From 5de2a233d7647d7efd04599514f61aeef75a213c Mon Sep 17 00:00:00 2001
From: kamidu
Date: Wed, 18 Jan 2017 00:16:18 +0530
Subject: [PATCH 1/3] Recomended security fixes for data tables
---
 .../cdmf.page.devices/public/js/listing.js | 22 +++++++++++--------
 .../cdmf.page.groups/public/js/listing.js | 12 ++++++----
 .../public/js/policy-list.js | 4 ++++
 .../cdmf.page.roles/public/js/role-listing.js | 8 +++++--
 .../cdmf.page.users/public/js/listing.js | 14 +++++++-----
 .../public/js/listing.js | 16 ++++++++++----
 6 files changed, 52 insertions(+), 24 deletions(-)
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.devices/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.devices/public/js/listing.js
index bae88512d5a..51c9d926255 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.devices/public/js/listing.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.devices/public/js/listing.js
@@ -375,15 +375,15 @@ function loadDevices(searchType, searchParam) { var fnCreatedRow = function (row, data, dataIndex) { $(row).attr('data-type', 'selectable'); - $(row).attr('data-deviceid', data.deviceIdentifier); - $(row).attr('data-devicetype', data.deviceType); - $(row).attr('data-url', context + '/device/' + data.deviceType + '?id=' + data.deviceIdentifier); - var model = getPropertyValue(data.properties, 'DEVICE_MODEL'); - var vendor = getPropertyValue(data.properties, 'VENDOR'); - var owner = data.user; - var status = data.status; - var ownership = data.ownership; - var deviceType = data.deviceType; + $(row).attr('data-deviceid', htmlspecialchars(data.deviceIdentifier)); + $(row).attr('data-devicetype', htmlspecialchars(data.deviceType)); + $(row).attr('data-url', context + '/device/' + htmlspecialchars(data.deviceType) + '?id=' + htmlspecialchars(data.deviceIdentifier)); + var model = htmlspecialchars(getPropertyValue(data.properties, 'DEVICE_MODEL')); + var vendor = htmlspecialchars(getPropertyValue(data.properties, 'VENDOR')); + var owner = htmlspecialchars(data.user); + var status = htmlspecialchars(data.status); + var ownership = htmlspecialchars(data.ownership); + var deviceType = htmlspecialchars(data.deviceType); var category = getDeviceTypeCategory(deviceType); $.each($('td', row), function (colIndex) { switch (colIndex) { @@ -417,6 +417,10 @@ function loadDevices(searchType, searchParam) { }); }; + function htmlspecialchars(text){ + return jQuery('
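Review bot: HTML-entity escaping is the wrong transform for the `data-url` value built in this hunk — `deviceIdentifier` and `deviceType` go into a path segment and a query string, so `encodeURIComponent` is what bounds them, and a value containing `&` now becomes `&amp;` inside the URL instead of being URL-encoded. The other escaped values are stored with jQuery `.attr()`, which writes attribute values through the DOM without parsing markup, so `data-deviceid` and `data-devicetype` end up double-encoded when read back with `.data()`; escaping belongs where a string is concatenated into markup (the `td` rendering below), not at data capture. `deviceType` is also passed escaped to `getDeviceTypeCategory`, which may miss the lookup for a type name containing `&` or quotes. Suggest `$(row).attr('data-url', context + '/device/' + encodeURIComponent(data.deviceType) + '?id=' + encodeURIComponent(data.deviceIdentifier));` and keeping the raw values for the `.attr()` calls and the category lookup. `loadDevices` and `fnCreatedRow` continue outside the hunk.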
').text(text).html(); + } + var dataFilter = function (data) { data = JSON.parse(data); var objects = []; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js index 212bec7521b..6566078bf9c 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js @@ -112,6 +112,10 @@ function toTitleCase(str) { }); } +function htmlspecialchars(text){ + return jQuery('
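Review bot: `htmlspecialchars` is declared as an inner function of `loadDevices` here, while the same helper is added at file top level in five other files of this patch (the groups, policies, roles and users hunks, and twice in the device-types listing), giving six copies of a one-line utility that should live once in a shared script. In this rendering the element literal inside `jQuery('…')` is shown empty — presumably `'<div/>'` in the source — and a DOM text round-trip escapes only `&`, `<` and `>`, not quotes, so the result is not safe inside a quoted attribute built by string concatenation. A plain string replacement that also covers quotes and maps `null`/`undefined` to `""` is cheaper per row and explicit about the contexts it protects. The `dataFilter` function that follows runs past the hunk.
```javascript
function htmlspecialchars(text) {
    // Escape for HTML text and quoted-attribute contexts; null/undefined -> "".
    return String(text == null ? "" : text)
        .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}
```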
').text(text).html(); +} + function loadGroups() { var groupListing = $("#group-listing"); var currentUser = groupListing.data("currentUser"); @@ -134,10 +138,10 @@ function loadGroups() { var objects = []; $(data.deviceGroups).each(function (index) { objects.push({ - groupId: data.deviceGroups[index].id, - name: data.deviceGroups[index].name, - description: data.deviceGroups[index].description, - owner: data.deviceGroups[index].owner + groupId: htmlspecialchars(data.deviceGroups[index].id), + name: htmlspecialchars(data.deviceGroups[index].name), + description: htmlspecialchars(data.deviceGroups[index].description), + owner: htmlspecialchars(data.deviceGroups[index].owner) }) }); var json = { diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js index 8e31e39ecc8..39742fd9dcd 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js @@ -109,6 +109,10 @@ function getSelectedPolicies() { return policyList; } +function htmlspecialchars(text){ + return jQuery('
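Review bot: `groupId` is escaped with the same DOM round-trip as the display fields, which coerces a numeric `id` to a string and would entity-encode it if it ever contained `&`; an identifier used for lookups or URLs rather than rendered as markup should stay raw (`groupId: data.deviceGroups[index].id,`) and be URL-encoded at the point where it enters a URL. `name`, `description` and `owner` are the values that need escaping if the column renderers insert them as HTML, which is not visible in this hunk. The `$(data.deviceGroups).each` callback starts inside the hunk but the `json` object it feeds continues past it.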
').text(text).html(); +} + $(document).ready(function () { /** diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.roles/public/js/role-listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.roles/public/js/role-listing.js index 5b5b835d5b9..d673e729291 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.roles/public/js/role-listing.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.roles/public/js/role-listing.js @@ -86,6 +86,10 @@ function InitiateViewOption() { // $(location).attr('href', $(this).data("url")); } +function htmlspecialchars(text){ + return jQuery('
').text(text).html(); +} + function loadRoles() { var loadingContent = $("#loading-content"); loadingContent.show(); @@ -98,8 +102,8 @@ function loadRoles() { $(data.roles).each(function (index) { objects.push( { - name: data.roles[index], - DT_RowId: "role-" + data.roles[index] + name: htmlspecialchars(data.roles[index]), + DT_RowId: "role-" + htmlspecialchars(data.roles[index]) } ) }); diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.users/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.users/public/js/listing.js index 95c8b9bbc37..ce89b335f55 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.users/public/js/listing.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.users/public/js/listing.js @@ -258,6 +258,10 @@ function InitiateViewOption() { } } +function htmlspecialchars(text){ + return jQuery('
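Review bot: `DT_RowId` is an element id that DataTables sets on the `tr` through the DOM rather than by building markup, so the entity-escaped role name lands literally in the `id` attribute and any later lookup by the raw name (for example `"#role-" + roleName`) fails for names containing `&`, `<` or quotes; keep `DT_RowId: "role-" + data.roles[index]` raw and escape only `name`, which is the value the column renders. An id containing spaces or quotes is still awkward in selectors, so a stricter transform such as `encodeURIComponent` is the usual choice if role names can carry such characters. The `objects.push` loop continues outside the hunk.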
').text(text).html(); +} + function loadUsers() { var loadingContentView = "#loading-content"; $(loadingContentView).show(); @@ -269,11 +273,11 @@ function loadUsers() { $(data.users).each(function (index) { objects.push({ - filter: data.users[index].username, - firstname: data.users[index].firstname ? data.users[index].firstname : "", - lastname: data.users[index].lastname ? data.users[index].lastname : "", - emailAddress: data.users[index].emailAddress ? data.users[index].emailAddress : "", - DT_RowId: "user-" + data.users[index].username + filter: htmlspecialchars(data.users[index].username), + firstname: htmlspecialchars(data.users[index].firstname) ? htmlspecialchars(data.users[index].firstname) : "", + lastname: htmlspecialchars(data.users[index].lastname) ? htmlspecialchars(data.users[index].lastname) : "", + emailAddress: htmlspecialchars(data.users[index].emailAddress) ? htmlspecialchars(data.users[index].emailAddress) : "", + DT_RowId: "user-" + htmlspecialchars(data.users[index].username) }) }); diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js index ba9a4be94a2..d841590be90 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js @@ -122,6 +122,14 @@ function toTitleCase(str) { var deviceTypeCount, compiledDeviceTypesCount = 0; +function htmlspecialchars(text){ + return jQuery('
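Review bot: each of `firstname`, `lastname` and `emailAddress` now calls `htmlspecialchars` twice, and the ternary no longer guards anything because the helper appears to map `undefined` to `""` (jQuery treats `.text(undefined)` as a no-op getter, leaving the wrapper element empty); `firstname: htmlspecialchars(data.users[index].firstname || ""),` — and likewise for the other two — keeps the original empty-string default with a single call. `DT_RowId: "user-" + htmlspecialchars(...)` has the same problem as the roles hunk: the id is set through the DOM, so an escaped username yields an `id` that no longer matches the raw name in selectors. The `objects.push` loop continues outside the hunk.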
').text(text).html(); +} + +function htmlspecialchars(text){ + return jQuery('
').text(text).html(); +} + function loadDevices(searchType, searchParam){ var deviceListing = $("#device-listing"); var deviceListingSrc = deviceListing.attr("src"); @@ -134,10 +142,10 @@ function loadDevices(searchType, searchParam){ var viewModel = {}; viewModel.thumb = deviceTypesList[i].thumb; viewModel.appContext = clientJsAppContext; - viewModel.deviceTypeName = deviceTypesList[i].deviceTypeName; - viewModel.deviceTypeId = deviceTypesList[i].deviceTypeId; - viewModel.deviceCategory = deviceTypesList[i].deviceCategory; - viewModel.deviceTypeLabel = deviceTypesList[i].deviceTypeLabel; + viewModel.deviceTypeName = htmlspecialchars(deviceTypesList[i].deviceTypeName); + viewModel.deviceTypeId = htmlspecialchars(deviceTypesList[i].deviceTypeId); + viewModel.deviceCategory = htmlspecialchars(deviceTypesList[i].deviceCategory); + viewModel.deviceTypeLabel = htmlspecialchars(deviceTypesList[i].deviceTypeLabel); compileTemplate(viewModel, deviceListingSrc); } } else { From 7698c12d8056e7d980b6989acdf1149c6529b2cc Mon Sep 17 00:00:00 2001 From: kamidu Date: Wed, 18 Jan 2017 10:07:59 +0530 Subject: [PATCH 2/3] removing duplicate methoads --- .../public/js/listing.js | 91 +++++++++---------- 1 file changed, 44 insertions(+), 47 deletions(-) diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js index d841590be90..c68cfbe1f91 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js 
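Review bot: `viewModel.thumb` and `viewModel.appContext` go into the same template as the four escaped fields without escaping, and `compileTemplate` (visible in the second patch's `@@ -163` hunk) inserts the rendered template with `.html()`, so the outcome depends on whether `$.template` escapes on its own: if it does, the four `htmlspecialchars` calls here double-encode, and if it does not, `thumb` remains an injection point should it end up in an `src` or `href`. Escaping is better done inside the template, or uniformly for every field of `viewModel`, than for a subset of fields at the call site. The `for` loop and `loadDevices` continue outside the hunk.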
@@ -41,22 +41,22 @@ $(document).ready(function () { /* for device list sorting drop down */ $(".ctrl-filter-type-switcher").popover({ - html : true, - content : function () { - return $("#content-filter-types").html(); - } - }); + html: true, + content: function () { + return $("#content-filter-types").html(); + } + }); - $(".ast-container").on("click", ".claim-btn", function(e){ + $(".ast-container").on("click", ".claim-btn", function (e) { e.stopPropagation(); var deviceId = $(this).data("deviceid"); var deviceListing = $("#device-listing"); var currentUser = deviceListing.data("current-user"); var serviceURL = "/temp-controller-agent/enrollment/claim?username=" + currentUser; var deviceIdentifier = {id: deviceId, type: "TemperatureController"}; - invokerUtil.put(serviceURL, deviceIdentifier, function(message){ + invokerUtil.put(serviceURL, deviceIdentifier, function (message) { console.log(message); - }, function(message){ + }, function (message) { console.log(message); }); }); @@ -68,15 +68,15 @@ $(document).ready(function () { * @param button: Select All Device button */ function selectAllDevices(button) { - if(!$(button).data('select')){ - $(deviceCheckbox).each(function(index){ + if (!$(button).data('select')) { + $(deviceCheckbox).each(function (index) { $(this).prop('checked', true); addDeviceSelectedClass(this); }); $(button).data('select', true); $(button).html('Deselect All Devices'); - }else{ - $(deviceCheckbox).each(function(index){ + } else { + $(deviceCheckbox).each(function (index) { $(this).prop('checked', false); addDeviceSelectedClass(this); }); @@ -92,7 +92,7 @@ function selectAllDevices(button) { * @param selection: Selection button */ function changeDeviceView(view, selection) { - $(".view-toggle").each(function() { + $(".view-toggle").each(function () { $(this).removeClass("selected"); }); $(selection).addClass("selected"); 
@@ -117,27 +117,25 @@ function addDeviceSelectedClass(checkbox) { } function toTitleCase(str) { - return str.replace(/\w\S*/g, function(txt){return txt.charAt(0).toUpperCase() + txt.substr(1).toLowerCase();}); + return str.replace(/\w\S*/g, function (txt) { + return txt.charAt(0).toUpperCase() + txt.substr(1).toLowerCase(); + }); } var deviceTypeCount, compiledDeviceTypesCount = 0; -function htmlspecialchars(text){ - return jQuery('
').text(text).html(); -} - -function htmlspecialchars(text){ +function htmlspecialchars(text) { return jQuery('
').text(text).html(); } -function loadDevices(searchType, searchParam){ +function loadDevices(searchType, searchParam) { var deviceListing = $("#device-listing"); var deviceListingSrc = deviceListing.attr("src"); var currentUser = deviceListing.data("currentUser"); $('#ast-container').html(""); deviceTypeCount = deviceTypesList.length; - if(deviceTypesList.length > 0){ + if (deviceTypesList.length > 0) { for (var i = 0; i < deviceTypesList.length; i++) { var viewModel = {}; viewModel.thumb = deviceTypesList[i].thumb; @@ -163,12 +161,12 @@ function loadDevices(searchType, searchParam){ } -function compileTemplate(viewModel, templateSrc){ +function compileTemplate(viewModel, templateSrc) { $.template("device-listing", templateSrc, function (template) { $("#ast-container").html($("#ast-container").html() + template(viewModel)); compiledDeviceTypesCount++; - if(deviceTypeCount == compiledDeviceTypesCount){ - $('#device-type-grid').datatables_extended({"bFilter": false, "order": [[ 1, "asc" ]]}); + if (deviceTypeCount == compiledDeviceTypesCount) { + $('#device-type-grid').datatables_extended({"bFilter": false, "order": [[1, "asc"]]}); } }); } @@ -179,17 +177,16 @@ function compileTemplate(viewModel, templateSrc){ var deviceCheckbox = "#ast-container .ctrl-wr-asset .itm-select input[type='checkbox']"; var assetContainer = "#ast-container"; -function openCollapsedNav(){ +function openCollapsedNav() { $('.wr-hidden-nav-toggle-btn').addClass('active'); - $('#hiddenNav').slideToggle('slideDown', function(){ - if($(this).css('display') == 'none'){ + $('#hiddenNav').slideToggle('slideDown', function () { + if ($(this).css('display') == 'none') { $('.wr-hidden-nav-toggle-btn').removeClass('active'); } }); } - /* * DOM ready functions. */ 
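Review bot: the duplicate `htmlspecialchars` is removed here, but the `@@ -41` and `@@ -204` hunks of this patch show two `$(document).ready` blocks with identical bodies, so the `.claim-btn` click handler is registered twice and each click would issue the claim `PUT` twice, and `.ctrl-filter-type-switcher` gets `popover()` applied three times counting the `@@ -230` hunk; if those blocks really are duplicates rather than an artefact of this rendering, the second `ready` block should go the same way as the second helper. The surviving helper still carries no comment; `// escape for HTML text content via a DOM round-trip (does not escape quotes)` would state what it covers. The `loadDevices` body continues past the hunk.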
@@ -204,22 +201,22 @@ $(document).ready(function () { /* for device list sorting drop down */ $(".ctrl-filter-type-switcher").popover({ - html : true, - content : function () { - return $("#content-filter-types").html(); - } - }); + html: true, + content: function () { + return $("#content-filter-types").html(); + } + }); - $(".ast-container").on("click", ".claim-btn", function(e){ + $(".ast-container").on("click", ".claim-btn", function (e) { e.stopPropagation(); var deviceId = $(this).data("deviceid"); var deviceListing = $("#device-listing"); var currentUser = deviceListing.data("current-user"); var serviceURL = "/temp-controller-agent/enrollment/claim?username=" + currentUser; var deviceIdentifier = {id: deviceId, type: "TemperatureController"}; - invokerUtil.put(serviceURL, deviceIdentifier, function(message){ + invokerUtil.put(serviceURL, deviceIdentifier, function (message) { console.log(message); - }, function(message){ + }, function (message) { console.log(message); }); }); @@ -230,20 +227,20 @@ $(document).ready(function () { $("[data-toggle=popover]").popover(); $(".ctrl-filter-type-switcher").popover({ - html : true, - content: function() { - return $('#content-filter-types').html(); - } - }); + html: true, + content: function () { + return $('#content-filter-types').html(); + } + }); $('#nav').affix({ - offset: { - top: $('header').height() - } - }); + offset: { + top: $('header').height() + } + }); - $(document).on("click", "tr.clickable-row", function(){ - window.document.location = $(this).data('href'); + $(document).on("click", "tr.clickable-row", function () { + window.document.location = $(this).data('href'); }) }); From bb8985781e98185905498f5fbd6c91a38e3f719c Mon Sep 17 00:00:00 2001 From: kamidu Date: Wed, 18 Jan 2017 10:22:11 +0530 Subject: [PATCH 3/3] removing duplicate methoads --- .../app/pages/cdmf.page.policies/public/js/policy-list.js | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js index 39742fd9dcd..0d94332844e 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js +++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js @@ -109,9 +109,6 @@ function getSelectedPolicies() { return policyList; } -function htmlspecialchars(text){ - return jQuery('
').text(text).html(); -} $(document).ready(function () {