From 5de2a233d7647d7efd04599514f61aeef75a213c Mon Sep 17 00:00:00 2001
From: kamidu
Date: Wed, 18 Jan 2017 00:16:18 +0530
Subject: [PATCH] Recomended security fixes for data tables
---
 .../cdmf.page.devices/public/js/listing.js | 22 +++++++++++--------
 .../cdmf.page.groups/public/js/listing.js | 12 ++++++----
 .../public/js/policy-list.js | 4 ++++
 .../cdmf.page.roles/public/js/role-listing.js | 8 +++++--
 .../cdmf.page.users/public/js/listing.js | 14 +++++++-----
 .../public/js/listing.js | 16 ++++++++++----
 6 files changed, 52 insertions(+), 24 deletions(-)
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.devices/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.devices/public/js/listing.js
index bae88512d5..51c9d92625 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.devices/public/js/listing.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.devices/public/js/listing.js
@@ -375,15 +375,15 @@ function loadDevices(searchType, searchParam) {
 var fnCreatedRow = function (row, data, dataIndex) {
 $(row).attr('data-type', 'selectable');
- $(row).attr('data-deviceid', data.deviceIdentifier);
- $(row).attr('data-devicetype', data.deviceType);
- $(row).attr('data-url', context + '/device/' + data.deviceType + '?id=' + data.deviceIdentifier);
- var model = getPropertyValue(data.properties, 'DEVICE_MODEL');
- var vendor = getPropertyValue(data.properties, 'VENDOR');
- var owner = data.user;
- var status = data.status;
- var ownership = data.ownership;
- var deviceType = data.deviceType;
+ $(row).attr('data-deviceid', htmlspecialchars(data.deviceIdentifier));
+ $(row).attr('data-devicetype', htmlspecialchars(data.deviceType));
+ $(row).attr('data-url', context + '/device/' + htmlspecialchars(data.deviceType) + '?id=' + htmlspecialchars(data.deviceIdentifier));
+ var model = htmlspecialchars(getPropertyValue(data.properties, 'DEVICE_MODEL'));
+ var vendor = htmlspecialchars(getPropertyValue(data.properties, 'VENDOR'));
+ var owner = htmlspecialchars(data.user);
+ var status = htmlspecialchars(data.status);
+ var ownership = htmlspecialchars(data.ownership);
+ var deviceType = htmlspecialchars(data.deviceType);
 var category = getDeviceTypeCategory(deviceType);
 $.each($('td', row), function (colIndex) {
 switch (colIndex) {
@@ -417,6 +417,10 @@ function loadDevices(searchType, searchParam) {
 });
 };
+ function htmlspecialchars(text){
+ return jQuery('
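Review bot: The `data-url` line applies an HTML escaper to URL components; `data.deviceType` and `data.deviceIdentifier` are spliced into a path and a query string, where the appropriate encoder is `encodeURIComponent`, and an identifier containing `&` or `#` now yields `&amp;` inside the link instead of a usable URL. The `data-deviceid` and `data-devicetype` attributes are set through jQuery `.attr()`, which assigns the value via the DOM rather than by parsing markup, so escaping there is not needed and stores an encoded identifier that any code reading the attribute back will receive mangled. I would keep `$(row).attr('data-deviceid', data.deviceIdentifier);` as it was and write `$(row).attr('data-url', context + '/device/' + encodeURIComponent(data.deviceType) + '?id=' + encodeURIComponent(data.deviceIdentifier));`. The `switch (colIndex)` body that consumes model, vendor, owner, status and ownership lies outside the hunk, so whether those cells are filled with `.text()` (escaping unnecessary) or `.html()` (escaping required) cannot be checked here.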
').text(text).html();
+ }
+
 var dataFilter = function (data) {
 data = JSON.parse(data);
 var objects = [];
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js
index 212bec7521..6566078bf9 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js
@@ -112,6 +112,10 @@ function toTitleCase(str) {
 });
 }
+function htmlspecialchars(text){
+ return jQuery('
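Review bot: `htmlspecialchars` escapes only what innerHTML serialization escapes in a text node (`&`, `<`, `>`), not quotes, so its output is safe as element text but not as an attribute value assembled by string concatenation; the name suggests PHP's function, which does escape double quotes, so the contract should be stated explicitly. I would put a JSDoc on it such as `/** Escapes text for use as HTML element content only (not attribute values or URLs); undefined yields "". */`. Depending on the jQuery version, `.text(null)` may render the string "null" rather than an empty string, so a guard `if (text == null) { return ""; }` ahead of the jQuery call is worth adding. The same four lines are pasted into all six files of this commit (groups, policy-list, role-listing, users and the device-types unit); one shared helper in a common unit would be easier to keep correct. The element literal inside `jQuery('...')` is not visible in this rendering of the patch.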
').text(text).html();
+}
+
 function loadGroups() {
 var groupListing = $("#group-listing");
 var currentUser = groupListing.data("currentUser");
@@ -134,10 +138,10 @@ function loadGroups() {
 var objects = [];
 $(data.deviceGroups).each(function (index) {
 objects.push({
- groupId: data.deviceGroups[index].id,
- name: data.deviceGroups[index].name,
- description: data.deviceGroups[index].description,
- owner: data.deviceGroups[index].owner
+ groupId: htmlspecialchars(data.deviceGroups[index].id),
+ name: htmlspecialchars(data.deviceGroups[index].name),
+ description: htmlspecialchars(data.deviceGroups[index].description),
+ owner: htmlspecialchars(data.deviceGroups[index].owner)
 })
 });
 var json = {
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js
index 8e31e39ecc..39742fd9dc 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js
@@ -109,6 +109,10 @@ function getSelectedPolicies() {
 return policyList;
 }
+function htmlspecialchars(text){
+ return jQuery('
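Review bot: `groupId: htmlspecialchars(data.deviceGroups[index].id)` turns what is presumably a numeric id into a string, so any later code that compares or looks it up as a number sees a changed value; an id should not need escaping unless it can carry markup. More generally these objects appear to feed a template (`var json = {` follows), and if that template escapes on output — Handlebars `{{ }}` does by default — the values arrive already encoded and render as `&amp;amp;`; the same concern applies to the roles, users and device-types hunks later in this patch. If the template uses unescaped triple-stash output, the better fix is to switch it to escaped output rather than pre-encode the model. I would leave `groupId: data.deviceGroups[index].id,` as it was and confirm how the template renders `name`, `description` and `owner` before keeping the other three calls.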
').text(text).html();
+}
+
 $(document).ready(function () {
 /**
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.roles/public/js/role-listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.roles/public/js/role-listing.js
index 5b5b835d5b..d673e72929 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.roles/public/js/role-listing.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.roles/public/js/role-listing.js
@@ -86,6 +86,10 @@ function InitiateViewOption() {
 // $(location).attr('href', $(this).data("url"));
 }
+function htmlspecialchars(text){
+ return jQuery('
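Review bot: `htmlspecialchars` is added to policy-list.js but nothing in this commit calls it; the diffstat shows only these 4 insertions for the file, so either the intended call sites in the policy listing were missed or the helper is dead code here. If policy fields do need escaping before display, this hunk should include those call sites; otherwise the function should be dropped rather than left as an unused copy. The `$(document).ready` handler that follows continues outside the hunk.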
').text(text).html();
+}
+
 function loadRoles() {
 var loadingContent = $("#loading-content");
 loadingContent.show();
@@ -98,8 +102,8 @@ function loadRoles() {
 $(data.roles).each(function (index) {
 objects.push(
 {
- name: data.roles[index],
- DT_RowId: "role-" + data.roles[index]
+ name: htmlspecialchars(data.roles[index]),
+ DT_RowId: "role-" + htmlspecialchars(data.roles[index])
 }
 )
 });
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.users/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.users/public/js/listing.js
index 95c8b9bbc3..ce89b335f5 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.users/public/js/listing.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.users/public/js/listing.js
@@ -258,6 +258,10 @@ function InitiateViewOption() {
 }
 }
+function htmlspecialchars(text){
+ return jQuery('
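Review bot: `DT_RowId: "role-" + htmlspecialchars(data.roles[index])` changes the row id for any role name containing `&`, `<` or `>`; as far as I know DataTables assigns DT_RowId to the `<tr>` id through the DOM rather than by parsing markup, so no escaping is needed there, and any later selector built from the raw role name (`#role-` + name) would then miss the row. I would keep `DT_RowId: "role-" + data.roles[index]` and apply the helper only to `name`, and only if the column renders it as HTML rather than text. The enclosing `loadRoles` callback continues outside the hunk.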
').text(text).html();
+}
+
 function loadUsers() {
 var loadingContentView = "#loading-content";
 $(loadingContentView).show();
@@ -269,11 +273,11 @@ function loadUsers() {
 $(data.users).each(function (index) {
 objects.push({
- filter: data.users[index].username,
- firstname: data.users[index].firstname ? data.users[index].firstname : "",
- lastname: data.users[index].lastname ? data.users[index].lastname : "",
- emailAddress: data.users[index].emailAddress ? data.users[index].emailAddress : "",
- DT_RowId: "user-" + data.users[index].username
+ filter: htmlspecialchars(data.users[index].username),
+ firstname: htmlspecialchars(data.users[index].firstname) ? htmlspecialchars(data.users[index].firstname) : "",
+ lastname: htmlspecialchars(data.users[index].lastname) ? htmlspecialchars(data.users[index].lastname) : "",
+ emailAddress: htmlspecialchars(data.users[index].emailAddress) ? htmlspecialchars(data.users[index].emailAddress) : "",
+ DT_RowId: "user-" + htmlspecialchars(data.users[index].username)
 })
 });
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js
index ba9a4be94a..d841590be9 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js
@@ -122,6 +122,14 @@ function toTitleCase(str) {
 var deviceTypeCount, compiledDeviceTypesCount = 0;
+function htmlspecialchars(text){
+ return jQuery('
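Review bot: Each of `firstname`, `lastname` and `emailAddress` now calls `htmlspecialchars` twice, creating two throwaway elements per field per user; the truthiness test can stay on the raw value, which reads more clearly and keeps one helper call per field. For example `firstname: data.users[index].firstname ? htmlspecialchars(data.users[index].firstname) : "",` and likewise for the other two. Hoisting `var user = data.users[index];` ahead of `objects.push({` would shorten all five lines. As with `DT_RowId` in the roles file, escaping the username inside `"user-" + ...` alters the row id for names containing `&`, which is worth checking against whatever selects rows by id later.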
').text(text).html();
+}
+
+function htmlspecialchars(text){
+ return jQuery('
').text(text).html();
+}
+
 function loadDevices(searchType, searchParam){
 var deviceListing = $("#device-listing");
 var deviceListingSrc = deviceListing.attr("src");
@@ -134,10 +142,10 @@ function loadDevices(searchType, searchParam){
 var viewModel = {};
 viewModel.thumb = deviceTypesList[i].thumb;
 viewModel.appContext = clientJsAppContext;
- viewModel.deviceTypeName = deviceTypesList[i].deviceTypeName;
- viewModel.deviceTypeId = deviceTypesList[i].deviceTypeId;
- viewModel.deviceCategory = deviceTypesList[i].deviceCategory;
- viewModel.deviceTypeLabel = deviceTypesList[i].deviceTypeLabel;
+ viewModel.deviceTypeName = htmlspecialchars(deviceTypesList[i].deviceTypeName);
+ viewModel.deviceTypeId = htmlspecialchars(deviceTypesList[i].deviceTypeId);
+ viewModel.deviceCategory = htmlspecialchars(deviceTypesList[i].deviceCategory);
+ viewModel.deviceTypeLabel = htmlspecialchars(deviceTypesList[i].deviceTypeLabel);
 compileTemplate(viewModel, deviceListingSrc);
 }
 } else {
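Review bot: `htmlspecialchars` is declared twice in succession in this file (two identical blocks added after `var deviceTypeCount, compiledDeviceTypesCount = 0;`); in non-strict script code the second declaration silently wins, so it is harmless at runtime but clearly a paste error, and a linter will flag the redeclaration. Drop one of the two copies.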
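Review bot: `viewModel.deviceTypeId = htmlspecialchars(deviceTypesList[i].deviceTypeId);` converts what is presumably a numeric id into a string, while `viewModel.thumb` two lines above is passed through untouched, so the rule for which model fields are escaped is not stated; a one-line comment saying why these four and not the others would help the next reader. Since `compileTemplate(viewModel, deviceListingSrc)` renders this model, whether that template already escapes on output decides whether the four calls are redundant (producing `&amp;amp;`) or necessary; I cannot tell from the hunk and would confirm before merging. The surrounding loop and `else` branch continue outside the hunk.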