External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-12 20:07:37 -02:30
Code Issues Packages Projects Releases Wiki Activity

changed instances of hardcoding xss filtering to using the filter

Browse Source
This commit is contained in:
John Mitchell
2015-05-11 13:39:56 -04:00
parent 23a69995d3
commit 7dd5dd947d
4 changed files with 18 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
awx/ui/static/js/helpers/EventViewer.js
View File

@@ -437,8 +437,7 @@ export default
else { else {
if( typeof itm === "string"){ if( typeof itm === "string"){
if(itm.indexOf('<') > -1 || itm.indexOf('>') > -1){ if(itm.indexOf('<') > -1 || itm.indexOf('>') > -1){
itm = itm.replace(/</g, "&lt;"); itm = $filter('sanitize')(itm);
itm = itm.replace(/>/g, "&gt;");
} }
} }
html += "<span ng-non-bindable>" + itm + "</span>"; html += "<span ng-non-bindable>" + itm + "</span>";
@@ -547,15 +546,14 @@ export default
}; };
}]) }])
.factory('EventAddPreFormattedText', [function() { .factory('EventAddPreFormattedText', ['$filter', function($filter) {
return function(params) { return function(params) {
var id = params.id, var id = params.id,
val = params.val, val = params.val,
html; html;
if( typeof val === "string"){ if( typeof val === "string"){
if(val.indexOf('<') > -1 || val.indexOf('>') > -1){ if(val.indexOf('<') > -1 || val.indexOf('>') > -1){
val = val.replace(/</g, "&lt;"); val = $filter('sanitize')(val);
val = val.replace(/>/g, "&gt;");
} }
} }
html = "<pre ng-non-bindable>" + val + "</pre>\n"; html = "<pre ng-non-bindable>" + val + "</pre>\n";

13
awx/ui/static/js/helpers/JobSubmission.js
View File

@@ -497,9 +497,9 @@ function($compile, Rest, GetBasePath, TextareaResize,CreateDialog, GenerateForm,
}; };
}]) }])
.factory('PromptForSurvey', ['$compile', 'Wait', 'Alert', 'CredentialForm', 'CreateLaunchDialog', 'SurveyControllerInit' , 'GetBasePath', 'Rest' , 'Empty', .factory('PromptForSurvey', ['$filter', '$compile', 'Wait', 'Alert', 'CredentialForm', 'CreateLaunchDialog', 'SurveyControllerInit' , 'GetBasePath', 'Rest' , 'Empty',
'GenerateForm', 'ShowSurveyModal', 'ProcessErrors', '$routeParams' , 'GenerateForm', 'ShowSurveyModal', 'ProcessErrors', '$routeParams' ,
function($compile, Wait, Alert, CredentialForm, CreateLaunchDialog, SurveyControllerInit, GetBasePath, Rest, Empty, function($filter, $compile, Wait, Alert, CredentialForm, CreateLaunchDialog, SurveyControllerInit, GetBasePath, Rest, Empty,
GenerateForm, ShowSurveyModal, ProcessErrors, $routeParams) { GenerateForm, ShowSurveyModal, ProcessErrors, $routeParams) {
return function(params) { return function(params) {
var html = params.html || "", var html = params.html || "",
@@ -519,10 +519,8 @@ function($compile, Rest, GetBasePath, TextareaResize,CreateDialog, GenerateForm,
function buildHtml(question, index){ function buildHtml(question, index){
question.index = index; question.index = index;
question.question_name = question.question_name.replace(/</g, "&lt;"); question.question_name = $filter('sanitize')(question.question_name);
question.question_name = question.question_name.replace(/>/g, "&gt;"); question.question_description = (question.question_description) ? $filter('sanitize')(question.question_description) : undefined;
question.question_description = (question.question_description) ? question.question_description.replace(/</g, "&lt;") : undefined;
question.question_description = (question.question_description) ? question.question_description.replace(/>/g, "&gt;") : undefined;
requiredAsterisk = (question.required===true) ? "prepend-asterisk" : ""; requiredAsterisk = (question.required===true) ? "prepend-asterisk" : "";
@@ -603,8 +601,7 @@ function($compile, Rest, GetBasePath, TextareaResize,CreateDialog, GenerateForm,
html+='<div class="survey_taker_input" > '; html+='<div class="survey_taker_input" > ';
for( j = 0; j<choices.length; j++){ for( j = 0; j<choices.length; j++){
checked = (!Empty(question.default) && question.default.indexOf(choices[j])!==-1) ? "checked" : ""; checked = (!Empty(question.default) && question.default.indexOf(choices[j])!==-1) ? "checked" : "";
choices[j] = choices[j].replace(/</g, "&lt;"); choices[j] = $filter('sanitize')(choices[j]);
choices[j] = choices[j].replace(/>/g, "&gt;");
html+= '<input type="'+element+'" class="mc" ng-model="'+question.variable+'" ng-required="'+question.required+'" name="'+question.variable+ ' " id="'+question.variable+'" value=" '+choices[j]+' " '+checked+' >' + html+= '<input type="'+element+'" class="mc" ng-model="'+question.variable+'" ng-required="'+question.required+'" name="'+question.variable+ ' " id="'+question.variable+'" value=" '+choices[j]+' " '+checked+' >' +
'<span>'+choices[j] +'</span><br>' ; '<span>'+choices[j] +'</span><br>' ;
} }

