Replace usage of .html(...) with .text(...) where possible;
Wrap input with fs.sanitize(...) where .html() must be used.
Change-Id: I39e20b6fb561b3a1801579ca6a86a5f94483e4a9
diff --git a/web/gui/src/main/webapp/app/fw/layer/panel.js b/web/gui/src/main/webapp/app/fw/layer/panel.js
index 40fe00e..f2b6bf0 100644
--- a/web/gui/src/main/webapp/app/fw/layer/panel.js
+++ b/web/gui/src/main/webapp/app/fw/layer/panel.js
@@ -37,7 +37,7 @@
function init() {
panelLayer = d3.select('#floatpanels');
- panelLayer.html('');
+ panelLayer.text('');
panels = {};
}
@@ -130,7 +130,7 @@
}
function emptyPanel() {
- return p.el.html('');
+ return p.el.text('');
}
function appendPanel(what) {
diff --git a/web/gui/src/main/webapp/app/fw/util/fn.js b/web/gui/src/main/webapp/app/fw/util/fn.js
index 2d55623..153ca3b 100644
--- a/web/gui/src/main/webapp/app/fw/util/fn.js
+++ b/web/gui/src/main/webapp/app/fw/util/fn.js
@@ -435,7 +435,7 @@
// to be loaded via a .html() function call.
var matcher = /<\/?([a-zA-Z0-9]+)*(.*?)\/?>/igm,
- whitelist = ['b', 'i', 'p', 'em', 'strong'],
+ whitelist = ['b', 'i', 'p', 'em', 'strong', 'br'],
evillist = ['script', 'style', 'iframe'];
// Returns true if the tag is in the evil list, (and is not an end-tag)
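Review bot: The whitelist on the added line is keyed on the tag name alone, while the matcher above captures everything after the name separately in `(.*?)`; unless the part of sanitize that lies outside this hunk drops or validates that group, a whitelisted tag such as `<b …>` would still carry its attributes through, which this change does not address. Separately, `([a-zA-Z0-9]+)*` is a nested quantifier: on a long `<aaaa…` run with no closing `>` it can backtrack exponentially in the browser, and `([a-zA-Z0-9]*)` matches the same strings without that cost, the only difference being that group 1 becomes `''` instead of `undefined` when no name follows the `<`. Suggested: `var matcher = /<\/?([a-zA-Z0-9]*)(.*?)\/?>/igm,`. Since the matcher is `/i`, it is also worth confirming that the lookup lowercases the captured name, or `<BR>` will not be found in the list. The function that applies these lists begins and ends outside the hunk.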
@@ -487,7 +487,6 @@
return html;
}
-
angular.module('onosUtil')
.factory('FnService',
['$window', '$location', '$log', function (_$window_, $loc, _$log_) {
diff --git a/web/gui/src/main/webapp/app/fw/widget/listBuilder.js b/web/gui/src/main/webapp/app/fw/widget/listBuilder.js
index dbccf97..edc92e9 100644
--- a/web/gui/src/main/webapp/app/fw/widget/listBuilder.js
+++ b/web/gui/src/main/webapp/app/fw/widget/listBuilder.js
@@ -31,7 +31,7 @@
}
function addCell(cls, txt) {
- tr.append('td').attr('class', cls).html(txt);
+ tr.append('td').attr('class', cls).text(txt);
}
addCell('label', lab + ' :');
diff --git a/web/gui/src/main/webapp/app/fw/widget/toolbar.js b/web/gui/src/main/webapp/app/fw/widget/toolbar.js
index 87252ab..b765208 100644
--- a/web/gui/src/main/webapp/app/fw/widget/toolbar.js
+++ b/web/gui/src/main/webapp/app/fw/widget/toolbar.js
@@ -188,7 +188,7 @@
function rowSetText(text) {
rowClear();
currentRow.append('div').classed('tbar-row-text', true)
- .html(text);
+ .text(text);
}
function rowAddButton(id, gid, cb, tooltip) {
diff --git a/web/gui/src/main/webapp/app/fw/widget/tooltip.js b/web/gui/src/main/webapp/app/fw/widget/tooltip.js
index b982347..beca6f8 100644
--- a/web/gui/src/main/webapp/app/fw/widget/tooltip.js
+++ b/web/gui/src/main/webapp/app/fw/widget/tooltip.js
@@ -36,7 +36,7 @@
function init() {
tooltip = d3.select('#tooltip');
- tooltip.html('');
+ tooltip.text('');
}
function tipStyle(mouseX, mouseY) {
diff --git a/web/gui/src/main/webapp/app/view/app/app.js b/web/gui/src/main/webapp/app/view/app/app.js
index 131c56f..a71cb2d 100644
--- a/web/gui/src/main/webapp/app/view/app/app.js
+++ b/web/gui/src/main/webapp/app/view/app/app.js
@@ -126,7 +126,7 @@
bottom = container.append('div').classed('bottom', true);
function nTable(hdr, cls) {
- bottom.append('h2').html(hdr);
+ bottom.append('h2').text(hdr);
bottom.append('div').classed(cls, true).append('table');
}
@@ -139,7 +139,7 @@
var tr = tbody.append('tr');
function addCell(cls, txt) {
- tr.append('td').attr('class', cls).html(txt);
+ tr.append('td').attr('class', cls).text(txt);
}
addCell('label', friendlyProps[index] + ':');
@@ -147,6 +147,7 @@
}
function urlize(u) {
+ u = fs.sanitize(u);
return '<a href="' + u + '" target="_blank">' + u + '</a>';
}
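Review bot: Wrapping `u` in fs.sanitize() on the added line does not make it safe to splice into the href attribute on the next line: if sanitize is the tag-whitelist filter whose lists appear in the fn.js hunk, it acts on `<…>` tags, whereas the attribute context is broken by a `"` inside `u` and a `javascript:` URL contains no tag at all. Consider accepting only http/https values (a sentence-level check such as `if (!/^https?:\/\//i.test(u)) { return u; }`) and escaping quotes before interpolation, e.g. `var href = u.replace(/"/g, '&quot;');` followed by `return '<a href="' + href + '" target="_blank" rel="noopener noreferrer">' + u + '</a>';`, where the added `rel` also closes the window-opener access that `target="_blank"` grants the linked page. The caller that feeds this returned string to .html() is outside the hunk; if it is one of the addCell/addProp helpers switched to .text() elsewhere in this file, the anchor would now render as literal markup, so that call site is worth checking.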
@@ -182,7 +183,7 @@
tbody = table.append('tbody');
items.forEach(function (item) {
- tbody.append('tr').append('td').html(item);
+ tbody.append('tr').append('td').text(item);
});
}
@@ -289,7 +290,8 @@
var content = ds.createDiv();
content.append('p').text(fs.cap(action) + ' ' + itemId);
if (strongWarning[itemId]) {
- content.append('p').html(discouragement).classed('strong', true);
+ content.append('p').html(fs.sanitize(discouragement))
+ .classed('strong', true);
}
return content;
}
diff --git a/web/gui/src/main/webapp/app/view/cluster/cluster.js b/web/gui/src/main/webapp/app/view/cluster/cluster.js
index 887b943..451a067 100644
--- a/web/gui/src/main/webapp/app/view/cluster/cluster.js
+++ b/web/gui/src/main/webapp/app/view/cluster/cluster.js
@@ -98,7 +98,7 @@
top.append('hr');
bottom = container.append('div').classed('bottom', true);
- bottom.append('h2').classed('devices-title', true).html('Devices');
+ bottom.append('h2').classed('devices-title', true).text('Devices');
bottom.append('table');
//ToDo add more details
}
@@ -107,7 +107,7 @@
var tr = tbody.append('tr');
function addCell(cls, txt) {
- tr.append('td').attr('class', cls).html(txt);
+ tr.append('td').attr('class', cls).text(txt);
}
addCell('label', friendlyProps[index] + ' :');
addCell('value', value);
@@ -115,7 +115,7 @@
function populateTop(details) {
is.loadEmbeddedIcon(iconDiv, 'node', 40);
- top.select('h2').html(details.id);
+ top.select('h2').text(details.id);
var tbody = topTable.append('tbody');
@@ -128,7 +128,7 @@
var tr = tbody.append('tr');
deviceCols.forEach(function (col) {
- tr.append('td').html(device[col]);
+ tr.append('td').text(device[col]);
});
}
@@ -139,7 +139,7 @@
tbWidth, tbHeight;
friendlyDeviceCols.forEach(function (col) {
- theader.append('th').html(col);
+ theader.append('th').text(col);
});
devices.forEach(function (device) {
addDeviceRow(tbody, device);
diff --git a/web/gui/src/main/webapp/app/view/device/device.js b/web/gui/src/main/webapp/app/view/device/device.js
index 303e425..f7ec45b 100644
--- a/web/gui/src/main/webapp/app/view/device/device.js
+++ b/web/gui/src/main/webapp/app/view/device/device.js
@@ -78,7 +78,7 @@
}
function exitEditMode(nameH2, name) {
- nameH2.html(name);
+ nameH2.text(name);
nameH2.classed('editable clickable', true);
editingName = false;
ks.enableGlobalKeys(true);
@@ -114,7 +114,7 @@
if (!editingName) {
nameH2.classed('editable clickable', false);
- nameH2.html('');
+ nameH2.text('');
tf = nameH2.append('input').classed('name-input', true)
.attr('type', 'text')
.attr('value', $scope.panelData.name);
@@ -149,7 +149,7 @@
top.append('hr');
bottom = container.append('div').classed('bottom', true);
- bottom.append('h2').classed('ports-title', true).html('Ports');
+ bottom.append('h2').classed('ports-title', true).text('Ports');
bottom.append('table');
}
@@ -157,7 +157,7 @@
var tr = tbody.append('tr');
function addCell(cls, txt) {
- tr.append('td').attr('class', cls).html(txt);
+ tr.append('td').attr('class', cls).text(txt);
}
addCell('label', friendlyProps[index] + ' :');
addCell('value', value);
@@ -172,7 +172,7 @@
.append('tbody');
is.loadEmbeddedIcon(iconDiv, details._iconid_type, 40);
- top.select('h2').html(details.name);
+ top.select('h2').text(details.name);
// === demonstrate use of JsonCodec object see ONOS-5976
addProp(leftTbl, 0, device.id);
@@ -195,7 +195,7 @@
var tr = tbody.append('tr');
portCols.forEach(function (col) {
- tr.append('td').html(port[col]);
+ tr.append('td').text(port[col]);
});
}
@@ -205,7 +205,7 @@
tbWidth, tbHeight;
friendlyPortCols.forEach(function (col) {
- theader.append('th').html(col);
+ theader.append('th').text(col);
});
ports.forEach(function (port) {
addPortRow(tbody, port);
@@ -253,7 +253,7 @@
function respNameCb(data) {
if (data.warn) {
$log.warn(data.warn, data.id);
- top.select('h2').html(data.id);
+ top.select('h2').text(data.id);
}
}
diff --git a/web/gui/src/main/webapp/app/view/flow/flow.js b/web/gui/src/main/webapp/app/view/flow/flow.js
index 1d2ceaa..a48c63e 100644
--- a/web/gui/src/main/webapp/app/view/flow/flow.js
+++ b/web/gui/src/main/webapp/app/view/flow/flow.js
@@ -94,11 +94,11 @@
topTable = top.append('div').classed('top-content', true)
.append('table');
top.append('hr');
- trmtDiv.append('h2').html('Treatment');
+ trmtDiv.append('h2').text('Treatment');
topTrmtTable = trmtDiv.append('div').classed('top-content', true)
.append('table');
trmtDiv.append('hr');
- selDiv.append('h2').html('Selector');
+ selDiv.append('h2').text('Selector');
topSelTable = selDiv.append('div').classed('top-content', true)
.append('table');
@@ -110,7 +110,7 @@
var tr = tbody.append('tr');
function addCell(cls, txt) {
- tr.append('td').attr('class', cls).html(txt);
+ tr.append('td').attr('class', cls).text(txt);
}
addCell('label', friendlyProps[index] + ' :');
addCell('value', value);
@@ -120,7 +120,7 @@
var tr = tbody.append('tr');
function addCell(cls, txt) {
- tr.append('td').attr('class', cls).html(txt);
+ tr.append('td').attr('class', cls).text(txt);
}
addCell('label', label + ' :');
addCell('value', value);
@@ -128,7 +128,7 @@
function populateTop(details) {
is.loadEmbeddedIcon(iconDiv, 'flowTable', 40);
- top.select('h2').html(details.flowId);
+ top.select('h2').text(details.flowId);
var tbody = topTable.append('tbody');
diff --git a/web/gui/src/main/webapp/app/view/settings/settings.js b/web/gui/src/main/webapp/app/view/settings/settings.js
index e5a3eba..ce3caa1 100644
--- a/web/gui/src/main/webapp/app/view/settings/settings.js
+++ b/web/gui/src/main/webapp/app/view/settings/settings.js
@@ -102,7 +102,7 @@
var tr = tbody.append('tr');
function addCell(cls, txt) {
- tr.append('td').attr('class', cls).html(txt);
+ tr.append('td').attr('class', cls).text(txt);
}
addCell('label', friendlyProps[index] + ':');
diff --git a/web/gui/src/main/webapp/app/view/topo/topoPanel.js b/web/gui/src/main/webapp/app/view/topo/topoPanel.js
index 32d3420..100cd96 100644
--- a/web/gui/src/main/webapp/app/view/topo/topoPanel.js
+++ b/web/gui/src/main/webapp/app/view/topo/topoPanel.js
@@ -167,7 +167,7 @@
}
function addCell(cls, txt) {
- tr.append('td').attr('class', cls).html(txt);
+ tr.append('td').attr('class', cls).text(txt);
}
addCell('label', lab + ' :');
addCell('value', value);
diff --git a/web/gui/src/main/webapp/app/view/topo2/topo2DeviceDetailsPanel.js b/web/gui/src/main/webapp/app/view/topo2/topo2DeviceDetailsPanel.js
index 0a60da7..3cacf8b 100644
--- a/web/gui/src/main/webapp/app/view/topo2/topo2DeviceDetailsPanel.js
+++ b/web/gui/src/main/webapp/app/view/topo2/topo2DeviceDetailsPanel.js
@@ -139,7 +139,7 @@
}
function addCell(cls, txt) {
- tr.append('td').attr('class', cls).html(txt);
+ tr.append('td').attr('class', cls).text(txt);
}
addCell('label', lab + ' :');
addCell('value', value);