Restore FA icons in guac session-ended dialog#3032
Conversation
Extends the dialog rendering in guac-main.js so the heading shows a Font Awesome icon alongside the title, replacing the previous static 'Session Error' heading that was retained verbatim regardless of why the session ended. - Introduce _showDialog(title, detail, icon) and thin _showError / _showWarning / _showSuccess wrappers around it. Each wrapper passes its corresponding module-level ICON_* constant. - Route 514 (server timeout) and the default branch to _showError (red exclamation-circle), 522 (idle timeout) to _showWarning (amber exclamation-triangle), and 515 (backing VM disconnected = normal completion) to _showSuccess (green check-circle). - Simplify the dialog markup: drop the unused .message paragraph and the dead error_msg class; give the surviving body paragraph an id (#dialog-message) to mirror #dialog-heading. - Keep 'Session Ended' as a neutral static heading so the dialog still reads sensibly if JS fails to populate it before the dialog is shown. - Drive-by: remove a duplicate `var apiUrl` declaration in stopTask() left over from the master merge in 1230fa0 — it was a SyntaxError under strict mode.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request refactors the session dialog system to support multiple notification types (Error, Warning, Success) with specific icons, updating both the HTML template and the JavaScript logic. It also removes a redundant variable declaration in the stopTask function. A security concern was identified regarding the use of .html() for injecting dialog content, which poses a risk of Cross-Site Scripting (XSS); using .text() or createTextNode is recommended instead.
| dialog.find('#dialog-heading').html(`${iconHtml}${title}`); | ||
| dialog.find('#dialog-message').html(detail); |
There was a problem hiding this comment.
Using .html() to inject title and detail can lead to Cross-Site Scripting (XSS) vulnerabilities. This is particularly concerning for the detail parameter, which can contain error messages originating from the server (e.g., via the Guacamole protocol). It is safer to use .text() for text content. For the heading, you can set the icon HTML and then append the title as a text node to ensure any malicious characters in the title are not executed.
| dialog.find('#dialog-heading').html(`${iconHtml}${title}`); | |
| dialog.find('#dialog-message').html(detail); | |
| dialog.find('#dialog-heading').html(iconHtml).append(document.createTextNode(title)); | |
| dialog.find('#dialog-message').text(detail); |
1 participant
Extends the dialog rendering in guac-main.js so the heading shows a Font Awesome icon alongside the title, replacing the previous static 'Session Error' heading that was retained verbatim regardless of why the session ended.
var apiUrldeclaration in stopTask() left over from the master merge in 1230fa0 — it was a SyntaxError under strict mode.