SSF-31 XSS and link injection on "role" param of /roles/edit_users and /roles/edit_groups

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/roles/_edit_groups.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/roles/_edit_groups.html.erb
index 186d8b2da2698031bbd9b07b018e1adfe824b829..a6ce4faf81642ca267861d6abdbdc264a037a10c 100644 (file)
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/roles/_edit_groups.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/roles/_edit_groups.html.erb
@@ -1,5 +1,5 @@
 <div class="modal-head">
-  <h2><%= @project ? "Edit Permission #{message("projects_role.#{@role}")} For: " + h(@project.name) : "Edit Global Permission: #{message("global_permissions.#{@role}")}" -%></h2>
+  <h2><%= @project ? "Edit Permission #{message("projects_role.#{h @role}")} For: " + h(@project.name) : "Edit Global Permission: #{message("global_permissions.#{h @role}")}" -%></h2>
 </div>
 
 <div class="modal-body">
@@ -21,12 +21,12 @@
       }
       return label;
     },
-    searchUrl: baseUrl + '/permissions/search_groups?permission=<%= @role -%><%= @project ? "&component=" + @project.key : "" -%>',
+    searchUrl: baseUrl + '/permissions/search_groups?permission=<%= u @role -%><%= @project ? "&component=" + u(@project.key) : "" -%>',
     selectUrl: baseUrl + '/api/permissions/add',
     deselectUrl: baseUrl + '/api/permissions/remove',
     extra: {
-      permission: '<%= @role -%>'
-      <%= @project ? ", component: '" + @project.key + "'" : "" %>
+      permission: '<%= escape_javascript @role -%>'
+      <%= @project ? ", component: '" + escape_javascript(@project.key) + "'" : "" %>
     },
     selectParameter: 'group',
     selectParameterValue: 'name',

diff --git a/server/sonar-web/src/main/webapp/WEB-INF/app/views/roles/_edit_users.html.erb b/server/sonar-web/src/main/webapp/WEB-INF/app/views/roles/_edit_users.html.erb
index 3e2bad239c8c4b9975dbccdb93df6251cf5d5734..52cea1e90a213255a89ddb928f6e504f3bd64737 100644 (file)
--- a/server/sonar-web/src/main/webapp/WEB-INF/app/views/roles/_edit_users.html.erb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/app/views/roles/_edit_users.html.erb
@@ -1,5 +1,5 @@
 <div class="modal-head">
-  <h2><%= @project ? "Edit Permission #{message("projects_role.#{@role}")} For: " + h(@project.name) : "Edit Global Permission: #{message("global_permissions.#{@role}")}" -%></h2>
+  <h2><%= @project ? "Edit Permission #{message("projects_role.#{h @role}")} For: " + h(@project.name) : "Edit Global Permission: #{message("global_permissions.#{h @role}")}" -%></h2>
 </div>
 
 <div class="modal-body">
@@ -15,12 +15,12 @@
     el: '#select-users-permissions',
     width: '100%',
     format: function (item) { return item.name + ' <div class="subtitle">' + item.login + '</div>'; },
-    searchUrl: baseUrl + '/permissions/search_users?permission=<%= @role -%><%= @project ? "&component=" + @project.key : "" -%>',
+    searchUrl: baseUrl + '/permissions/search_users?permission=<%= u @role -%><%= @project ? "&component=" + u(@project.key) : "" -%>',
     selectUrl: baseUrl + '/api/permissions/add',
     deselectUrl: baseUrl + '/api/permissions/remove',
     extra: {
-      permission: '<%= @role -%>'
-      <%= @project ? ", component: '" + @project.key + "'" : "" %>
+      permission: '<%= escape_javascript @role -%>'
+      <%= @project ? ", component: '" + escape_javascript(@project.key) + "'" : "" %>
     },
     selectParameter: 'user',
     selectParameterValue: 'login',