From f008c9d307aaa92004cca42f84f57ef6dd0f6273 Mon Sep 17 00:00:00 2001
From: Matt Borland
Date: Tue, 6 Sep 2016 11:14:40 -0600
Subject: [PATCH] HTML-escape values written to output

The code doesn't currently HTML-escape various outputs, and puts them directly into the raw HTML. This can lead to cross-site scripting exploits.

Change-Id: Idef647e7eaf268850dcb7ccff44170ffc5d11878
---
 .../freezer/js/freezer.jobs.sortable.js | 26 +++++++++----------
 .../static/freezer/js/freezer.restore.js | 17 +++++++-----
 2 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/disaster_recovery/static/freezer/js/freezer.jobs.sortable.js b/disaster_recovery/static/freezer/js/freezer.jobs.sortable.js
index 48b3be7..e2eaf50 100644
--- a/disaster_recovery/static/freezer/js/freezer.jobs.sortable.js
+++ b/disaster_recovery/static/freezer/js/freezer.jobs.sortable.js
@@ -9,6 +9,7 @@ $(function () {
 }).disableSelection();
 });

+// BAD: This is putting all these members on global scope.
 var parent = $(".sortable_lists").parent();
 parent.removeClass("col-sm-6");

@@ -44,6 +45,12 @@ function actions_url() {
 return url;
 }

+function freezerLi(item) {
+ return $('
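Review bot: The new `// BAD:` comment in the first hunk records the global-scope leak under a marker that no tooling tracks, so the problem is noted but not scheduled. Wrapping the file in an IIFE is the real fix and is reasonably out of scope for an XSS patch, but the comment should at least be a tracked follow-up that names what leaks: `// TODO: parent (and the other top-level vars in this file) are globals on window; wrap the file in an IIFE.` Only `parent` is visible in this hunk; that other top-level names leak as well is inferred from the comment's own wording.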
  • ') + .attr('id', item.action_id) + .text("(" + item.freezer_action.action + ") " + item.freezer_action.backup_name); +} + if (job_id !== "") { $.ajax({ url: actions_in_job_url(), @@ -53,21 +60,15 @@ if (job_id !== "") { contentType: 'application/json; charset=utf-8', success: function (data) { $.each(data.available, function (index, item) { - $("#actions_available").append( - "
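Review bot: freezerLi now routes the action type and backup_name through `.text()`, which closes the injection the commit describes, but it still sets the element id straight from `item.action_id`; an id that collided with one of the page's own ids (`actions_available`, `actions_selected`) would redirect the `$("#...")` lookups in the hunks below, so unless action_id is known to be a server-generated UUID it is worth namespacing, e.g. `.attr('id', 'action-' + item.action_id)`, with the matching strip wherever the sortable code reads ids back (that code is outside this patch, so whether it does is inferred). The helper also has no doc comment explaining why it builds the element this way, which is the whole point of the patch; suggest `/** Build the list item for one action; name/backup_name are API strings and go through .text() so they are never parsed as HTML. */`.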
  • " + - "(" + item.freezer_action.action + ")" + " " + item.freezer_action.backup_name + "
  • " - ); + $("#actions_available").append(freezerLi(item)); }); $.each(data.selected, function (index, item) { - $("#actions_selected").append( - "
  • " + - "(" + item.freezer_action.action + ")" + " " + item.freezer_action.backup_name + "
  • " - ); + $("#actions_selected").append(freezerLi(item)); }); }, error: function (request, error) { $("#actions_available").append( - 'Error getting action list' + 'Error getting action list' // UNTRANSLATED ); } }); @@ -80,15 +81,12 @@ if (job_id !== "") { contentType: 'application/json; charset=utf-8' , success: function (data) { $.each(data, function (index, item) { - $("#actions_available").append( - "
  • " + - "(" + item.freezer_action.action + ")" + " " + item.freezer_action.backup_name + "
  • " - ); + $("#actions_available").append(freezerLi(item)); }); }, error: function (request, error) { $("#actions_available").append( - 'Error getting action list' + 'Error getting action list' // UNTRANSLATED ); } }); diff --git a/disaster_recovery/static/freezer/js/freezer.restore.js b/disaster_recovery/static/freezer/js/freezer.restore.js index 7c0e265..28e578e 100644 --- a/disaster_recovery/static/freezer/js/freezer.restore.js +++ b/disaster_recovery/static/freezer/js/freezer.restore.js @@ -25,6 +25,15 @@ function get_url() { return url; } +function freezerGetRow(item) { + var tr = $(''); + tr.append($('') + .append($('') + .attr('value', item.client.client_id))); + tr.append($('').text(item.client.hostname)); + return tr; +} + $.ajax({ url: get_url(), type: "GET", @@ -33,16 +42,12 @@ $.ajax({ contentType: 'application/json; charset=utf-8', success: function(data) { $.each(data, function (index, item) { - $("#available_clients").append( - '' + - '' + - '' + item.client.hostname + '' - ); + $("#available_clients").append(freezerGetRow(item)); }); }, error: function (request, error) { $("#available_clients").append( - 'Error getting client list' + 'Error getting client list' // UNTRANSLATED ); } });