Migrate away from unsafe function

MooTools More has CVE-2021-20088 and qbt is affected by it by using the unsafe function call `String.parseQueryString()`, so migrate away from it. PR #18554.
2 years ago · 6a4bb5c1b7
1 changed files with 4 additions and 9 deletions
--- a/src/webui/www/private/scripts/client.js
+++ b/src/webui/www/private/scripts/client.js
@ -1387,11 +1387,11 @@ function registerMagnetHandler() {
        return;
    }
-    const hashParams = getHashParamsFromUrl();
+    const hashString = location.hash ? location.hash.replace(/^#/, '') : '';
-    hashParams.download = '';
+    const hashParams = new URLSearchParams(hashString);
-
+    hashParams.set('download', '');
    const templateHashString = Object.toQueryString(hashParams).replace('download=', 'download=%s');
    const templateHashString = hashParams.toString().replace('download=', 'download=%s');
    const templateUrl = location.origin + location.pathname
        + location.search + '#' + templateHashString;
@ -1411,11 +1411,6 @@ function handleDownloadParam() {
    showDownloadPage([url]);
 }
 function getHashParamsFromUrl() {
    const hashString = location.hash ? location.hash.replace(/^#/, '') : '';
    return (hashString.length > 0) ? String.parseQueryString(hashString) : {};
 }
 function closeWindows() {
    MochaUI.closeAll();
 }