@yamaryu0508
Last active November 22, 2017 01:57
テンプレートエンジンを用いた「フィールドのラベルにスクリプトが仕込まれる(kintone-xss-sample-1.js)」への対策
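/* global jQuery, _, kintone */
jQuery.noConflict();
(function ($) {
  'use strict';

  // The select is compiled once at load time instead of on every
  // `app.record.index.show` event; the markup never changes between events.
  //
  // `<%- %>` is the template engine's HTML-escaping interpolation (`<%= %>`
  // would insert the value verbatim). Every field value goes through it, both
  // inside the double-quoted `value` attribute and as option text, so a label
  // that contains markup is displayed as text rather than parsed by the
  // browser. The string literals are kept exactly as authored.
  var fieldSelectTemplate = _.template(
    '<div class="kintoneplugin-select-outer">' +
    ' <div class="kintoneplugin-select">' +
    ' <select id="select2">' +
    ' <% _.forEach(fields, function(field) { %>' +
    ' <option value="<%- field.label %>"><%- field.label %> [<%- field.type %>/<%- field.code %>]</option>' +
    ' <% }); %>' +
    ' </select>' +
    ' </div>' +
    '</div>'
  );

  /**
   * Fetches the app's form field definitions and appends a <select> listing
   * them (label, type and code) to the header menu space of the record list.
   *
   * @param {Object} event - kintone event object for `app.record.index.show`.
   * @returns {Object} The same event object, returned synchronously; the
   *   field lookup completes asynchronously and only touches the header DOM.
   */
  function renderFieldSelect(event) {
    kintone.api(kintone.api.url('/k/v1/preview/app/form/fields', true), 'GET', {
      app: kintone.app.getId()
    }).then(function (r) {
      // `r.properties` is passed straight to the template; _.forEach over an
      // object visits its values, so each entry is one field property object.
      var html = fieldSelectTemplate({ fields: r.properties });
      $(kintone.app.getHeaderMenuSpaceElement()).append(html);
    }).catch(function (e) {
      // Best-effort: a failed field lookup is logged and must not break the
      // record list itself.
      console.log(e);
    });
    return event;
  }

  kintone.events.on(['app.record.index.show'], renderFieldSelect);
})(jQuery);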