Hi,
Please find attached the patch fixing RM 1527: XSS vulnerabilities.
Fixed items:
1. Tree Node labels while loading, adding and updating the node
2. Error and Success messages of Alertify dialogue
3. Properties dialogue: un-editable controls
4. SQL Editor title
Please review the patch and let me know if I missed something.
Thanks,
Khushboo
diff --git a/web/pgadmin/browser/templates/browser/js/browser.js b/web/pgadmin/browser/templates/browser/js/browser.js
index 82bed32..5ed582a 100644
--- a/web/pgadmin/browser/templates/browser/js/browser.js
+++ b/web/pgadmin/browser/templates/browser/js/browser.js
@@ -333,8 +333,12 @@ function(require, $, _, S, Bootstrap, pgAdmin, alertify, CodeMirror) {
url: '{{ url_for('browser.get_nodes') }}',
converters: {
'text json': function(payload) {
- return $.parseJSON(payload).data;
- }
+ data = JSON.parse(payload).data;
+ _.each(data, function(d){
+ d.label = _.escape(d.label);
+ })
+ return data;
+ },
}
},
ajaxHook: function(item, settings) {
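Review bot: `data` on the first added line is assigned without a declaration, so every response from this converter creates or overwrites a global named `data`; make it local, `var data = JSON.parse(payload).data;`, and terminate the `_.each(...)` call with a semicolon. Escaping `label` here also HTML-encodes the value that is stored in the node data itself rather than the text written to the DOM, which is why sqleditor.js in this same patch has to `_.unescape` the title again before handing it to `.text()`; encoding at the point where the label is set on the tree (as the node.js hunks do with `tree.setLabel`) keeps the model holding the raw name and avoids that round trip. The loop additionally assumes each entry carries a `label`; `_.escape` on an absent label yields `''` or the string `"undefined"` depending on the underscore version, so a node without one would silently get a wrong label. The enclosing converter object and the surrounding function start outside this hunk.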
diff --git a/web/pgadmin/browser/templates/browser/js/node.js b/web/pgadmin/browser/templates/browser/js/node.js
index e116659..494240d 100644
--- a/web/pgadmin/browser/templates/browser/js/node.js
+++ b/web/pgadmin/browser/templates/browser/js/node.js
@@ -1119,10 +1119,10 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {
newNodeData = view.model.tnode;
tree.addIcon(item, {icon: newNodeData.icon});
- tree.setLabel(item, {label: newNodeData.label});
+ tree.setLabel(item, {label: _.escape(newNodeData.label)});
_.extend(itemData, newNodeData);
} else if (view.model.get('name')) {
- tree.setLabel(item, {label: view.model.get("name")});
+ tree.setLabel(item, {label: _.escape(view.model.get("name"))});
if (
view.model.get('data').icon && view.model.get('data').icon != ''
)
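Review bot: The two node.js hunks encode at different layers: here the escaped value goes only into `tree.setLabel` while `_.extend(itemData, newNodeData)` keeps the raw label in the node data, whereas the hunk at `view.model.tnode.label = _.escape(view.model.tnode.label);` rewrites the model's own field in place. The second form means any later reader of `tnode.label` (the copy taken by `_.extend({}, view.model.tnode)` on the following line included) receives HTML-encoded text, and re-entering that branch would escape it a second time. Prefer the approach used in this hunk for both: leave `tnode.label` untouched and apply `_.escape` where the copy `d` is handed to the tree, e.g. `d.label = _.escape(d.label);` after the `_.extend` rather than mutating the model. The enclosing callback starts and ends outside both hunks.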
@@ -1145,6 +1145,7 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {
/* TODO:: Create new tree node for this */
if (view.model.tnode && '_id' in view.model.tnode) {
+ view.model.tnode.label = _.escape(view.model.tnode.label);
var d = _.extend({}, view.model.tnode),
func = function(i) {
setTimeout(function() {closePanel();}, 0);
diff --git a/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js b/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
index b5caf77..f1b7472 100644
--- a/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
+++ b/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
@@ -102,7 +102,7 @@ function(alertify, S) {
onJSONResult && typeof(onJSONResult) == 'function') {
return onJSONResult(resp.result);
}
- msg = resp.result || resp.errormsg || "Unknown error";
+ msg = _.escape(resp.result) || _.escape(resp.errormsg) || "Unknown error";
}
} catch (exc) {
}
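Review bot: `_` is not among this module's dependencies — the hunk header shows the factory as `function(alertify, S)` — so the new `_.escape(...)` calls rely on underscore being a global, and if it is not loaded the resulting ReferenceError is absorbed by the empty `catch (exc) {}` two lines below, leaving `msg` unset. Either add `underscore` to the module's dependency list and `_` to the factory parameters, or, if `S` is underscore.string as its name suggests, use its `S.escapeHTML(...)` which is already in scope. The empty catch is pre-existing, but it turns this missing dependency into a silent failure, so a comment such as `// NOTE: swallows parse errors; msg falls back to the default below` would at least make that visible. The enclosing function continues outside the hunk.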
diff --git a/web/pgadmin/static/js/backform.pgadmin.js b/web/pgadmin/static/js/backform.pgadmin.js
index 3747fa0..bc7d434 100644
--- a/web/pgadmin/static/js/backform.pgadmin.js
+++ b/web/pgadmin/static/js/backform.pgadmin.js
@@ -162,7 +162,7 @@
'<label class="<%=Backform.controlLabelClassName%>"><%=label%></label>',
'<div class="<%=Backform.controlsClassName%>">',
' <span class="<%=Backform.controlClassName%> uneditable-input" <%=disabled ? "disabled" : ""%>>',
- ' <%=value%>',
+ ' <%-value%>',
' </span>',
'</div>',
'<% if (helpMessage && helpMessage.length) { %>',
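Review bot: `<%-value%>` is the escaping interpolation for underscore templates, but the `<%=label%>` on the first context line of this hunk stays unescaped; if control labels can ever be derived from server-supplied text it needs the same treatment, `'<label class="<%=Backform.controlLabelClassName%>"><%-label%></label>',` — if labels come only from the static schema this is a consistency nit. Note also that values reaching this template already HTML-encoded (as tree labels are after the browser.js hunk) will now be shown double-encoded, so the uneditable control should receive the raw model value. The template array begins and ends outside this hunk.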
diff --git a/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js b/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
index 58189cc..2be2b49 100644
--- a/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
@@ -190,7 +190,7 @@ define(
render: function() {
var self = this;
- $('.editor-title').text(self.editor_title);
+ $('.editor-title').text(_.unescape(self.editor_title));
var filter = self.$el.find('#sql_filter');
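Review bot: The title is unescaped twice: once when it is stored, `self.gridView.editor_title = _.unescape(editor_title);` in the hunk at `@@ -1108`, and again here when rendered with `_.unescape(self.editor_title)`. A name that legitimately contains an entity-looking sequence (for instance a table literally named `a &amp; b`) would be escaped once upstream and then decoded twice, displaying `a & b` instead of the real name; keep a single `_.unescape` at the assignment and render with `$('.editor-title').text(self.editor_title);`. Since `.text()` is already a text sink, the unescape exists only to undo the encoding applied in the browser.js converter, which is a further sign that encoding belongs at the DOM sink rather than in the node data. Both enclosing functions start and end outside their hunks.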
@@ -1108,7 +1108,7 @@ define(
});
self.transId = self.gridView.transId = self.container.data('transId');
- self.gridView.editor_title = editor_title;
+ self.gridView.editor_title = _.unescape(editor_title);
self.gridView.current_file = undefined;
self.gridView.items_per_page = self.items_per_page
--