[pve-devel] [PATCH manager] ui: fix missing htmlEncodes

Dominik Csapak d.csapak at proxmox.com
Thu Apr 30 16:04:19 CEST 2020


Usernames can include characters that are special in HTML, so we have
to escape them before rendering

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 www/manager6/Workspace.js          | 2 +-
 www/manager6/dc/ACLView.js         | 2 +-
 www/manager6/dc/GroupView.js       | 1 +
 www/manager6/dc/Log.js             | 2 ++
 www/manager6/dc/PermissionView.js  | 3 ++-
 www/manager6/dc/TFAEdit.js         | 1 +
 www/manager6/dc/Tasks.js           | 1 +
 www/manager6/dc/TokenEdit.js       | 1 +
 www/manager6/dc/TokenView.js       | 4 ++--
 www/manager6/dc/UserEdit.js        | 1 +
 www/manager6/dc/UserView.js        | 4 ++--
 www/manager6/form/GroupSelector.js | 1 +
 www/manager6/form/TokenSelector.js | 1 +
 www/manager6/form/UserSelector.js  | 1 +
 www/manager6/window/Settings.js    | 2 +-
 15 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/www/manager6/Workspace.js b/www/manager6/Workspace.js
index 01b462c7..a95b88d7 100644
--- a/www/manager6/Workspace.js
+++ b/www/manager6/Workspace.js
@@ -182,7 +182,7 @@ Ext.define('PVE.StdWorkspace', {
     updateUserInfo: function() {
 	var me = this;
 	var ui = me.query('#userinfo')[0];
-	ui.setText(Proxmox.UserName || '');
+	ui.setText(Ext.String.htmlEncode(Proxmox.UserName || ''));
 	ui.updateLayout();
     },
 
diff --git a/www/manager6/dc/ACLView.js b/www/manager6/dc/ACLView.js
index d0efe22e..24fd67d9 100644
--- a/www/manager6/dc/ACLView.js
+++ b/www/manager6/dc/ACLView.js
@@ -118,7 +118,7 @@ Ext.define('PVE.dc.ACLView', {
 		return '@' + ugid;
 	    }
 
-	    return ugid;
+	    return Ext.String.htmlEncode(ugid);
 	};
 
 	var columns = [
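Review bot: The group branch at the top of this hunk still returns `'@' + ugid` unencoded, so only the user-id branch of this renderer is escaped. Group ids are presumably restricted by the API's id format, but encoding both branches keeps the renderer safe regardless of server-side validation: `return '@' + Ext.String.htmlEncode(ugid);`. The renderer function begins before the hunk.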
diff --git a/www/manager6/dc/GroupView.js b/www/manager6/dc/GroupView.js
index c40c5ba1..960ad114 100644
--- a/www/manager6/dc/GroupView.js
+++ b/www/manager6/dc/GroupView.js
@@ -92,6 +92,7 @@ Ext.define('PVE.dc.GroupView', {
 		    header: gettext('Users'),
 		    sortable: false,
 		    dataIndex: 'users',
+		    renderer: Ext.String.htmlEncode,
 		    flex: 1
 		}
 	    ],
diff --git a/www/manager6/dc/Log.js b/www/manager6/dc/Log.js
index 48ce272e..fa58c08a 100644
--- a/www/manager6/dc/Log.js
+++ b/www/manager6/dc/Log.js
@@ -68,6 +68,7 @@ Ext.define('PVE.dc.Log', {
 		{ 
 		    header: gettext("User name"), 
 		    dataIndex: 'user',
+		    renderer: Ext.String.htmlEncode,
 		    width: 150
 		},
 		{ 
@@ -79,6 +80,7 @@ Ext.define('PVE.dc.Log', {
 		{ 
 		    header: gettext("Message"), 
 		    dataIndex: 'msg',
+		    renderer: Ext.String.htmlEncode,
 		    flex: 1	  
 		}
 	    ],
diff --git a/www/manager6/dc/PermissionView.js b/www/manager6/dc/PermissionView.js
index 483ab015..cc582261 100644
--- a/www/manager6/dc/PermissionView.js
+++ b/www/manager6/dc/PermissionView.js
@@ -140,7 +140,8 @@ Ext.define('PVE.dc.PermissionView', {
     height: 600,
     layout: 'fit',
     cbind: {
-	title: '{userid} - ' + gettext('Granted Permissions'),
+	title: (get) => Ext.String.htmlEncode(get('userid')) +
+	    ` - ${gettext('Granted Permissions')}`,
     },
     items: [{
 	xtype: 'pveUserPermissionGrid',
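Review bot: The new title binder mixes `+` concatenation with a template literal split over two lines; since this file already uses template literals, a single literal reads more clearly: `` title: (get) => `${Ext.String.htmlEncode(get('userid'))} - ${gettext('Granted Permissions')}`, ``. Encoding here is only needed if the window title is inserted as HTML, which the hunk does not show; a one-line comment such as `// userid ends up in the title markup, so it must be HTML-encoded` would record that assumption for the next reader.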
diff --git a/www/manager6/dc/TFAEdit.js b/www/manager6/dc/TFAEdit.js
index bf51b8c9..3aada4cd 100644
--- a/www/manager6/dc/TFAEdit.js
+++ b/www/manager6/dc/TFAEdit.js
@@ -376,6 +376,7 @@ Ext.define('PVE.window.TFAEdit', {
 				{
 				    xtype: 'displayfield',
 				    fieldLabel: gettext('User name'),
+				    renderer: Ext.String.htmlEncode,
 				    cbind: {
 					value: '{userid}'
 				    }
diff --git a/www/manager6/dc/Tasks.js b/www/manager6/dc/Tasks.js
index a011fe4f..b1441a72 100644
--- a/www/manager6/dc/Tasks.js
+++ b/www/manager6/dc/Tasks.js
@@ -101,6 +101,7 @@ Ext.define('PVE.dc.Tasks', {
 		{
 		    header: gettext("User name"),
 		    dataIndex: 'user',
+		    renderer: Ext.String.htmlEncode,
 		    width: 150
 		},
 		{
diff --git a/www/manager6/dc/TokenEdit.js b/www/manager6/dc/TokenEdit.js
index cdb5d911..13f1dff8 100644
--- a/www/manager6/dc/TokenEdit.js
+++ b/www/manager6/dc/TokenEdit.js
@@ -41,6 +41,7 @@ Ext.define('PVE.dc.TokenEdit', {
 		},
 		name: 'userid',
 		value: Proxmox.UserName,
+		renderer: Ext.String.htmlEncode,
 		fieldLabel: gettext('User'),
 	    },
 	    {
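Review bot: A `renderer` config only takes effect on a displayfield, and this field's xtype is above the hunk, so it is not visible here whether the added line is honoured or silently ignored (an editable input field would ignore it, and would not interpret HTML either). The same applies to the `renderer` added in www/manager6/dc/UserEdit.js, where `allowBlank: false` and `submitValue: me.isCreate ? true : false` suggest the field may be an editable textfield in create mode. A short comment on the added line, `// displayfield renders its value as HTML, so encode it`, would make the assumption explicit in both places.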
diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index c81d5f2f..69c60569 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -166,8 +166,8 @@ Ext.define('PVE.dc.TokenView', {
 		    dataIndex: 'userid',
 		    renderer: (uid) => {
 			let realmIndex = uid.lastIndexOf('@');
-			let user = uid.substr(0, realmIndex);
-			let realm = uid.substr(realmIndex);
+			let user = Ext.String.htmlEncode(uid.substr(0, realmIndex));
+			let realm = Ext.String.htmlEncode(uid.substr(realmIndex));
 			return `${user} <span style='float:right;'>${realm}</span>`;
 		    },
 		    hidden: !!me.fixedUser,
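Review bot: When `uid` contains no '@', `lastIndexOf` returns -1, so `uid.substr(0, -1)` yields an empty user and `uid.substr(-1)` yields the last character as the realm; the encoding change does not address this pre-existing split. Whether such ids can reach this column is not visible from the hunk, but a guard before the split, `if (realmIndex < 0) return Ext.String.htmlEncode(uid);`, makes the renderer safe for any input. The column definition begins before the hunk.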
diff --git a/www/manager6/dc/UserEdit.js b/www/manager6/dc/UserEdit.js
index 5a0cbcf3..692eb277 100644
--- a/www/manager6/dc/UserEdit.js
+++ b/www/manager6/dc/UserEdit.js
@@ -72,6 +72,7 @@ Ext.define('PVE.dc.UserEdit', {
                 name: 'userid',
                 fieldLabel: gettext('User name'),
                 value: me.userid,
+		renderer: Ext.String.htmlEncode,
                 allowBlank: false,
                 submitValue: me.isCreate ? true : false
             },
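Review bot: The added `renderer` line is indented with tabs while the neighbouring config lines (`name`, `fieldLabel`, `value`, `allowBlank`) use spaces, so the object literal is misaligned at any tab width other than 8; match the surrounding lines' indentation. The enclosing items array starts before the hunk.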
diff --git a/www/manager6/dc/UserView.js b/www/manager6/dc/UserView.js
index b9ff206b..cfbb139c 100644
--- a/www/manager6/dc/UserView.js
+++ b/www/manager6/dc/UserView.js
@@ -122,11 +122,11 @@ Ext.define('PVE.dc.UserView', {
         ];
 
 	var render_username = function(userid) {
-	    return userid.match(/^(.+)(@[^@]+)$/)[1];
+	    return Ext.String.htmlEncode(userid.match(/^(.+)(@[^@]+)$/)[1]);
 	};
 
 	var render_realm = function(userid) {
-	    return userid.match(/@([^@]+)$/)[1];
+	    return Ext.String.htmlEncode(userid.match(/@([^@]+)$/)[1]);
 	};
 
 	Ext.apply(me, {
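Review bot: Both helpers index `[1]` directly into the result of `.match(...)`; for a userid without '@' the match is null and the renderer throws a TypeError, which the encoding change leaves in place. Whether such ids can reach these renderers is not visible here, but a null-safe form costs one line each: `const m = userid.match(/^(.+)(@[^@]+)$/); return Ext.String.htmlEncode(m ? m[1] : userid);`, with the analogous change in render_realm. The enclosing function starts before the hunk.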
diff --git a/www/manager6/form/GroupSelector.js b/www/manager6/form/GroupSelector.js
index 3d4776ee..38fc196c 100644
--- a/www/manager6/form/GroupSelector.js
+++ b/www/manager6/form/GroupSelector.js
@@ -35,6 +35,7 @@ Ext.define('PVE.form.GroupSelector', {
 		header: gettext('Users'),
 		sortable: false,
 		dataIndex: 'users',
+		renderer: Ext.String.htmlEncode,
 		flex: 1
 	    }
 	]
diff --git a/www/manager6/form/TokenSelector.js b/www/manager6/form/TokenSelector.js
index 8ece6e69..bad829d2 100644
--- a/www/manager6/form/TokenSelector.js
+++ b/www/manager6/form/TokenSelector.js
@@ -44,6 +44,7 @@ Ext.define('PVE.form.TokenSelector', {
 		header: gettext('API Token'),
 		sortable: true,
 		dataIndex: 'id',
+		renderer: Ext.String.htmlEncode,
 		flex: 1
 	    },
 	    {
diff --git a/www/manager6/form/UserSelector.js b/www/manager6/form/UserSelector.js
index cd01bc3e..8f6f9fa4 100644
--- a/www/manager6/form/UserSelector.js
+++ b/www/manager6/form/UserSelector.js
@@ -29,6 +29,7 @@ Ext.define('PVE.form.UserSelector', {
 			header: gettext('User'),
 			sortable: true,
 			dataIndex: 'userid',
+			renderer: Ext.String.htmlEncode,
 			flex: 1
 		    },
 		    {
diff --git a/www/manager6/window/Settings.js b/www/manager6/window/Settings.js
index 2fa01ef0..e3519b1f 100644
--- a/www/manager6/window/Settings.js
+++ b/www/manager6/window/Settings.js
@@ -36,7 +36,7 @@ Ext.define('PVE.window.Settings', {
 	    var sp = Ext.state.Manager.getProvider();
 
 	    var username = sp.get('login-username') || Proxmox.Utils.noneText;
-	    me.lookupReference('savedUserName').setValue(username);
+	    me.lookupReference('savedUserName').setValue(Ext.String.htmlEncode(username));
 	    var vncMode = sp.get('novnc-scaling');
 	    if (vncMode !== undefined) {
 		me.lookupReference('noVNCScalingGroup').setValue({ noVNCScalingField: vncMode });
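Review bot: Encoding the string before `setValue()` means the field's `getValue()` now returns the HTML-encoded form rather than the saved user name, unlike the other hunks in this series, which encode at render time via `renderer: Ext.String.htmlEncode` and leave the underlying value untouched. If `savedUserName` is a displayfield (its definition is outside the hunk), configuring `renderer: Ext.String.htmlEncode` on it and passing `username` unchanged keeps the stored value intact and matches the rest of the patch. The enclosing function begins before the hunk.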
-- 
2.20.1




