From bd3e12d3ac2c9ed5d005ce8d63647a2377a30d4a Mon Sep 17 00:00:00 2001
From: LordGrey <48840279+Lord-Grey@users.noreply.github.com>
Date: Thu, 19 Aug 2021 08:52:17 +0200
Subject: [PATCH] Fix 1292 - Avoid XSS (#1297)
* Fix 1292 - Avoid XSS
* Fix XSS on EffectConfiguration
---
 assets/webconfig/js/content_effectsconfigurator.js | 6 +++---
 assets/webconfig/js/content_general.js | 4 ++--
 assets/webconfig/js/content_logging.js | 2 +-
 assets/webconfig/js/content_network.js | 2 +-
 assets/webconfig/js/ui_utils.js | 4 ++++
 5 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/assets/webconfig/js/content_effectsconfigurator.js b/assets/webconfig/js/content_effectsconfigurator.js
index 3c774ce1..74dc16c2 100644
--- a/assets/webconfig/js/content_effectsconfigurator.js
+++ b/assets/webconfig/js/content_effectsconfigurator.js
@@ -1,8 +1,8 @@
 $(document).ready(function () {
 performTranslation();
- // update instance listing
- updateHyperionInstanceListing();
+ // update instance listing
+ updateHyperionInstanceListing();
 var oldDelList = [];
 var effectName = "";
@@ -120,7 +120,7 @@ $(document).ready(function () {
 // disable or enable control elements
 $("#name-input").on('change keyup', function (event) {
- effectName = $(this).val();
+ effectName = encodeHTML($(this).val());
 if ($(this).val() == '') {
 effects_editor.disable();
 $("#eff_footer").children().attr('disabled', true);
diff --git a/assets/webconfig/js/content_general.js b/assets/webconfig/js/content_general.js
index c8f68d5d..da972ba6 100644
--- a/assets/webconfig/js/content_general.js
+++ b/assets/webconfig/js/content_general.js
@@ -37,7 +37,7 @@ $(document).ready(function () {
 showInfoDialog('renInst', $.i18n('conf_general_inst_renreq_t'), getInstanceNameByIndex(inst));
 $("#id_btn_ok").off().on('click', function () {
- requestInstanceRename(inst, $('#renInst_name').val())
+ requestInstanceRename(inst, encodeHTML($('#renInst_name').val()))
 });
 $('#renInst_name').off().on('input', function (e) {
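Review bot: `effectName = encodeHTML($(this).val());` applies HTML entity encoding where the input is read rather than where it is written into markup, so the encoded form is what `effectName` holds and, presumably, what is sent to the backend as the effect's name. Output encoding belongs at the sink: a stored, pre-encoded name is rendered double-encoded by any path that already escapes and shows literal entities through any path that uses `.text()`, and the next line, `if ($(this).val() == '')`, shows the handler still reasoning about the raw value. I would keep `effectName = $(this).val();` and escape (or use `.text()`) at the point where the name is inserted into the page, which lies outside this hunk. The same input-side encoding appears in content_general.js at `requestInstanceRename(inst, encodeHTML($('#renInst_name').val()))` and `requestInstanceCreate(encodeHTML($('#inst_name').val()))`, and in content_network.js at `requestToken(encodeHTML($('#tok_comment').val()))`, where the encoded string becomes the persisted instance name or token comment. The enclosing ready handler starts and ends outside the hunk.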
@@ -94,7 +94,7 @@ $(document).ready(function () {
 });
 $('#btn_create_inst').off().on('click', function (e) {
- requestInstanceCreate($('#inst_name').val());
+ requestInstanceCreate(encodeHTML($('#inst_name').val()));
 $('#inst_name').val("");
 $('#btn_create_inst').attr('disabled', true)
 });
diff --git a/assets/webconfig/js/content_logging.js b/assets/webconfig/js/content_logging.js
index 6acd7677..39876984 100644
--- a/assets/webconfig/js/content_logging.js
+++ b/assets/webconfig/js/content_logging.js
@@ -125,7 +125,7 @@ $(document).ready(function () {
 var function_ = messages[idx].function;
 var line = messages[idx].line;
 var file_name = messages[idx].fileName;
- var msg = messages[idx].message;
+ var msg = encodeHTML(messages[idx].message);
 var level_string = messages[idx].levelString;
 var utime = messages[idx].utime;
diff --git a/assets/webconfig/js/content_network.js b/assets/webconfig/js/content_network.js
index 46284d11..8397a01c 100644
--- a/assets/webconfig/js/content_network.js
+++ b/assets/webconfig/js/content_network.js
@@ -210,7 +210,7 @@ $(document).ready( function() {
 }
 $('#btn_create_tok').off().on('click',function() {
- requestToken($('#tok_comment').val())
+ requestToken(encodeHTML($('#tok_comment').val()))
 $('#tok_comment').val("")
 $('#btn_create_tok').attr('disabled', true)
 });
diff --git a/assets/webconfig/js/ui_utils.js b/assets/webconfig/js/ui_utils.js
index f8f46844..76a0d160 100644
--- a/assets/webconfig/js/ui_utils.js
+++ b/assets/webconfig/js/ui_utils.js
@@ -1206,3 +1206,7 @@ function showInputOptionsForKey(editor, item, showForKeys, state) {
 }
 showInputOptions(item, elements, state);
 }
+
+function encodeHTML(s) {
+ return s.replace(/&/g, '&').replace(/
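Review bot: Only `messages[idx].message` is passed through `encodeHTML` in the content_logging.js hunk, while `function_`, `line`, `file_name`, `level_string` and `utime` from the same log record are read raw. If those fields are interpolated into the same markup as `msg` (the rendering code is outside the hunk), they should go through the same escaping, or the whole row should be built with `.text()`/text nodes so the encoding decision is made once at the sink; the values are backend-generated, so the practical exposure is lower, but one consistent rule is easier to audit. The `encodeHTML` added in ui_utils.js calls `s.replace(...)` on its argument directly, so a record without a `message` would throw on this line; `var msg = encodeHTML(messages[idx].message || '');` avoids that if absent messages are possible. The enclosing handler starts and ends outside the hunk.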