Skip to content

Commit

Permalink
fix(Admin): Escape fields to prevent cross-site scripting (#206)
Browse files Browse the repository at this point in the history
  • Loading branch information
@geoffreykwan
geoffreykwan authored Feb 7, 2023
1 parent 4acf909 commit ea7f7fa
Show file tree
Hide file tree
Showing 5 changed files with 19 additions and 10 deletions.
4 changes: 2 additions & 2 deletions src/main/webapp/portal/admin/news/managenewsitems.jsp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -108,8 +108,8 @@ function editNewsItem(newsItemId) {
<tr>
<td><fmt:formatDate value="${news.date}" type="both" dateStyle="short" timeStyle="short" /></td>
<td>${news.type}</td>
<td>${news.title}</td>
<td>${news.news}</td>
<td>${fn:escapeXml(news.title)}</td>
<td>${fn:escapeXml(news.news)}</td>
<td>
<a onclick="editNewsItem('${news.id}');"><spring:message code="edit" /></a>
<a onclick="removeNewsItem('${news.id}','${news.title}');"><spring:message code="remove" /></a>
Expand Down
19 changes: 14 additions & 5 deletions src/main/webapp/portal/admin/project/import.jsp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,20 @@
importableProjects.map(function(importableProject) {
$("#importableWISEProjects").append(
"<option value='" + importableProject.id + "'>"
+ importableProject.name
+ escapeCharacters(importableProject.name)
+ "</option>");
});
});
});
function escapeCharacters(str) {
return str
.replaceAll("<", "&lt;")
.replaceAll(">", "&gt;")
.replaceAll('"', "&quot;")
.replaceAll("'", "&apos;")
}
function importableWISEProjectSubmit() {
var importableWISEProjectId = $("#importableWISEProjects option:selected").attr("id");
$.ajax({});
Expand All @@ -55,16 +64,16 @@
<c:if test="${msg != null}">
<div style="width:500px;font-size:1.2em;font-weight:bold;border:2px solid lightgreen">
${msg}<br/><br/>
Project Name: ${newProject.name}<br/>
Project Name: ${fn:escapeXml(newProject.name)}<br/>
Project ID: ${newProject.id}<br/>
<c:if test="${newProject.metadata != null && newProject.metadata.author != null}">
Author: ${newProject.metadata.author}<br/>
Author: ${fn:escapeXml(newProject.metadata.author)}<br/>
</c:if>
<c:if test="${newProject.metadata != null && newProject.metadata.subject != null}">
Subject: ${newProject.metadata.subject}<br/>
Subject: ${fn:escapeXml(newProject.metadata.subject)}<br/>
</c:if>
<c:if test="${newProject.metadata != null && newProject.metadata.keywords != null}">
Keywords: ${newProject.metadata.keywords}<br/>
Keywords: ${fn:escapeXml(newProject.metadata.keywords)}<br/>
</c:if>
<br/><br/>
<a href="${contextPath}/admin/project/manageallprojects.html?projectLookupType=id&projectLookupValue=${newProject.id}">Manage Project</a>
Expand Down
2 changes: 1 addition & 1 deletion src/main/webapp/portal/admin/project/manageallprojects.jsp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ function updateMaxTotalAssetsSize(projectId, newMaxTotalAssetsSize) {
<c:forEach var="project" items="${internal_project_list}">
<tr>
<td>${project.id}</td>
<td><a target=_blank href="${contextPath}/previewproject.html?projectId=${project.id}">${project.name}</a><br/>
<td><a target=_blank href="${contextPath}/previewproject.html?projectId=${project.id}">${fn:escapeXml(project.name)}</a><br/>
<span style="font-size:.4em">${project.modulePath}</span>
</td>
<td>Is Current:
Expand Down
2 changes: 1 addition & 1 deletion src/main/webapp/portal/admin/run/manageprojectruns.jsp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -302,7 +302,7 @@
<c:forEach var="run" items="${runList}">
<tr id="runTitleRow_${run.id}" class="runRow">
<td>
<div class="runTitle">${run.name}</div>
<div class="runTitle">${fn:escapeXml(run.name)}</div>
<c:set var="ownership" value="owned" />
<c:forEach var="sharedowner" items="${run.sharedowners}">
<c:if test="${sharedowner == user}">
Expand Down
2 changes: 1 addition & 1 deletion src/main/webapp/portal/projectInfo.jsp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@
<body style="background:#FFFFFF;">
<div class="projectSummary">
<div class="projectInfoDisplay">
<div class="panelHeader">${project.name} (<spring:message code="id_label" /> ${project.id})
<div class="panelHeader">${fn:escapeXml(project.name)} (<spring:message code="id_label" /> ${project.id})
<span class="basicPreview"><a href="<c:url value="/previewproject.html"><c:param name="projectId" value="${project.id}"/></c:url>" target="_blank"><img class="icon" alt="preview" src="${contextPath}/<spring:theme code="screen"/>" /><span><spring:message code="preview"/></span></a></span>
</div>
<div class="projectThumb" thumbUrl="${projectThumbPath}"><img src='${contextPath}/<spring:theme code="project_thumb"/>' alt='thumb'></div>
Expand Down

0 comments on commit ea7f7fa

Please sign in to comment.