Fixes for XSS attacks

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/data-tables-invoker-api.jag

@@ -24,6 +24,7 @@ var uriMatcher = new URIMatcher(String(uri));
 
 var devicemgtProps = require("/app/modules/conf-reader/main.js")["conf"];
 var serviceInvokers = require("/app/modules/oauth/token-protected-service-invokers.js")["invokers"];
+var utility = require("/app/modules/utility.js")["utility"];
 
 function appendQueryParam (url, queryParam , value) {
     if (url.indexOf("?") > 0) {
@@ -60,7 +61,7 @@ if (uriMatcher.match("/{context}/api/data-tables/invoker")) {
             // response callback
             function (backendResponse) {
                 response["status"] = backendResponse["status"];
-                response["content"] =  backendResponse["responseText"];
+                response["content"] =  utility.encodeJson(backendResponse["responseText"]);
             }
     );
 }

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/utility.js

@@ -153,5 +153,24 @@ utility = function () {
         return scopesList;
     };
 
+
+    /**
+     * Escapes special characters such as <,>,',",...etc
+     * This will prevent XSS attacks upon JSON.
+     * @param text
+     * @returns {*}
+     */
+    publicMethods.encodeJson = function (text) {
+        return text
+            .replace(/\\u003c/g, "&lt;")
+            .replace(/</g, "&lt;")
+            .replace(/\\u003e/g, "&gt;")
+            .replace(/>/g, "&gt;")
+            .replace(/\\u0027/g, "&#39;")
+            .replace(/'/g, "&#39;")
+            .replace(/\\"/g, "&quot;")
+            .replace(/\\u0022/g, "&quot;")
+    };
+
     return publicMethods;
 }();