Improved HTML escaping.

Ylian Saint-Hilaire 2020-06-26 18:04:28 -07:00
parent 74b3075e28
commit 36b5831f18
5 changed files with 34 additions and 26 deletions


@ -4279,7 +4279,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
} }
case 'distributeCore': { case 'distributeCore': {
// This is only available when plugins are enabled since it could cause stress on the server // This is only available when plugins are enabled since it could cause stress on the server
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin with plugins enabled if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
for (var i in command.nodes) { for (var i in command.nodes) {
parent.sendMeshAgentCore(user, domain, command.nodes[i]._id, 'default'); parent.sendMeshAgentCore(user, domain, command.nodes[i]._id, 'default');
} }
@ -4287,14 +4287,14 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
} }
case 'plugins': { case 'plugins': {
// Since plugin actions generally require a server restart, use the Full admin permission // Since plugin actions generally require a server restart, use the Full admin permission
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin with plugins enabled if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
parent.db.getPlugins(function(err, docs) { parent.db.getPlugins(function(err, docs) {
try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { } try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { }
}); });
break; break;
} }
case 'pluginLatestCheck': { case 'pluginLatestCheck': {
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin with plugins enabled if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
parent.parent.pluginHandler.getPluginLatest() parent.parent.pluginHandler.getPluginLatest()
.then(function(latest) { .then(function(latest) {
try { ws.send(JSON.stringify({ action: 'pluginVersionsAvailable', list: latest })); } catch (ex) { } try { ws.send(JSON.stringify({ action: 'pluginVersionsAvailable', list: latest })); } catch (ex) { }
@ -4302,7 +4302,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
break; break;
} }
case 'addplugin': { case 'addplugin': {
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin, plugins enabled if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
try { try {
parent.parent.pluginHandler.getPluginConfig(command.url) parent.parent.pluginHandler.getPluginConfig(command.url)
.then(parent.parent.pluginHandler.addPlugin) .then(parent.parent.pluginHandler.addPlugin)
@ -4319,7 +4319,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
break; break;
} }
case 'installplugin': { case 'installplugin': {
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin, plugins enabled if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
parent.parent.pluginHandler.installPlugin(command.id, command.version_only, null, function(){ parent.parent.pluginHandler.installPlugin(command.id, command.version_only, null, function(){
parent.db.getPlugins(function(err, docs) { parent.db.getPlugins(function(err, docs) {
try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { } try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { }
@ -4330,7 +4330,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
break; break;
} }
case 'disableplugin': { case 'disableplugin': {
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin, plugins enabled if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
parent.parent.pluginHandler.disablePlugin(command.id, function(){ parent.parent.pluginHandler.disablePlugin(command.id, function(){
parent.db.getPlugins(function(err, docs) { parent.db.getPlugins(function(err, docs) {
try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { } try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { }
@ -4341,7 +4341,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
break; break;
} }
case 'removeplugin': { case 'removeplugin': {
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin, plugins enabled if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
parent.parent.pluginHandler.removePlugin(command.id, function(){ parent.parent.pluginHandler.removePlugin(command.id, function(){
parent.db.getPlugins(function(err, docs) { parent.db.getPlugins(function(err, docs) {
try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { } try { ws.send(JSON.stringify({ action: 'updatePluginList', list: docs, result: err })); } catch (ex) { }
@ -4350,7 +4350,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
break; break;
} }
case 'getpluginversions': { case 'getpluginversions': {
if ((user.siteadmin & 0xFFFFFFFF) == 0 || parent.parent.pluginHandler == null) break; // must be full admin, plugins enabled if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break; // Must be full admin with plugins enabled
parent.parent.pluginHandler.getPluginVersions(command.id) parent.parent.pluginHandler.getPluginVersions(command.id)
.then(function (versionInfo) { .then(function (versionInfo) {
try { ws.send(JSON.stringify({ action: 'downgradePluginVersions', info: versionInfo, error: null })); } catch (ex) { } try { ws.send(JSON.stringify({ action: 'downgradePluginVersions', info: versionInfo, error: null })); } catch (ex) { }
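Review bot: The full-admin gate `if ((user.siteadmin != 0xFFFFFFFF) || (parent.parent.pluginHandler == null)) break;` is now copy-pasted verbatim into eight `case` arms (distributeCore, plugins, pluginLatestCheck, addplugin, installplugin, disableplugin, removeplugin, getpluginversions); a single helper such as `function pluginAdminAllowed() { return (user.siteadmin == 0xFFFFFFFF) && (parent.parent.pluginHandler != null); }` would keep the rule in one place the next time it has to change, as it did in this commit. The tightening itself is right: the old `(user.siteadmin & 0xFFFFFFFF) == 0` let any partially-privileged admin reach plugin install/remove and core distribution, whereas the new test requires the full-admin mask. The bare `break` discards a rejected privileged request with no trace, and a denied plugin or core-distribution action is exactly what an operator wants to see in an audit trail, so if this handler has an event/log path for denied actions it is worth routing these through it. The enclosing `CreateMeshUser` switch starts and ends outside these hunks.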


@ -297,6 +297,13 @@
"default.handlebars->27->171" "default.handlebars->27->171"
] ]
}, },
{
"en": "'",
"xloc": [
"agentinvite.handlebars->3->4",
"agentinvite.handlebars->3->5"
]
},
{ {
"cs": "(", "cs": "(",
"de": "(", "de": "(",


@ -144,7 +144,7 @@
var installFlags = '{{{installflags}}}'; var installFlags = '{{{installflags}}}';
var groupName = decodeURIComponent('{{{meshname}}}'); var groupName = decodeURIComponent('{{{meshname}}}');
if (groupName != '') { if (groupName != '') {
QH('groupname', format("Remote Agent Installation for {0}", groupName)); QH('groupname', format("Remote Agent Installation for {0}", escapeHtml(groupName)));
document.title = format("{0} - Agent Installation", groupName); document.title = format("{0} - Agent Installation", groupName);
} else { } else {
document.title = "Agent Installation"; document.title = "Agent Installation";
@ -295,7 +295,8 @@
function copyToClipLinuxUnInstall() { copyTextToClip(linuxUnInstall); } function copyToClipLinuxUnInstall() { copyTextToClip(linuxUnInstall); }
function copyTextToClip(txt) { function selectElementText(e) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(e); range.select(); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(e); window.getSelection().removeAllRanges(); window.getSelection().addRange(range); } } var e = document.createElement('DIV'); e.textContent = txt; document.body.appendChild(e); selectElementText(e); document.execCommand('copy'); e.remove(); } function copyTextToClip(txt) { function selectElementText(e) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(e); range.select(); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(e); window.getSelection().removeAllRanges(); window.getSelection().addRange(range); } } var e = document.createElement('DIV'); e.textContent = txt; document.body.appendChild(e); selectElementText(e); document.execCommand('copy'); e.remove(); }
function format(format) { var args = Array.prototype.slice.call(arguments, 1); return format.replace(/{(\d+)}/g, function (match, number) { return typeof args[number] != 'undefined' ? args[number] : match; }); }; function format(format) { var args = Array.prototype.slice.call(arguments, 1); return format.replace(/{(\d+)}/g, function (match, number) { return typeof args[number] != 'undefined' ? args[number] : match; }); };
function escapeHtml(string) { return String(string).replace(/[&<>"'`=\/]/g, function (s) { return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;' }[s]; }); };
function escapeHtmlBreaks(string) { return String(string).replace(/[&<>"'`=\/]/g, function (s) { return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;', '\r': '<br />', '\n': '' }[s]; }); };
</script> </script>
</body> </body>
</html> </html>
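Review bot: In the new `escapeHtmlBreaks`, the regex `/[&<>"'`=\/]/g` never matches `\r` or `\n`, so the `'\r': '<br />'` and `'\n': ''` entries in the replacement map are unreachable and the function is currently byte-for-byte equivalent to `escapeHtml`. If line breaks are meant to become `<br />`, the character class has to include them, `/[&<>"'`=\/\r\n]/g`, and it is worth confirming that mapping `\r` (not `\n`) to `<br />` is intended, since with that mapping LF-only input loses its line breaks entirely. On the `QH('groupname', …)` line, `groupName` is escaped for what is presumably an innerHTML write but passed raw to `document.title`, which is correct because `title` is a text property; a short comment such as `// document.title is plain text, no escaping needed` would keep a future reader from "fixing" it.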


@ -733,7 +733,7 @@
var webState = '{{{webstate}}}'; var webState = '{{{webstate}}}';
if (webState != '') { webState = JSON.parse(decodeURIComponent(webState)); } if (webState != '') { webState = JSON.parse(decodeURIComponent(webState)); }
for (var i in webState) { localStorage.setItem(i, webState[i]); } for (var i in webState) { localStorage.setItem(i, webState[i]); }
if (!webState.loctag) { delete localStorage.removeItem('loctag'); } if (webState && !webState.loctag) { delete localStorage.removeItem('loctag'); }
var urlargs = parseUriArgs(); var urlargs = parseUriArgs();
if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; } if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
@ -1714,7 +1714,7 @@
if (filetreelinkpath != '') { filetreelinkpath += '/' + filetreelocation[i]; if (folderdepth > 2) { publicPath += '/' + filetreelocation[i]; } } if (filetreelinkpath != '') { filetreelinkpath += '/' + filetreelocation[i]; if (folderdepth > 2) { publicPath += '/' + filetreelocation[i]; } }
} }
filetreex = filetreex.f[filetreelocation[i]]; filetreex = filetreex.f[filetreelocation[i]];
displayPath += ' / <a style=cursor:pointer onclick=p5folderup(' + folderdepth + ')>' + (filetreex.n != null ? filetreex.n : filetreelocation[i]) + '</a>'; displayPath += ' / <a style=cursor:pointer onclick=p5folderup(' + folderdepth + ')>' + EscapeHtml(filetreex.n != null ? filetreex.n : filetreelocation[i]) + '</a>';
folderdepth++; folderdepth++;
} else { } else {
break; break;
@ -2435,7 +2435,7 @@
// Node tags // Node tags
var groupingTags = '<i>' + "None" + '</i>'; var groupingTags = '<i>' + "None" + '</i>';
if (node.tags != null) { groupingTags = ''; for (var i in node.tags) { groupingTags += '<span style="background-color:lightgray;padding:3px;margin-right:4px;border-radius:5px">' + node.tags[i] + '</span>'; } } if (node.tags != null) { groupingTags = ''; for (var i in node.tags) { groupingTags += '<span style="background-color:lightgray;padding:3px;margin-right:4px;border-radius:5px">' + EscapeHtml(node.tags[i]) + '</span>'; } }
if ((meshrights & 4) != 0) { if ((meshrights & 4) != 0) {
x += addDeviceAttribute("Tags", '<span onclick=showEditNodeValueDialog(3) style=cursor:pointer>' + groupingTags + '</span>'); x += addDeviceAttribute("Tags", '<span onclick=showEditNodeValueDialog(3) style=cursor:pointer>' + groupingTags + '</span>');
} else { } else {
@ -3224,7 +3224,7 @@
var x = p13filetree.path.split('\\'); var x = p13filetree.path.split('\\');
p13filetreelocation = []; p13filetreelocation = [];
for (var i in x) { if (x[i] != '') { p13filetreelocation.push(x[i]); } } // Remove empty spaces for (var i in x) { if (x[i] != '') { p13filetreelocation.push(x[i]); } } // Remove empty spaces
for (var i in p13filetreelocation) { displayPath += ' / <a style=cursor:pointer onclick=p13folderup(' + (parseInt(i) + 1) + ')>' + p13filetreelocation[i] + '</a>' } // Setup the path we display for (var i in p13filetreelocation) { displayPath += ' / <a style=cursor:pointer onclick=p13folderup(' + (parseInt(i) + 1) + ')>' + EscapeHtml(p13filetreelocation[i]) + '</a>' } // Setup the path we display
var newlinkpath = p13filetreelocation.join('/'); var newlinkpath = p13filetreelocation.join('/');
// Sort the files // Sort the files
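Review bot: On the `loctag` line, `delete localStorage.removeItem('loctag')` applies the `delete` operator to a call result, which only evaluates the call and yields `true`; the keyword is a leftover that reads as if a property were being removed. Since the commit already rewrites this line to add the `webState &&` guard, it could become `if (webState && !webState.loctag) { localStorage.removeItem('loctag'); }`. The guard itself is sound: after the preceding line `webState` is either `''` or whatever `JSON.parse` returned, so it also covers a `null` payload. The `EscapeHtml` additions in the other three hunks of this file only wrap user-controlled names and tags; the `onclick=p5folderup(' + folderdepth + ')` interpolation that stays unescaped carries a numeric counter, so it is fine as is.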


@ -5352,12 +5352,12 @@
if ((node.agent != null) && (node.agent.tag != null)) { if ((node.agent != null) && (node.agent.tag != null)) {
// Attribute: Mesh Agent Tag // Attribute: Mesh Agent Tag
var tag = EscapeHtml(node.agent.tag); var tag = EscapeHtml(node.agent.tag);
if (tag.startsWith('mailto:')) { tag = '<a href="' + tag + '">' + tag.substring(7) + '</a>'; } if (tag.startsWith('mailto:')) { tag = '<a href="' + EscapeHtml(tag) + '">' + EscapeHtml(tag.substring(7)) + '</a>'; }
x += addDeviceAttribute("Agent Tag", tag); x += addDeviceAttribute("Agent Tag", tag);
} else if ((node.intelamt != null) && (node.intelamt.tag != null)) { } else if ((node.intelamt != null) && (node.intelamt.tag != null)) {
// Attribute: Intel AMT Tag // Attribute: Intel AMT Tag
var tag = EscapeHtml(node.intelamt.tag); var tag = EscapeHtml(node.intelamt.tag);
if (tag.startsWith('mailto:')) { tag = '<a href="' + tag + '">' + tag.substring(7) + '</a>'; } if (tag.startsWith('mailto:')) { tag = '<a href="' + EscapeHtml(tag) + '">' + EscapeHtml(tag.substring(7)) + '</a>'; }
x += addDeviceAttribute("Intel&reg; AMT Tag", tag); x += addDeviceAttribute("Intel&reg; AMT Tag", tag);
} }
@ -5416,7 +5416,7 @@
// Node grouping tags // Node grouping tags
var groupingTags = '<i>' + "None" + '</i>'; var groupingTags = '<i>' + "None" + '</i>';
if (node.tags != null) { groupingTags = ''; for (var i in node.tags) { groupingTags += '<span class="tagSpan">' + node.tags[i] + '</span>'; } } if (node.tags != null) { groupingTags = ''; for (var i in node.tags) { groupingTags += '<span class="tagSpan">' + EscapeHtml(node.tags[i]) + '</span>'; } }
if ((meshrights & 4) != 0) { if ((meshrights & 4) != 0) {
x += addDeviceAttribute('Tags', '<span onclick=showEditNodeValueDialog(3) style=cursor:pointer>' + groupingTags + ' <img class=hoverButton src="images/link5.png" /></span>'); x += addDeviceAttribute('Tags', '<span onclick=showEditNodeValueDialog(3) style=cursor:pointer>' + groupingTags + ' <img class=hoverButton src="images/link5.png" /></span>');
} else { } else {
@ -7522,7 +7522,7 @@
var x = p13filetree.path.split('\\'); var x = p13filetree.path.split('\\');
p13filetreelocation = []; p13filetreelocation = [];
for (var i in x) { if (x[i] != '') { p13filetreelocation.push(x[i]); } } // Remove empty spaces for (var i in x) { if (x[i] != '') { p13filetreelocation.push(x[i]); } } // Remove empty spaces
for (var i in p13filetreelocation) { displayPath += ' / <a href=# style=cursor:pointer onclick="return p13folderup(' + (parseInt(i) + 1) + ')">' + p13filetreelocation[i] + '</a>' } // Setup the path we display for (var i in p13filetreelocation) { displayPath += ' / <a href=# style=cursor:pointer onclick="return p13folderup(' + (parseInt(i) + 1) + ')">' + EscapeHtml(p13filetreelocation[i]) + '</a>' } // Setup the path we display
var newlinkpath = p13filetreelocation.join('/'); var newlinkpath = p13filetreelocation.join('/');
// Sort the files // Sort the files
@ -9941,7 +9941,7 @@
if (filetreelinkpath != '') { filetreelinkpath += '/' + filetreelocation[i]; if (folderdepth > 2) { publicPath += '/' + filetreelocation[i]; } } if (filetreelinkpath != '') { filetreelinkpath += '/' + filetreelocation[i]; if (folderdepth > 2) { publicPath += '/' + filetreelocation[i]; } }
} }
filetreex = filetreex.f[filetreelocation[i]]; filetreex = filetreex.f[filetreelocation[i]];
displayPath += ' / <a href=# style=cursor:pointer onclick="return p5folderup(' + folderdepth + ')">' + (filetreex.n != null?filetreex.n:filetreelocation[i]) + '</a>'; displayPath += ' / <a href=# style=cursor:pointer onclick="return p5folderup(' + folderdepth + ')">' + EscapeHtml(filetreex.n != null?filetreex.n:filetreelocation[i]) + '</a>';
folderdepth++; folderdepth++;
} else { } else {
break; break;
@ -10446,10 +10446,10 @@
if (user.email != null) { if (user.email != null) {
if (((features & 0x200000) == 0) || (user.email.toLowerCase() != user.name.toLowerCase())) { if (((features & 0x200000) == 0) || (user.email.toLowerCase() != user.name.toLowerCase())) {
// Username & email are different // Username & email are different
username += ', <a href="mailto:' + user.email + '" \'>' + user.email + '</a>' + emailVerified; username += ', <a href="mailto:' + EscapeHtml(user.email) + '" \'>' + EscapeHtml(user.email) + '</a>' + emailVerified;
} else { } else {
// Username & email are the same // Username & email are the same
username += ' <a href="mailto:' + user.email + '" \'><img src="images/mail12.png" height=9 width=12 title="' + "Send email to user" + '" style="margin-top:2px" /></a>' + emailVerified; username += ' <a href="mailto:' + EscapeHtml(user.email) + '" \'><img src="images/mail12.png" height=9 width=12 title="' + "Send email to user" + '" style="margin-top:2px" /></a>' + emailVerified;
} }
} }
@ -11314,8 +11314,8 @@
if ((event != null) && (event.originalTarget != null) && (event.originalTarget.href != null)) return; if ((event != null) && (event.originalTarget != null) && (event.originalTarget.href != null)) return;
var user = currentUser = users[decodeURIComponent(userid)]; var user = currentUser = users[decodeURIComponent(userid)];
if (user == null) { setDialogMode(0); go(4); return; } if (user == null) { setDialogMode(0); go(4); return; }
QH('p30userName', user.name); QH('p30userName', EscapeHtml(user.name));
QH('p31userName', user.name); QH('p31userName', EscapeHtml(user.name));
var self = (user._id == userinfo._id), activeSessions = 0; var self = (user._id == userinfo._id), activeSessions = 0;
if (wssessions != null && wssessions[user._id]) { activeSessions = wssessions[user._id]; } if (wssessions != null && wssessions[user._id]) { activeSessions = wssessions[user._id]; }
@ -11356,9 +11356,9 @@
} }
if (((user.siteadmin != 0xFFFFFFFF) || (userinfo.siteadmin == 0xFFFFFFFF))) { // If we are not site admin, we can't change a admin email. if (((user.siteadmin != 0xFFFFFFFF) || (userinfo.siteadmin == 0xFFFFFFFF))) { // If we are not site admin, we can't change a admin email.
x += addDeviceAttribute("Email", everify + email + ' <a href="mailto:' + user.email + '" \'><img class=hoverButton src="images/link1.png" /></a>' + ' <img class=hoverButton style=cursor:pointer src="images/link5.png" onclick=p30showUserEmailChangeDialog(event,"' + userid + '") />'); x += addDeviceAttribute("Email", everify + email + ' <a href="mailto:' + EscapeHtml(user.email) + '" \'><img class=hoverButton src="images/link1.png" /></a>' + ' <img class=hoverButton style=cursor:pointer src="images/link5.png" onclick=p30showUserEmailChangeDialog(event,"' + userid + '") />');
} else { } else {
x += addDeviceAttribute("Email", everify + email + ' <a href="mailto:' + user.email + '" \'><img class=hoverButton src="images/link1.png" /></a>'); x += addDeviceAttribute("Email", everify + email + ' <a href="mailto:' + EscapeHtml(user.email) + '" \'><img class=hoverButton src="images/link1.png" /></a>');
} }
if ((features & 0x02000000) || (user.phone != null)) { // If SMS is enabled on the server or user has a phone number if ((features & 0x02000000) || (user.phone != null)) { // If SMS is enabled on the server or user has a phone number
@ -11383,7 +11383,7 @@
// Administrative Realms // Administrative Realms
if ((userinfo.siteadmin == 0xFFFFFFFF) || (userinfo.siteadmin & 2)) { if ((userinfo.siteadmin == 0xFFFFFFFF) || (userinfo.siteadmin & 2)) {
var xuserGroups = '<i>' + "None" + '</i>'; var xuserGroups = '<i>' + "None" + '</i>';
if (user.groups) { xuserGroups = ''; for (var i in user.groups) { xuserGroups += '<span class="tagSpan">' + user.groups[i] + '</span>'; } } if (user.groups) { xuserGroups = ''; for (var i in user.groups) { xuserGroups += '<span class="tagSpan">' + EscapeHtml(user.groups[i]) + '</span>'; } }
x += addDeviceAttribute("Admin Realms", addLinkConditional(xuserGroups, 'showUserGroupDialog(event,"' + userid + '")', (userinfo.siteadmin == 0xFFFFFFFF) || ((userinfo.groups == null) && (userinfo._id != user._id) && (user.siteadmin != 0xFFFFFFFF)))); x += addDeviceAttribute("Admin Realms", addLinkConditional(xuserGroups, 'showUserGroupDialog(event,"' + userid + '")', (userinfo.siteadmin == 0xFFFFFFFF) || ((userinfo.groups == null) && (userinfo._id != user._id) && (user.siteadmin != 0xFFFFFFFF))));
} }
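Review bot: In the agent-tag hunk, `tag` is already `EscapeHtml(node.agent.tag)` on the line above, so the new `EscapeHtml(tag)` and `EscapeHtml(tag.substring(7))` escape it a second time; if `EscapeHtml` encodes `&` (its definition is not in this diff), every entity from the first pass becomes `&amp;…` and renders literally, and the Intel AMT tag branch two lines later has the same double escape. The simplest fix is the pre-change line, `if (tag.startsWith('mailto:')) { tag = '<a href="' + tag + '">' + tag.substring(7) + '</a>'; }`, provided `EscapeHtml` also encodes quotes so the attribute context is covered; otherwise escape once from the raw `node.agent.tag` in both branches. Separately, in the two `addDeviceAttribute("Email", …)` lines and the Admin Realms line, `userid` is still concatenated unescaped into an `onclick=…("' + userid + '")` attribute; it appears to be a URI-encoded id (it goes through `decodeURIComponent` earlier in this file section), which would keep quotes out, but a comment stating that assumption, or simply wrapping it in `EscapeHtml` like the neighbouring values, would make the invariant explicit. The enclosing functions for these hunks start and end outside the diff.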