From 2354d7e7986915713d76ccb7c96d3dcec6c2a38c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Luka=20=C5=A0ijanec?=
Date: Fri, 13 Mar 2020 14:27:34 +0100
Subject: fix xss from gse
---
 js/gsec.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'js')
diff --git a/js/gsec.js b/js/gsec.js
index 6e59db7..8d02d44 100644
--- a/js/gsec.js
+++ b/js/gsec.js
@@ -21,7 +21,7 @@ class gsec {
 type: "GET",
 dataType: "html",
 success: (getData) => {
- var parsed = document.createElement("html");
+ var parsed = document.createElement("template");
 parsed.innerHTML = getData;
 if(formId == null) {
 var form = parsed.getElementsByTagName("form")[0];
@@ -63,7 +63,7 @@ class gsec {
 return new Promise((resolve, reject) => {
 var dataToSend = {"edtGSEUserId": usernameToLogin, "edtGSEUserPassword": passwordToLogin, "btnLogin": "Prijava"};
 this.postback(GSE_URL+"Logon.aspx", dataToSend).then( (response) => {
- var parsed = document.createElement("html");
+ var parsed = document.createElement("template");
 parsed.innerHTML = response.data;
 if(response.code == 302) {
 resolve(true);
@@ -150,7 +150,7 @@ class gsec {
 return new Promise((resolve, reject) => {
 var urnik = { 0: {}, 1: {}, 2: {}, 3: {}, 4: {}, 5: {}, 6:{} } ;
 this.postback(GSE_URL+"Page_Gim/Ucenec/DnevnikUcenec.aspx", dataToSend, null, true).then( (response) => {
- var parsed = document.createElement("html");
+ var parsed = document.createElement("template");
 parsed.innerHTML = response.data;
 for(const urnikElement of parsed.querySelectorAll('*[id^="ctl00_ContentPlaceHolder1_wkgDnevnik_btnCell_"]')) {
 var subFields = urnikElement.id.split("_");
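Review bot: A `<template>` element keeps the markup assigned via `innerHTML` in its inert `content` DocumentFragment, not as its own child nodes, so the unchanged lookup on the element in this hunk, `var form = parsed.getElementsByTagName("form")[0];`, now yields `undefined`; the same applies to `parsed.querySelectorAll(...)` in the hunk at @@ -150 and to `parsed.getElementsByTagName("table")[0].getElementsByTagName("tbody")...` in the hunks at @@ -172 and @@ -197, where the chained call on `undefined` throws a TypeError. Each query should go through the fragment, e.g. `var form = parsed.content.getElementsByTagName("form")[0];`, or the response could be parsed with `new DOMParser().parseFromString(getData, "text/html")`, which also returns an inert document and can be queried directly. Moving away from a detached `<html>` element is the right direction for the XSS fix, since the template's inert document neither runs scripts nor fetches subresources, so event-handler attributes in the fetched page cannot fire. Whatever the hunk at @@ -63 does with `parsed` after the `302` check lies outside the hunk and needs the same `.content` adjustment.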
@@ -172,7 +172,7 @@ class gsec {
 return new Promise((resolve, reject) => {
 var gradings = [];
 this.postback(GSE_URL+"Page_Gim/Ucenec/IzpitiUcenec.aspx", {}, null, true).then( (response) => {
- var parsed = document.createElement("html");
+ var parsed = document.createElement("template");
 parsed.innerHTML = response.data;
 var rowElements = parsed.getElementsByTagName("table")[0].getElementsByTagName("tbody")[0].getElementsByTagName("tr");
 for (const row of rowElements) {
@@ -197,7 +197,7 @@ class gsec {
 return new Promise((resolve, reject) => {
 var Teachers = {};
 this.postback(GSE_URL+"Page_Gim/Ucenec/UciteljskiZbor.aspx", {}, null, true).then((response)=>{
- var parsed = document.createElement("html");
+ var parsed = document.createElement("template");
 parsed.innerHTML = response.data;
 var rowElements = parsed.getElementsByTagName("table")[0].getElementsByTagName("tbody")[0].getElementsByTagName("tr");
 for(const row of rowElements) {
-- 
cgit v1.2.3