OS-6: prevent XSS attacks
(ii) use .text() where possible, or fs.sanitize() where not...

Change-Id: I168ec8d275a63ac518ffb00eb9b15701181cb5dd
diff --git a/apps/faultmanagement/fmgui/src/main/resources/app/view/alarmTable/alarmTable.js b/apps/faultmanagement/fmgui/src/main/resources/app/view/alarmTable/alarmTable.js
index a742dae..8e0b341 100644
--- a/apps/faultmanagement/fmgui/src/main/resources/app/view/alarmTable/alarmTable.js
+++ b/apps/faultmanagement/fmgui/src/main/resources/app/view/alarmTable/alarmTable.js
@@ -17,7 +17,7 @@
         var tr = tbody.append('tr');
 
         function addCell(cls, txt) {
-            tr.append('td').attr('class', cls).html(txt);
+            tr.append('td').attr('class', cls).text(txt);
         }
         addCell('label', friendlyProps[index] + ' :');
         addCell('value', value);
diff --git a/web/gui/src/main/webapp/app/fw/layer/panel.js b/web/gui/src/main/webapp/app/fw/layer/panel.js
index 40fe00e..f2b6bf0 100644
--- a/web/gui/src/main/webapp/app/fw/layer/panel.js
+++ b/web/gui/src/main/webapp/app/fw/layer/panel.js
@@ -37,7 +37,7 @@
 
     function init() {
         panelLayer = d3.select('#floatpanels');
-        panelLayer.html('');
+        panelLayer.text('');
         panels = {};
     }
 
@@ -130,7 +130,7 @@
         }
 
         function emptyPanel() {
-            return p.el.html('');
+            return p.el.text('');
         }
 
         function appendPanel(what) {
diff --git a/web/gui/src/main/webapp/app/fw/widget/listBuilder.js b/web/gui/src/main/webapp/app/fw/widget/listBuilder.js
index dbccf97..edc92e9 100644
--- a/web/gui/src/main/webapp/app/fw/widget/listBuilder.js
+++ b/web/gui/src/main/webapp/app/fw/widget/listBuilder.js
@@ -31,7 +31,7 @@
         }
 
         function addCell(cls, txt) {
-            tr.append('td').attr('class', cls).html(txt);
+            tr.append('td').attr('class', cls).text(txt);
         }
 
         addCell('label', lab + ' :');
diff --git a/web/gui/src/main/webapp/app/fw/widget/toolbar.js b/web/gui/src/main/webapp/app/fw/widget/toolbar.js
index 87252ab..b765208 100644
--- a/web/gui/src/main/webapp/app/fw/widget/toolbar.js
+++ b/web/gui/src/main/webapp/app/fw/widget/toolbar.js
@@ -188,7 +188,7 @@
         function rowSetText(text) {
             rowClear();
             currentRow.append('div').classed('tbar-row-text', true)
-                .html(text);
+                .text(text);
         }
 
         function rowAddButton(id, gid, cb, tooltip) {
diff --git a/web/gui/src/main/webapp/app/fw/widget/tooltip.js b/web/gui/src/main/webapp/app/fw/widget/tooltip.js
index b982347..beca6f8 100644
--- a/web/gui/src/main/webapp/app/fw/widget/tooltip.js
+++ b/web/gui/src/main/webapp/app/fw/widget/tooltip.js
@@ -36,7 +36,7 @@
 
     function init() {
         tooltip = d3.select('#tooltip');
-        tooltip.html('');
+        tooltip.text('');
     }
 
     function tipStyle(mouseX, mouseY) {
diff --git a/web/gui/src/main/webapp/app/view/app/app.js b/web/gui/src/main/webapp/app/view/app/app.js
index 567ec2c..af25b25 100644
--- a/web/gui/src/main/webapp/app/view/app/app.js
+++ b/web/gui/src/main/webapp/app/view/app/app.js
@@ -126,7 +126,7 @@
         bottom = container.append('div').classed('bottom', true);
 
         function nTable(hdr, cls) {
-            bottom.append('h2').html(hdr);
+            bottom.append('h2').text(hdr);
             bottom.append('div').classed(cls, true).append('table');
         }
 
@@ -139,7 +139,7 @@
         var tr = tbody.append('tr');
 
         function addCell(cls, txt) {
-            tr.append('td').attr('class', cls).html(txt);
+            tr.append('td').attr('class', cls).text(txt);
         }
 
         addCell('label', friendlyProps[index] + ':');
@@ -147,6 +147,7 @@
     }
 
     function urlize(u) {
+        u = fs.sanitize(u);
         return 'Url:<br/> <a href="' + u + '" target="_blank">' + u + '</a>';
     }
 
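Review bot: Passing u through fs.sanitize() before splicing it into the href does not constrain the URL scheme, so a `javascript:` or `data:` value would still become a clickable link if escaping is all the helper does; what fs.sanitize() does is not visible in this diff, so whether it also escapes the double quote that closes the attribute cannot be confirmed from here. A scheme allow-list ahead of the return closes that gap regardless, e.g. `if (!/^https?:\/\//i.test(u)) { return 'Url:<br/> ' + u; }` after the sanitize call, and `rel="noopener noreferrer"` belongs beside `target="_blank"` on the anchor. Reassigning the parameter u also hides the caller's original value; a local such as `var safe = fs.sanitize(u);` reads more clearly. The caller that inserts the returned markup with .html() lies outside the hunk.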
@@ -182,7 +183,7 @@
                 tbody = table.append('tbody');
 
             items.forEach(function (item) {
-                tbody.append('tr').append('td').html(item);
+                tbody.append('tr').append('td').text(item);
             });
         }
 
@@ -289,7 +290,8 @@
             var content = ds.createDiv();
             content.append('p').text(fs.cap(action) + ' ' + itemId);
             if (strongWarning[itemId]) {
-                content.append('p').html(discouragement).classed('strong', true);
+                content.append('p').html(fs.sanitize(discouragement))
+                    .classed('strong', true);
             }
             return content;
         }
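Review bot: This is the only spot in the commit where a variable still reaches .html(), guarded solely by fs.sanitize(), whose behaviour is not visible in this diff: if it escapes all markup the call is equivalent to `.text(discouragement)` and should use that for consistency with the other hunks; if it permits a tag subset, the reason markup is needed here deserves a comment once confirmed, e.g. `// discouragement carries markup; fs.sanitize() limits it to a safe subset`. Where discouragement is defined is outside the hunk; if it is a constant in this file, keeping its value plain text and switching to .text() removes the innerHTML path entirely.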
diff --git a/web/gui/src/main/webapp/app/view/cluster/cluster.js b/web/gui/src/main/webapp/app/view/cluster/cluster.js
index 887b943..451a067 100644
--- a/web/gui/src/main/webapp/app/view/cluster/cluster.js
+++ b/web/gui/src/main/webapp/app/view/cluster/cluster.js
@@ -98,7 +98,7 @@
         top.append('hr');
 
         bottom = container.append('div').classed('bottom', true);
-        bottom.append('h2').classed('devices-title', true).html('Devices');
+        bottom.append('h2').classed('devices-title', true).text('Devices');
         bottom.append('table');
         //ToDo add more details
     }
@@ -107,7 +107,7 @@
         var tr = tbody.append('tr');
 
         function addCell(cls, txt) {
-            tr.append('td').attr('class', cls).html(txt);
+            tr.append('td').attr('class', cls).text(txt);
         }
         addCell('label', friendlyProps[index] + ' :');
         addCell('value', value);
@@ -115,7 +115,7 @@
 
     function populateTop(details) {
         is.loadEmbeddedIcon(iconDiv, 'node', 40);
-        top.select('h2').html(details.id);
+        top.select('h2').text(details.id);
 
         var tbody = topTable.append('tbody');
 
@@ -128,7 +128,7 @@
         var tr = tbody.append('tr');
 
         deviceCols.forEach(function (col) {
-            tr.append('td').html(device[col]);
+            tr.append('td').text(device[col]);
         });
     }
 
@@ -139,7 +139,7 @@
             tbWidth, tbHeight;
 
         friendlyDeviceCols.forEach(function (col) {
-            theader.append('th').html(col);
+            theader.append('th').text(col);
         });
         devices.forEach(function (device) {
             addDeviceRow(tbody, device);
diff --git a/web/gui/src/main/webapp/app/view/device/device.js b/web/gui/src/main/webapp/app/view/device/device.js
index ec8d8b5..e62ba38 100644
--- a/web/gui/src/main/webapp/app/view/device/device.js
+++ b/web/gui/src/main/webapp/app/view/device/device.js
@@ -77,7 +77,7 @@
     }
 
     function exitEditMode(nameH2, name) {
-        nameH2.html(name);
+        nameH2.text(name);
         nameH2.classed('editable clickable', true);
         editingName = false;
         ks.enableGlobalKeys(true);
@@ -113,7 +113,7 @@
 
         if (!editingName) {
             nameH2.classed('editable clickable', false);
-            nameH2.html('');
+            nameH2.text('');
             tf = nameH2.append('input').classed('name-input', true)
                 .attr('type', 'text')
                 .attr('value', $scope.panelData.name);
@@ -148,7 +148,7 @@
         top.append('hr');
 
         bottom = container.append('div').classed('bottom', true);
-        bottom.append('h2').classed('ports-title', true).html('Ports');
+        bottom.append('h2').classed('ports-title', true).text('Ports');
         bottom.append('table');
     }
 
@@ -156,7 +156,7 @@
         var tr = tbody.append('tr');
 
         function addCell(cls, txt) {
-            tr.append('td').attr('class', cls).html(txt);
+            tr.append('td').attr('class', cls).text(txt);
         }
         addCell('label', friendlyProps[index] + ' :');
         addCell('value', value);
@@ -171,7 +171,7 @@
                         .append('tbody');
 
         is.loadEmbeddedIcon(iconDiv, details._iconid_type, 40);
-        top.select('h2').html(details.name);
+        top.select('h2').text(details.name);
 
         propOrder.forEach(function (prop, i) {
             // properties are split into two tables
@@ -183,7 +183,7 @@
         var tr = tbody.append('tr');
 
         portCols.forEach(function (col) {
-            tr.append('td').html(port[col]);
+            tr.append('td').text(port[col]);
         });
     }
 
@@ -193,7 +193,7 @@
             tbWidth, tbHeight;
 
         friendlyPortCols.forEach(function (col) {
-            theader.append('th').html(col);
+            theader.append('th').text(col);
         });
         ports.forEach(function (port) {
             addPortRow(tbody, port);
@@ -240,7 +240,7 @@
     function respNameCb(data) {
         if (data.warn) {
             $log.warn(data.warn, data.id);
-            top.select('h2').html(data.id);
+            top.select('h2').text(data.id);
         }
     }
 
diff --git a/web/gui/src/main/webapp/app/view/flow/flow.js b/web/gui/src/main/webapp/app/view/flow/flow.js
index c0f0346..182b57a 100644
--- a/web/gui/src/main/webapp/app/view/flow/flow.js
+++ b/web/gui/src/main/webapp/app/view/flow/flow.js
@@ -94,11 +94,11 @@
         topTable = top.append('div').classed('top-content', true)
             .append('table');
         top.append('hr');
-        trmtDiv.append('h2').html('Treatment');
+        trmtDiv.append('h2').text('Treatment');
         topTrmtTable = trmtDiv.append('div').classed('top-content', true)
             .append('table');
         trmtDiv.append('hr');
-        selDiv.append('h2').html('Selector');
+        selDiv.append('h2').text('Selector');
         topSelTable = selDiv.append('div').classed('top-content', true)
             .append('table');
 
@@ -110,7 +110,7 @@
         var tr = tbody.append('tr');
 
         function addCell(cls, txt) {
-            tr.append('td').attr('class', cls).html(txt);
+            tr.append('td').attr('class', cls).text(txt);
         }
         addCell('label', friendlyProps[index] + ' :');
         addCell('value', value);
@@ -120,7 +120,7 @@
         var tr = tbody.append('tr');
 
         function addCell(cls, txt) {
-            tr.append('td').attr('class', cls).html(txt);
+            tr.append('td').attr('class', cls).text(txt);
         }
         addCell('label', label + ' :');
         addCell('value', value);
@@ -128,7 +128,7 @@
 
     function populateTop(details) {
         is.loadEmbeddedIcon(iconDiv, 'flowTable', 40);
-        top.select('h2').html(details.flowId);
+        top.select('h2').text(details.flowId);
 
         var tbody = topTable.append('tbody');
 
diff --git a/web/gui/src/main/webapp/app/view/settings/settings.js b/web/gui/src/main/webapp/app/view/settings/settings.js
index e5a3eba..ce3caa1 100644
--- a/web/gui/src/main/webapp/app/view/settings/settings.js
+++ b/web/gui/src/main/webapp/app/view/settings/settings.js
@@ -102,7 +102,7 @@
         var tr = tbody.append('tr');
 
         function addCell(cls, txt) {
-            tr.append('td').attr('class', cls).html(txt);
+            tr.append('td').attr('class', cls).text(txt);
         }
 
         addCell('label', friendlyProps[index] + ':');
diff --git a/web/gui/src/main/webapp/app/view/topo/topoPanel.js b/web/gui/src/main/webapp/app/view/topo/topoPanel.js
index f5d1cbd..358df86 100644
--- a/web/gui/src/main/webapp/app/view/topo/topoPanel.js
+++ b/web/gui/src/main/webapp/app/view/topo/topoPanel.js
@@ -167,7 +167,7 @@
         }
 
         function addCell(cls, txt) {
-            tr.append('td').attr('class', cls).html(txt);
+            tr.append('td').attr('class', cls).text(txt);
         }
         addCell('label', lab + ' :');
         addCell('value', value);
diff --git a/web/gui/src/main/webapp/app/view/topo2/topo2DeviceDetailsPanel.js b/web/gui/src/main/webapp/app/view/topo2/topo2DeviceDetailsPanel.js
index e8778ed..41ecc8b 100644
--- a/web/gui/src/main/webapp/app/view/topo2/topo2DeviceDetailsPanel.js
+++ b/web/gui/src/main/webapp/app/view/topo2/topo2DeviceDetailsPanel.js
@@ -128,7 +128,7 @@
         }
 
         function addCell(cls, txt) {
-            tr.append('td').attr('class', cls).html(txt);
+            tr.append('td').attr('class', cls).text(txt);
         }
         addCell('label', lab + ' :');
         addCell('value', value);