From ab89a271ad0bd6d5d6f9d6cf134595638235f115 Mon Sep 17 00:00:00 2001
From: Yogesh Ojha <yogesh.ojha11@gmail.com>
Date: Wed, 1 Sep 2021 00:02:11 +0530
Subject: [PATCH] Fixed XSS reported by @phor3nsic on Huntr.dev XSS payloads
 could be uploaded via Nuclei and GF pattern files

---
 web/scanEngine/static/scanEngine/js/custom_tools.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/scanEngine/static/scanEngine/js/custom_tools.js b/web/scanEngine/static/scanEngine/js/custom_tools.js
index 7af299d16..bae524d78 100644
--- a/web/scanEngine/static/scanEngine/js/custom_tools.js
+++ b/web/scanEngine/static/scanEngine/js/custom_tools.js
@@ -7,7 +7,7 @@ function load_gf_template(pattern_name){
   $('.modal-text').append(`<div class='outer-div' id="modal-loader"><span class="inner-div spinner-border text-info align-self-center loader-sm"></span></div>`);
   $.getJSON(`/api/getFileContents?gf_pattern&name=${pattern_name}&format=json`, function(data) {
     $('#modal-loader').empty();
-    $('#modal-text-content').append(`<pre>${data['content']}</pre>`);
+    $('#modal-text-content').append(`<pre>${htmlEncode(data['content'])}</pre>`);
   }).fail(function(){
     $('#modal-loader').empty();
     $("#modal-text-content").append(`<p class='text-danger'>Error loading GF Pattern</p>`);
@@ -24,7 +24,7 @@ function load_nuclei_template(pattern_name){
   $('.modal-text').append(`<div class='outer-div' id="modal-loader"><span class="inner-div spinner-border text-info align-self-center loader-sm"></span></div>`);
   $.getJSON(`/api/getFileContents?nuclei_template&name=${pattern_name}&format=json`, function(data) {
     $('#modal-loader').empty();
-    $('#modal-text-content').append(`<pre>${data['content']}</pre>`);
+    $('#modal-text-content').append(`<pre>${htmlEncode(data['content'])}</pre>`);
   }).fail(function(){
     $('#modal-loader').empty();
     $("#modal-text-content").append(`<p class='text-danger'>Error loading Nuclei Template</p>`);