authorGrégoire Aubert <gregoire.aubert@sonarsource.com>2017-04-27 16:17:21 +0200
committerGrégoire Aubert <gregaubert@users.noreply.github.com>2017-04-28 15:32:07 +0200
commit5d361e9ec5437d9402d95939b630796494416021 (patch)
tree23fb2533e30dca5aef84c14e91f069490d1cfd41 /server/sonar-web
parent56194c84a561bfb8b446bf5d87c73f41e8822dab (diff)
SONAR-9003 Fix Xss vulnerability
Diffstat (limited to 'server/sonar-web')
-rw-r--r--server/sonar-web/src/main/js/apps/groups/users-view.js5
-rw-r--r--server/sonar-web/src/main/js/apps/permission-templates/views/GroupsView.js5
-rw-r--r--server/sonar-web/src/main/js/apps/permission-templates/views/UsersView.js5
-rw-r--r--server/sonar-web/src/main/js/apps/quality-gates/views/gate-projects-view.js5
-rw-r--r--server/sonar-web/src/main/js/apps/quality-profiles/views/ChangeProjectsView.js2
-rw-r--r--server/sonar-web/src/main/js/apps/users/groups-view.js8
-rw-r--r--server/sonar-web/src/main/js/components/SelectList/index.js7
7 files changed, 23 insertions, 14 deletions
diff --git a/server/sonar-web/src/main/js/apps/groups/users-view.js b/server/sonar-web/src/main/js/apps/groups/users-view.js
index 558be7d4160..1342c0685ab 100644
--- a/server/sonar-web/src/main/js/apps/groups/users-view.js
+++ b/server/sonar-web/src/main/js/apps/groups/users-view.js
@@ -17,6 +17,7 @@
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+import escapeHtml from 'escape-html';
import Modal from '../../components/common/modals';
import '../../components/SelectList';
import Template from './templates/groups-users.hbs';
@@ -31,8 +32,8 @@ export default Modal.extend({
width: '100%',
readOnly: false,
focusSearch: false,
- format(item) {
- return `${item.name}<br><span class="note">${item.login}</span>`;
+ dangerouslyUnescapedHtmlFormat(item) {
+ return `${escapeHtml(item.name)}<br><span class="note">${escapeHtml(item.login)}</span>`;
},
queryParam: 'q',
searchUrl: window.baseUrl + '/api/user_groups/users?ps=100&id=' + this.model.id,
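Review bot: Nothing but the method name tells the next editor that the string returned on the `return` line is injected as raw HTML, and the name reads oddly against a body that escapes everything; a one-line comment above `dangerouslyUnescapedHtmlFormat(item)` would carry the contract, e.g. `// SelectList inserts this string as HTML, so every interpolated field must go through escapeHtml.` The same comment belongs on the parallel hunks in permission-templates/views/GroupsView.js, permission-templates/views/UsersView.js, quality-gates/views/gate-projects-view.js and users/groups-view.js. escape-html appears to stringify its argument, so a user record without a `login` would render the literal text "undefined" inside the note span — not an XSS risk, but visible; if that field is optional, `escapeHtml(item.login || '')` avoids it. The unchanged `searchUrl` line concatenates `this.model.id` into the query string unencoded; if group ids are not guaranteed to be numeric, `encodeURIComponent(this.model.id)` is the safer form.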
diff --git a/server/sonar-web/src/main/js/apps/permission-templates/views/GroupsView.js b/server/sonar-web/src/main/js/apps/permission-templates/views/GroupsView.js
index 8c91e8784a7..ca357a43d77 100644
--- a/server/sonar-web/src/main/js/apps/permission-templates/views/GroupsView.js
+++ b/server/sonar-web/src/main/js/apps/permission-templates/views/GroupsView.js
@@ -17,6 +17,7 @@
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+import escapeHtml from 'escape-html';
import Modal from '../../../components/common/modals';
import Template from '../templates/permission-templates-groups.hbs';
import '../../../components/SelectList';
@@ -38,8 +39,8 @@ export default Modal.extend({
width: '100%',
readOnly: false,
focusSearch: false,
- format(item) {
- return item.name;
+ dangerouslyUnescapedHtmlFormat(item) {
+ return escapeHtml(item.name);
},
queryParam: 'q',
searchUrl: getSearchUrl(this.options.permission, this.options.permissionTemplate),
diff --git a/server/sonar-web/src/main/js/apps/permission-templates/views/UsersView.js b/server/sonar-web/src/main/js/apps/permission-templates/views/UsersView.js
index 6dde7ba5d71..9992398ba55 100644
--- a/server/sonar-web/src/main/js/apps/permission-templates/views/UsersView.js
+++ b/server/sonar-web/src/main/js/apps/permission-templates/views/UsersView.js
@@ -17,6 +17,7 @@
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+import escapeHtml from 'escape-html';
import Modal from '../../../components/common/modals';
import Template from '../templates/permission-templates-users.hbs';
import '../../../components/SelectList';
@@ -65,8 +66,8 @@ export default Modal.extend({
width: '100%',
readOnly: false,
focusSearch: false,
- format(item) {
- return `${item.name}<br><span class="note">${item.login}</span>`;
+ dangerouslyUnescapedHtmlFormat(item) {
+ return `${escapeHtml(item.name)}<br><span class="note">${escapeHtml(item.login)}</span>`;
},
queryParam: 'q',
selectUrl: window.baseUrl + '/api/permissions/add_user_to_template',
diff --git a/server/sonar-web/src/main/js/apps/quality-gates/views/gate-projects-view.js b/server/sonar-web/src/main/js/apps/quality-gates/views/gate-projects-view.js
index fa9d4cc1aba..7366f2533aa 100644
--- a/server/sonar-web/src/main/js/apps/quality-gates/views/gate-projects-view.js
+++ b/server/sonar-web/src/main/js/apps/quality-gates/views/gate-projects-view.js
@@ -18,6 +18,7 @@
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
import Marionette from 'backbone.marionette';
+import escapeHtml from 'escape-html';
import Template from '../templates/quality-gate-detail-projects.hbs';
import '../../../components/SelectList';
import { translate } from '../../../helpers/l10n';
@@ -33,8 +34,8 @@ export default Marionette.ItemView.extend({
width: '100%',
readOnly: !this.options.edit,
focusSearch: false,
- format(item) {
- return item.name;
+ dangerouslyUnescapedHtmlFormat(item) {
+ return escapeHtml(item.name);
},
searchUrl: window.baseUrl + '/api/qualitygates/search?gateId=' + qualityGate.id,
selectUrl: window.baseUrl + '/api/qualitygates/select',
diff --git a/server/sonar-web/src/main/js/apps/quality-profiles/views/ChangeProjectsView.js b/server/sonar-web/src/main/js/apps/quality-profiles/views/ChangeProjectsView.js
index 9e9fc5d79f3..b9601e3eb5c 100644
--- a/server/sonar-web/src/main/js/apps/quality-profiles/views/ChangeProjectsView.js
+++ b/server/sonar-web/src/main/js/apps/quality-profiles/views/ChangeProjectsView.js
@@ -43,7 +43,7 @@ export default ModalFormView.extend({
width: '100%',
readOnly: false,
focusSearch: false,
- format(item) {
+ dangerouslyUnescapedHtmlFormat(item) {
return escapeHtml(item.name);
},
selectUrl: window.baseUrl + '/api/qualityprofiles/add_project',
diff --git a/server/sonar-web/src/main/js/apps/users/groups-view.js b/server/sonar-web/src/main/js/apps/users/groups-view.js
index f3afe2de43f..d1ea9ba765c 100644
--- a/server/sonar-web/src/main/js/apps/users/groups-view.js
+++ b/server/sonar-web/src/main/js/apps/users/groups-view.js
@@ -17,6 +17,7 @@
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
+import escapeHtml from 'escape-html';
import Modal from '../../components/common/modals';
import '../../components/SelectList';
import Template from './templates/users-groups.hbs';
@@ -31,8 +32,11 @@ export default Modal.extend({
width: '100%',
readOnly: false,
focusSearch: false,
- format(item) {
- return `${item.name}<br><span class="note">${item.description}</span>`;
+ dangerouslyUnescapedHtmlFormat(item) {
+ return (
+ `${escapeHtml(item.name)}<br>` +
+ `<span class="note">${escapeHtml(item.description)}</span>`
+ );
},
queryParam: 'q',
searchUrl: window.baseUrl + '/api/users/groups?ps=100&login=' + this.model.id,
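Review bot: `item.description` is interpolated on the `<span class="note">` line as if it were always present, but a group description is presumably optional, in which case escape-html would render the literal text "undefined" in the note; `escapeHtml(item.description || '')` keeps the output empty instead. The split into two concatenated template literals inside `return (` is a line-length accommodation rather than a second string, so a short comment such as `// one HTML string, split only for line length` would stop a reader from looking for a boundary that is not there. The sibling formatters in groups/users-view.js and permission-templates/views/UsersView.js keep the same markup on one line, which is the more readable form where the width allows it.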
diff --git a/server/sonar-web/src/main/js/components/SelectList/index.js b/server/sonar-web/src/main/js/components/SelectList/index.js
index 07beda9b92a..cc162f93d95 100644
--- a/server/sonar-web/src/main/js/components/SelectList/index.js
+++ b/server/sonar-web/src/main/js/components/SelectList/index.js
@@ -20,6 +20,7 @@
import $ from 'jquery';
import Backbone from 'backbone';
import { debounce, throttle } from 'lodash';
+import escapeHtml from 'escape-html';
import { translate } from '../../helpers/l10n';
import ItemTemplate from './templates/item.hbs';
import ListTemplate from './templates/list.hbs';
@@ -89,7 +90,7 @@ const SelectListItemView = Backbone.View.extend({
},
render() {
- this.$el.html(this.template(this.settings.format(this.model.toJSON())));
+ this.$el.html(this.template(this.settings.dangerouslyUnescapedHtmlFormat(this.model.toJSON())));
this.$('input').prop('name', this.model.get('name'));
this.$el.toggleClass('selected', this.model.get('selected'));
this.$('.select-list-list-checkbox')
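Review bot: A caller that still passes the old `format` option is silently ignored at the `this.$el.html(...)` line, because render() now reads only `settings.dangerouslyUnescapedHtmlFormat` and the defaults hunk below supplies a fallback that renders `item.value`; a stale option therefore degrades to wrong output instead of failing loudly. Wherever the caller's options are merged with `window.SelectList.defaults` (not in this hunk), a one-time guard such as `if (settings.format) { throw new Error('SelectList: "format" was replaced by "dangerouslyUnescapedHtmlFormat"'); }` would surface any call site this commit missed. render() also deserves a comment that the formatter's return value is inserted as raw HTML, e.g. `// The formatter's output is injected as HTML; every formatter must escape its fields.`, since this line is the reason the option was renamed.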
@@ -412,8 +413,8 @@ window.SelectList.defaults = {
readOnly: false,
focusSearch: true,
- format(item) {
- return item.value;
+ dangerouslyUnescapedHtmlFormat(item) {
+ return escapeHtml(item.value);
},
parse(r) {