From 75cfe801fb55fc6dc8c2f565a6b5bf0452549365 Mon Sep 17 00:00:00 2001 From: Alexander Moisseev Date: Sun, 23 Jul 2017 12:59:57 +0300 Subject: [WebUI] Escape strings inside HTML in history --- interface/js/app/history.js | 43 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/interface/js/app/history.js b/interface/js/app/history.js index 378c3cf7b..381c01d0d 100644 --- a/interface/js/app/history.js +++ b/interface/js/app/history.js @@ -36,20 +36,49 @@ function($, _, Humanize) { '`': '`', '=': '=' }; - var htmlEscaper = /[&<>"'\/]/g; - + var htmlEscaper = /[&<>"'\/`=]/g; + EscapeHTML = function(string) { return ('' + string).replace(htmlEscaper, function(match) { return htmlEscapes[match]; }); }; - + + escape_HTML_array = function (arr) { + arr.forEach(function (d, i) { arr[i] = EscapeHTML(d) }); + }; + function unix_time_format(tm) { var date = new Date(tm ? tm * 1000 : 0); return date.toLocaleString(); } function preprocess_item(item) { + for (var prop in item) { + switch (prop) { + case "rcpt_mime": + case "rcpt_smtp": + escape_HTML_array(item[prop]); + break; + case "symbols": + Object.keys(item.symbols).map(function(key) { + var sym = item.symbols[key]; + + sym.name = EscapeHTML(sym.name); + sym.description = EscapeHTML(sym.description); + + if (sym.options) { + escape_HTML_array(sym.options); + } + }); + break; + default: + if (typeof (item[prop]) == "string") { + item[prop] = EscapeHTML(item[prop]); + } + } + } + if (item.action === 'clean' || item.action === 'no action') { item.action = "
" + item.action + "
"; } else if (item.action === 'rewrite subject' || item.action === 'add header' || item.action === 'probable spam') { @@ -88,7 +117,7 @@ function($, _, Humanize) { preprocess_item(item); Object.keys(item.symbols).map(function(key) { var sym = item.symbols[key]; - var str = '' + key + '' + "(" + sym.score + ")"; + var str = '' + sym.name + '' + "(" + sym.score + ")"; if (sym.options) { str += '[' + sym.options.join(",") + "]"; @@ -162,8 +191,7 @@ function($, _, Humanize) { "textOverflow": "ellipsis", "wordBreak": "break-all", "whiteSpace": "normal" - }, - "formatter": EscapeHTML + } }, { "name": "ip", "title": "IP address", @@ -196,8 +224,7 @@ function($, _, Humanize) { "font-size": "11px", "word-break": "break-all", "minWidth": 150 - }, - "formatter": EscapeHTML + } }, { "name": "action", "title": "Action", -- cgit v1.2.3