🔒️ Fix an XSS issue in the user/group delete confirmation

Requires admin rights to exploit in any way. With OctoPrint 1.8.0 all cookies with credentials are http-only and thus not targetable (to my knowledge) by this. CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, Severity Low
OctoPrint · May 19, 2022 · 77904a7 · 77904a7
1 parent 89fbcfd
commit 77904a7
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/octoprint/static/js/app/viewmodels/access.js b/src/octoprint/static/js/app/viewmodels/access.js
@@ -324,7 +324,7 @@ $(function () {
                     title: gettext("Are you sure?"),
                     message: _.sprintf(
                         gettext('You are about to delete the user "%(name)s".'),
-                        {name: user.name}
+                        {name: _.escape(user.name)}
                     ),
                     proceed: gettext("Delete"),
                     onproceed: function () {
@@ -656,7 +656,7 @@ $(function () {
                     title: gettext("Are you sure?"),
                     message: _.sprintf(
                         gettext('You are about to delete the group "%(name)s".'),
-                        {name: group.name}
+                        {name: _.escape(group.name)}
                     ),
                     proceed: gettext("Delete"),
                     onproceed: function () {