From 3b23bdc378b6b5a7a5d254e3b4a35bcc10b7e81a Mon Sep 17 00:00:00 2001
From: Ondrej Mular <omular@redhat.com>
Date: Sat, 4 Mar 2017 14:01:43 +0100
Subject: [PATCH] web UI: fixed XSS vulnerability CVE-2017-2661

---
 pcsd/public/js/nodes-ember.js | 4 ++--
 pcsd/public/js/pcsd.js        | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pcsd/public/js/nodes-ember.js b/pcsd/public/js/nodes-ember.js
index cb2f4d16..41fede89 100644
--- a/pcsd/public/js/nodes-ember.js
+++ b/pcsd/public/js/nodes-ember.js
@@ -75,7 +75,7 @@ Pcs = Ember.Application.createWithMixins({
     var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
     $.each(this.get("sbd_config"), function(opt, val) {
       if (banned_options.indexOf(opt) == -1) {
-        out += '<tr><td>' + opt + '</td><td>' + val + '</td></tr>\n';
+        out += '<tr><td>' + htmlEncode(opt) + '</td><td>' + htmlEncode(val) + '</td></tr>\n';
       }
     });
     return out + '</table>';
@@ -879,7 +879,7 @@ Pcs.ResourceObj = Ember.Object.extend({
   }.property("status_val"),
   show_status: function() {
     return '<span style="' + this.get('status_style') + '">'
-      + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+      + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
       + '</span>';
   }.property("status_style", "disabled"),
   status_class: function() {
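Review bot: `this.get('status_style')` on the first line of show_status is still concatenated into the `style="…"` attribute unencoded, so only half of the expression is covered by the fix. If status_style is derived from server-supplied status values (it is computed elsewhere, outside this hunk), the same encoding should be applied there: `return '<span style="' + htmlEncode(this.get('status_style')) + '">'`. Separately, the dependent keys `.property("status_style", "disabled")` do not list `status` or `is_unmanaged` although the body reads both; presumably status_style already tracks status_val, but a change of is_unmanaged alone would not refresh the rendered text — worth confirming or adding the keys.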
diff --git a/pcsd/public/js/pcsd.js b/pcsd/public/js/pcsd.js
index c96f9baa..6f57de0f 100644
--- a/pcsd/public/js/pcsd.js
+++ b/pcsd/public/js/pcsd.js
@@ -821,7 +821,7 @@ function auth_nodes_dialog(unauth_nodes, callback_success, callback_success_one)
 
   dialog_obj.find('#auth_nodes_list').empty();
   unauth_nodes.forEach(function(node) {
-    dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + node + '</td><td><input type="password" name="' + node + '-pass"></td></tr>\n');
+    dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + htmlEncode(node) + '</td><td><input type="password" name="' + htmlEncode(node) + '-pass"></td></tr>\n');
   });
 
 }
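Review bot: The second htmlEncode(node) call on the added line lands inside a double-quoted attribute value (`name="…-pass"`), which is a different context from the `<td>` text the other hunks encode. htmlEncode's implementation is not part of this patch; it must escape `"` (and ideally `'`) in addition to `&`, `<` and `>` for the attribute to be safe, otherwise a quote in the node name still terminates the attribute. If it only handles the three text-context characters, extend it to map `"` to `&quot;` and `'` to `&#39;`, or build the row with jQuery's `$('<td>').text(node)` / `.attr('name', node + '-pass')` instead of string concatenation. auth_nodes_dialog begins outside the hunk; only its closing brace is visible here.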
-- 
2.11.0