* [pgAdmin4][Patch]: RM 1527: XSS vulnerabilities
@ 2016-08-05 09:31 Khushboo Vashi <[email protected]>
From: Khushboo Vashi @ 2016-08-05 09:31 UTC (permalink / raw)
To: pgadmin-hackers
Hi,
Please find the attached patch to fix the RM 1527: XSS vulnerabilities.
Fixed items:
1. Tree Node labels while loading, adding and updating the node
2. Error and Success messages of Alertify dialogue
3. Properties dialogue: un-editable controls
4. SQL Editor title
Please review the patch and let me know if I missed something.
Thanks,
Khushboo
--
Sent via pgadmin-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-hackers
Attachments:
[text/x-patch] RM_1527.patch (4.4K, 3-RM_1527.patch)
diff --git a/web/pgadmin/browser/templates/browser/js/browser.js b/web/pgadmin/browser/templates/browser/js/browser.js
index 82bed32..5ed582a 100644
--- a/web/pgadmin/browser/templates/browser/js/browser.js
+++ b/web/pgadmin/browser/templates/browser/js/browser.js
@@ -333,8 +333,12 @@ function(require, $, _, S, Bootstrap, pgAdmin, alertify, CodeMirror) {
url: '{{ url_for('browser.get_nodes') }}',
converters: {
'text json': function(payload) {
- return $.parseJSON(payload).data;
- }
+ data = JSON.parse(payload).data;
+ _.each(data, function(d){
+ d.label = _.escape(d.label);
+ })
+ return data;
+ },
}
},
ajaxHook: function(item, settings) {
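Review bot: `data` on the first added line is assigned without a declaration, so it becomes an implicit global (or a ReferenceError if this module is ever run in strict mode); write `var data = JSON.parse(payload).data;` and terminate the `_.each(...)` call with a semicolon. Escaping inside the JSON converter also means every consumer of the `get_nodes` response receives pre-escaped labels, so if the same label later passes through another `_.escape` (node.js now escapes before `setLabel`) it would be escaped twice and `&` would render as `&amp;amp;` — worth confirming the tree renders labels as HTML, which is what makes this the right layer for the escape. The converter function starts inside the hunk, but the enclosing settings object continues outside it.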
diff --git a/web/pgadmin/browser/templates/browser/js/node.js b/web/pgadmin/browser/templates/browser/js/node.js
index e116659..494240d 100644
--- a/web/pgadmin/browser/templates/browser/js/node.js
+++ b/web/pgadmin/browser/templates/browser/js/node.js
@@ -1119,10 +1119,10 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {
newNodeData = view.model.tnode;
tree.addIcon(item, {icon: newNodeData.icon});
- tree.setLabel(item, {label: newNodeData.label});
+ tree.setLabel(item, {label: _.escape(newNodeData.label)});
_.extend(itemData, newNodeData);
} else if (view.model.get('name')) {
- tree.setLabel(item, {label: view.model.get("name")});
+ tree.setLabel(item, {label: _.escape(view.model.get("name"))});
if (
view.model.get('data').icon && view.model.get('data').icon != ''
)
@@ -1145,6 +1145,7 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {
/* TODO:: Create new tree node for this */
if (view.model.tnode && '_id' in view.model.tnode) {
+ view.model.tnode.label = _.escape(view.model.tnode.label);
var d = _.extend({}, view.model.tnode),
func = function(i) {
setTimeout(function() {closePanel();}, 0);
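Review bot: The added line escapes `view.model.tnode.label` in place, so the escaped string is written back into the model instead of into the copy `d` that the next line builds; if `tnode` is read again later (the hunk at line 1119 in this file also derives a label from `view.model.tnode` and escapes it) the label would be escaped twice and `&` would display as `&amp;amp;`. Escape the copy instead: `var d = _.extend({}, view.model.tnode);` followed by `d.label = _.escape(d.label);`, leaving the model's data untouched. The enclosing function begins and ends outside the hunk.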
diff --git a/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js b/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
index b5caf77..f1b7472 100644
--- a/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
+++ b/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
@@ -102,7 +102,7 @@ function(alertify, S) {
onJSONResult && typeof(onJSONResult) == 'function') {
return onJSONResult(resp.result);
}
- msg = resp.result || resp.errormsg || "Unknown error";
+ msg = _.escape(resp.result) || _.escape(resp.errormsg) || "Unknown error";
}
} catch (exc) {
}
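Review bot: `_` is not among the module factory's parameters (`function(alertify, S)` in the hunk header), so the new `_.escape(...)` line relies on underscore being a global; add it to the module's dependency list and factory signature, otherwise the call throws a ReferenceError inside this `try`, the empty `catch (exc) {}` below swallows it, and `msg` is never assigned here. `_.escape(null)` and `_.escape(undefined)` both yield `''`, so the `||` fallback chain still reaches `"Unknown error"` when a field is absent, which is fine. The try block and the define() header are outside the hunk.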
diff --git a/web/pgadmin/static/js/backform.pgadmin.js b/web/pgadmin/static/js/backform.pgadmin.js
index 3747fa0..bc7d434 100644
--- a/web/pgadmin/static/js/backform.pgadmin.js
+++ b/web/pgadmin/static/js/backform.pgadmin.js
@@ -162,7 +162,7 @@
'<label class="<%=Backform.controlLabelClassName%>"><%=label%></label>',
'<div class="<%=Backform.controlsClassName%>">',
' <span class="<%=Backform.controlClassName%> uneditable-input" <%=disabled ? "disabled" : ""%>>',
- ' <%=value%>',
+ ' <%-value%>',
' </span>',
'</div>',
'<% if (helpMessage && helpMessage.length) { %>',
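Review bot: `<%=label%>` on the first line of the hunk still uses the raw-interpolation form, while only `value` was switched to the escaping `<%-` form; if a control label can ever carry server- or user-supplied text, change it to `<%-label%>` as well. The `helpMessage` interpolation that follows this hunk, outside the shown lines, deserves the same check.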
diff --git a/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js b/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
index 58189cc..2be2b49 100644
--- a/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
@@ -190,7 +190,7 @@ define(
render: function() {
var self = this;
- $('.editor-title').text(self.editor_title);
+ $('.editor-title').text(_.unescape(self.editor_title));
var filter = self.$el.find('#sql_filter');
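Review bot: `editor_title` is now unescaped twice — the hunk at line 1108 stores `_.unescape(editor_title)` into `self.gridView.editor_title`, and `render` unescapes the stored value again before passing it to `.text()`. Since `.text()` already assigns text content, one unescape at the assignment site is enough; keep `$('.editor-title').text(self.editor_title);` here, otherwise a title that legitimately contains entity text such as `&amp;lt;` would display as `<`. This assumes the title reaches the client HTML-escaped exactly once, which should be confirmed against the server-side template. `render` continues outside the hunk.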
@@ -1108,7 +1108,7 @@ define(
});
self.transId = self.gridView.transId = self.container.data('transId');
- self.gridView.editor_title = editor_title;
+ self.gridView.editor_title = _.unescape(editor_title);
self.gridView.current_file = undefined;
self.gridView.items_per_page = self.items_per_page
* Re: [pgAdmin4][Patch]: RM 1527: XSS vulnerabilities
@ 2016-08-05 11:20 ` Dave Page <[email protected]>
From: Dave Page @ 2016-08-05 11:20 UTC (permalink / raw)
To: Khushboo Vashi <[email protected]>; +Cc: pgadmin-hackers
Thanks, applied.
On Fri, Aug 5, 2016 at 10:31 AM, Khushboo Vashi
<[email protected]> wrote:
> Hi,
>
> Please find the attached patch to fix the RM 1527: XSS vulnerabilities.
>
> Fixed items:
>
> 1. Tree Node labels while loading, adding and updating the node
> 2. Error and Success messages of Alertify dialogue
> 3. Properties dialogue: un-editable controls
> 4. SQL Editor title
>
> Please review the patch and let me know if I missed something.
>
> Thanks,
> Khushboo
>
>
>
> --
> Sent via pgadmin-hackers mailing list ([email protected])
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgadmin-hackers
>
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
--
Sent via pgadmin-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-hackers