Fixes for XSS attacks

merge-requests/7/head
Rasika Perera 8 years ago
parent 2b46691405
commit 60ac0522d8

@ -24,6 +24,7 @@ var uriMatcher = new URIMatcher(String(uri));
var devicemgtProps = require("/app/modules/conf-reader/main.js")["conf"]; var devicemgtProps = require("/app/modules/conf-reader/main.js")["conf"];
var serviceInvokers = require("/app/modules/oauth/token-protected-service-invokers.js")["invokers"]; var serviceInvokers = require("/app/modules/oauth/token-protected-service-invokers.js")["invokers"];
var utility = require("/app/modules/utility.js")["utility"];
function appendQueryParam (url, queryParam , value) { function appendQueryParam (url, queryParam , value) {
if (url.indexOf("?") > 0) { if (url.indexOf("?") > 0) {
@ -60,7 +61,7 @@ if (uriMatcher.match("/{context}/api/data-tables/invoker")) {
// response callback // response callback
function (backendResponse) { function (backendResponse) {
response["status"] = backendResponse["status"]; response["status"] = backendResponse["status"];
response["content"] = backendResponse["responseText"]; response["content"] = utility.encodeJson(backendResponse["responseText"]);
} }
); );
} }

@ -153,5 +153,24 @@ utility = function () {
return scopesList; return scopesList;
}; };
/**
* Escapes special characters such as <,>,',",...etc
* This will prevent XSS attacks upon JSON.
* @param text
* @returns {*}
*/
publicMethods.encodeJson = function (text) {
return text
.replace(/\\u003c/g, "&lt;")
.replace(/</g, "&lt;")
.replace(/\\u003e/g, "&gt;")
.replace(/>/g, "&gt;")
.replace(/\\u0027/g, "&#39;")
.replace(/'/g, "&#39;")
.replace(/\\"/g, "&quot;")
.replace(/\\u0022/g, "&quot;")
};
return publicMethods; return publicMethods;
}(); }();

Loading…
Cancel
Save