path; leave it null for the textarea path so `_pfmSave()` reads `<textarea>` content instead of the original object - Fix pagination closure: store `buildPage` in per-instance state (`st._buildPage`); `window._pfmTablePage` dispatches to the correct instance by fieldId — multiple instances no longer clobber each other ### time-picker.js - Call `widget.validate(fieldId)` after `onClear()` to keep required-field error state accurate when the field is cleared ### plugin_config.html - Honor `x_widget` alias (underscore) alongside `x-widget` (hyphen) in the new server-side array-table column rendering branches - Same fix for the `has_file_manager_widget` suppression check ### widget-guide.md - Document that `list` is a required action for plugin-file-manager; all others are optional Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 16:13:31 +00:00 · 2026-05-30 19:59:57 -04:00
parent b1af068f7a
commit 98d4b3b55b
6 changed files with 163 additions and 95 deletions
--- a/web_interface/templates/v3/partials/plugin_config.html
+++ b/web_interface/templates/v3/partials/plugin_config.html
@@ -526,7 +526,7 @@
                                    {% for col_name in display_columns %}
                                        {% set col_def = item_properties.get(col_name, {}) %}
                                        {% set col_type = col_def.get('type', 'string') %}
-                                        {% set col_xwidget = col_def.get('x-widget', '') %}
+                                        {% set col_xwidget = col_def.get('x-widget') or col_def.get('x_widget', '') %}
                                        {% set col_enum = col_def.get('enum', []) %}
                                        {% set col_value = item.get(col_name, col_def.get('default', '')) %}
                                        {% if col_xwidget == 'date-picker' %}{% set td_min_w = '140px' %}
@@ -1033,7 +1033,7 @@
           or if every action is marked ui_hidden in the manifest. #}
        {% set has_file_manager_widget = namespace(value=false) %}
        {% for _fk, _fp in schema.get('properties', {}).items() %}
-            {% if _fp.get('x-widget') in ('json-file-manager', 'plugin-file-manager') %}
+            {% if (_fp.get('x-widget') or _fp.get('x_widget')) in ('json-file-manager', 'plugin-file-manager') %}
                {% set has_file_manager_widget.value = true %}
            {% endif %}
        {% endfor %}