From 084d4109b88b9209d0720b26acdfc415d71611b7 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Tue, 28 Mar 2023 12:28:38 +0200
Subject: [PATCH] WebAdmin: ensure to sanitize data before rendering

Thanks to Polina Zvorykina, VK for reporting this issue

Signed-off-by: Nicola Murino
---
 go.mod | 2 +-
 go.sum | 4 ++--
 templates/webadmin/events.html | 20 ++++++++++++++++----
 templates/webadmin/iplists.html | 2 +-
 4 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/go.mod b/go.mod
index 1cfca2fd..1cd6750e 100644
--- a/go.mod
+++ b/go.mod
@@ -158,7 +158,7 @@ require (
 golang.org/x/tools v0.7.0 // indirect
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20230323212658-478b75c54725 // indirect
+ google.golang.org/genproto v0.0.0-20230327215041-6ac7f18bb9d5 // indirect
 google.golang.org/grpc v1.54.0 // indirect
 google.golang.org/protobuf v1.30.0 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
diff --git a/go.sum b/go.sum
index be07720e..174a4ce8 100644
--- a/go.sum
+++ b/go.sum
@@ -2805,8 +2805,8 @@ google.golang.org/genproto v0.0.0-20230113154510-dbe35b8444a5/go.mod h1:RGgjbofJ
 google.golang.org/genproto v0.0.0-20230124163310-31e0e69b6fc2/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
 google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
 google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230323212658-478b75c54725 h1:VmCWItVXcKboEMCwZaWge+1JLiTCQSngZeINF+wzO+g=
-google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
+google.golang.org/genproto v0.0.0-20230327215041-6ac7f18bb9d5 h1:Kd6tRRHXw8z4TlPlWi+NaK10gsePL6GdZBQChptOLGA=
+google.golang.org/genproto v0.0.0-20230327215041-6ac7f18bb9d5/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
 google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
diff --git a/templates/webadmin/events.html b/templates/webadmin/events.html
index 9f5d581b..fb0ab908 100644
--- a/templates/webadmin/events.html
+++ b/templates/webadmin/events.html
@@ -403,7 +403,7 @@ along with this program. If not, see .
 "data": "object_type",
 "render": function (data, type, row) {
 if (type === 'display') {
- let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true);
+ let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true, true);
 return ellipsisFn(`${data}: ${row["object_name"]}`,type);
 }
 return data;
@@ -411,7 +411,13 @@ along with this program. If not, see .
 },
 {
 "data": "username",
- "defaultContent": ""
+ "defaultContent": "",
+ "render": function (data, type, row) {
+ if (type === 'display') {
+ return escapeHTML(data);
+ }
+ return data;
+ }
 },
 {
 "data": "ip",
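Review bot: The third `true` passed to `$.fn.dataTable.render.ellipsis(70, true, true)` on the changed line is an unexplained boolean, although enabling it is the substance of this fix (the plugin's escapeHtml flag). I would annotate the call, `// 3rd arg: escape HTML before rendering; the interpolated object_name may be user-supplied`, and do the same at the identical changes in the virtual_path hunk (`@@ -486,7 +492,7 @@`) and in templates/webadmin/iplists.html. Whether the plugin escapes values shorter than the cutoff as well as truncated ones depends on the vendored plugin version, so it is worth confirming that a short value cannot reach the cell unescaped. The enclosing column definition starts and ends outside the hunk.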
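Review bot: The render callback added for the `username` column is repeated verbatim in the second username hunk (`@@ -497,7 +503,13 @@`), and both declare a `row` parameter they never use. I would define the renderer once in the template, `function escapeDisplay(data, type) { return type === 'display' ? escapeHTML(data) : data; }`, and reference it from both columns as `"render": escapeDisplay`. `escapeHTML` is not defined within the hunk, so presumably it is a template-level helper; whether it tolerates a null `data` (and whether DataTables still calls render when `defaultContent` is applied) is worth confirming against the helper. The enclosing columns array starts and ends outside the hunk.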
@@ -486,7 +492,7 @@ along with this program. If not, see .
 "data": "virtual_path",
 "render": function (data, type, row) {
 if (type === 'display') {
- let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true);
+ let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true, true);
 if (row["virtual_target_path"]){
 return ellipsisFn(`${data} => ${row["virtual_target_path"]}`,type);
 }
@@ -497,7 +503,13 @@ along with this program. If not, see .
 },
 {
 "data": "username",
- "defaultContent": ""
+ "defaultContent": "",
+ "render": function (data, type, row) {
+ if (type === 'display') {
+ return escapeHTML(data);
+ }
+ return data;
+ }
 },
 {
 "data": "protocol",
diff --git a/templates/webadmin/iplists.html b/templates/webadmin/iplists.html
index 2a5ae4d5..d4286bd2 100644
--- a/templates/webadmin/iplists.html
+++ b/templates/webadmin/iplists.html
@@ -455,7 +455,7 @@ $(document).ready(function () {
 "data": "description",
 "render": function (data, type, row) {
 if (type === 'display') {
- let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true);
+ let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true, true);
 return ellipsisFn(data,type);
 }
 return data;