From 4d0a72a2710fd3381574485980f056ac644a10d7 Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Sun, 16 Jan 2022 19:19:26 +0800
Subject: [PATCH] Revert "Prevent possible XSS when using jQuery (#18289)"
 (#18293)

This reverts commit 661d3d28e97bb49bef075c0314edad5879148aaa.
---
 .../doc/developers/guidelines-frontend.md     |  5 ----
 .../js/components/RepoBranchTagDropdown.js    |  2 +-
 web_src/js/features/common-global.js          | 14 ++++-----
 web_src/js/features/comp/LabelEdit.js         |  2 +-
 web_src/js/features/repo-branch.js            |  2 +-
 web_src/js/features/repo-common.js            |  6 ++--
 web_src/js/features/repo-diff.js              |  2 +-
 web_src/js/features/repo-issue.js             |  4 +--
 web_src/js/features/repo-legacy.js            | 30 +++++++++----------
 web_src/js/features/repo-settings.js          |  6 ++--
 10 files changed, 34 insertions(+), 39 deletions(-)

diff --git a/docs/content/doc/developers/guidelines-frontend.md b/docs/content/doc/developers/guidelines-frontend.md
index cbd2ca8a24..9fec5bd17e 100644
--- a/docs/content/doc/developers/guidelines-frontend.md
+++ b/docs/content/doc/developers/guidelines-frontend.md
@@ -127,8 +127,3 @@ We forbid `dataset` usage, its camel-casing behaviour makes it hard to grep for
 ### Vue2/Vue3 and JSX
 
 Gitea is using Vue2 now, we plan to upgrade to Vue3. We decided not to introduce JSX to keep the HTML and the JavaScript code separated.
-
-### jQuery's `$(...)`
-
-jQuery's `$` function has a broad functionality depending on the input. Well, this can be seen as nice, it's also a fallpit for possible XSS attacks when the input is user-controlled.
-The usage of the function can be correct in certain situations, but it is discourage and recommended to use a more specific function of jQuery(e.g. `$.find`, `$.parseHTML`).
diff --git a/web_src/js/components/RepoBranchTagDropdown.js b/web_src/js/components/RepoBranchTagDropdown.js
index 2b260e9399..50c71d5bac 100644
--- a/web_src/js/components/RepoBranchTagDropdown.js
+++ b/web_src/js/components/RepoBranchTagDropdown.js
@@ -2,7 +2,7 @@ import Vue from 'vue';
 import {vueDelimiters} from './VueComponentLoader.js';
 
 export function initRepoBranchTagDropdown(selector) {
-  $.find(selector).each(function () {
+  $(selector).each(function () {
     const $dropdown = $(this);
     const $data = $dropdown.find('.data');
     const data = {
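Review bot: `selector` reaches `$(...)` on the new line with nothing stating what callers may pass, and jQuery's `$()` treats a string that begins with `<` as HTML to parse rather than as a selector, so the function's contract should say it expects a CSS selector string. A JSDoc line would pin it: `/** @param {string} selector - CSS selector for the dropdown roots; must be a selector, never HTML. */`. The same applies to `selector` in initCompLabelEdit (LabelEdit.js hunk) and in initRepoCommonBranchOrTagDropdown / initRepoCommonFilterSearchDropdown (repo-common.js hunk). initRepoBranchTagDropdown continues past the end of this hunk.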
diff --git a/web_src/js/features/common-global.js b/web_src/js/features/common-global.js
index 258a056e32..bf9d21ac49 100644
--- a/web_src/js/features/common-global.js
+++ b/web_src/js/features/common-global.js
@@ -124,7 +124,7 @@ export function initGlobalCommon() {
   $('.tabable.menu .item').tab();
 
   $('.toggle.button').on('click', function () {
-    $.find($(this).data('target')).slideToggle(100);
+    $($(this).data('target')).slideToggle(100);
   });
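Review bot: `$($(this).data('target'))` hands an attribute value straight to `$()`, which interprets a string beginning with `<` as HTML to be parsed rather than as a selector, so these lines are only as safe as the server-rendered `data-target` / `data-form` / `data-panel` / `data-modal` attributes are, and the patch does not say where those values come from. If a selector-only lookup is wanted while keeping the UI working, `$(document).find($(this).data('target')).slideToggle(100)` returns the jQuery object the chained call needs, which the bare `$.find(...)` (jQuery's Sizzle alias, returning a plain element array) did not — presumably why the reverted change had to go. The same pattern is on the new side of the remaining common-global.js hunks and in repo-branch.js, repo-common.js, repo-diff.js, repo-issue.js (second hunk), repo-legacy.js and repo-settings.js. initGlobalCommon starts before this hunk.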
 
   // make table <tr> and <td> elements clickable like a link
@@ -202,7 +202,7 @@ export function initGlobalLinkActions() {
       closable: false,
       onApprove() {
         if ($this.data('type') === 'form') {
-          $.find($this.data('form')).trigger('submit');
+          $($this.data('form')).trigger('submit');
           return;
         }
 
@@ -240,7 +240,7 @@ export function initGlobalLinkActions() {
       closable: false,
       onApprove() {
         if ($this.data('type') === 'form') {
-          $.find($this.data('form')).trigger('submit');
+          $($this.data('form')).trigger('submit');
           return;
         }
 
@@ -293,7 +293,7 @@ export function initGlobalLinkActions() {
 
 export function initGlobalButtons() {
   $('.show-panel.button').on('click', function () {
-    $.find($(this).data('panel')).show();
+    $($(this).data('panel')).show();
   });
 
   $('.hide-panel.button').on('click', function (event) {
@@ -301,7 +301,7 @@ export function initGlobalButtons() {
     event.preventDefault();
     let sel = $(this).attr('data-panel');
     if (sel) {
-      $.find(sel).hide();
+      $(sel).hide();
       return;
     }
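Review bot: Within initGlobalButtons the show-panel handler in the preceding hunk reads its target with `$(this).data('panel')` while this hunk reads it with `$(this).attr('data-panel')`; `.data()` type-converts attribute values (numeric and JSON-looking strings) whereas `.attr()` returns the raw string, so the two buttons would treat an unusual selector value differently. Using `.attr('data-panel')` in both places, or one small helper that both call, removes the inconsistency. initGlobalButtons continues past this hunk.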
     sel = $(this).attr('data-panel-closest');
@@ -314,8 +314,8 @@ export function initGlobalButtons() {
   });
 
   $('.show-modal.button').on('click', function () {
-    $.find($(this).data('modal')).modal('show');
-    const colorPickers = $.find($(this).data('modal')).find('.color-picker');
+    $($(this).data('modal')).modal('show');
+    const colorPickers = $($(this).data('modal')).find('.color-picker');
     if (colorPickers.length > 0) {
       initCompColorPicker();
     }
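Review bot: `$($(this).data('modal'))` is evaluated twice on consecutive new lines, repeating the attribute read and the DOM lookup for the same element. Hoisting it — `const $modal = $($(this).data('modal'));` then `$modal.modal('show');` and `const colorPickers = $modal.find('.color-picker');` — does the lookup once and makes it obvious that both statements operate on the same set. initGlobalButtons continues past this hunk.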
diff --git a/web_src/js/features/comp/LabelEdit.js b/web_src/js/features/comp/LabelEdit.js
index 7c31080be8..7d71e6effa 100644
--- a/web_src/js/features/comp/LabelEdit.js
+++ b/web_src/js/features/comp/LabelEdit.js
@@ -1,7 +1,7 @@
 import {initCompColorPicker} from './ColorPicker.js';
 
 export function initCompLabelEdit(selector) {
-  if (!$.find(selector).length) return;
+  if (!$(selector).length) return;
   // Create label
   const $newLabelPanel = $('.new-label.segment');
   $('.new-label.button').on('click', () => {
diff --git a/web_src/js/features/repo-branch.js b/web_src/js/features/repo-branch.js
index 1dddbf7276..4402411bfd 100644
--- a/web_src/js/features/repo-branch.js
+++ b/web_src/js/features/repo-branch.js
@@ -2,6 +2,6 @@ export function initRepoBranchButton() {
   $('.show-create-branch-modal.button').on('click', function () {
     $('#create-branch-form')[0].action = $('#create-branch-form').data('base-action') + $(this).data('branch-from-urlcomponent');
     $('#modal-create-branch-from-span').text($(this).data('branch-from'));
-    $.find($(this).data('modal')).modal('show');
+    $($(this).data('modal')).modal('show');
   });
 }
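Review bot: The form action is assembled by concatenation, `$('#create-branch-form').data('base-action') + $(this).data('branch-from-urlcomponent')`, and `$('#create-branch-form')` is looked up twice on the same line; the `-urlcomponent` suffix suggests the branch name is already percent-encoded by the template, which is worth confirming, since an unencoded value containing reserved URL characters would alter the request URL. Hoisting `const $form = $('#create-branch-form');` and writing `$form[0].action = $form.data('base-action') + $(this).data('branch-from-urlcomponent');` avoids the repeated lookup. initRepoBranchButton starts before this hunk.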
diff --git a/web_src/js/features/repo-common.js b/web_src/js/features/repo-common.js
index 712086952d..3ddabe10f1 100644
--- a/web_src/js/features/repo-common.js
+++ b/web_src/js/features/repo-common.js
@@ -65,18 +65,18 @@ export function initRepoClone() {
 }
 
 export function initRepoCommonBranchOrTagDropdown(selector) {
-  $.find(selector).each(function () {
+  $(selector).each(function () {
     const $dropdown = $(this);
     $dropdown.find('.reference.column').on('click', function () {
       $dropdown.find('.scrolling.reference-list-menu').hide();
-      $.find($(this).data('target')).show();
+      $($(this).data('target')).show();
       return false;
     });
   });
 }
 
 export function initRepoCommonFilterSearchDropdown(selector) {
-  const $dropdown = $.find(selector);
+  const $dropdown = $(selector);
   $dropdown.dropdown({
     fullTextSearch: true,
     selectOnKeydown: false,
diff --git a/web_src/js/features/repo-diff.js b/web_src/js/features/repo-diff.js
index 4f16133b5f..3d937bbdb1 100644
--- a/web_src/js/features/repo-diff.js
+++ b/web_src/js/features/repo-diff.js
@@ -15,7 +15,7 @@ export function initRepoDiffFileViewToggle() {
     $this.parent().children().removeClass('active');
     $this.addClass('active');
 
-    const $target = $.find($this.data('toggle-selector'));
+    const $target = $($this.data('toggle-selector'));
     $target.parent().children().addClass('hide');
     $target.removeClass('hide');
   });
diff --git a/web_src/js/features/repo-issue.js b/web_src/js/features/repo-issue.js
index b062c44675..6e57facfd2 100644
--- a/web_src/js/features/repo-issue.js
+++ b/web_src/js/features/repo-issue.js
@@ -28,7 +28,7 @@ export function initRepoIssueTimeTracking() {
   });
   $(document).on('click', 'button.issue-delete-time', function () {
     const sel = `.issue-delete-time-modal[data-id="${$(this).data('id')}"]`;
-    $.find(sel).modal({
+    $(sel).modal({
       duration: 200,
       onApprove() {
         $(`${sel} form`).trigger('submit');
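Review bot: `$(this).data('id')` is interpolated into the attribute selector `.issue-delete-time-modal[data-id="..."]` without escaping, so a value containing `"` or `]` would yield an invalid selector and make `$(sel)` throw; if the id is always numeric this is harmless, but nothing in the hunk guarantees it. Reading it as `const id = CSS.escape(String($(this).data('id')));` and interpolating `id` into the template instead keeps the selector well-formed for any value. The same unescaped interpolation appears at `$(\`#comment-${$this.data('target')}\`)` in the second repo-issue.js hunk. initRepoIssueTimeTracking starts before this hunk.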
@@ -535,7 +535,7 @@ export function initRepoIssueReferenceIssue() {
     const content = $(`#comment-${$this.data('target')}`).text();
     const poster = $this.data('poster-username');
     const reference = $this.data('reference');
-    const $modal = $.find($this.data('modal'));
+    const $modal = $($this.data('modal'));
     $modal.find('textarea[name="content"]').val(`${content}\n\n_Originally posted by @${poster} in ${reference}_`);
     $modal.modal('show');
 
diff --git a/web_src/js/features/repo-legacy.js b/web_src/js/features/repo-legacy.js
index 5a42ac7620..f30345bfee 100644
--- a/web_src/js/features/repo-legacy.js
+++ b/web_src/js/features/repo-legacy.js
@@ -42,7 +42,7 @@ export function initRepoCommentForm() {
     $branchMenu.find('.item:not(.no-select)').click(function () {
       const selectedValue = $(this).data('id');
       const editMode = $('#editing_mode').val();
-      $.find($(this).data('id-selector')).val(selectedValue);
+      $($(this).data('id-selector')).val(selectedValue);
       if ($isNewIssue) {
         $selectBranch.find('.ui .branch-name').text($(this).data('name'));
         return;
@@ -58,7 +58,7 @@ export function initRepoCommentForm() {
     $selectBranch.find('.reference.column').on('click', function () {
       $selectBranch.find('.scrolling.reference-list-menu').css('display', 'none');
       $selectBranch.find('.reference .text').removeClass('black');
-      $.find($(this).data('target')).css('display', 'block');
+      $($(this).data('target')).css('display', 'block');
       $(this).find('.text').addClass('black');
       return false;
     });
@@ -145,9 +145,9 @@ export function initRepoCommentForm() {
       $(this).parent().find('.item').each(function () {
         if ($(this).hasClass('checked')) {
           listIds.push($(this).data('id'));
-          $.find($(this).data('id-selector')).removeClass('hide');
+          $($(this).data('id-selector')).removeClass('hide');
         } else {
-          $.find($(this).data('id-selector')).addClass('hide');
+          $($(this).data('id-selector')).addClass('hide');
         }
       });
       if (listIds.length === 0) {
@@ -155,7 +155,7 @@ export function initRepoCommentForm() {
       } else {
         $noSelect.addClass('hide');
       }
-      $.find($(this).parent().data('id')).val(listIds.join(','));
+      $($(this).parent().data('id')).val(listIds.join(','));
       return false;
     });
     $listMenu.find('.no-select.item').on('click', function (e) {
@@ -182,7 +182,7 @@ export function initRepoCommentForm() {
         $(this).addClass('hide');
       });
       $noSelect.removeClass('hide');
-      $.find($(this).parent().data('id')).val('');
+      $($(this).parent().data('id')).val('');
     });
   }
 
@@ -247,7 +247,7 @@ export function initRepoCommentForm() {
 
       $list.find('.selected').html('');
       $list.find('.no-select').removeClass('hide');
-      $.find(input_id).val('');
+      $(input_id).val('');
     });
   }
 
@@ -450,20 +450,20 @@ export function initRepository() {
     // Enable or select internal/external wiki system and issue tracker.
     $('.enable-system').on('change', function () {
       if (this.checked) {
-        $.find($(this).data('target')).removeClass('disabled');
-        if (!$(this).data('context')) $.find($(this).data('context')).addClass('disabled');
+        $($(this).data('target')).removeClass('disabled');
+        if (!$(this).data('context')) $($(this).data('context')).addClass('disabled');
       } else {
-        $.find($(this).data('target')).addClass('disabled');
-        if (!$(this).data('context')) $.find($(this).data('context')).removeClass('disabled');
+        $($(this).data('target')).addClass('disabled');
+        if (!$(this).data('context')) $($(this).data('context')).removeClass('disabled');
       }
     });
     $('.enable-system-radio').on('change', function () {
       if (this.value === 'false') {
-        $.find($(this).data('target')).addClass('disabled');
-        if (typeof $(this).data('context') !== 'undefined') $.find($(this).data('context')).removeClass('disabled');
+        $($(this).data('target')).addClass('disabled');
+        if (typeof $(this).data('context') !== 'undefined') $($(this).data('context')).removeClass('disabled');
       } else if (this.value === 'true') {
-        $.find($(this).data('target')).removeClass('disabled');
-        if (typeof $(this).data('context') !== 'undefined') $.find($(this).data('context')).addClass('disabled');
+        $($(this).data('target')).removeClass('disabled');
+        if (typeof $(this).data('context') !== 'undefined') $($(this).data('context')).addClass('disabled');
       }
     });
   }
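Review bot: In the `.enable-system` change handler the context toggles are guarded by `if (!$(this).data('context'))`, so `$($(this).data('context')).addClass('disabled')` runs only when there is no context value and then acts on an empty jQuery set, whereas the `.enable-system-radio` handler directly below guards with `typeof $(this).data('context') !== 'undefined'` and does act on the context; the negation looks inverted, though the hunk alone cannot rule out that it is intentional. Unless there is a reason for the asymmetry, `if ($(this).data('context')) $($(this).data('context')).addClass('disabled');` and the matching `removeClass` line in the `else` branch would give the two handlers the same behaviour. initRepository starts before this hunk.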
diff --git a/web_src/js/features/repo-settings.js b/web_src/js/features/repo-settings.js
index 9568d1e80d..b0d43bd487 100644
--- a/web_src/js/features/repo-settings.js
+++ b/web_src/js/features/repo-settings.js
@@ -52,14 +52,14 @@ export function initRepoSettingBranches() {
     initRepoCommonFilterSearchDropdown('.protected-branches .dropdown');
     $('.enable-protection, .enable-whitelist, .enable-statuscheck').on('change', function () {
       if (this.checked) {
-        $.find($(this).data('target')).removeClass('disabled');
+        $($(this).data('target')).removeClass('disabled');
       } else {
-        $.find($(this).data('target')).addClass('disabled');
+        $($(this).data('target')).addClass('disabled');
       }
     });
     $('.disable-whitelist').on('change', function () {
       if (this.checked) {
-        $.find($(this).data('target')).addClass('disabled');
+        $($(this).data('target')).addClass('disabled');
       }
     });
   }
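Review bot: Both new branches of the `.enable-protection, .enable-whitelist, .enable-statuscheck` handler resolve `$($(this).data('target'))` and differ only in `addClass` versus `removeClass`, which `toggleClass` expresses directly: `$($(this).data('target')).toggleClass('disabled', !this.checked);` replaces the four-line if/else. The `.disable-whitelist` handler below it only ever adds the class, so it stays as written. initRepoSettingBranches starts before this hunk.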