Patched a few security holes.

Where users could inject HTML into the browser.
jhuckaby · May 15, 2021 · 546c7f6 · 546c7f6
1 parent bba7b01
commit 546c7f6
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/htdocs/js/pages/admin/APIKeys.js b/htdocs/js/pages/admin/APIKeys.js
@@ -54,7 +54,7 @@ Class.add( Page.Admin, {
 			];
 			return [
 				'<div class="td_big">' + self.getNiceAPIKey(item, true, col_width) + '</div>',
-				'<div style="">' + item.key + '</div>',
+				'<div style="">' + encode_entities(item.key) + '</div>',
 				item.active ? '<span class="color_label green"><i class="fa fa-check">&nbsp;</i>Active</span>' : '<span class="color_label red"><i class="fa fa-warning">&nbsp;</i>Suspended</span>',
 				self.getNiceUsername(item.username, true, col_width),
 				'<span title="'+get_nice_date_time(item.created, true)+'">'+get_nice_date(item.created, true)+'</span>',

diff --git a/htdocs/js/pages/admin/Categories.js b/htdocs/js/pages/admin/Categories.js
@@ -51,7 +51,7 @@ Class.add( Page.Admin, {
 
 			var tds = [
 				'<div class="td_big"><span class="link" onMouseUp="$P().edit_category('+idx+')">' + self.getNiceCategory(cat, col_width) + '</span></div>',
-				'<div class="ellip" style="max-width:'+col_width+'px;">' + (cat.description || '(No description)') + '</div>',
+				'<div class="ellip" style="max-width:'+col_width+'px;">' + encode_entities(cat.description || '(No description)') + '</div>',
 				num_events ? commify( num_events ) : '(None)',
 				cat.max_children ? commify(cat.max_children) : '(No limit)',
 				actions.join(' | ')

diff --git a/htdocs/js/pages/admin/Servers.js b/htdocs/js/pages/admin/Servers.js
@@ -161,7 +161,7 @@ Class.add( Page.Admin, {
 
 			return [
 				'<div class="td_big" style="white-space:nowrap;"><span class="link" onMouseUp="$P().edit_group('+idx+')">' + self.getNiceGroup(group, null, col_width) + '</span></div>',
-				'<div class="ellip" style="font-family:monospace; max-width:'+col_width+'px;">/' + group.regexp + '/</div>',
+				'<div class="ellip" style="font-family:monospace; max-width:'+col_width+'px;">/' + encode_entities(group.regexp) + '/</div>',
 				// group.description || '(No description)',
 				num_servers ? commify( num_servers) : '(None)',
 				num_events ? commify( num_events ) : '(None)',

diff --git a/htdocs/js/pages/admin/Users.js b/htdocs/js/pages/admin/Users.js
@@ -55,8 +55,8 @@ Class.add( Page.Admin, {
 			];
 			return [
 				'<div class="td_big">' + self.getNiceUsername(user, true, col_width) + '</div>',
-				'<div class="ellip" style="max-width:'+col_width+'px;">' + user.full_name + '</div>',
-				'<div class="ellip" style="max-width:'+col_width+'px;"><a href="mailto:'+user.email+'">'+user.email+'</a></div>',
+				'<div class="ellip" style="max-width:'+col_width+'px;">' + encode_entities(user.full_name) + '</div>',
+				'<div class="ellip" style="max-width:'+col_width+'px;"><a href="mailto:'+user.email+'">'+encode_entities(user.email)+'</a></div>',
 				user.active ? '<span class="color_label green"><i class="fa fa-check">&nbsp;</i>Active</span>' : '<span class="color_label red"><i class="fa fa-warning">&nbsp;</i>Suspended</span>',
 				user.privileges.admin ? '<span class="color_label purple"><i class="fa fa-lock">&nbsp;</i>Admin</span>' : '<span class="color_label gray">Standard</span>',
 				'<span title="'+get_nice_date_time(user.created, true)+'">'+get_nice_date(user.created, true)+'</span>',