[#8534] fix some codeql warnings
diff --git a/Allura/allura/lib/widgets/resources/js/jquery.colorPicker.js b/Allura/allura/lib/widgets/resources/js/jquery.colorPicker.js
index 78bb129..3a3088a 100644
--- a/Allura/allura/lib/widgets/resources/js/jquery.colorPicker.js
+++ b/Allura/allura/lib/widgets/resources/js/jquery.colorPicker.js
@@ -179,7 +179,7 @@
             var selector = activePalette,
                 selectorParent = $(event.target).parents("#" + selector.attr('id')).length;
 
-            if (event.target === $(selector)[0] || event.target === selectorOwner || selectorParent > 0) {
+            if (event.target === $.find(selector)[0] || event.target === selectorOwner || selectorParent > 0) {
                 return;
             }
 
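Review bot: `$.find(selector)[0]` on the new line is probably always `undefined`. `selector` is `activePalette`, which the line above treats as a jQuery object (`selector.attr('id')`), and as far as I know `$.find` (Sizzle) returns an empty result for a non-string selector. That would make the first clause dead, so a click landing directly on the palette element itself would no longer return early; `selectorParent` only covers its descendants. Since the object is already wrapped, `event.target === selector[0]` keeps the old behaviour without passing anything through `$()` again. The enclosing handler starts and ends outside the hunk.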
diff --git a/Allura/allura/templates/repo/commit.html b/Allura/allura/templates/repo/commit.html
index f924838..630a1aa 100644
--- a/Allura/allura/templates/repo/commit.html
+++ b/Allura/allura/templates/repo/commit.html
@@ -49,9 +49,10 @@
 {{ super() }}
   <script type="text/javascript">
     function color_diff(selector) {
-      var overflow = $(selector).find("pre").get(0);
+      var $selected = $('body').find(selector);
+      var overflow = $selected.find("pre").get(0);
       var len = overflow.scrollWidth - 5;
-      $(selector).find(".gi, .gd, .gu").width(len);
+      $selected.find(".gi, .gd, .gu").width(len);
     }
 
     function ld(diff, callback) {
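Review bot: The switch to `$('body').find(selector)` in `color_diff` deserves a one-line comment, otherwise a later cleanup is likely to fold it back into `$(selector)`. Something like `// .find() only ever treats selector as a CSS selector; $(selector) would build DOM nodes from an HTML-looking string` would do. Separately, `overflow` is `undefined` when the selector matches nothing or the match contains no `pre`, and the next line then throws on `overflow.scrollWidth`. Adding `if (!overflow) { return; }` after the `.get(0)` line would cover that.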
diff --git a/ForgeImporters/forgeimporters/github/tracker.py b/ForgeImporters/forgeimporters/github/tracker.py
index 3348435..26f6655 100644
--- a/ForgeImporters/forgeimporters/github/tracker.py
+++ b/ForgeImporters/forgeimporters/github/tracker.py
@@ -248,7 +248,7 @@
         # at github, attachments are images only and are included into comment's body
         # usual syntax is
         # ![cdbpzjc5ex4](https://f.cloud.github.com/assets/979771/1027411/a393ab5e-0e70-11e3-8a38-b93a3df904cf.jpg)\r\n
-        REGEXP = r'!\[[\w0-9]+?\]\(((?:https?:\/\/)?[\da-z\.-]+\.[a-z\.]{2,6}'\
+        REGEXP = r'!\[[\w]+?\]\(((?:https?:\/\/)?[\da-z\.-]+\.[a-z\.]{2,6}'\
             '[\\/%\\w\\.-]*.(jpg|jpeg|png|gif))\\)[\r\n]*'
         attachments = []
 
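Review bot: The `.` immediately before `(jpg|jpeg|png|gif)` on the continuation line is still unescaped, so it matches any character rather than the literal dot of the file extension. `'[\\/%\\w\\.-]*\\.(jpg|jpeg|png|gif))\\)[\r\n]*'` would pin it. The adjacent classes `[\da-z\.-]+`, `[a-z\.]{2,6}` and `[\\/%\\w\\.-]*` also overlap on letters and dots, which can cause heavy backtracking on long non-matching input. This pattern presumably runs over comment bodies imported from GitHub, so it is worth checking whether the analyser flags it for that as well. The enclosing function starts and ends outside the hunk.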
diff --git a/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js b/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
index 886f973..d0fa82e 100644
--- a/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
+++ b/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
@@ -44,7 +44,7 @@
         }
 
         $checked.each(function() {
-            $form.append('<input type="hidden" name="__ticket_ids" value="'+$(this).val()+'"/>');
+            $form.append('<input type="hidden" name="__ticket_ids" value="'+escape_html($(this).val())+'"/>');
         });
     });
 });
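Review bot: The hidden input is still assembled by string concatenation, so its safety depends on what `escape_html` (defined outside this hunk) actually escapes. The value lands inside a double-quoted attribute, so the helper must escape `"` as well as `<`, `>` and `&`. Setting the value through the DOM removes that dependency: `$form.append($('<input type="hidden" name="__ticket_ids">').val($(this).val()));`. The handler this sits in starts outside the hunk.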