This is an automated email from the ASF dual-hosted git repository. alexantonenko pushed a commit to branch branch-2.7 in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push: new a9cfdb9 AMBARI-25329. Ambari breadcrumbs xss vulnerability new a2c06bd Merge pull request #3040 from hiveww/AMBARI-25329-branch-2.7 a9cfdb9 is described below commit a9cfdb9dcce63a3494c07c81ebb2cf8da218a210 Author: Alex Antonenko <aantone...@hortonworks.com> AuthorDate: Mon Jul 1 14:43:05 2019 +0300 AMBARI-25329. Ambari breadcrumbs xss vulnerability --- ambari-web/app/views/common/breadcrumbs_view.js | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ambari-web/app/views/common/breadcrumbs_view.js b/ambari-web/app/views/common/breadcrumbs_view.js
index ec6e6a6..31190c5 100644
--- a/ambari-web/app/views/common/breadcrumbs_view.js
+++ b/ambari-web/app/views/common/breadcrumbs_view.js
@@ -149,8 +149,16 @@ App.BreadcrumbItem = Em.Object.extend({
 createLabel() {
 let label = this.get('label');
 let labelBindingPath = this.get('labelBindingPath');
+ let formattedLabel;
+
+ if (labelBindingPath) {
+ formattedLabel = Ember.Handlebars.Utils.escapeExpression(App.get(_getLabelPathWithoutApp(labelBindingPath)));
+ } else{
+ formattedLabel = label;
+ }
+
+
- let formattedLabel = labelBindingPath ? App.get(_getLabelPathWithoutApp(labelBindingPath)) : label;
 this.set('formattedLabel', this.labelPostFormat(formattedLabel));
 },
@@ -216,7 +224,9 @@ App.BreadcrumbsView = Em.View.extend({
 }
 currentState = currentState.get('parentState');
 }
- items = items.reverse().map(item => App.BreadcrumbItem.extend(item).create());
+ items.reverse();
+ items.slice(1).forEach(item => item.label = Ember.Handlebars.Utils.escapeExpression(item.label));
+ items = items.map(item => App.BreadcrumbItem.extend(item).create());
 if (items.length) {
 items.get('lastObject').setProperties({
 disabled: true,
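Review bot: The `else` branch of the new `if (labelBindingPath)` in `createLabel` still passes `label` through unescaped, so `BreadcrumbItem` is only safe when its creator has already escaped `label` — which this commit does in `BreadcrumbsView` for every item but the first — and any other creator of `App.BreadcrumbItem`, or a later `set('label', …)`, bypasses the fix. Escaping once at the point of use covers both sources and lets the caller-side escaping in the second hunk go (unless the first crumb's label is deliberately raw HTML): `formattedLabel = Ember.Handlebars.Utils.escapeExpression(labelBindingPath ? App.get(_getLabelPathWithoutApp(labelBindingPath)) : label);`. Two caveats the hunk does not show: `labelPostFormat` runs on the already-escaped string and must not re-insert unescaped input, and this only closes the XSS if the template renders `formattedLabel` with triple-stache — if it uses `{{formattedLabel}}`, the label is now double-escaped and will show `&amp;lt;`, so the template is worth checking in the same change. The two trailing blank `+` lines and `} else{` (should be `} else {`) are leftovers to tidy. `createLabel` fits inside the hunk, but the enclosing `App.BreadcrumbItem` definition begins and ends outside it.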
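Review bot: `items.slice(1).forEach(item => item.label = …)` escapes by mutating the collected `item` objects in place, and their ownership is not visible in the hunk: if they are the routes' own breadcrumb config objects rather than per-render copies, each re-render of the view escapes an already-escaped label again (`&amp;lt;`, then `&amp;amp;lt;`, …), while the first item's label is never escaped at all — presumably because it is a static root crumb, which deserves a one-line comment. Escaping into a copy avoids the accumulating mutation and keeps the one exception explicit, and a single `.map` with an index reads more directly than a `forEach` whose arrow body is an assignment. This assumes the pushed items are plain objects, as `App.BreadcrumbItem.extend(item)` suggests. `items` is built by the loop over `currentState` that begins above the hunk.
```javascript
    items.reverse();
    // Escape every label but the root crumb's; copy so the collected item objects are not re-escaped on each render
    items = items.map((item, index) => {
      const source = index === 0 ? item : Object.assign({}, item, {
        label: Ember.Handlebars.Utils.escapeExpression(item.label)
      });
      return App.BreadcrumbItem.extend(source).create();
    });
    // … unchanged: if (items.length) { … lastObject setProperties … }
```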