From: Khushboo Vashi
Date: Fri, 5 Aug 2016 15:01:52 +0530
Subject: [pgAdmin4][Patch]: RM 1527: XSS vulnerabilities
To: pgadmin-hackers
X-Mailing-List: pgadmin-hackers

Hi,

Please find the attached patch to fix the RM 1527: XSS vulnerabilities.

Fixed items:

1. Tree Node labels while loading, adding and updating the node
2. Error and Success messages of Alertify dialogue
3. Properties dialogue: un-editable controls
4. SQL Editor title

Please review the patch and let me know if I missed something.

Thanks,
Khushboo
Attachment: RM_1527.patch (text/x-patch)

diff --git a/web/pgadmin/browser/templates/browser/js/browser.js b/web/pgadmin/browser/templates/browser/js/browser.js
index 82bed32..5ed582a 100644
--- a/web/pgadmin/browser/templates/browser/js/browser.js
+++ b/web/pgadmin/browser/templates/browser/js/browser.js
@@ -333,8 +333,12 @@ function(require, $, _, S, Bootstrap, pgAdmin, alertify, CodeMirror) {
           url: '{{ url_for('browser.get_nodes') }}',
           converters: {
             'text json': function(payload) {
-              return $.parseJSON(payload).data;
-            }
+              data = JSON.parse(payload).data;
+              _.each(data, function(d){
+                d.label = _.escape(d.label);
+              })
+              return data;
+            },
           }
         },
         ajaxHook: function(item, settings) {
diff --git a/web/pgadmin/browser/templates/browser/js/node.js b/web/pgadmin/browser/templates/browser/js/node.js
index e116659..494240d 100644
--- a/web/pgadmin/browser/templates/browser/js/node.js
+++ b/web/pgadmin/browser/templates/browser/js/node.js
@@ -1119,10 +1119,10 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {
                 newNodeData = view.model.tnode;
 
             tree.addIcon(item, {icon: newNodeData.icon});
-            tree.setLabel(item, {label: newNodeData.label});
+            tree.setLabel(item, {label: _.escape(newNodeData.label)});
             _.extend(itemData, newNodeData);
           } else if (view.model.get('name')) {
-            tree.setLabel(item, {label: view.model.get("name")});
+            tree.setLabel(item, {label: _.escape(view.model.get("name"))});
             if (
               view.model.get('data').icon && view.model.get('data').icon != ''
             )
@@ -1145,6 +1145,7 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {
 
           /* TODO:: Create new tree node for this */
           if (view.model.tnode && '_id' in view.model.tnode) {
+            view.model.tnode.label = _.escape(view.model.tnode.label);
             var d = _.extend({}, view.model.tnode),
                 func = function(i) {
                   setTimeout(function() {closePanel();}, 0);
diff --git a/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js b/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
index b5caf77..f1b7472 100644
--- a/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
+++ b/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
@@ -102,7 +102,7 @@ function(alertify, S) {
                 onJSONResult && typeof(onJSONResult) == 'function') {
               return onJSONResult(resp.result);
             }
-            msg = resp.result || resp.errormsg || "Unknown error";
+            msg = _.escape(resp.result) || _.escape(resp.errormsg) || "Unknown error";
           }
         } catch(exc) {
         }
diff --git a/web/pgadmin/static/js/backform.pgadmin.js b/web/pgadmin/static/js/backform.pgadmin.js
index 3747fa0..bc7d434 100644
--- a/web/pgadmin/static/js/backform.pgadmin.js
+++ b/web/pgadmin/static/js/backform.pgadmin.js
@@ -162,7 +162,7 @@
                   '<label class="<%=Backform.controlLabelClassName%>"><%=label%></label>',
                   '<div class="<%=Backform.controlsClassName%>">',
                   '  <span class="<%=Backform.controlClassName%> uneditable-input" <%=disabled ? "disabled" : ""%>>',
-                  '    <%=value%>',
+                  '    <%-value%>',
                   '  </span>',
                   '</div>',
                   '<% if (helpMessage && helpMessage.length) { %>',
diff --git a/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js b/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
index 58189cc..2be2b49 100644
--- a/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
@@ -190,7 +190,7 @@ define(
       render: function() {
         var self = this;
 
-        $('.editor-title').text(self.editor_title);
+        $('.editor-title').text(_.unescape(self.editor_title));
 
         var filter = self.$el.find('#sql_filter');
 
@@ -1108,7 +1108,7 @@ define(
           });
           self.transId = self.gridView.transId = self.container.data('transId');
 
-          self.gridView.editor_title = editor_title;
+          self.gridView.editor_title = _.unescape(editor_title);
           self.gridView.current_file = undefined;
           self.gridView.items_per_page = self.items_per_page
 

-- 
Sent via pgadmin-hackers mailing list (pgadmin-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-hackers
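Review bot: in the browser.js hunk (the 'text json' converter), `data` is assigned without `var`, so it leaks as an implicit global and throws a ReferenceError under strict mode; declare it, e.g. `var data = JSON.parse(payload).data;`. The `_.each(data, function(d){ ... })` call is also missing its terminating semicolon. A design point on the same hunk: escaping `d.label` here stores an HTML-escaped string in the node data itself instead of escaping at the point of rendering, which is why the two sqleditor hunks later have to `_.unescape` the title; every other consumer of `label` (tooltips, `.text()` calls, dialog titles) now has to know the value is pre-escaped.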
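Review bot: in the node.js hunk at line 1119, the escaped label is passed to `tree.setLabel` but the following context line `_.extend(itemData, newNodeData);` still copies the raw `newNodeData.label` into the item data, so the item's stored label and its displayed label now disagree on whether `label` is escaped; since labels loaded through `browser.get_nodes` are stored escaped by the browser.js hunk, pick one convention (escape on render, or escape in the data) and apply it on both the load and the add/update paths.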
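Review bot: in the node.js hunk at line 1145, `view.model.tnode.label = _.escape(view.model.tnode.label);` mutates the model's `tnode` in place just before the copy is taken with `_.extend({}, view.model.tnode)`; escape on the copy instead (`d.label = _.escape(d.label);` after `var d = ...`) so the model keeps the raw value and a second pass through this code cannot escape it twice (`&` would become `&amp;amp;`).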
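Review bot: in the pgadmin.defaults.js hunk, `_` is not in scope: the hunk header shows the module factory as `function(alertify, S)`, with no underscore parameter, so `_.escape(resp.result)` will throw a ReferenceError unless `_` happens to be a global, and the empty `} catch(exc) { }` three lines below swallows that error silently, leaving `msg` unset. Add underscore to the module's dependency list and bind it as `_`. Once that is fixed the `||` fallback chain still behaves, because `_.escape(undefined)` returns `''`; note only that `_.escape` coerces non-string input with `String()`, so an object in `resp.result` renders as `[object Object]`.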
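Review bot: in the backform.pgadmin.js hunk, switching `<%=value%>` to `<%-value%>` is the right Underscore template idiom (`<%- %>` HTML-escapes the interpolated value), but `<%=label%>` on the first context line of the same template is still emitted raw; if `label` can ever come from server-side metadata rather than static schema strings it needs the same treatment. Also, because `<%- %>` escapes with `_.escape`, a `value` that is already escaped (for example a node label stored escaped by the browser.js hunk) will render double-escaped in the uneditable control.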
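Review bot: in the sqleditor.js hunk at line 190, `$('.editor-title').text(...)` already inserts the title as text rather than HTML, so `_.unescape` here is not part of the XSS fix but a data repair for a title that now arrives HTML-escaped from the tree label; it assumes the title was escaped exactly once, and a title that legitimately contains entity-like text such as `&amp;` would be altered on display. Keeping the raw label in the data and escaping only where it is inserted as HTML would remove the need for this call.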
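Review bot: in the sqleditor.js hunk at line 1108, `editor_title` is unescaped when stored into `self.gridView.editor_title`, and if `render` in the hunk at line 190 is the grid view's render it unescapes `self.editor_title` a second time before display; `_.unescape` is not idempotent on strings containing entity-like text (`&amp;lt;` becomes `<` after two passes), so apply it once, in one place.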