Improved HTML escaping.
This commit is contained in:
parent
74b3075e28
commit
36b5831f18
16
meshuser.js
16
meshuser.js
@ -4279,7 +4279,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
}
|
||||
case 'distributeCore': {
|
||||
// This is only available when plugins are enabled since it could cause stress on the server
|
||||
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin with plugins enabled
|
||||
if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
|
||||
for (var i in command.nodes) {
|
||||
parent.sendMeshAgentCore(user, domain, command.nodes[i]._id, 'default');
|
||||
}
|
||||
@ -4287,14 +4287,14 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
}
|
||||
case 'plugins': {
|
||||
// Since plugin actions generally require a server restart, use the Full admin permission
|
||||
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin with plugins enabled
|
||||
if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
|
||||
parent.db.getPlugins(function(err, docs) {
|
||||
try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { }
|
||||
});
|
||||
break;
|
||||
}
|
||||
case 'pluginLatestCheck': {
|
||||
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin with plugins enabled
|
||||
if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
|
||||
parent.parent.pluginHandler.getPluginLatest()
|
||||
.then(function(latest) {
|
||||
try { ws.send(JSON.stringify({ action: 'pluginVersionsAvailable', list: latest })); } catch (ex) { }
|
||||
@ -4302,7 +4302,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
break;
|
||||
}
|
||||
case 'addplugin': {
|
||||
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin, plugins enabled
|
||||
if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
|
||||
try {
|
||||
parent.parent.pluginHandler.getPluginConfig(command.url)
|
||||
.then(parent.parent.pluginHandler.addPlugin)
|
||||
@ -4319,7 +4319,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
break;
|
||||
}
|
||||
case 'installplugin': {
|
||||
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin, plugins enabled
|
||||
if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
|
||||
parent.parent.pluginHandler.installPlugin(command.id, command.version_only, null, function(){
|
||||
parent.db.getPlugins(function(err, docs) {
|
||||
try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { }
|
||||
@ -4330,7 +4330,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
break;
|
||||
}
|
||||
case 'disableplugin': {
|
||||
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin, plugins enabled
|
||||
if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
|
||||
parent.parent.pluginHandler.disablePlugin(command.id, function(){
|
||||
parent.db.getPlugins(function(err, docs) {
|
||||
try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { }
|
||||
@ -4341,7 +4341,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
break;
|
||||
}
|
||||
case 'removeplugin': {
|
||||
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin, plugins enabled
|
||||
if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
|
||||
parent.parent.pluginHandler.removePlugin(command.id, function(){
|
||||
parent.db.getPlugins(function(err, docs) {
|
||||
try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { }
|
||||
@ -4350,7 +4350,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
break;
|
||||
}
|
||||
case 'getpluginversions': {
|
||||
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin, plugins enabled
|
||||
if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
|
||||
parent.parent.pluginHandler.getPluginVersions(command.id)
|
||||
.then(function (versionInfo) {
|
||||
try { ws.send(JSON.stringify({ action: 'downgradePluginVersions', info: versionInfo, error: null })); } catch (ex) { }
|
||||
|
@ -297,6 +297,13 @@
|
||||
"default.handlebars->27->171"
|
||||
]
|
||||
},
|
||||
{
|
||||
"en": "'",
|
||||
"xloc": [
|
||||
"agentinvite.handlebars->3->4",
|
||||
"agentinvite.handlebars->3->5"
|
||||
]
|
||||
},
|
||||
{
|
||||
"cs": "(",
|
||||
"de": "(",
|
||||
|
@ -144,7 +144,7 @@
|
||||
var installFlags = '{{{installflags}}}';
|
||||
var groupName = decodeURIComponent('{{{meshname}}}');
|
||||
if (groupName != '') {
|
||||
QH('groupname', format("Remote Agent Installation for {0}", groupName));
|
||||
QH('groupname', format("Remote Agent Installation for {0}", escapeHtml(groupName)));
|
||||
document.title = format("{0} - Agent Installation", groupName);
|
||||
} else {
|
||||
document.title = "Agent Installation";
|
||||
@ -295,7 +295,8 @@
|
||||
function copyToClipLinuxUnInstall() { copyTextToClip(linuxUnInstall); }
|
||||
function copyTextToClip(txt) { function selectElementText(e) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(e); range.select(); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(e); window.getSelection().removeAllRanges(); window.getSelection().addRange(range); } } var e = document.createElement('DIV'); e.textContent = txt; document.body.appendChild(e); selectElementText(e); document.execCommand('copy'); e.remove(); }
|
||||
function format(format) { var args = Array.prototype.slice.call(arguments, 1); return format.replace(/{(\d+)}/g, function (match, number) { return typeof args[number] != 'undefined' ? args[number] : match; }); };
|
||||
|
||||
function escapeHtml(string) { return String(string).replace(/[&<>"'`=\/]/g, function (s) { return { '&': '&', '<': '<', '>': '>', '"': '"', "'": ''', '/': '/', '`': '`', '=': '=' }[s]; }); };
|
||||
function escapeHtmlBreaks(string) { return String(string).replace(/[&<>"'`=\/]/g, function (s) { return { '&': '&', '<': '<', '>': '>', '"': '"', "'": ''', '/': '/', '`': '`', '=': '=', '\r': '<br />', '\n': '' }[s]; }); };
|
||||
</script>
|
||||
</body>
|
||||
</html>
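Review bot: The `'\r': '<br />'` and `'\n': ''` entries in the new `escapeHtmlBreaks` are unreachable, because its character class `/[&<>"'`=\/]/g` never matches CR or LF, so line breaks pass through unconverted; the class needs the two characters added, `/[&<>"'`=\/\r\n]/g`, for the function to differ from `escapeHtml` at all. As rendered on this page the replacement map of both helpers reads as identity (`'&': '&'`), which is presumably the page decoding the `&amp;`-style entities of the real source, but it is worth confirming against the raw file that the map really emits entities. Separately, the first hunk still embeds `'{{{meshname}}}'` inside a JS string literal before `decodeURIComponent`, so the added `escapeHtml(groupName)` on the `QH` line only helps if the server percent-encodes the value; if that encoder is `encodeURIComponent`, it leaves `'` unescaped and a group name containing `'` would still terminate the literal, so a comment such as `// meshname must be percent-encoded server-side; raw quotes would break this literal` and a server-side check are warranted. The script block of the first hunk starts outside the hunk.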
|
||||
|
@ -733,7 +733,7 @@
|
||||
var webState = '{{{webstate}}}';
|
||||
if (webState != '') { webState = JSON.parse(decodeURIComponent(webState)); }
|
||||
for (var i in webState) { localStorage.setItem(i, webState[i]); }
|
||||
if (!webState.loctag) { delete localStorage.removeItem('loctag'); }
|
||||
if (webState && !webState.loctag) { delete localStorage.removeItem('loctag'); }
|
||||
|
||||
var urlargs = parseUriArgs();
|
||||
if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
|
||||
@ -1714,7 +1714,7 @@
|
||||
if (filetreelinkpath != '') { filetreelinkpath += '/' + filetreelocation[i]; if (folderdepth > 2) { publicPath += '/' + filetreelocation[i]; } }
|
||||
}
|
||||
filetreex = filetreex.f[filetreelocation[i]];
|
||||
displayPath += ' / <a style=cursor:pointer onclick=p5folderup(' + folderdepth + ')>' + (filetreex.n != null ? filetreex.n : filetreelocation[i]) + '</a>';
|
||||
displayPath += ' / <a style=cursor:pointer onclick=p5folderup(' + folderdepth + ')>' + EscapeHtml(filetreex.n != null ? filetreex.n : filetreelocation[i]) + '</a>';
|
||||
folderdepth++;
|
||||
} else {
|
||||
break;
|
||||
@ -2435,7 +2435,7 @@
|
||||
|
||||
// Node tags
|
||||
var groupingTags = '<i>' + "None" + '</i>';
|
||||
if (node.tags != null) { groupingTags = ''; for (var i in node.tags) { groupingTags += '<span style="background-color:lightgray;padding:3px;margin-right:4px;border-radius:5px">' + node.tags[i] + '</span>'; } }
|
||||
if (node.tags != null) { groupingTags = ''; for (var i in node.tags) { groupingTags += '<span style="background-color:lightgray;padding:3px;margin-right:4px;border-radius:5px">' + EscapeHtml(node.tags[i]) + '</span>'; } }
|
||||
if ((meshrights & 4) != 0) {
|
||||
x += addDeviceAttribute("Tags", '<span onclick=showEditNodeValueDialog(3) style=cursor:pointer>' + groupingTags + '</span>');
|
||||
} else {
|
||||
@ -3224,7 +3224,7 @@
|
||||
var x = p13filetree.path.split('\\');
|
||||
p13filetreelocation = [];
|
||||
for (var i in x) { if (x[i] != '') { p13filetreelocation.push(x[i]); } } // Remove empty spaces
|
||||
for (var i in p13filetreelocation) { displayPath += ' / <a style=cursor:pointer onclick=p13folderup(' + (parseInt(i) + 1) + ')>' + p13filetreelocation[i] + '</a>' } // Setup the path we display
|
||||
for (var i in p13filetreelocation) { displayPath += ' / <a style=cursor:pointer onclick=p13folderup(' + (parseInt(i) + 1) + ')>' + EscapeHtml(p13filetreelocation[i]) + '</a>' } // Setup the path we display
|
||||
var newlinkpath = p13filetreelocation.join('/');
|
||||
|
||||
// Sort the files
|
||||
|
@ -5352,12 +5352,12 @@
|
||||
if ((node.agent != null) && (node.agent.tag != null)) {
|
||||
// Attribute: Mesh Agent Tag
|
||||
var tag = EscapeHtml(node.agent.tag);
|
||||
if (tag.startsWith('mailto:')) { tag = '<a href="' + tag + '">' + tag.substring(7) + '</a>'; }
|
||||
if (tag.startsWith('mailto:')) { tag = '<a href="' + EscapeHtml(tag) + '">' + EscapeHtml(tag.substring(7)) + '</a>'; }
|
||||
x += addDeviceAttribute("Agent Tag", tag);
|
||||
} else if ((node.intelamt != null) && (node.intelamt.tag != null)) {
|
||||
// Attribute: Intel AMT Tag
|
||||
var tag = EscapeHtml(node.intelamt.tag);
|
||||
if (tag.startsWith('mailto:')) { tag = '<a href="' + tag + '">' + tag.substring(7) + '</a>'; }
|
||||
if (tag.startsWith('mailto:')) { tag = '<a href="' + EscapeHtml(tag) + '">' + EscapeHtml(tag.substring(7)) + '</a>'; }
|
||||
x += addDeviceAttribute("Intel® AMT Tag", tag);
|
||||
}
|
||||
|
||||
@ -5416,7 +5416,7 @@
|
||||
|
||||
// Node grouping tags
|
||||
var groupingTags = '<i>' + "None" + '</i>';
|
||||
if (node.tags != null) { groupingTags = ''; for (var i in node.tags) { groupingTags += '<span class="tagSpan">' + node.tags[i] + '</span>'; } }
|
||||
if (node.tags != null) { groupingTags = ''; for (var i in node.tags) { groupingTags += '<span class="tagSpan">' + EscapeHtml(node.tags[i]) + '</span>'; } }
|
||||
if ((meshrights & 4) != 0) {
|
||||
x += addDeviceAttribute('Tags', '<span onclick=showEditNodeValueDialog(3) style=cursor:pointer>' + groupingTags + ' <img class=hoverButton src="images/link5.png" /></span>');
|
||||
} else {
|
||||
@ -7522,7 +7522,7 @@
|
||||
var x = p13filetree.path.split('\\');
|
||||
p13filetreelocation = [];
|
||||
for (var i in x) { if (x[i] != '') { p13filetreelocation.push(x[i]); } } // Remove empty spaces
|
||||
for (var i in p13filetreelocation) { displayPath += ' / <a href=# style=cursor:pointer onclick="return p13folderup(' + (parseInt(i) + 1) + ')">' + p13filetreelocation[i] + '</a>' } // Setup the path we display
|
||||
for (var i in p13filetreelocation) { displayPath += ' / <a href=# style=cursor:pointer onclick="return p13folderup(' + (parseInt(i) + 1) + ')">' + EscapeHtml(p13filetreelocation[i]) + '</a>' } // Setup the path we display
|
||||
var newlinkpath = p13filetreelocation.join('/');
|
||||
|
||||
// Sort the files
|
||||
@ -9941,7 +9941,7 @@
|
||||
if (filetreelinkpath != '') { filetreelinkpath += '/' + filetreelocation[i]; if (folderdepth > 2) { publicPath += '/' + filetreelocation[i]; } }
|
||||
}
|
||||
filetreex = filetreex.f[filetreelocation[i]];
|
||||
displayPath += ' / <a href=# style=cursor:pointer onclick="return p5folderup(' + folderdepth + ')">' + (filetreex.n != null?filetreex.n:filetreelocation[i]) + '</a>';
|
||||
displayPath += ' / <a href=# style=cursor:pointer onclick="return p5folderup(' + folderdepth + ')">' + EscapeHtml(filetreex.n != null?filetreex.n:filetreelocation[i]) + '</a>';
|
||||
folderdepth++;
|
||||
} else {
|
||||
break;
|
||||
@ -10446,10 +10446,10 @@
|
||||
if (user.email != null) {
|
||||
if (((features & 0x200000) == 0) || (user.email.toLowerCase() != user.name.toLowerCase())) {
|
||||
// Username & email are different
|
||||
username += ', <a href="mailto:' + user.email + '" \'>' + user.email + '</a>' + emailVerified;
|
||||
username += ', <a href="mailto:' + EscapeHtml(user.email) + '" \'>' + EscapeHtml(user.email) + '</a>' + emailVerified;
|
||||
} else {
|
||||
// Username & email are the same
|
||||
username += ' <a href="mailto:' + user.email + '" \'><img src="images/mail12.png" height=9 width=12 title="' + "Send email to user" + '" style="margin-top:2px" /></a>' + emailVerified;
|
||||
username += ' <a href="mailto:' + EscapeHtml(user.email) + '" \'><img src="images/mail12.png" height=9 width=12 title="' + "Send email to user" + '" style="margin-top:2px" /></a>' + emailVerified;
|
||||
}
|
||||
}
|
||||
|
||||
@ -11314,8 +11314,8 @@
|
||||
if ((event != null) && (event.originalTarget != null) && (event.originalTarget.href != null)) return;
|
||||
var user = currentUser = users[decodeURIComponent(userid)];
|
||||
if (user == null) { setDialogMode(0); go(4); return; }
|
||||
QH('p30userName', user.name);
|
||||
QH('p31userName', user.name);
|
||||
QH('p30userName', EscapeHtml(user.name));
|
||||
QH('p31userName', EscapeHtml(user.name));
|
||||
var self = (user._id == userinfo._id), activeSessions = 0;
|
||||
if (wssessions != null && wssessions[user._id]) { activeSessions = wssessions[user._id]; }
|
||||
|
||||
@ -11356,9 +11356,9 @@
|
||||
}
|
||||
|
||||
if (((user.siteadmin != 0xFFFFFFFF) || (userinfo.siteadmin == 0xFFFFFFFF))) { // If we are not site admin, we can't change a admin email.
|
||||
x += addDeviceAttribute("Email", everify + email + ' <a href="mailto:' + user.email + '" \'><img class=hoverButton src="images/link1.png" /></a>' + ' <img class=hoverButton style=cursor:pointer src="images/link5.png" onclick=p30showUserEmailChangeDialog(event,"' + userid + '") />');
|
||||
x += addDeviceAttribute("Email", everify + email + ' <a href="mailto:' + EscapeHtml(user.email) + '" \'><img class=hoverButton src="images/link1.png" /></a>' + ' <img class=hoverButton style=cursor:pointer src="images/link5.png" onclick=p30showUserEmailChangeDialog(event,"' + userid + '") />');
|
||||
} else {
|
||||
x += addDeviceAttribute("Email", everify + email + ' <a href="mailto:' + user.email + '" \'><img class=hoverButton src="images/link1.png" /></a>');
|
||||
x += addDeviceAttribute("Email", everify + email + ' <a href="mailto:' + EscapeHtml(user.email) + '" \'><img class=hoverButton src="images/link1.png" /></a>');
|
||||
}
|
||||
|
||||
if ((features & 0x02000000) || (user.phone != null)) { // If SMS is enabled on the server or user has a phone number
|
||||
@ -11383,7 +11383,7 @@
|
||||
// Administrative Realms
|
||||
if ((userinfo.siteadmin == 0xFFFFFFFF) || (userinfo.siteadmin & 2)) {
|
||||
var xuserGroups = '<i>' + "None" + '</i>';
|
||||
if (user.groups) { xuserGroups = ''; for (var i in user.groups) { xuserGroups += '<span class="tagSpan">' + user.groups[i] + '</span>'; } }
|
||||
if (user.groups) { xuserGroups = ''; for (var i in user.groups) { xuserGroups += '<span class="tagSpan">' + EscapeHtml(user.groups[i]) + '</span>'; } }
|
||||
x += addDeviceAttribute("Admin Realms", addLinkConditional(xuserGroups, 'showUserGroupDialog(event,"' + userid + '")', (userinfo.siteadmin == 0xFFFFFFFF) || ((userinfo.groups == null) && (userinfo._id != user._id) && (user.siteadmin != 0xFFFFFFFF))));
|
||||
}
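Review bot: The mailto branches in the agent-tag hunk (the `EscapeHtml(tag)` / `EscapeHtml(tag.substring(7))` lines, assuming those are the new side) escape an already-escaped value: `tag` was assigned `EscapeHtml(node.agent.tag)` two lines earlier, so the entity replacement runs twice and, unless this file's `EscapeHtml` is idempotent (the usual `&`→`&amp;` implementation is not), any `&` in the tag will display as a literal `&amp;`. Because href and link text were already built from the escaped `tag`, the inner calls can be dropped, `if (tag.startsWith('mailto:')) { tag = '<a href="' + tag + '">' + tag.substring(7) + '</a>'; }`, or the raw value escaped exactly once via `var rawTag = node.agent.tag, tag = EscapeHtml(rawTag);` with the anchor built from `rawTag`; the same applies to the Intel AMT branch. The `startsWith('mailto:')` test pins the href scheme, so the escaping here guards markup, not `javascript:` URLs. The user-detail hunks still interpolate `userid` into unquoted `onclick=` handlers (`p30showUserEmailChangeDialog(event,"' + userid + '")` and the `showUserGroupDialog` string); that is unchanged by the commit and presumably relies on `userid` being percent-encoded, which deserves a comment at those call sites. The enclosing functions of every hunk here start and end outside the section.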
|
||||
|
||||
|