Changed instances of hard-coded XSS filtering to use the filter

John Mitchell 2015-05-11 13:39:56 -04:00
parent 23a69995d3
commit 7dd5dd947d
4 changed files with 18 additions and 30 deletions


@ -437,8 +437,7 @@ export default
else {
if( typeof itm === "string"){
if(itm.indexOf('<') > -1 || itm.indexOf('>') > -1){
itm = itm.replace(/</g, "&lt;");
itm = itm.replace(/>/g, "&gt;");
itm = $filter('sanitize')(itm);
}
}
html += "<span ng-non-bindable>" + itm + "</span>";
@ -547,15 +546,14 @@ export default
};
}])
.factory('EventAddPreFormattedText', [function() {
.factory('EventAddPreFormattedText', ['$filter', function($filter) {
return function(params) {
var id = params.id,
val = params.val,
html;
if( typeof val === "string"){
if(val.indexOf('<') > -1 || val.indexOf('>') > -1){
val = val.replace(/</g, "&lt;");
val = val.replace(/>/g, "&gt;");
val = $filter('sanitize')(val);
}
}
html = "<pre ng-non-bindable>" + val + "</pre>\n";
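Review bot: The new `$filter('sanitize')` call is still gated on the old `indexOf('<') > -1 || indexOf('>') > -1` test, both in the first hunk (`itm`) and in EventAddPreFormattedText (`val`), so anything the filter escapes beyond angle brackets — quotes or ampersands, if it handles them — is skipped for any value that happens to contain neither `<` nor `>`. Now that escaping is delegated to the filter, the gate adds nothing but an inconsistent contract, and the value is concatenated straight into `html` either way. Suggest dropping the inner `if` and calling `val = $filter('sanitize')(val);` (and `itm = $filter('sanitize')(itm);`) unconditionally inside the `typeof === "string"` check. Both enclosing functions continue outside the hunk.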


@ -497,9 +497,9 @@ function($compile, Rest, GetBasePath, TextareaResize,CreateDialog, GenerateForm,
};
}])
.factory('PromptForSurvey', ['$compile', 'Wait', 'Alert', 'CredentialForm', 'CreateLaunchDialog', 'SurveyControllerInit' , 'GetBasePath', 'Rest' , 'Empty',
.factory('PromptForSurvey', ['$filter', '$compile', 'Wait', 'Alert', 'CredentialForm', 'CreateLaunchDialog', 'SurveyControllerInit' , 'GetBasePath', 'Rest' , 'Empty',
'GenerateForm', 'ShowSurveyModal', 'ProcessErrors', '$routeParams' ,
function($compile, Wait, Alert, CredentialForm, CreateLaunchDialog, SurveyControllerInit, GetBasePath, Rest, Empty,
function($filter, $compile, Wait, Alert, CredentialForm, CreateLaunchDialog, SurveyControllerInit, GetBasePath, Rest, Empty,
GenerateForm, ShowSurveyModal, ProcessErrors, $routeParams) {
return function(params) {
var html = params.html || "",
@ -519,10 +519,8 @@ function($compile, Rest, GetBasePath, TextareaResize,CreateDialog, GenerateForm,
function buildHtml(question, index){
question.index = index;
question.question_name = question.question_name.replace(/</g, "&lt;");
question.question_name = question.question_name.replace(/>/g, "&gt;");
question.question_description = (question.question_description) ? question.question_description.replace(/</g, "&lt;") : undefined;
question.question_description = (question.question_description) ? question.question_description.replace(/>/g, "&gt;") : undefined;
question.question_name = $filter('sanitize')(question.question_name);
question.question_description = (question.question_description) ? $filter('sanitize')(question.question_description) : undefined;
requiredAsterisk = (question.required===true) ? "prepend-asterisk" : "";
@ -603,8 +601,7 @@ function($compile, Rest, GetBasePath, TextareaResize,CreateDialog, GenerateForm,
html+='<div class="survey_taker_input" > ';
for( j = 0; j<choices.length; j++){
checked = (!Empty(question.default) && question.default.indexOf(choices[j])!==-1) ? "checked" : "";
choices[j] = choices[j].replace(/</g, "&lt;");
choices[j] = choices[j].replace(/>/g, "&gt;");
choices[j] = $filter('sanitize')(choices[j]);
html+= '<input type="'+element+'" class="mc" ng-model="'+question.variable+'" ng-required="'+question.required+'" name="'+question.variable+ ' " id="'+question.variable+'" value=" '+choices[j]+' " '+checked+' >' +
'<span>'+choices[j] +'</span><br>' ;
}
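Review bot: On the `html+= '<input type=...'` line of the choices hunk, `question.variable` is interpolated into the `ng-model`, `ng-required`, `name` and `id` attributes with no filtering at all, while `choices[j]` on the same line now goes through `$filter('sanitize')`. The filtered `choices[j]` is also placed inside a double-quoted `value=" … "` attribute, so for that context the filter has to encode `"` as well as `<` and `>`; whether it does is not visible in this change, and if it only entity-encodes angle brackets a quote in a choice still terminates the attribute. Suggest confirming the filter's quote handling and routing `question.variable` through the same filter or a stricter identifier check before it is used in attributes, e.g. `var variable = $filter('sanitize')(question.variable);` and using `variable` in the markup. buildHtml and the surrounding factory continue outside the hunk.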


@ -253,8 +253,8 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
* })
*
*/
.factory('FinalizeQuestion', ['GetBasePath','Rest', 'Wait', 'ProcessErrors', '$compile', 'Empty', '$filter', 'sanitizeFilter',
function(GetBasePath, Rest, Wait, ProcessErrors, $compile, Empty, $filter, sanitizeFilter) {
.factory('FinalizeQuestion', ['GetBasePath','Rest', 'Wait', 'ProcessErrors', '$compile', 'Empty', '$filter',
function(GetBasePath, Rest, Wait, ProcessErrors, $compile, Empty, $filter) {
return function(params) {
var scope = params.scope,
@ -272,10 +272,8 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
html = "";
question.index = index;
question.question_name = question.question_name.replace(/</g, "&lt;");
question.question_name = question.question_name.replace(/>/g, "&gt;");
question.question_description = (question.question_description) ? question.question_description.replace(/</g, "&lt;") : undefined;
question.question_description = (question.question_description) ? question.question_description.replace(/>/g, "&gt;") : undefined;
question.question_name = $filter('sanitize')(question.question_name);
question.question_description = (question.question_description) ? $filter('sanitize')(question.question_description) : undefined;
if(!$('#question_'+question.index+':eq(0)').is('div')){
@ -291,8 +289,7 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
if(question.type === 'text' ){
defaultValue = (question.default) ? question.default : "";
defaultValue = defaultValue.replace(/</g, "&lt;");
defaultValue = defaultValue.replace(/>/g, "&gt;");
defaultValue = $filter('sanitize')(defaultValue);
defaultValue = scope.serialize(defaultValue);
html+='<div class="row">'+
'<div class="col-xs-8">'+
@ -301,8 +298,7 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
}
if(question.type === "textarea"){
defaultValue = (question.default) ? question.default : (question.default_textarea) ? question.default_textarea: "" ;
defaultValue = defaultValue.replace(/</g, "&lt;");
defaultValue = defaultValue.replace(/>/g, "&gt;");
defaultValue = $filter('sanitize')(defaultValue);
defaultValue = scope.serialize(defaultValue);
html+='<div class="row">'+
'<div class="col-xs-8 input_area">'+
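Review bot: `question.question_name = $filter('sanitize')(question.question_name);` and the description line below it write the HTML-escaped text back onto the caller's `question` object (PromptForSurvey's buildHtml does the same), so any later consumer that binds the same object through Angular interpolation — which escapes on its own — would render `&lt;` literally, and a second pass through this function double-escapes. Whether the object is reused that way is not visible here, but the escaping only exists to serve the `html` string built below. Suggest escaping into locals, `var name = $filter('sanitize')(question.question_name);`, and using those in the markup, with a comment such as `// escaped copies for string-built HTML only; question.* stays raw` to document the intent either way. FinalizeQuestion's body continues outside the hunks.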


@ -176,8 +176,8 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
}
])
.factory('BuildDescription', ['FixUrl', 'BuildUrl','$sce',
function (FixUrl, BuildUrl, $sce) {
.factory('BuildDescription', ['$filter', 'FixUrl', 'BuildUrl','$sce',
function ($filter, FixUrl, BuildUrl, $sce) {
return function (activity) {
function stripDeleted(s) {
@ -210,9 +210,7 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
// The block until line 221 is for associative/disassociative operations, such as adding/removing a user to a team or vise versa
if (obj2_obj && obj2_obj.name && !/^_delete/.test(obj2_obj.name)) {
obj2_obj.base = obj2;
obj2_obj.name = obj2_obj.name.replace(/</g, "&lt;");
obj2_obj.name = obj2_obj.name.replace(/>/g, "&gt;");
obj2_obj.name = $sce.getTrustedHtml(obj2_obj.name);
obj2_obj.name = $filter('sanitize')(obj2_obj.name);
descr += obj2 + " <a href=\"" + BuildUrl(obj2_obj) + "\">" + obj2_obj.name + '</a>' + ((activity.operation === 'disassociate') ? ' from ' : ' to ');
descr_nolink += obj2 + ' ' + obj2_obj.name + ((activity.operation === 'disassociate') ? ' from ' : ' to ');
} else if (obj2) {
@ -227,8 +225,7 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
obj1_obj.base = obj1;
// Need to character escape the link names, as a malicious url or piece of html could be inserted here that could take the
// user to a unknown location.
obj1_obj.name = obj1_obj.name.replace(/</g, "&lt;");
obj1_obj.name = obj1_obj.name.replace(/>/g, "&gt;");
obj1_obj.name = $filter('sanitize')(obj1_obj.name);
obj1_obj.name = $sce.getTrustedHtml(obj1_obj.name);
descr += obj1 + " <a href=\"" + BuildUrl(obj1_obj) + "\" >" + obj1_obj.name + '</a>';
descr_nolink += obj1 + ' ' + obj1_obj.name;
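Review bot: The two hunks in BuildDescription do not treat `$sce.getTrustedHtml` the same way: in the `obj2_obj` block it sits among the removed `replace` lines and only `$filter('sanitize')` appears to remain, whereas in the `obj1_obj` block `obj1_obj.name = $sce.getTrustedHtml(obj1_obj.name);` still follows the new filter call (the rendered view has lost the +/- markers, so this is inferred from print order). Both names end up as anchor text in the same `descr` string and should pass through an identical pipeline; pick one ordering and apply it to both blocks. The `// The block until line 221` comment also cites a line number that this deletion shifts; rewording it as `// handles associate/disassociate operations, e.g. adding or removing a user to/from a team` keeps it from drifting again. BuildDescription's body continues outside the hunks.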