Host events variable parsing to prevent tag inject

The host events modal needs to escape the characters that form tag elements, in case a user tries to inject HTML code into the arguments of the host events.
Jared Tabor 2014-12-08 12:27:13 -05:00
parent fd86b940e2
commit 9e8ec0ebd0


@ -360,8 +360,6 @@ angular.module('EventViewerHelper', ['ModalDialog', 'Utilities', 'EventsViewerFo
event_data.id = event.id;
event_data.parent = event.parent;
event_data.event = (event.event_display) ? event.event_display : event.event;
event_data.msg = event_data.msg.replace(/</g, "&lt;");
event_data.msg = event_data.msg.replace(/>/g, "&gt;");
results.push(event_data);
});
if (show_event) {
@ -434,6 +432,12 @@ angular.module('EventViewerHelper', ['ModalDialog', 'Utilities', 'EventsViewerFo
">" + itm + "</a>";
}
else {
if( typeof itm === "string"){
if(itm.indexOf('<') > -1 || itm.indexOf('>') > -1){
itm = itm.replace(/</g, "&lt;");
itm = itm.replace(/>/g, "&gt;");
}
}
html += "<span ng-non-bindable>" + itm + "</span>";
}
@ -525,6 +529,12 @@ angular.module('EventViewerHelper', ['ModalDialog', 'Utilities', 'EventsViewerFo
var id = params.id,
val = params.val,
html;
if( typeof val === "string"){
if(val.indexOf('<') > -1 || val.indexOf('>') > -1){
val = val.replace(/</g, "&lt;");
val = val.replace(/>/g, "&gt;");
}
}
html = "<pre ng-non-bindable>" + val + "</pre>\n";
$('#' + id).empty().html(html);
};
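Review bot: In the second and third hunks the new escaping runs only when `typeof itm === "string"` (and `typeof val === "string"`), so any other value, such as an array or object whose string form contains markup, is still concatenated into `html` unescaped. Coercing first closes that gap and makes the `indexOf` pre-check unnecessary: `itm = String(itm).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");`, with the same line for `val`; escaping `&` first also keeps literal entity text in event data from being rendered as the character it names. Since the identical logic now appears at two sites, a single shared helper would keep them from drifting apart. The first hunk drops the escaping of `event_data.msg` at build time, so it is worth confirming that every place that renders `msg` goes through one of the escaped paths; the enclosing functions start outside the hunks, so that cannot be checked from here.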