From 3b23bdc378b6b5a7a5d254e3b4a35bcc10b7e81a Mon Sep 17 00:00:00 2001
|
|
From: Ondrej Mular <omular@redhat.com>
|
|
Date: Sat, 4 Mar 2017 14:01:43 +0100
|
|
Subject: [PATCH] web UI: fixed XSS vulnerability CVE-2017-2661
|
|
|
|
---
|
|
pcsd/public/js/nodes-ember.js | 4 ++--
|
|
pcsd/public/js/pcsd.js | 2 +-
|
|
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/pcsd/public/js/nodes-ember.js b/pcsd/public/js/nodes-ember.js
|
|
index cb2f4d16..41fede89 100644
|
|
--- a/pcsd/public/js/nodes-ember.js
|
|
+++ b/pcsd/public/js/nodes-ember.js
|
|
@@ -75,7 +75,7 @@ Pcs = Ember.Application.createWithMixins({
|
|
var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
|
|
$.each(this.get("sbd_config"), function(opt, val) {
|
|
if (banned_options.indexOf(opt) == -1) {
|
|
- out += '<tr><td>' + opt + '</td><td>' + val + '</td></tr>\n';
|
|
+ out += '<tr><td>' + htmlEncode(opt) + '</td><td>' + htmlEncode(val) + '</td></tr>\n';
|
|
}
|
|
});
|
|
return out + '</table>';
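Review bot: The table row is still assembled by string concatenation, so this line, like the `show_status` and `auth_nodes_dialog` changes in the later hunks, is only as safe as `htmlEncode`, whose definition is not part of this patch. It is worth confirming that the helper escapes `&`, `<`, `>` and both quote characters, and that it accepts a non-string `val`. I would also add a comment above the concatenation so a later edit does not reintroduce a raw value: `// out is returned as raw HTML: every sbd_config key and value must pass through htmlEncode()`. The enclosing function begins before this hunk, so how `out` is finally inserted into the page is not visible here.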
|
|
@@ -879,7 +879,7 @@ Pcs.ResourceObj = Ember.Object.extend({
|
|
}.property("status_val"),
|
|
show_status: function() {
|
|
return '<span style="' + this.get('status_style') + '">'
|
|
- + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
|
|
+ + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
|
|
+ '</span>';
|
|
}.property("status_style", "disabled"),
|
|
status_class: function() {
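Review bot: In `show_status` the `status` text is now encoded, but `this.get('status_style')` is still concatenated unencoded into the `style="..."` attribute on the line above. If `status_style` is built only from fixed strings this is harmless, but its definition is outside the hunk, so that is an assumption to verify. Encoding it as well costs nothing and keeps the whole expression consistent: `return '<span style="' + htmlEncode(this.get('status_style')) + '">'`.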
|
|
diff --git a/pcsd/public/js/pcsd.js b/pcsd/public/js/pcsd.js
|
|
index c96f9baa..6f57de0f 100644
|
|
--- a/pcsd/public/js/pcsd.js
|
|
+++ b/pcsd/public/js/pcsd.js
|
|
@@ -821,7 +821,7 @@ function auth_nodes_dialog(unauth_nodes, callback_success, callback_success_one)
|
|
|
|
dialog_obj.find('#auth_nodes_list').empty();
|
|
unauth_nodes.forEach(function(node) {
|
|
- dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + node + '</td><td><input type="password" name="' + node + '-pass"></td></tr>\n');
|
|
+ dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + htmlEncode(node) + '</td><td><input type="password" name="' + htmlEncode(node) + '-pass"></td></tr>\n');
|
|
});
|
|
|
|
}
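Review bot: In `auth_nodes_dialog` the node name is written into two contexts, element text and the double-quoted `name` attribute of the password input, and the attribute is only protected if `htmlEncode` also escapes `"`. A text-only encoder (for example one based on `.text().html()`) would leave quotes intact, and the helper is not shown in this patch. Building the row from elements with `.text()` and `.attr()` removes that dependency, as sketched below. The function starts before this hunk; the sketch only replaces the `forEach` body.

```javascript
unauth_nodes.forEach(function(node) {
  // Build the row from elements so the node name is never parsed as markup.
  var name_cell = $('<td>').text(node);
  var pass_input = $('<input type="password">').attr('name', node + '-pass');
  var row = $('<tr>').append(name_cell).append($('<td>').append(pass_input));
  dialog_obj.find('#auth_nodes_list').append(row);
});
```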
|
|
--
|
|
2.11.0
|
|
|