WebAdmin: ensure to sanitize data before rendering

Thanks to Polina Zvorykina, VK for reporting this issue Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-06 14:20:55 +03:00 · 2023-03-28 12:28:38 +02:00
parent b60d3f680e
commit 084d4109b8
4 changed files with 20 additions and 8 deletions
--- a/templates/webadmin/events.html
+++ b/templates/webadmin/events.html
@@ -403,7 +403,7 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
                    "data": "object_type",
                    "render": function (data, type, row) {
                        if (type === 'display') {
-                            let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true);
+                            let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true, true);
                            return ellipsisFn(`${data}: ${row["object_name"]}`,type);
                        }
                        return data;
@@ -411,7 +411,13 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
                },
                {
                    "data": "username",
-                    "defaultContent": ""
+                    "defaultContent": "",
+                    "render": function (data, type, row) {
+                        if (type === 'display') {
+                            return escapeHTML(data);
+                        }
+                        return data;
+                    }
                },
                {
                    "data": "ip",
@@ -486,7 +492,7 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
                    "data": "virtual_path",
                    "render": function (data, type, row) {
                        if (type === 'display') {
-                            let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true);
+                            let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true, true);
                            if (row["virtual_target_path"]){
                                return ellipsisFn(`${data} => ${row["virtual_target_path"]}`,type);
                            }
@@ -497,7 +503,13 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
                },
                {
                    "data": "username",
-                    "defaultContent": ""
+                    "defaultContent": "",
+                    "render": function (data, type, row) {
+                        if (type === 'display') {
+                            return escapeHTML(data);
+                        }
+                        return data;
+                    }
                },
                {
                    "data": "protocol",
--- a/templates/webadmin/iplists.html
+++ b/templates/webadmin/iplists.html
@@ -455,7 +455,7 @@ $(document).ready(function () {
                "data": "description",
                "render": function (data, type, row) {
                    if (type === 'display') {
-                        let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true);
+                        let ellipsisFn = $.fn.dataTable.render.ellipsis(70, true, true);
                        return ellipsisFn(data,type);
                    }
                    return data;