External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-01-11 10:00:01 -03:30
Code Issues Packages Projects Releases Wiki Activity

More escaping of malicious html/js in Activity Stream

Browse Source 
I had to move the escaping functions to happen earlier in the URL creation for activity streams
This commit is contained in:
Jared Tabor 2015-02-03 14:01:38 -05:00
parent 6e6a709165
commit 3d07e09aeb
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
awx/ui/static/js/widgets/Stream.js
View File

@ -206,9 +206,12 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
if (obj1 === 'user' || obj2 === 'user') {
activity.summary_fields.user[0].name = activity.summary_fields.user[0].username;
}
// The block until line 221 is for associative/disassociative operations, such as adding/removing a user to a team or vise versa
if (obj2_obj && obj2_obj.name && !/^_delete/.test(obj2_obj.name)) {
obj2_obj.base = obj2;
obj2_obj.name = obj2_obj.name.replace(/</g, "&lt;");
obj2_obj.name = obj2_obj.name.replace(/>/g, "&gt;");
obj2_obj.name = $sce.getTrustedHtml(obj2_obj.name);
descr += obj2 + " <a href=\"" + BuildUrl(obj2_obj) + "\">" + obj2_obj.name + '</a>' + ((activity.operation === 'disassociate') ? ' from ' : ' to ');
descr_nolink += obj2 + ' ' + obj2_obj.name + ((activity.operation === 'disassociate') ? ' from ' : ' to ');
} else if (obj2) {
@ -221,6 +224,11 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
}
if (obj1_obj && obj1_obj.name && !/^\_delete/.test(obj1_obj.name)) {
obj1_obj.base = obj1;
// Need to character escape the link names, as a malicious url or piece of html could be inserted here that could take the
// user to a unknown location.
obj1_obj.name = obj1_obj.name.replace(/</g, "&lt;");
obj1_obj.name = obj1_obj.name.replace(/>/g, "&gt;");
obj1_obj.name = $sce.getTrustedHtml(obj1_obj.name);
descr += obj1 + " <a href=\"" + BuildUrl(obj1_obj) + "\" >" + obj1_obj.name + '</a>';
descr_nolink += obj1 + ' ' + obj1_obj.name;
} else if (obj1) {
@ -264,9 +272,7 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
descr += obj1 + name;
descr_nolink += obj1 + name_nolink;
}
descr = descr.replace(/</g, "&lt;");
descr = descr.replace(/>/g, "&gt;");
activity.description = $sce.getTrustedHtml(descr);
activity.description = descr;
activity.description_nolink = descr_nolink;
};
}