This is an automated email from the ASF dual-hosted git repository.

alexantonenko pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.7 by this push:
     new a9cfdb9  AMBARI-25329. Ambari breadcrumbs xss vulnerability
     new a2c06bd  Merge pull request #3040 from hiveww/AMBARI-25329-branch-2.7
a9cfdb9 is described below

commit a9cfdb9dcce63a3494c07c81ebb2cf8da218a210
Author: Alex Antonenko <aantone...@hortonworks.com>
AuthorDate: Mon Jul 1 14:43:05 2019 +0300

    AMBARI-25329. Ambari breadcrumbs xss vulnerability
---
 ambari-web/app/views/common/breadcrumbs_view.js | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ambari-web/app/views/common/breadcrumbs_view.js 
b/ambari-web/app/views/common/breadcrumbs_view.js
index ec6e6a6..31190c5 100644
--- a/ambari-web/app/views/common/breadcrumbs_view.js
+++ b/ambari-web/app/views/common/breadcrumbs_view.js
@@ -149,8 +149,16 @@ App.BreadcrumbItem = Em.Object.extend({
   createLabel() {
     let label = this.get('label');
     let labelBindingPath = this.get('labelBindingPath');
+    let formattedLabel;
+
+    if (labelBindingPath) {
+      formattedLabel = 
Ember.Handlebars.Utils.escapeExpression(App.get(_getLabelPathWithoutApp(labelBindingPath)));
+    } else{
+      formattedLabel = label;
+    }
+
+
 
-    let formattedLabel = labelBindingPath ? 
App.get(_getLabelPathWithoutApp(labelBindingPath)) : label;
     this.set('formattedLabel', this.labelPostFormat(formattedLabel));
   },
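Review bot: The `else` branch at the new lines 35-37 still passes `label` through unescaped, so `App.BreadcrumbItem` on its own does not guarantee an HTML-safe `formattedLabel`; safety now depends on the caller having escaped `label` beforehand (the view change in this same commit does that for every item except the first). That split contract is easy to break from another call site that builds a `BreadcrumbItem` directly, so either escape both branches here, `formattedLabel = Ember.Handlebars.Utils.escapeExpression(labelBindingPath ? App.get(_getLabelPathWithoutApp(labelBindingPath)) : label);`, and drop the caller-side escaping, or record the expectation above the branch, e.g. `// `label` is expected to be pre-escaped by the caller; only the bound value is escaped here`. If some callers intentionally supply markup in `label`, an explicit opt-in flag on the item (constructed name, e.g. `rawLabel`) would make that visible instead of relying on call order. Whether `labelPostFormat` may itself emit markup is not visible in the hunk and should be checked so the escape is not undone downstream. Minor style: `} else{` is missing a space and the new lines 38-40 leave three consecutive blank lines.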
 
@@ -216,7 +224,9 @@ App.BreadcrumbsView = Em.View.extend({
       }
       currentState = currentState.get('parentState');
     }
-    items = items.reverse().map(item => 
App.BreadcrumbItem.extend(item).create());
+    items.reverse();
+    items.slice(1).forEach(item => item.label = 
Ember.Handlebars.Utils.escapeExpression(item.label));
+    items = items.map(item => App.BreadcrumbItem.extend(item).create());
     if (items.length) {
       items.get('lastObject').setProperties({
         disabled: true,
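Review bot: `items.slice(1)` on the new line 53 leaves the first breadcrumb (index 0 after the `reverse()`) unescaped without saying why, so a later reader cannot tell whether that is a deliberate exception for a root crumb that carries trusted markup or an off-by-one; a comment such as `// index 0 is the root crumb and is rendered as-is — TODO confirm it never carries user-controlled text` would pin the intent, and if the root label is not meant to hold markup the `slice(1)` should simply go. The escaping also only covers `label`; if any other item property ends up in the template unescaped it is not covered by this change. The arrow callback performs an assignment as its expression body, which reads as a returned value; `forEach(item => { item.label = Ember.Handlebars.Utils.escapeExpression(item.label); })` is clearer. The enclosing function starts before this hunk.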
