From 60ac0522d8b5e78139c756034e84f6418840b162 Mon Sep 17 00:00:00 2001
From: Rasika Perera
Date: Wed, 18 Jan 2017 08:14:17 +0530
Subject: [PATCH] Fixes for XSS attacks
---
 .../devicemgt/api/data-tables-invoker-api.jag | 3 ++-
 .../devicemgt/app/modules/utility.js | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/data-tables-invoker-api.jag b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/data-tables-invoker-api.jag
index 0fb2945cf49..f8cfa13520e 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/data-tables-invoker-api.jag
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/data-tables-invoker-api.jag
@@ -24,6 +24,7 @@
 var uriMatcher = new URIMatcher(String(uri));
 var devicemgtProps = require("/app/modules/conf-reader/main.js")["conf"];
 var serviceInvokers = require("/app/modules/oauth/token-protected-service-invokers.js")["invokers"];
+var utility = require("/app/modules/utility.js")["utility"];
 function appendQueryParam (url, queryParam , value) {
 if (url.indexOf("?") > 0) {
@@ -60,7 +61,7 @@ if (uriMatcher.match("/{context}/api/data-tables/invoker")) {
 // response callback
 function (backendResponse) {
 response["status"] = backendResponse["status"];
- response["content"] = backendResponse["responseText"];
+ response["content"] = utility.encodeJson(backendResponse["responseText"]);
 }
 );
 }
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/utility.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/utility.js
index 49b1a0d5b11..d1658872b32 100644
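Review bot: On the `+` line the backend's JSON body is HTML-entity-encoded before it is returned as the response content, which alters the data for every consumer of this endpoint rather than only the one that writes it into HTML: a value containing `'` or `"` arrives already encoded and is displayed as entity text wherever the page sets it through `textContent` or a template that escapes on its own, and any client that parses the body as JSON receives changed values. The usual place for this encoding is where a field is written into the DOM (the DataTables column `render` callbacks), keeping `response["content"] = backendResponse["responseText"];` as raw JSON. If the server-side encoding stays, note that `backendResponse["status"]` is copied unchecked on the line above, so an error response with no body would hand `undefined` to `utility.encodeJson`, whose `.replace` chain then throws; guard with `if (typeof backendResponse["responseText"] === "string") { ... }` or branch on the status first. The invoker call this callback belongs to starts before the hunk.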
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/utility.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/utility.js
@@ -153,5 +153,24 @@ utility = function () {
 return scopesList;
 };
+
+ /**
+ * Escapes special characters such as <,>,',",...etc
+ * This will prevent XSS attacks upon JSON.
+ * @param text
+ * @returns {*}
+ */
+ publicMethods.encodeJson = function (text) {
+ return text
+ .replace(/\\u003c/g, "<")
+ .replace(//g, ">")
+ .replace(/\\u0027/g, "'")
+ .replace(/'/g, "'")
+ .replace(/\\"/g, """)
+ .replace(/\\u0022/g, """)
+ };
+
 return publicMethods;
 }();
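Review bot: `encodeJson` calls `.replace` directly on `text`, so a non-string argument (an empty or missing backend body) throws a TypeError inside the response callback; add `if (typeof text !== "string") { return text; }` as the first statement. As rendered here the replacement strings are the literal characters `<`, `>`, `'`, `"` — identity replacements that encode nothing — and the second chain entry reads `.replace(//g, ">")`, an empty regex that would insert `>` between every character of the response; presumably these were `&lt;`, `&gt;`, `&#39;`, `&quot;` and a `/\\u003e/g` pattern before this page was entity-decoded, but the committed lines should be checked against the tree. `&` is not in the list at all, and an encoder that handles `<` but not `&` is incomplete; encode `&` first, then the rest. The last `.replace(...)` also lacks a terminating semicolon before `};`, and the enclosing `utility = function () {` IIFE starts outside the hunk.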