Avoid XSS issues while deleting account and looking at logs.

modoboa · Jan 26, 2023 · eef9ab7 · eef9ab7
1 parent 718ee43
commit eef9ab7
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/modoboa/admin/static/admin/js/admin.js b/modoboa/admin/static/admin/js/admin.js
@@ -408,7 +408,7 @@ Identities.prototype = {
         }
 
         $("a[name=delaccount]").confirm({
-            question: function() { return this.$element.attr('title'); },
+            question: function() { return htmlEncode(this.$element.attr('title')); },
             method: "POST",
             checkboxes: deloptions,
             success_cb: $.proxy(this.reload_listing, this)

diff --git a/modoboa/core/templates/core/logs_page.html b/modoboa/core/templates/core/logs_page.html
@@ -5,6 +5,6 @@
   <td>{{ l.date_created|date:"SHORT_DATETIME_FORMAT" }}</td>
   <td>{{ l.level|colorize_level|safe }}</td>
   <td>{{ l.logger }}</td>
-  <td>{{ l.message|tohtml|safe }}</td>
+  <td>{{ l.message }}</td>
 </tr>
 {% endfor %}
diff --git a/modoboa/static/js/autocompleter.js b/modoboa/static/js/autocompleter.js
@@ -56,7 +56,7 @@
             $.each(this.choices, $.proxy(function(index, value) {
                 if (exp.test(value)) {
                     this.$menu.append(
-                        $('<li><a href="#" name="' + value + '">' + value + '</a></li>')
+                        $('<li><a href="#" name="' + htmlEncode(value) + '">' + htmlEncode(value) + '</a></li>')
                     );
                 }
             }, this));