public inbox for [email protected]
From: Andrei Antonov <[email protected]>
To: [email protected]
Subject: security bug (with patch-fix) -- need more HTML-escaping for working with tree-nodes
Date: Tue, 09 May 2017 22:36:48 +0300
Message-ID: <[email protected]>
good day!
I fixed tiny errors (HTML escaping), but it has security effects.
see file
"0001-escape-label-of-node-of-tree-when-events-add-remove-.patch" [
https://github.com/postgres-impulsm/pgadmin4/commit/f993513d148fc6dd7e0196261f847e668d5e2c6c
]
--
Andrei Antonov,
software engineer, Department of Information Technology and Programming,
company «Импульс М»
--
Sent via pgadmin-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-hackers
Attachments:
[text/x-diff] 0001-escape-label-of-node-of-tree-when-events-add-remove-.patch (1.7K, 2-0001-escape-label-of-node-of-tree-when-events-add-remove-.patch)
From f993513d148fc6dd7e0196261f847e668d5e2c6c Mon Sep 17 00:00:00 2001
From: Andrei Antonov <[email protected]>
Date: Tue, 9 May 2017 22:18:54 +0300
Subject: [PATCH] escape label of node of tree, when events: add\remove\unload
---
web/pgadmin/browser/templates/browser/js/node.js | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/web/pgadmin/browser/templates/browser/js/node.js b/web/pgadmin/browser/templates/browser/js/node.js
index e337fec0..ff8bc09f 100644
--- a/web/pgadmin/browser/templates/browser/js/node.js
+++ b/web/pgadmin/browser/templates/browser/js/node.js
@@ -743,7 +743,7 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {
t.setLabel(
pItem, {
label: (
- pData._label + ' <span>(' + pData.collection_count + ')</span>'
+ _.escape(pData._label) + ' <span>(' + pData.collection_count + ')</span>'
)
}
);
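Review bot: on the `+` line, `pData.collection_count` is still concatenated into the label unescaped while `pData._label` now goes through `_.escape`; unless the count is guaranteed to be numeric at this point, coerce it (for example `Number(pData.collection_count)`) or escape it the same way, so that the only markup left in the label is the `<span>` this code writes itself.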
@@ -821,7 +821,7 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {
t.setLabel(
pItem, {
label: (
- pData._label + ' <span>(' + pData.collection_count + ')</span>'
+ _.escape(pData._label) + ' <span>(' + pData.collection_count + ')</span>'
)
}
);
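Review bot: this `+` line is the same label expression as the one in the hunk at line 743; consider moving it into a small helper (e.g. a `collectionLabel(pData)` function) so the escaping lives in one place and a future call site cannot reintroduce the raw concatenation.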
@@ -838,7 +838,7 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {
if (self.is_collection && 'collection_count' in data)
{
delete data.collection_count;
- t.setLabel(item, {label: data._label});
+ t.setLabel(item, {label: _.escape(data._label)});
}
},
refresh: function(cmd, i) {
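Review bot: `_.escape(data._label)` is only applied inside the `if (self.is_collection && 'collection_count' in data)` branch, so please confirm that `data._label` reaching this point is the raw object name; if it has already been escaped upstream, this line would double-escape it and entities such as `&amp;` would show literally in the tree. A sentence in the commit message saying where `_label` originates would make that easy to check.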
--
2.12.2
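The following is an added illustration, not code from the patch or from pgAdmin: it models the tree-node label expression the patch changes, with a local `htmlEscape` standing in for underscore's `_.escape` (assumed to cover `& < > " '` and backtick), and a hypothetical `hasForeignTag` check a reviewer could use to confirm that only the count `<span>` survives as markup.

```javascript
// Stand-in for underscore's `_.escape` (assumed character set, see lead-in).
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
function htmlEscape(s) {
  return String(s).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Before the patch: the label is concatenated raw, so any markup inside an
// object name becomes live HTML when the tree renders the label.
function collectionLabelUnescaped(pData) {
  return pData._label + ' <span>(' + pData.collection_count + ')</span>';
}

// After the patch: the object name is escaped; only the span that the code
// writes on purpose remains markup. The count is coerced to a number here so
// that it cannot carry markup either (an addition beyond the patch).
function collectionLabelEscaped(pData) {
  return htmlEscape(pData._label) +
    ' <span>(' + Number(pData.collection_count) + ')</span>';
}

// Review/test helper (hypothetical): does the rendered label contain any tag
// other than the <span> the code adds itself?
function hasForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?span>$/.test(t));
}

// Constructed sample: a node label carrying a tag and other HTML-significant
// characters, as an object name created by another database user might.
const sample = { _label: 'tbl <b>x</b> & "y"', collection_count: 3 };
```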