SONAR-9003 Fix Xss vulnerability

author: Grégoire Aubert <gregoire.aubert@sonarsource.com> 2017-04-27 16:17:21 +0200
committer: Grégoire Aubert <gregaubert@users.noreply.github.com> 2017-04-28 15:32:07 +0200
commit: 5d361e9ec5437d9402d95939b630796494416021 (patch)
tree: 23fb2533e30dca5aef84c14e91f069490d1cfd41 /server/sonar-web/src/main/js/apps/permission-templates/views
parent: 56194c84a561bfb8b446bf5d87c73f41e8822dab (diff)
download: sonarqube-5d361e9ec5437d9402d95939b630796494416021.tar.gz
sonarqube-5d361e9ec5437d9402d95939b630796494416021.zip
2 files changed, 6 insertions, 4 deletions
diff --git a/server/sonar-web/src/main/js/apps/permission-templates/views/GroupsView.js b/server/sonar-web/src/main/js/apps/permission-templates/views/GroupsView.js
index 8c91e8784a7..ca357a43d77 100644
--- a/server/sonar-web/src/main/js/apps/permission-templates/views/GroupsView.js
+++ b/server/sonar-web/src/main/js/apps/permission-templates/views/GroupsView.js
@@ -17,6 +17,7 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
+import escapeHtml from 'escape-html';
 import Modal from '../../../components/common/modals';
 import Template from '../templates/permission-templates-groups.hbs';
 import '../../../components/SelectList';
@@ -38,8 +39,8 @@ export default Modal.extend({
       width: '100%',
       readOnly: false,
       focusSearch: false,
-      format(item) {
-        return item.name;
+      dangerouslyUnescapedHtmlFormat(item) {
+        return escapeHtml(item.name);
       },
       queryParam: 'q',
       searchUrl: getSearchUrl(this.options.permission, this.options.permissionTemplate),
diff --git a/server/sonar-web/src/main/js/apps/permission-templates/views/UsersView.js b/server/sonar-web/src/main/js/apps/permission-templates/views/UsersView.js
index 6dde7ba5d71..9992398ba55 100644
--- a/server/sonar-web/src/main/js/apps/permission-templates/views/UsersView.js
+++ b/server/sonar-web/src/main/js/apps/permission-templates/views/UsersView.js
@@ -17,6 +17,7 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
+import escapeHtml from 'escape-html';
 import Modal from '../../../components/common/modals';
 import Template from '../templates/permission-templates-users.hbs';
 import '../../../components/SelectList';
@@ -65,8 +66,8 @@ export default Modal.extend({
       width: '100%',
       readOnly: false,
       focusSearch: false,
-      format(item) {
-        return `${item.name}<br><span class="note">${item.login}</span>`;
+      dangerouslyUnescapedHtmlFormat(item) {
+        return `${escapeHtml(item.name)}<br><span class="note">${escapeHtml(item.login)}</span>`;
       },
       queryParam: 'q',
       selectUrl: window.baseUrl + '/api/permissions/add_user_to_template',
author	Grégoire Aubert <gregoire.aubert@sonarsource.com>	2017-04-27 16:17:21 +0200
committer	Grégoire Aubert <gregaubert@users.noreply.github.com>	2017-04-28 15:32:07 +0200
commit	5d361e9ec5437d9402d95939b630796494416021 (patch)
tree	23fb2533e30dca5aef84c14e91f069490d1cfd41 /server/sonar-web/src/main/js/apps/permission-templates/views
parent	56194c84a561bfb8b446bf5d87c73f41e8822dab (diff)
download	sonarqube-5d361e9ec5437d9402d95939b630796494416021.tar.gz sonarqube-5d361e9ec5437d9402d95939b630796494416021.zip