From 77904a71b45e6d017cf4c7e5eb8b8d973693c146 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?=
Date: Thu, 19 May 2022 13:08:16 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Fix=20an=20XSS=20issue?=
 =?UTF-8?q?=20in=20the=20user/group=20delete=20confirmation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Requires admin rights to exploit in any way. With OctoPrint 1.8.0 all cookies with credentials are http-only and thus not targetable (to my knowledge) by this. CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, Severity Low
---
 src/octoprint/static/js/app/viewmodels/access.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/octoprint/static/js/app/viewmodels/access.js b/src/octoprint/static/js/app/viewmodels/access.js
index 27c18d9444..0c9c842097 100644
--- a/src/octoprint/static/js/app/viewmodels/access.js
+++ b/src/octoprint/static/js/app/viewmodels/access.js
@@ -324,7 +324,7 @@ $(function () {
 title: gettext("Are you sure?"),
 message: _.sprintf(
 gettext('You are about to delete the user "%(name)s".'),
- {name: user.name}
+ {name: _.escape(user.name)}
 ),
 proceed: gettext("Delete"),
 onproceed: function () {
@@ -656,7 +656,7 @@ $(function () {
 title: gettext("Are you sure?"),
 message: _.sprintf(
 gettext('You are about to delete the group "%(name)s".'),
- {name: group.name}
+ {name: _.escape(group.name)}
 ),
 proceed: gettext("Delete"),
 onproceed: function () {
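Review bot: The added `_.escape(user.name)` closes this instance, but the escaping now lives at the call site while the actual sink, the confirmation helper that (per the commit title) renders `message` as HTML, is unchanged and outside this hunk, so any future caller that interpolates a user- or admin-controlled string into a `message` will reintroduce the same XSS. Worth checking that helper: if it only ever needs plain text here, rendering `message` with a text setter rather than an HTML setter removes the bug class instead of this one instance; if it must accept HTML, an escaping default or at least a comment at the sink is the durable fix. Until then, a why-comment keeps the next editor from "simplifying" the call away, e.g. `// name is attacker-influenced and message is rendered as HTML - keep escaped`. The surrounding delete handler and the enclosing `$(function () {` start and end outside the hunk; the same remarks apply verbatim to the group hunk below.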