[pve-devel] [PATCH manager] ui: fix missing htmlEncodes
Dominik Csapak
d.csapak at proxmox.com
Thu Apr 30 16:04:19 CEST 2020
username can include some special characters, so we have
to escape them
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
www/manager6/Workspace.js | 2 +-
www/manager6/dc/ACLView.js | 2 +-
www/manager6/dc/GroupView.js | 1 +
www/manager6/dc/Log.js | 2 ++
www/manager6/dc/PermissionView.js | 3 ++-
www/manager6/dc/TFAEdit.js | 1 +
www/manager6/dc/Tasks.js | 1 +
www/manager6/dc/TokenEdit.js | 1 +
www/manager6/dc/TokenView.js | 4 ++--
www/manager6/dc/UserEdit.js | 1 +
www/manager6/dc/UserView.js | 4 ++--
www/manager6/form/GroupSelector.js | 1 +
www/manager6/form/TokenSelector.js | 1 +
www/manager6/form/UserSelector.js | 1 +
www/manager6/window/Settings.js | 2 +-
15 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/www/manager6/Workspace.js b/www/manager6/Workspace.js
index 01b462c7..a95b88d7 100644
--- a/www/manager6/Workspace.js
+++ b/www/manager6/Workspace.js
@@ -182,7 +182,7 @@ Ext.define('PVE.StdWorkspace', {
updateUserInfo: function() {
var me = this;
var ui = me.query('#userinfo')[0];
- ui.setText(Proxmox.UserName || '');
+ ui.setText(Ext.String.htmlEncode(Proxmox.UserName || ''));
ui.updateLayout();
},
diff --git a/www/manager6/dc/ACLView.js b/www/manager6/dc/ACLView.js
index d0efe22e..24fd67d9 100644
--- a/www/manager6/dc/ACLView.js
+++ b/www/manager6/dc/ACLView.js
@@ -118,7 +118,7 @@ Ext.define('PVE.dc.ACLView', {
return '@' + ugid;
}
- return ugid;
+ return Ext.String.htmlEncode(ugid);
};
var columns = [
diff --git a/www/manager6/dc/GroupView.js b/www/manager6/dc/GroupView.js
index c40c5ba1..960ad114 100644
--- a/www/manager6/dc/GroupView.js
+++ b/www/manager6/dc/GroupView.js
@@ -92,6 +92,7 @@ Ext.define('PVE.dc.GroupView', {
header: gettext('Users'),
sortable: false,
dataIndex: 'users',
+ renderer: Ext.String.htmlEncode,
flex: 1
}
],
diff --git a/www/manager6/dc/Log.js b/www/manager6/dc/Log.js
index 48ce272e..fa58c08a 100644
--- a/www/manager6/dc/Log.js
+++ b/www/manager6/dc/Log.js
@@ -68,6 +68,7 @@ Ext.define('PVE.dc.Log', {
{
header: gettext("User name"),
dataIndex: 'user',
+ renderer: Ext.String.htmlEncode,
width: 150
},
{
@@ -79,6 +80,7 @@ Ext.define('PVE.dc.Log', {
{
header: gettext("Message"),
dataIndex: 'msg',
+ renderer: Ext.String.htmlEncode,
flex: 1
}
],
diff --git a/www/manager6/dc/PermissionView.js b/www/manager6/dc/PermissionView.js
index 483ab015..cc582261 100644
--- a/www/manager6/dc/PermissionView.js
+++ b/www/manager6/dc/PermissionView.js
@@ -140,7 +140,8 @@ Ext.define('PVE.dc.PermissionView', {
height: 600,
layout: 'fit',
cbind: {
- title: '{userid} - ' + gettext('Granted Permissions'),
+ title: (get) => Ext.String.htmlEncode(get('userid')) +
+ ` - ${gettext('Granted Permissions')}`,
},
items: [{
xtype: 'pveUserPermissionGrid',
diff --git a/www/manager6/dc/TFAEdit.js b/www/manager6/dc/TFAEdit.js
index bf51b8c9..3aada4cd 100644
--- a/www/manager6/dc/TFAEdit.js
+++ b/www/manager6/dc/TFAEdit.js
@@ -376,6 +376,7 @@ Ext.define('PVE.window.TFAEdit', {
{
xtype: 'displayfield',
fieldLabel: gettext('User name'),
+ renderer: Ext.String.htmlEncode,
cbind: {
value: '{userid}'
}
