
Commit bf26611

Merge pull request from GHSA-4gqv-hcmg-jw33
Added output encoding to a few fields
2 parents 9a06b36 + c2d6162 commit bf26611


1 file changed

+46
-41
lines changed


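--- a/src/main/webapp/admin/functions.js
+++ b/src/main/webapp/admin/functions.js
@@ -451,7 +451,7 @@ function notificationTemplateDetailFormatter(index, row) {
 */
 function teamDetailFormatter(index, row) {
 let html = [];
-
+let escapedTeamName = filterXSS.escapeAttrValue(row.name);
 let apiKeysHtml = "";
 if (!(row.apiKeys === undefined)) {
 for (let i = 0; i < row.apiKeys.length; i++) {
@@ -498,23 +498,25 @@ function teamDetailFormatter(index, row) {
 let membersHtml = "";
 if (!(row.ldapUsers === undefined)) {
 for (let i = 0; i < row.ldapUsers.length; i++) {
+let escapedUsername = filterXSS.escapeAttrValue(row.ldapUsers[i].username);
 membersHtml += `
-<li class="list-group-item" id="container-${row.uuid}-${row.ldapUsers[i].username}-membership">
-<a href="#" onclick="removeTeamMembership('${row.uuid}', '${row.ldapUsers[i].username}')" data-toggle="tooltip" title="Remove User From Team">
+<li class="list-group-item" id="container-${row.uuid}-${escapedUsername}-membership">
+<a href="#" onclick="removeTeamMembership('${row.uuid}', '${escapedUsername}')" data-toggle="tooltip" title="Remove User From Team">
 <span class="glyphicon glyphicon-trash glyphicon-input-form pull-right"></span>
 </a>
-${row.ldapUsers[i].username}
+${escapedUsername}
 </li>`;
 }
 }
 if (!(row.managedUsers === undefined)) {
 for (let i = 0; i < row.managedUsers.length; i++) {
+let escapedUsername = filterXSS.escapeAttrValue(row.managedUsers[i].username);
 membersHtml += `
-<li class="list-group-item" id="container-${row.uuid}-${row.managedUsers[i].username}-membership">
-<a href="#" onclick="removeTeamMembership('${row.uuid}', '${row.managedUsers[i].username}')" data-toggle="tooltip" title="Remove User From Team">
+<li class="list-group-item" id="container-${row.uuid}-${escapedUsername}-membership">
+<a href="#" onclick="removeTeamMembership('${row.uuid}', '${escapedUsername}')" data-toggle="tooltip" title="Remove User From Team">
 <span class="glyphicon glyphicon-trash glyphicon-input-form pull-right"></span>
 </a>
-${row.managedUsers[i].username}
+${escapedUsername}
 </li>`;
 }
 }
@@ -544,7 +546,7 @@ function teamDetailFormatter(index, row) {
 <form id="form-${row.uuid}">
 <div class="form-group">
 <label for="inputTeamName">Team Name</label>
-<input type="text" class="form-control" id="inputTeamName-${row.uuid}" placeholder="Name" value="${row.name}" data-team-uuid="${row.uuid}">
+<input type="text" class="form-control" id="inputTeamName-${row.uuid}" placeholder="Name" value="${escapedTeamName}" data-team-uuid="${row.uuid}">
 </div>
 <div class="form-group">
 <label for="inputApiKeys">API Keys</label>
@@ -597,22 +599,22 @@ function teamDetailFormatter(index, row) {
 */
 function ldapUserDetailFormatter(index, row) {
 let html = [];
-
+let escapedUsername = filterXSS.escapeAttrValue(row.username);
 let teamsHtml = "";
 if (!(row.teams === undefined)) {
 for (let i = 0; i < row.teams.length; i++) {
 teamsHtml += `
 <li class="list-group-item" id="container-apikey-${row.teams[i].key}">
-<a href="#" id="delete-${row.teams[i].uuid}" onclick="removeTeamMembership('${row.teams[i].uuid}', '${row.username}')" data-toggle="tooltip" title="Remove from Team">
+<a href="#" id="delete-${row.teams[i].uuid}" onclick="removeTeamMembership('${row.teams[i].uuid}', '${escapedUsername}')" data-toggle="tooltip" title="Remove from Team">
 <span class="glyphicon glyphicon-trash glyphicon-input-form pull-right"></span>
 </a>
-<span id="${row.username}-team-${row.teams[i].uuid}">${row.teams[i].name}</span>
+<span id="${escapedUsername}-team-${row.teams[i].uuid}">${row.teams[i].name}</span>
 </li>`;
 }
 }
 teamsHtml += `
 <li class="list-group-item" id="container-no-apikey">
-<a href="#" id="add-user-${row.username}-to-team" data-toggle="modal" data-target="#modalAssignTeamToUser" data-username="${row.username}" title="Add to Team">
+<a href="#" id="add-user-${escapedUsername}-to-team" data-toggle="modal" data-target="#modalAssignTeamToUser" data-username="${escapedUsername}" title="Add to Team">
 <span class="glyphicon glyphicon-plus-sign glyphicon-input-form pull-right"></span>
 </a>
 <span>&nbsp;</span>
@@ -623,16 +625,16 @@ function ldapUserDetailFormatter(index, row) {
 for (let i = 0; i < row.permissions.length; i++) {
 permissionsHtml += `
 <li class="list-group-item" id="container-permission-${row.permissions[i].name}">
-<a href="#" id="delete-${row.permissions[i].name}" onclick="removePermission('${row.permissions[i].name}', '${row.username}')" data-toggle="tooltip" title="Remove Permission">
+<a href="#" id="delete-${row.permissions[i].name}" onclick="removePermission('${row.permissions[i].name}', '${escapedUsername}')" data-toggle="tooltip" title="Remove Permission">
 <span class="glyphicon glyphicon-trash glyphicon-input-form pull-right"></span>
 </a>
-<span id="${row.username}-permission-${row.permissions[i].name}">${row.permissions[i].name}</span>
+<span id="${escapedUsername}-permission-${row.permissions[i].name}">${row.permissions[i].name}</span>
 </li>`;
 }
 }
 permissionsHtml += `
 <li class="list-group-item" id="container-no-permission">
-<a href="#" id="add-permission-to-${row.username}" data-toggle="modal" data-target="#modalAssignPermission" data-username="${row.username}" title="Add Permission">
+<a href="#" id="add-permission-to-${escapedUsername}" data-toggle="modal" data-target="#modalAssignPermission" data-username="${escapedUsername}" title="Add Permission">
 <span class="glyphicon glyphicon-plus-sign glyphicon-input-form pull-right"></span>
 </a>
 <span>&nbsp;</span>
@@ -656,15 +658,15 @@ function ldapUserDetailFormatter(index, row) {
 </div>
 <div class="col-sm-6 col-md-6">
 <!-- Perhaps other fields here in the future? -->
-<button type="button" class="btn btn-danger pull-right" id="deleteUser-${row.username}" data-user-username="${row.username}">Delete User</button>
+<button type="button" class="btn btn-danger pull-right" id="deleteUser-${escapedUsername}" data-user-username="${escapedUsername}">Delete User</button>
 </form>
 </div>
 <script type="text/javascript">
-$("#" + $.escapeSelector("deleteUser-${row.username}")).on("click", deleteLdapUser);
-$("#" + $.escapeSelector("add-user-${row.username}-to-team")).on("click", function () {
+$("#" + $.escapeSelector("deleteUser-${escapedUsername}")).on("click", deleteLdapUser);
+$("#" + $.escapeSelector("add-user-${escapedUsername}-to-team")).on("click", function () {
 $("#assignTeamToUser").attr("data-username", $(this).data("username")); // Assign the username to the data-username attribute of the 'Update' button
 });
-$("#" + $.escapeSelector("add-permission-to-${row.username}")).on("click", function () {
+$("#" + $.escapeSelector("add-permission-to-${escapedUsername}")).on("click", function () {
 $("#assignPermission").attr("data-username", $(this).data("username")); // Assign the username to the data-username attribute of the 'Update' button
 });
 </script>
@@ -680,22 +682,25 @@ function ldapUserDetailFormatter(index, row) {
 */
 function managedUserDetailFormatter(index, row) {
 let html = [];
-
+let escapedUsername = filterXSS.escapeAttrValue(row.username);
+let escapedFullname = (row.fullname) ? filterXSS.escapeAttrValue(row.fullname) : null;
+let escapedEmail = (row.email) ? filterXSS.escapeAttrValue(row.email) : null;
 let teamsHtml = "";
 if (!(row.teams === undefined)) {
 for (let i = 0; i < row.teams.length; i++) {
+let escapedTeamname = filterXSS(row.teams[i].name);
 teamsHtml += `
 <li class="list-group-item" id="container-apikey-${row.teams[i].key}">
-<a href="#" id="delete-${row.teams[i].uuid}" onclick="removeTeamMembership('${row.teams[i].uuid}', '${row.username}')" data-toggle="tooltip" title="Remove from Team">
+<a href="#" id="delete-${row.teams[i].uuid}" onclick="removeTeamMembership('${row.teams[i].uuid}', '${escapedUsername}')" data-toggle="tooltip" title="Remove from Team">
 <span class="glyphicon glyphicon-trash glyphicon-input-form pull-right"></span>
 </a>
-<span id="${row.username}-team-${row.teams[i].uuid}">${row.teams[i].name}</span>
+<span id="${escapedUsername}-team-${row.teams[i].uuid}">${escapedTeamname}</span>
 </li>`;
 }
 }
 teamsHtml += `
 <li class="list-group-item" id="container-no-apikey">
-<a href="#" id="add-user-${row.username}-to-team" data-toggle="modal" data-target="#modalAssignTeamToUser" data-username="${row.username}" title="Add to Team">
+<a href="#" id="add-user-${escapedUsername}-to-team" data-toggle="modal" data-target="#modalAssignTeamToUser" data-username="${escapedUsername}" title="Add to Team">
 <span class="glyphicon glyphicon-plus-sign glyphicon-input-form pull-right"></span>
 </a>
 <span>&nbsp;</span>
@@ -706,16 +711,16 @@ function managedUserDetailFormatter(index, row) {
 for (let i = 0; i < row.permissions.length; i++) {
 permissionsHtml += `
 <li class="list-group-item" id="container-permission-${row.permissions[i].name}">
-<a href="#" id="delete-${row.permissions[i].name}" onclick="removePermission('${row.permissions[i].name}', '${row.username}')" data-toggle="tooltip" title="Remove Permission">
+<a href="#" id="delete-${row.permissions[i].name}" onclick="removePermission('${row.permissions[i].name}', '${escapedUsername}')" data-toggle="tooltip" title="Remove Permission">
 <span class="glyphicon glyphicon-trash glyphicon-input-form pull-right"></span>
 </a>
-<span id="${row.username}-permission-${row.permissions[i].name}">${row.permissions[i].name}</span>
+<span id="${escapedUsername}-permission-${row.permissions[i].name}">${row.permissions[i].name}</span>
 </li>`;
 }
 }
 permissionsHtml += `
 <li class="list-group-item" id="container-no-permission">
-<a href="#" id="add-permission-to-${row.username}" data-toggle="modal" data-target="#modalAssignPermission" data-username="${row.username}" title="Add Permission">
+<a href="#" id="add-permission-to-${escapedUsername}" data-toggle="modal" data-target="#modalAssignPermission" data-username="${escapedUsername}" title="Add Permission">
 <span class="glyphicon glyphicon-plus-sign glyphicon-input-form pull-right"></span>
 </a>
 <span>&nbsp;</span>
@@ -745,39 +750,39 @@ function managedUserDetailFormatter(index, row) {
 <div class="col-md-6">
 <div class="form-group">
 <label class="required" for="updateManagedUserFullnameInput">Full Name</label>
-<input type="text" class="form-control required" value="${row.fullname}" id="updateManagedUserFullnameInput-${row.username}" data-username="${row.username}">
+<input type="text" class="form-control required" value="${escapedFullname}" id="updateManagedUserFullnameInput-${escapedUsername}" data-username="${escapedUsername}">
 </div>
 <div class="form-group">
 <label class="required" for="updateManagedUserEmailInput">Email</label>
-<input type="email" class="form-control required" value="${row.email}" id="updateManagedUserEmailInput-${row.username}" data-username="${row.username}">
+<input type="email" class="form-control required" value="${escapedEmail}" id="updateManagedUserEmailInput-${escapedUsername}" data-username="${escapedUsername}">
 </div>
 <div class="checkbox inDetailFormatterForm">
-<label><input type="checkbox" ${forcePasswordChange} id="updateManagedUserForcePasswordChangeInput-${row.username}" data-username="${row.username}"> User must change password at next login</label>
+<label><input type="checkbox" ${forcePasswordChange} id="updateManagedUserForcePasswordChangeInput-${escapedUsername}" data-username="${escapedUsername}"> User must change password at next login</label>
 </div>
 <div class="checkbox inDetailFormatterForm">
-<label><input type="checkbox" ${nonExpiryPassword} id="updateManagedUserNonExpiryPasswordInput-${row.username}" data-username="${row.username}"> Password never expires</label>
+<label><input type="checkbox" ${nonExpiryPassword} id="updateManagedUserNonExpiryPasswordInput-${escapedUsername}" data-username="${escapedUsername}"> Password never expires</label>
 </div>
 <div class="checkbox inDetailFormatterForm">
-<label><input type="checkbox" ${suspended} id="updateManagedUserSuspendedInput-${row.username}" data-username="${row.username}"> Suspended</label>
+<label><input type="checkbox" ${suspended} id="updateManagedUserSuspendedInput-${escapedUsername}" data-username="${escapedUsername}"> Suspended</label>
 </div>
 <div class="inDetailFormatterForm">
-<button type="button" class="btn btn-danger pull-right" id="deleteUser-${row.username}" data-user-username="${row.username}">Delete User</button>
+<button type="button" class="btn btn-danger pull-right" id="deleteUser-${escapedUsername}" data-user-username="${escapedUsername}">Delete User</button>
 </div>
 </form>
 </div>
 <script type="text/javascript">
-$("#" + $.escapeSelector("deleteUser-${row.username}")).on("click", deleteManagedUser);
-$("#" + $.escapeSelector("add-user-${row.username}-to-team")).on("click", function () {
+$("#" + $.escapeSelector("deleteUser-${escapedUsername}")).on("click", deleteManagedUser);
+$("#" + $.escapeSelector("add-user-${escapedUsername}-to-team")).on("click", function () {
 $("#assignTeamToUser").attr("data-username", $(this).data("username")); // Assign the username to the data-username attribute of the 'Update' button
 });
-$("#" + $.escapeSelector("add-permission-to-${row.username}")).on("click", function () {
+$("#" + $.escapeSelector("add-permission-to-${escapedUsername}")).on("click", function () {
 $("#assignPermission").attr("data-username", $(this).data("username")); // Assign the username to the data-username attribute of the 'Update' button
 });
-$("#" + $.escapeSelector("updateManagedUserFullnameInput-${row.username}")).keydown($common.debounce(updateManagedUser, 750));
-$("#" + $.escapeSelector("updateManagedUserEmailInput-${row.username}")).keydown($common.debounce(updateManagedUser, 750));
-$("#" + $.escapeSelector("updateManagedUserForcePasswordChangeInput-${row.username}")).change($common.debounce(updateManagedUser, 750));
-$("#" + $.escapeSelector("updateManagedUserNonExpiryPasswordInput-${row.username}")).change($common.debounce(updateManagedUser, 750));
-$("#" + $.escapeSelector("updateManagedUserSuspendedInput-${row.username}")).change($common.debounce(updateManagedUser, 750));
+$("#" + $.escapeSelector("updateManagedUserFullnameInput-${escapedUsername}")).keydown($common.debounce(updateManagedUser, 750));
+$("#" + $.escapeSelector("updateManagedUserEmailInput-${escapedUsername}")).keydown($common.debounce(updateManagedUser, 750));
+$("#" + $.escapeSelector("updateManagedUserForcePasswordChangeInput-${escapedUsername}")).change($common.debounce(updateManagedUser, 750));
+$("#" + $.escapeSelector("updateManagedUserNonExpiryPasswordInput-${escapedUsername}")).change($common.debounce(updateManagedUser, 750));
+$("#" + $.escapeSelector("updateManagedUserSuspendedInput-${escapedUsername}")).change($common.debounce(updateManagedUser, 750));
 </script>
 `;
 html.push(template);
@@ -1354,4 +1359,4 @@ $(document).ready(function () {
 $rest.updateConfigProperty($(this).data("group-name"), $(this).data("property-name"), propertyValue);
 });
 
-});
+});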
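Review bot: The single `filterXSS.escapeAttrValue` result is reused in three different output contexts — HTML attribute values, HTML text content (`${escapedUsername}` as the `<li>` body in the `@@ -498` hunk) and a JavaScript string literal inside `onclick="removeTeamMembership('${row.uuid}', '${escapedUsername}')"` — and an attribute-value escaper does not, as far as I recall of the xss library, touch the single quote that delimits that inner JS string, so please confirm that the onclick handlers in the `@@ -498`, `@@ -597`, `@@ -623`, `@@ -680` and `@@ -706` hunks are actually covered. The file already uses the safer binding pattern for the "add" links; applying it to the remove links, e.g. `<a href="#" class="remove-membership" data-team-uuid="${row.uuid}" data-username="${escapedUsername}" ...>` bound in the `<script>` block with `$(".remove-membership").on("click", function () { removeTeamMembership($(this).data("team-uuid"), $(this).data("username")); });`, removes the JS-string context from the template entirely, and the same applies to the `removePermission` links. In `managedUserDetailFormatter` (`@@ -680` hunk) `escapedFullname` and `escapedEmail` fall back to `null`, which the template at `@@ -745` renders as the literal text `null` in `value="${escapedFullname}"` / `value="${escapedEmail}"`; `: ""` is the intended fallback. `ldapUserDetailFormatter` still emits `${row.teams[i].name}` unescaped as span text in the `@@ -597` hunk while the managed-user counterpart wraps it in `filterXSS(...)`; the two should agree, and for plain text content an escaper is the right tool rather than a tag-whitelisting sanitizer, which may still admit markup. All three formatter bodies begin and end outside the shown hunks, so other interpolations of `row.*` fields in the omitted lines were not reviewed here.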
