rick/LEDMatrix
1
0
Fork 0
mirror of https://github.com/ChuckBuilds/LEDMatrix.git synced 2026-05-31 16:13:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
98d4b3b55b38de38277398db89a6edd593029764
LEDMatrix/web_interface/static/v3/js/widgets/time-picker.js
Chuck 98d4b3b55b fix(security): address CodeQL and coderabbit review findings 
## Security fixes

### pages_v3.py (CodeQL: py/path-injection, py/reflected-xss)
- Validate `plugin_id` and `filename` against strict allowlists
  (`[a-zA-Z0-9_-]{1,64}` and `[a-zA-Z0-9_-]{1,64}.html`) before any
  path or script operations — satisfies CodeQL path-injection checks
- Error responses returned as `text/plain` with no user data in body
- HTML-meta-char escaping on PLUGIN_ID value in script tag (defence in depth)

### array-table.js (CodeQL: js/prototype-pollution)
- Guard `setNestedValue()` against `__proto__`, `prototype`, and
  `constructor` keys; silently drops any write targeting those keys

### plugin-file-manager.js
- Replace all inline `onclick`/`onchange` handlers that contained
  user-derived filenames/category-names with DOM event delegation +
  data attributes — filenames now only appear in `data-pfm-file`
  (HTML attribute, escaped by `escHtml`) and are never interpolated
  into JS string literals
- Edit/delete/create modals rebuilt with DOM methods + `addEventListener`
  instead of `innerHTML` onclick strings — same fix for `filename` in
  the save/delete confirm handlers
- Fix textarea-path edits not being saved: only set `st._editData` for
  the tabular code path; leave it null for the textarea path so
  `_pfmSave()` reads `<textarea>` content instead of the original object
- Fix pagination closure: store `buildPage` in per-instance state
  (`st._buildPage`); `window._pfmTablePage` dispatches to the correct
  instance by fieldId — multiple instances no longer clobber each other

### time-picker.js
- Call `widget.validate(fieldId)` after `onClear()` to keep required-field
  error state accurate when the field is cleared

### plugin_config.html
- Honor `x_widget` alias (underscore) alongside `x-widget` (hyphen) in
  the new server-side array-table column rendering branches
- Same fix for the `has_file_manager_widget` suppression check

### widget-guide.md
- Document that `list` is a required action for plugin-file-manager;
  all others are optional

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 19:59:57 -04:00

159 lines
6.1 KiB
JavaScript
Raw Blame History

/**
* LEDMatrix Time Picker Widget
*
* Single time selection using the browser's native time input.
* Returns a string in HH:MM (24-hour) format.
*
* Schema example:
* {
* "target_time": {
* "type": "string",
* "x-widget": "time-picker",
* "default": "00:00",
* "x-options": {
* "placeholder": "Select time",
* "clearable": true
* }
* }
* }
*
* @module TimePickerWidget
*/
(function() {
'use strict';
const base = window.BaseWidget ? new window.BaseWidget('TimePicker', '1.0.0') : null;
function escapeHtml(text) {
if (base) return base.escapeHtml(text);
const div = document.createElement('div');
div.textContent = String(text);
return div.innerHTML.replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}
function sanitizeId(id) {
if (base) return base.sanitizeId(id);
return String(id).replace(/[^a-zA-Z0-9_-]/g, '_');
}
function triggerChange(fieldId, value) {
if (base) {
base.triggerChange(fieldId, value);
} else {
document.dispatchEvent(new CustomEvent('widget-change', {
detail: { fieldId, value },
bubbles: true,
cancelable: true
}));
}
}
window.LEDMatrixWidgets.register('time-picker', {
name: 'Time Picker Widget',
version: '1.0.0',
render: function(container, config, value, options) {
const fieldId = sanitizeId(options.fieldId || container.id || 'time_picker');
const xOptions = config['x-options'] || config['x_options'] || {};
const placeholder = xOptions.placeholder || '';
const clearable = xOptions.clearable === true;
const disabled = xOptions.disabled === true;
const required = xOptions.required === true;
const currentValue = value || '';
let html = `<div id="${fieldId}_widget" class="time-picker-widget" data-field-id="${fieldId}">`;
html += '<div class="flex items-center">';
html += `
<div class="relative flex-1">
<input type="time"
id="${fieldId}_input"
name="${escapeHtml(options.name || fieldId)}"
value="${escapeHtml(currentValue)}"
${placeholder ? `placeholder="${escapeHtml(placeholder)}"` : ''}
${disabled ? 'disabled' : ''}
${required ? 'required' : ''}
onchange="window.LEDMatrixWidgets.getHandlers('time-picker').onChange('${fieldId}')"
class="form-input w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 ${disabled ? 'bg-gray-100 cursor-not-allowed' : 'bg-white'} text-black pr-10">
<div class="absolute inset-y-0 right-0 flex items-center pr-3 pointer-events-none">
<i class="fas fa-clock text-gray-400"></i>
</div>
</div>
`;
if (clearable && !disabled) {
html += `
<button type="button"
id="${fieldId}_clear"
onclick="window.LEDMatrixWidgets.getHandlers('time-picker').onClear('${fieldId}')"
class="ml-2 inline-flex items-center px-2 py-2 text-gray-400 hover:text-gray-600 ${currentValue ? '' : 'hidden'}"
title="Clear">
<i class="fas fa-times"></i>
</button>
`;
}
html += '</div>';
html += `<div id="${fieldId}_error" class="text-sm text-red-600 mt-1 hidden"></div>`;
html += '</div>';
container.innerHTML = html;
},
getValue: function(fieldId) {
const safeId = sanitizeId(fieldId);
const input = document.getElementById(`${safeId}_input`);
return input ? input.value : '';
},
setValue: function(fieldId, value) {
const safeId = sanitizeId(fieldId);
const input = document.getElementById(`${safeId}_input`);
const clearBtn = document.getElementById(`${safeId}_clear`);
if (input) input.value = value || '';
if (clearBtn) clearBtn.classList.toggle('hidden', !value);
},
validate: function(fieldId) {
const safeId = sanitizeId(fieldId);
const input = document.getElementById(`${safeId}_input`);
const errorEl = document.getElementById(`${safeId}_error`);
if (!input) return { valid: true, errors: [] };
const isValid = input.checkValidity();
if (errorEl) {
if (!isValid) {
errorEl.textContent = input.validationMessage;
errorEl.classList.remove('hidden');
input.classList.add('border-red-500');
} else {
errorEl.classList.add('hidden');
input.classList.remove('border-red-500');
}
}
return { valid: isValid, errors: isValid ? [] : [input.validationMessage] };
},
handlers: {
onChange: function(fieldId) {
const widget = window.LEDMatrixWidgets.get('time-picker');
const safeId = sanitizeId(fieldId);
const clearBtn = document.getElementById(`${safeId}_clear`);
const value = widget.getValue(fieldId);
if (clearBtn) clearBtn.classList.toggle('hidden', !value);
widget.validate(fieldId);
triggerChange(fieldId, value);
},
onClear: function(fieldId) {
const widget = window.LEDMatrixWidgets.get('time-picker');
widget.setValue(fieldId, '');
widget.validate(fieldId); // refresh required/error state
triggerChange(fieldId, '');
}
}
});
console.log('[TimePickerWidget] Time picker widget registered');
})();
Reference in New Issue View Git Blame Copy Permalink