cloudstack 3.0 UI - XSS - detailView in Edit mode - fix it to show the original value instead of the HTML-encoded value.

Jessica Wang 2012-03-14 16:44:21 -07:00
parent 5d96f58814
commit 17bada6a62
2 changed files with 16 additions and 3 deletions


@ -56,7 +56,7 @@
};
/**
* Sanitize user input -- shortcut _s
* Sanitize user input (HTML Encoding) -- shortcut _s
*
* Strip unwanted characters from user-based input
*/
@ -76,7 +76,7 @@
else if(typeof(value) == null || typeof(value) == "undefined") {
return '';
}
var sanitized = value
.replace(/&/g, "&")
.replace(/</g, "&lt;")
@ -84,4 +84,17 @@
return sanitized;
};
/**
* Reverse sanitization (HTML Decoding)
*/
cloudStack.sanitizeReverse = function(value) {
var reversedValue = value
.replace(/&amp;/g, "&")
.replace(/&lt;/g, "<")
.replace(/&gt;/g, ">");
return reversedValue;
};
})(jQuery, cloudStack);
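Review bot: sanitizeReverse decodes `&amp;` first (`.replace(/&amp;/g, "&")` runs before the `&lt;`/`&gt;` replacements), which is not the inverse of sanitize: a value whose text literally contained `&lt;` is encoded by sanitize as `&amp;lt;`, and this decoder turns that into `<`, so an encode/decode round trip through the two new helpers changes the data. Decoding `&lt;` and `&gt;` first and `&amp;` last restores the original string exactly, because no decoded output can produce a new `&lt;`/`&gt;` match once `&amp;` is handled at the end. The new function also calls `value.replace` unconditionally, whereas sanitize returns '' for null/undefined and its earlier branches (above this hunk, not visible here) appear to pass non-string values through, so sanitizeReverse should guard the same way instead of throwing a TypeError on a number or boolean. Suggested rewrite of the function body:

```javascript
cloudStack.sanitizeReverse = function(value) {
  // Mirror sanitize(): null/undefined -> '', other non-strings untouched.
  if (value === null || typeof(value) == "undefined") {
    return '';
  }
  if (typeof(value) != "string") {
    return value;
  }
  // Decode in the reverse order of sanitize(): &amp; last, so an encoded
  // literal "&lt;" ("&amp;lt;") is not decoded twice.
  var reversedValue = value
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
  return reversedValue;
};
```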


@ -391,7 +391,7 @@
// Turn into form field
var selectData = $value.data('detail-view-editable-select');
var isBoolean = $value.data('detail-view-editable-boolean');
var data = !isBoolean ? $value.html() : $value.data('detail-view-boolean-value');
var data = !isBoolean ? cloudStack.sanitizeReverse($value.html()) : $value.data('detail-view-boolean-value');
$value.html('');