security fix: Cross-site Scripting (XSS) using Bloodhound

Patrowl · Nov 9, 2021 · 5199074 · 5199074
1 parent d2bbea1
commit 5199074
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 7 deletions.
diff --git a/assets/templates/add-asset-group.html b/assets/templates/add-asset-group.html
@@ -145,7 +145,7 @@
           return '<div class="noitems"> No items found</div>';
         },
         suggestion: function(data) {
-            return '<div>' + data.value + ' - '+ data.name + '</div>';
+            return '<div>' + encodeURIComponent(data.value) + ' - '+ encodeURIComponent(data.name) + '</div>';
         }
       }
     }).bind("typeahead:selected", function(e, datum, name) {

diff --git a/assets/templates/edit-asset-group.html b/assets/templates/edit-asset-group.html
@@ -174,7 +174,7 @@ <h4 class="modal-title" id="myModalLabel">Delete Asset Group</h4>
           return '<div class="noitems"> No items found</div>';
         },
         suggestion: function(data) {
-            return '<div>' + data.value + ' - '+ data.name + '</div>';
+            return '<div>' + encodeURIComponent(data.value) + ' - '+ encodeURIComponent(data.name) + '</div>';
         }
       }
     }).bind("typeahead:selected", function(e, datum, name) {

diff --git a/scans/templates/add-scan-definition.html b/scans/templates/add-scan-definition.html
@@ -394,11 +394,11 @@
         },
         suggestion: function(data) {
           if (data.format == "asset"){
-            return '<div>' + data.value + ' - '+ data.name + '</div>';
+            return '<div>' + encodeURIComponent(data.value) + ' - '+ encodeURIComponent(data.name) + '</div>';
           } else if (data.format == "taggroup"){
-            return '<div> [Tags] ' + data.value + ' - '+ data.name + '</div>';
+            return '<div> [Tags] ' + encodeURIComponent(data.value) + ' - '+ encodeURIComponent(data.name) + '</div>';
           }else {
-            return '<div> [Group] ' + data.value + ' - '+ data.name + '</div>';
+            return '<div> [Group] ' + encodeURIComponent(data.value) + ' - '+ encodeURIComponent(data.name) + '</div>';
           }
         }
       }

diff --git a/scans/templates/edit-scan-definition.html b/scans/templates/edit-scan-definition.html
@@ -470,9 +470,9 @@
         },
         suggestion: function(data) {
           if (data.format == "asset"){
-            return '<div>' + data.value + ' - '+ data.name + '</div>';
+            return '<div>' + encodeURIComponent(data.value) + ' - '+ encodeURIComponent(data.name) + '</div>';
           } else {
-            return '<div> [Group] ' + data.value + ' - '+ data.name + '</div>';
+            return '<div> [Group] ' + encodeURIComponent(data.value) + ' - '+ encodeURIComponent(data.name) + '</div>';
           }
         }
       }