Fix users xss (#14469)

Prevent bootgrid from unescaping already escaped strings.
librenms · Oct 17, 2022 · 3e3752e · 3e3752e
1 parent 09a2977
commit 3e3752e
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/resources/views/user/index.blade.php b/resources/views/user/index.blade.php
@@ -10,22 +10,22 @@
         </x-slot>
 
         <div class="table-responsive">
-            <table id="users" class="table table-bordered table-condensed" style="display: none;">
+            <table id="users" class="table table-bordered table-condensed">
                 <thead>
                 <tr>
                     <th data-column-id="user_id" data-visible="false" data-identifier="true" data-type="numeric">{{ __('ID') }}</th>
-                    <th data-column-id="username">{{ __('Username') }}</th>
-                    <th data-column-id="realname">{{ __('Real Name') }}</th>
+                    <th data-column-id="username" data-formatter="text">{{ __('Username') }}</th>
+                    <th data-column-id="realname" data-formatter="text">{{ __('Real Name') }}</th>
                     <th data-column-id="level" data-formatter="level" data-type="numeric">{{ __('Access') }}</th>
                     <th data-column-id="auth_type" data-visible="{{ $multiauth ? 'true' : 'false' }}">{{ __('auth.title') }}</th>
-                    <th data-column-id="email">{{ __('Email') }}</th>
+                    <th data-column-id="email" data-formatter="text">{{ __('Email') }}</th>
                     @if(\LibreNMS\Authentication\LegacyAuth::getType() == 'mysql')
                     <th data-column-id="enabled" data-formatter="enabled">{{ __('Enabled') }}</th>
                     @endif
                     @config('twofactor')
                     <th data-column-id="twofactor" data-formatter="twofactor">{{ __('2FA') }}</th>
                     @endconfig
-                    <th data-column-id="descr">{{ __('Description') }}</th>
+                    <th data-column-id="descr" data-formatter="text">{{ __('Description') }}</th>
                     <th data-column-id="action" data-formatter="actions" data-sortable="false" data-searchable="false">{{ __('Actions') }}</th>
                 </tr>
                 </thead>
@@ -70,6 +70,11 @@
                             return '<span class="fa fa-fw fa-close text-danger"></span>';
                         }
                     },
+                    text: function (column, row) {
+                        let div = document.createElement('div');
+                        div.innerText = row[column.id];
+                        return div.innerHTML;
+                    },
                     twofactor: function (column, row) {
                         if(row['twofactor'] == 1) {
                             return '<span class="fa fa-fw fa-check text-success"></span>';