Fixes for XSS attacks

4.x.x
Rasika Perera 8 years ago
parent 2b46691405
commit 60ac0522d8

@ -24,6 +24,7 @@ var uriMatcher = new URIMatcher(String(uri));
var devicemgtProps = require("/app/modules/conf-reader/main.js")["conf"];
var serviceInvokers = require("/app/modules/oauth/token-protected-service-invokers.js")["invokers"];
var utility = require("/app/modules/utility.js")["utility"];
function appendQueryParam (url, queryParam , value) {
if (url.indexOf("?") > 0) {
@ -60,7 +61,7 @@ if (uriMatcher.match("/{context}/api/data-tables/invoker")) {
// response callback
function (backendResponse) {
response["status"] = backendResponse["status"];
response["content"] = backendResponse["responseText"];
response["content"] = utility.encodeJson(backendResponse["responseText"]);
}
);
}
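Review bot: `utility.encodeJson(backendResponse["responseText"])` on the new line is applied unconditionally, and `encodeJson` chains `.replace` calls on its argument, so this callback throws if `responseText` is ever absent or not a string (e.g. a backend reply with no body) — the invoker's contract is not visible here, so confirm; a guard such as `response["content"] = typeof backendResponse["responseText"] === "string" ? utility.encodeJson(backendResponse["responseText"]) : backendResponse["responseText"];` keeps the status passthrough intact in that case. The line also deserves a comment, e.g. `// responseText is entity-encoded JSON: the data-tables client must treat field values as HTML, not text`, because the escaping now happens server-side inside a JSON body rather than at the point of DOM insertion, and any consumer that assigns these values via textContent will show a literal `&lt;`. The surrounding `serviceInvokers` call and the `if (uriMatcher.match(...))` block begin before this hunk.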

@ -153,5 +153,24 @@ utility = function () {
return scopesList;
};
/**
* Escapes special characters such as <,>,',",...etc
* This will prevent XSS attacks upon JSON.
* @param text
* @returns {*}
*/
publicMethods.encodeJson = function (text) {
return text
.replace(/\\u003c/g, "&lt;")
.replace(/</g, "&lt;")
.replace(/\\u003e/g, "&gt;")
.replace(/>/g, "&gt;")
.replace(/\\u0027/g, "&#39;")
.replace(/'/g, "&#39;")
.replace(/\\"/g, "&quot;")
.replace(/\\u0022/g, "&quot;")
};
return publicMethods;
}();
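Review bot: The `.replace(/\\"/g, "&quot;")` step corrupts any JSON string whose value ends in a backslash: in `"dir\\"` the pattern matches the second backslash plus the closing quote and leaves `"dir\&quot;`, an unterminated string, so the client-side parse of the body fails. A quote is only an escaped quote when preceded by an odd number of backslashes; `.replace(/(^|[^\\])((?:\\\\)*)\\"/g, "$1$2&quot;")` leaves `\\` pairs intact, or alternatively parse the body, entity-encode the string values and re-stringify. The `\u003c`/`\u003e`/`\u0027`/`\u0022` patterns are case-sensitive, so an encoder emitting `\u003C` would bypass them; `/\\u003c/gi` (and likewise for the others) closes that, assuming the backend's JSON escaper can emit uppercase hex, which is not visible here. `&` is not encoded, so a pre-existing `&lt;` in the data is indistinguishable from an encoded `<` on the client; the header comment should state that the output is entity-encoded JSON intended for HTML rendering only. `encodeJson` sits inside the `utility` IIFE whose header is outside this hunk.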
