From 3b23bdc378b6b5a7a5d254e3b4a35bcc10b7e81a Mon Sep 17 00:00:00 2001
From: Ondrej Mular
Date: Sat, 4 Mar 2017 14:01:43 +0100
Subject: [PATCH] web UI: fixed XSS vulnerability CVE-2017-2661

---
 pcsd/public/js/nodes-ember.js | 4 ++--
 pcsd/public/js/pcsd.js | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pcsd/public/js/nodes-ember.js b/pcsd/public/js/nodes-ember.js
index cb2f4d16..41fede89 100644
--- a/pcsd/public/js/nodes-ember.js
+++ b/pcsd/public/js/nodes-ember.js
@@ -75,7 +75,7 @@ Pcs = Ember.Application.createWithMixins({
 var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
 $.each(this.get("sbd_config"), function(opt, val) {
 if (banned_options.indexOf(opt) == -1) {
- out += '' + opt + '' + val + '\n';
+ out += '' + htmlEncode(opt) + '' + htmlEncode(val) + '\n';
 }
 });
 return out + '';
@@ -879,7 +879,7 @@ Pcs.ResourceObj = Ember.Object.extend({
 }.property("status_val"),
 show_status: function() {
 return ''
- + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+ + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
 + '';
 }.property("status_style", "disabled"),
 status_class: function() {
diff --git a/pcsd/public/js/pcsd.js b/pcsd/public/js/pcsd.js
index c96f9baa..6f57de0f 100644
--- a/pcsd/public/js/pcsd.js
+++ b/pcsd/public/js/pcsd.js
@@ -821,7 +821,7 @@ function auth_nodes_dialog(unauth_nodes, callback_success, callback_success_one)
 dialog_obj.find('#auth_nodes_list').empty();
 unauth_nodes.forEach(function(node) {
- dialog_obj.find('#auth_nodes_list').append("\t\t\t" + node + '\n');
+ dialog_obj.find('#auth_nodes_list').append("\t\t\t" + htmlEncode(node) + '\n');
 });
 }
-- 
2.11.0
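Review bot: `htmlEncode` becomes the escaping primitive on the added line, but its definition is not part of this patch, so the fix is only as strong as that helper; the same dependency applies to the show_status hunk and the auth_nodes_dialog hunk below. Because the encoded strings are concatenated straight into markup, the helper must at minimum map `&`, `<` and `>`, and also `"` and `'` if any call site ends up inside an attribute; a one-line comment at this call site, `// opt/val come from the stored SBD config and are untrusted; escape before building markup`, would record why the call must not be dropped. The loose comparison on the context line above, `banned_options.indexOf(opt) == -1`, is a pre-existing style point and reads more clearly as `!== -1`. The enclosing function starts and ends outside the hunk, and the element tags around `opt` and `val` were lost in this rendering of the patch.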
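Review bot: The dependent-key list on the context line after the change, `.property("status_style", "disabled")`, does not name `status` or `is_unmanaged`, both of which the body reads, so Ember may keep serving a cached string after they change; unless `status_style` is itself derived from `status`, the list should read `.property("status", "is_unmanaged", "status_style", "disabled")`. The `return ''` context line lost its markup in this rendering; if it interpolates `status_style` or a similar property into an attribute, that value is still unencoded and sits in attribute context, where quoting matters as much as angle brackets. The `Pcs.ResourceObj` definition continues on both sides of the hunk.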
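Review bot: Encoding `node` closes the injection on the changed line, but the sink is still `.append()` on a hand-built HTML string, so any later edit that omits the `htmlEncode` call silently reopens it; constructing the row with jQuery and setting the name via `.text(node)` (for example `$('<ROW_TAG>').text(node)` appended to `#auth_nodes_list`, where `ROW_TAG` is a placeholder because the tag names were lost in this rendering) makes the safe path the default rather than an opt-in. The `"\t\t\t"` and `'\n'` literals suggest this string was meant to be readable in the DOM dump rather than rendered, which is one more reason to build nodes instead of text. `auth_nodes_dialog` starts before the hunk, and the header's 7-line count versus the 5 visible lines indicates blank context lines were collapsed in this rendering.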