Do some extra sanitization on HTML output.
bitbound committed Dec 25, 2020
1 parent 55201c0 commit 7a7f0cd
Showing 5 changed files with 97 additions and 42 deletions.
11 changes: 4 additions & 7 deletions Server/wwwroot/src/Main/BrowserHubConnection.ts
Expand Up @@ -6,7 +6,7 @@ import { CommandResult } from "../Shared/Models/CommandResult.js";
import { CreateCommandHarness, AddCommandResultsHarness, AddPSCoreResultsHarness, UpdateResultsCount } from "./ResultsParser.js";
import { UserOptions } from "../Shared/Models/UserOptions.js";
import { MainApp } from "./App.js";
import { AddConsoleOutput, AddConsoleHTML } from "./Console.js";
import { AddConsoleOutput, AddConsoleHTML, AddConsoleElement } from "./Console.js";
import { ReceiveChatText } from "./Chat.js";
import { ShowMessage, ShowModal } from "../Shared/UI.js";
import { EncodeForHTML } from "../Shared/Utilities.js";
Expand Down Expand Up @@ -55,10 +55,10 @@ export var BrowserHubConnection = new class BrowserHubConnection {
hubConnection.on("Chat", (deviceID: string, deviceName: string, message: string, disconnected: boolean) => {
var encodedMessage = EncodeForHTML(message);
if (disconnected) {
AddConsoleHTML(`<span class="text-info font-italic">${deviceName} disconnected from chat.</span>`);
AddConsoleHTML("span", "text-info font-italic", `${deviceName} disconnected from chat.`);
}
else if (message) {
AddConsoleHTML(`<span class="text-info font-weight-bold">Chat from ${deviceName}</span>: ${encodedMessage}`);
AddConsoleHTML("span", "text-info font-weight-bold", `Chat from ${deviceName}:`, message);
}

ReceiveChatText(deviceID, deviceName, encodedMessage, disconnected);
Expand Down Expand Up @@ -106,9 +106,6 @@ export var BrowserHubConnection = new class BrowserHubConnection {
ShowMessage(popupMessage);
}
});
hubConnection.on("DisplayConsoleHTML", (message: string) => {
AddConsoleHTML(message);
});
hubConnection.on("DownloadFile", (fileID: string) => {
location.assign(`/API/FileSharing/${fileID}`);
});
Expand Down Expand Up @@ -169,7 +166,7 @@ export var BrowserHubConnection = new class BrowserHubConnection {
xhr.send();
});
hubConnection.on("CommandResultCreated", (result: CommandResult) => {
AddConsoleHTML(CreateCommandHarness(result).outerHTML);
AddConsoleElement(CreateCommandHarness(result));
});
hubConnection.on("ServiceID", (deviceId: string, serviceConnectionId: string) => {
this.DeviceIdToControlTargetLookup[deviceId].ServiceConnectionId = serviceConnectionId;
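Review bot: `ReceiveChatText(deviceID, deviceName, encodedMessage, disconnected)` just below the changed chat lines still receives `deviceName` raw while `message` is passed pre-encoded, so the two device-supplied strings reach the chat view with different treatment. The console path in this hunk now renders both through `AddConsoleHTML`, which sets `innerText`, and that is the right fix there; if `ReceiveChatText` (imported from Chat.js, not visible here) builds markup, `deviceName` needs `EncodeForHTML` as well, and if it uses a text sink the pre-encoding of `message` will show up double-escaped. A comment at the `encodedMessage` declaration, `// pre-encoded for ReceiveChatText only; the console output below uses innerText and takes the raw message`, would make the split deliberate. These `hubConnection.on` registrations sit inside a method whose start and end are outside the hunk.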
80 changes: 53 additions & 27 deletions Server/wwwroot/src/Main/Commands/WebCommands.ts
Expand Up @@ -5,7 +5,7 @@ import { BrowserHubConnection } from "../BrowserHubConnection.js";
import { CommandLineParameter } from "../../Shared/Models/CommandLineParameter.js";
import { MainApp } from "../App.js";
import * as DataGrid from "../DataGrid.js";
import { AddConsoleHTML, AddConsoleOutput, AddTransferHarness } from "../Console.js";
import { AddConsoleElement, AddConsoleHTML, AddConsoleLineBreak, AddConsoleOutput, AddConsoleTrustedHtml, AddTransferHarness } from "../Console.js";
import { GetSelectedDevices } from "../DataGrid.js";
import { EncodeForHTML } from "../../Shared/Utilities.js";
import { RemoteControlTarget } from "../../Shared/Models/RemoteControlTarget.js";
Expand Down Expand Up @@ -110,23 +110,27 @@ var commands: Array<ConsoleCommand> = [
AddConsoleOutput("No devices are selected.");
return;
};
var output = `<div>Version Results:</div>
<table class="console-device-table table table-responsive">
<thead><tr>
<th>Device Name</th><th>Agent Version</th>
</tr></thead>`;
var title = document.createElement("div");
title.innerText = "Version Results:";
var table = document.createElement("table");
var head = table.createTHead();
var body = table.createTBody();

table.className = "console-device-table table table-responsive";
head.innerHTML = "<tr><th>Device Name</th><th>Agent Version</th></tr>";

var deviceList = selectedDevices.map(x => {
return `<tr>
<td>${x.DeviceName}</td>
<td>
${x.AgentVersion}
</td>
<td>${EncodeForHTML(x.DeviceName)}</td>
<td>${EncodeForHTML(x.AgentVersion)}</td>
</tr>`
});
output += deviceList.join("");
output += "</table>";
AddConsoleOutput(output);
body.innerHTML = deviceList.join();


AddConsoleElement(title);
AddConsoleElement(table);

}
),
new ConsoleCommand(
Expand Down Expand Up @@ -193,12 +197,12 @@ var commands: Array<ConsoleCommand> = [
"",
(parameters) => {
if (parameters.length == 0) {
var output = `Command List:<br><div class="help-list">`;
var output = `<h5>Command List:</h5><div class="help-list">`;
WebCommands.forEach(x => {
output += `<div>${x.Name}</div><div>${x.Summary}</div>`;
})
output += "</div>";
AddConsoleOutput(output);
AddConsoleTrustedHtml(output);
return;
}
var suppliedCommand = parameters.find(x => x.Name.toLowerCase() == "command") || {} as CommandLineParameter;
Expand All @@ -209,14 +213,16 @@ var commands: Array<ConsoleCommand> = [
AddConsoleOutput("No matching commands found.");
}
else if (result.length == 1) {
AddConsoleHTML("<br>" + result[0].FullHelp);
AddConsoleLineBreak();
AddConsoleTrustedHtml(result[0].FullHelp);
}
else {
var outputText = "Multiple commands found: <br><br>";
AddConsoleOutput("Multiple commands found:");
AddConsoleLineBreak(2);
for (var i = 0; i < result.length; i++) {
outputText += result[i].Name + "<br>";
AddConsoleOutput(result[i].Name);
AddConsoleLineBreak();
}
AddConsoleHTML(outputText);
}
}
),
Expand All @@ -233,11 +239,28 @@ var commands: Array<ConsoleCommand> = [
AddConsoleOutput("No devices are selected.");
return;
}
var output = `<div>Selected Devices:</div>
<table class="console-device-table table table-responsive">
<thead><tr>
<th>Online</th><th>Device Name</th><th>Alias</th><th>Current User</th><th>Last Online</th><th>Platform</th><th>OS Description</th><th>Free Storage</th><th>Total Storage (GB)</th><th>Free Memory</th><th>Total Memory (GB)</th><th>Tags</th>
</tr></thead>`;

var title = document.createElement("div");
title.innerText = "Selected Devices:";

var table = document.createElement("table");
table.className = "console-device-table table table-responsive";

var head = table.createTHead();
head.innerHTML = `<tr>
<th>Online</th>
<th>Device Name</th>
<th>Alias</th>
<th>Current User</th >
<th>Last Online</th>
<th>Platform</th>
<th>OS Description</th>
<th>Free Storage</th>
<th>Total Storage(GB)</th>
<th>Free Memory</th>
<th>Total Memory(GB)</th>
<th>Tags</th >
</tr>`

var deviceList = selectedDevices.map(x => {
return `<tr>
Expand All @@ -257,9 +280,12 @@ var commands: Array<ConsoleCommand> = [
<td>${EncodeForHTML(x.Tags || "")}</td>
</tr>`
});
output += deviceList.join("");
output += "</table>";
AddConsoleOutput(output);

var body = table.createTBody();
body.innerHTML = deviceList.join();

AddConsoleElement(title);
AddConsoleElement(table);
}
),
new ConsoleCommand("Reinstall",
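Review bot: `body.innerHTML = deviceList.join();` in both the version table and the selected-devices table calls `join` with no separator, which defaults to `","`, so the row strings are concatenated with literal commas where the old code used `join("")`; the HTML parser cannot keep bare text inside a `<tbody>` and will most likely surface those commas as stray text next to the table. Change both lines to `body.innerHTML = deviceList.join("");`. The per-cell `EncodeForHTML` on `DeviceName`, `AgentVersion` and `Tags` is the right treatment for device-supplied fields going into an `innerHTML` sink, and `head.innerHTML` only carries fixed header markup. `AddConsoleTrustedHtml(output)` in the help command interpolates `x.Name`, `x.Summary` and `FullHelp` unescaped, which is acceptable only while those remain developer-authored constants; a comment at that call, `// command metadata is static; never feed device or hub data into this trusted-HTML path`, would protect that assumption.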
43 changes: 38 additions & 5 deletions Server/wwwroot/src/Main/Console.ts
@@ -1,17 +1,18 @@
import { UserSettings } from "./UserSettings.js";
import { ConsoleOutputDiv, ConsoleFrame, ConsoleTab, ConsoleAlert, ConsoleTextArea } from "./UI.js";
import { EncodeForHTML } from "../Shared/Utilities.js";

export function AddConsoleOutput(strOutputMessage: string) {
var outputBlock = document.createElement("div");
outputBlock.classList.add("console-block");

var prompt = document.createElement("div");
prompt.classList.add("console-prompt");
prompt.innerHTML = UserSettings.PromptString;
prompt.innerText = UserSettings.PromptString;

var output = document.createElement("div");
output.classList.add("console-output");
output.innerHTML = strOutputMessage;
output.innerText = strOutputMessage;

outputBlock.appendChild(prompt);
outputBlock.appendChild(output);
Expand All @@ -22,15 +23,47 @@ export function AddConsoleOutput(strOutputMessage: string) {

IncrementMissedMessageCount();
}
export function AddConsoleHTML(html: string) {

export function AddConsoleHTML(elementTag: string, className: string, content: string, extraContent: string = null) {
var innerEle = document.createElement(elementTag);
innerEle.className = className;
innerEle.innerText = content;

var contentWrapper = document.createElement("div");
contentWrapper.appendChild(innerEle);

if (extraContent) {
var extra = document.createElement("span");
extra.innerText = extraContent;
contentWrapper.appendChild(extra);
}

ConsoleOutputDiv.appendChild(contentWrapper);

ConsoleFrame.scrollTop = ConsoleFrame.scrollHeight;

IncrementMissedMessageCount();
}

export function AddConsoleTrustedHtml(trustedHtml: string) {
var contentWrapper = document.createElement("div");
contentWrapper.innerHTML = html;
contentWrapper.innerHTML = trustedHtml;
ConsoleOutputDiv.appendChild(contentWrapper);

ConsoleFrame.scrollTop = ConsoleFrame.scrollHeight;

IncrementMissedMessageCount();
}
export function AddConsoleLineBreak(count: number = 1) {
for (var i = 0; i < count; i++) {
ConsoleOutputDiv.appendChild(document.createElement("br"));
}
}
export function AddConsoleElement(element: HTMLElement) {
ConsoleOutputDiv.appendChild(element);
ConsoleFrame.scrollTop = ConsoleFrame.scrollHeight;
IncrementMissedMessageCount();
}
export function AddTransferHarness(transferID: string, totalDevices: number) {
var transferHarness = document.createElement("div");
transferHarness.id = transferID;
Expand All @@ -41,7 +74,7 @@ export function AddTransferHarness(transferID: string, totalDevices: number) {
Total Devices: ${totalDevices} |
Completed: <span id="${transferID}-completed">0</span>
</div>`;
AddConsoleHTML(transferHarness.outerHTML);
AddConsoleElement(transferHarness);
}
export function AutoSizeTextArea() {
ConsoleTextArea.style.height = "1px";
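Review bot: `AddConsoleTrustedHtml` is now the only remaining raw `innerHTML` sink in this file and nothing states who may call it; a header comment such as `/** Appends developer-authored markup verbatim. Never pass strings built from hub messages, device fields or user input — use AddConsoleOutput, AddConsoleHTML or AddConsoleElement for those. */` would stop the next caller from reintroducing what this commit removes. `AddConsoleHTML` takes `elementTag` as an open `string` and hands it to `document.createElement`; every visible caller passes the literal `"span"`, so narrowing the signature to `elementTag: "span" | "div"` costs nothing and rules out a `script` element, whose text content would execute once `contentWrapper` is appended. The name `AddConsoleHTML` now writes text nodes rather than HTML, so a one-line comment, `// despite the name, content and extraContent are assigned via innerText and are never parsed as HTML`, is worth adding. `AddTransferHarness` still interpolates `transferID` and `totalDevices` into `innerHTML` on the lines above the changed call; if `transferID` is always a server-generated identifier that is harmless, but the comment should say so.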
1 change: 0 additions & 1 deletion Server/wwwroot/src/Main/DataGrid.ts
Expand Up @@ -5,7 +5,6 @@ import { BrowserHubConnection } from "./BrowserHubConnection.js"
import { ShowModal } from "../Shared/UI.js";
import { Device } from "../Shared/Models/Device.js";
import { EncodeForHTML } from "../Shared/Utilities.js";
import { RemoteControlTarget } from "../Shared/Models/RemoteControlTarget.js";

export const DataSource: Array<Device> = new Array<Device>();
export const FilteredDevices: Array<Device> = new Array<Device>();
4 changes: 2 additions & 2 deletions Server/wwwroot/src/Main/InputEventHandlers.ts
Expand Up @@ -3,7 +3,7 @@ import * as UI from "./UI.js";
import * as CommandProcessor from "./CommandProcessor.js";
import * as DataGrid from "./DataGrid.js";
import { BrowserHubConnection } from "./BrowserHubConnection.js";
import { AddConsoleOutput } from "./Console.js";
import { AddConsoleHTML, AddConsoleOutput } from "./Console.js";
import { ShowModal, ShowMessage } from "../Shared/UI.js";


Expand Down Expand Up @@ -201,7 +201,7 @@ function keyDownOnInputTextArea() {
}
UI.CommandCompletionDiv.classList.add("hidden");
UI.CommandInfoDiv.classList.add("hidden");
AddConsoleOutput(`<span class="echo-input">${UI.ConsoleTextArea.value}</span>`);
AddConsoleHTML("span", "echo-input", UI.ConsoleTextArea.value);
if (!BrowserHubConnection.Connected) {
AddConsoleOutput("Not connected. Reconnecting...");
BrowserHubConnection.Connect();