16
awx/ui/static/js/helpers/Survey.js
View File

@@ -253,8 +253,8 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
* }) * })
* *
*/ */
.factory('FinalizeQuestion', ['GetBasePath','Rest', 'Wait', 'ProcessErrors', '$compile', 'Empty', '$filter', 'sanitizeFilter', .factory('FinalizeQuestion', ['GetBasePath','Rest', 'Wait', 'ProcessErrors', '$compile', 'Empty', '$filter',
function(GetBasePath, Rest, Wait, ProcessErrors, $compile, Empty, $filter, sanitizeFilter) { function(GetBasePath, Rest, Wait, ProcessErrors, $compile, Empty, $filter) {
return function(params) { return function(params) {
var scope = params.scope, var scope = params.scope,
@@ -272,10 +272,8 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
html = ""; html = "";
question.index = index; question.index = index;
question.question_name = question.question_name.replace(/</g, "&lt;"); question.question_name = $filter('sanitize')(question.question_name);
question.question_name = question.question_name.replace(/>/g, "&gt;"); question.question_description = (question.question_description) ? $filter('sanitize')(question.question_description) : undefined;
question.question_description = (question.question_description) ? question.question_description.replace(/</g, "&lt;") : undefined;
question.question_description = (question.question_description) ? question.question_description.replace(/>/g, "&gt;") : undefined;
if(!$('#question_'+question.index+':eq(0)').is('div')){ if(!$('#question_'+question.index+':eq(0)').is('div')){
@@ -291,8 +289,7 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
if(question.type === 'text' ){ if(question.type === 'text' ){
defaultValue = (question.default) ? question.default : ""; defaultValue = (question.default) ? question.default : "";
defaultValue = defaultValue.replace(/</g, "&lt;"); defaultValue = $filter('sanitize')(defaultValue);
defaultValue = defaultValue.replace(/>/g, "&gt;");
defaultValue = scope.serialize(defaultValue); defaultValue = scope.serialize(defaultValue);
html+='<div class="row">'+ html+='<div class="row">'+
'<div class="col-xs-8">'+ '<div class="col-xs-8">'+
@@ -301,8 +298,7 @@ angular.module('SurveyHelper', [ 'Utilities', 'RestServices', 'SchedulesHelper',
} }
if(question.type === "textarea"){ if(question.type === "textarea"){
defaultValue = (question.default) ? question.default : (question.default_textarea) ? question.default_textarea: "" ; defaultValue = (question.default) ? question.default : (question.default_textarea) ? question.default_textarea: "" ;
defaultValue = defaultValue.replace(/</g, "&lt;"); defaultValue = $filter('sanitize')(defaultValue);
defaultValue = defaultValue.replace(/>/g, "&gt;");
defaultValue = scope.serialize(defaultValue); defaultValue = scope.serialize(defaultValue);
html+='<div class="row">'+ html+='<div class="row">'+
'<div class="col-xs-8 input_area">'+ '<div class="col-xs-8 input_area">'+

11
awx/ui/static/js/widgets/Stream.js
View File

@@ -176,8 +176,8 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
} }
]) ])
.factory('BuildDescription', ['FixUrl', 'BuildUrl','$sce', .factory('BuildDescription', ['$filter', 'FixUrl', 'BuildUrl','$sce',
function (FixUrl, BuildUrl, $sce) { function ($filter, FixUrl, BuildUrl, $sce) {
return function (activity) { return function (activity) {
function stripDeleted(s) { function stripDeleted(s) {
@@ -210,9 +210,7 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
// The block until line 221 is for associative/disassociative operations, such as adding/removing a user to a team or vise versa // The block until line 221 is for associative/disassociative operations, such as adding/removing a user to a team or vise versa
if (obj2_obj && obj2_obj.name && !/^_delete/.test(obj2_obj.name)) { if (obj2_obj && obj2_obj.name && !/^_delete/.test(obj2_obj.name)) {
obj2_obj.base = obj2; obj2_obj.base = obj2;
obj2_obj.name = obj2_obj.name.replace(/</g, "&lt;"); obj2_obj.name = $filter('sanitize')(obj2_obj.name);
obj2_obj.name = obj2_obj.name.replace(/>/g, "&gt;");
obj2_obj.name = $sce.getTrustedHtml(obj2_obj.name);
descr += obj2 + " <a href=\"" + BuildUrl(obj2_obj) + "\">" + obj2_obj.name + '</a>' + ((activity.operation === 'disassociate') ? ' from ' : ' to '); descr += obj2 + " <a href=\"" + BuildUrl(obj2_obj) + "\">" + obj2_obj.name + '</a>' + ((activity.operation === 'disassociate') ? ' from ' : ' to ');
descr_nolink += obj2 + ' ' + obj2_obj.name + ((activity.operation === 'disassociate') ? ' from ' : ' to '); descr_nolink += obj2 + ' ' + obj2_obj.name + ((activity.operation === 'disassociate') ? ' from ' : ' to ');
} else if (obj2) { } else if (obj2) {
@@ -227,8 +225,7 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
obj1_obj.base = obj1; obj1_obj.base = obj1;
// Need to character escape the link names, as a malicious url or piece of html could be inserted here that could take the // Need to character escape the link names, as a malicious url or piece of html could be inserted here that could take the
// user to a unknown location. // user to a unknown location.
obj1_obj.name = obj1_obj.name.replace(/</g, "&lt;"); obj1_obj.name = $filter('sanitize')(obj1_obj.name);
obj1_obj.name = obj1_obj.name.replace(/>/g, "&gt;");
obj1_obj.name = $sce.getTrustedHtml(obj1_obj.name); obj1_obj.name = $sce.getTrustedHtml(obj1_obj.name);
descr += obj1 + " <a href=\"" + BuildUrl(obj1_obj) + "\" >" + obj1_obj.name + '</a>'; descr += obj1 + " <a href=\"" + BuildUrl(obj1_obj) + "\" >" + obj1_obj.name + '</a>';
descr_nolink += obj1 + ' ' + obj1_obj.name; descr_nolink += obj1 + ' ' + obj1_obj.name;