diff --git a/www/manager6/dc/Tasks.js b/www/manager6/dc/Tasks.js
index a011fe4f..b1441a72 100644
--- a/www/manager6/dc/Tasks.js
+++ b/www/manager6/dc/Tasks.js
@@ -101,6 +101,7 @@ Ext.define('PVE.dc.Tasks', {
{
header: gettext("User name"),
dataIndex: 'user',
+ renderer: Ext.String.htmlEncode,
width: 150
},
{
diff --git a/www/manager6/dc/TokenEdit.js b/www/manager6/dc/TokenEdit.js
index cdb5d911..13f1dff8 100644
--- a/www/manager6/dc/TokenEdit.js
+++ b/www/manager6/dc/TokenEdit.js
@@ -41,6 +41,7 @@ Ext.define('PVE.dc.TokenEdit', {
},
name: 'userid',
value: Proxmox.UserName,
+ renderer: Ext.String.htmlEncode,
fieldLabel: gettext('User'),
},
{
diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index c81d5f2f..69c60569 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -166,8 +166,8 @@ Ext.define('PVE.dc.TokenView', {
dataIndex: 'userid',
renderer: (uid) => {
let realmIndex = uid.lastIndexOf('@');
- let user = uid.substr(0, realmIndex);
- let realm = uid.substr(realmIndex);
+ let user = Ext.String.htmlEncode(uid.substr(0, realmIndex));
+ let realm = Ext.String.htmlEncode(uid.substr(realmIndex));
return `${user} <span style='float:right;'>${realm}</span>`;
},
hidden: !!me.fixedUser,
diff --git a/www/manager6/dc/UserEdit.js b/www/manager6/dc/UserEdit.js
index 5a0cbcf3..692eb277 100644
--- a/www/manager6/dc/UserEdit.js
+++ b/www/manager6/dc/UserEdit.js
@@ -72,6 +72,7 @@ Ext.define('PVE.dc.UserEdit', {
name: 'userid',
fieldLabel: gettext('User name'),
value: me.userid,
+ renderer: Ext.String.htmlEncode,
allowBlank: false,
submitValue: me.isCreate ? true : false
},
diff --git a/www/manager6/dc/UserView.js b/www/manager6/dc/UserView.js
index b9ff206b..cfbb139c 100644
--- a/www/manager6/dc/UserView.js
+++ b/www/manager6/dc/UserView.js
@@ -122,11 +122,11 @@ Ext.define('PVE.dc.UserView', {
];
var render_username = function(userid) {
- return userid.match(/^(.+)(@[^@]+)$/)[1];
+ return Ext.String.htmlEncode(userid.match(/^(.+)(@[^@]+)$/)[1]);
};
var render_realm = function(userid) {
- return userid.match(/@([^@]+)$/)[1];
+ return Ext.String.htmlEncode(userid.match(/@([^@]+)$/)[1]);
};
Ext.apply(me, {
diff --git a/www/manager6/form/GroupSelector.js b/www/manager6/form/GroupSelector.js
index 3d4776ee..38fc196c 100644
--- a/www/manager6/form/GroupSelector.js
+++ b/www/manager6/form/GroupSelector.js
@@ -35,6 +35,7 @@ Ext.define('PVE.form.GroupSelector', {
header: gettext('Users'),
sortable: false,
dataIndex: 'users',
+ renderer: Ext.String.htmlEncode,
flex: 1
}
]
diff --git a/www/manager6/form/TokenSelector.js b/www/manager6/form/TokenSelector.js
index 8ece6e69..bad829d2 100644
--- a/www/manager6/form/TokenSelector.js
+++ b/www/manager6/form/TokenSelector.js
@@ -44,6 +44,7 @@ Ext.define('PVE.form.TokenSelector', {
header: gettext('API Token'),
sortable: true,
dataIndex: 'id',
+ renderer: Ext.String.htmlEncode,
flex: 1
},
{
diff --git a/www/manager6/form/UserSelector.js b/www/manager6/form/UserSelector.js
index cd01bc3e..8f6f9fa4 100644
--- a/www/manager6/form/UserSelector.js
+++ b/www/manager6/form/UserSelector.js
@@ -29,6 +29,7 @@ Ext.define('PVE.form.UserSelector', {
header: gettext('User'),
sortable: true,
dataIndex: 'userid',
+ renderer: Ext.String.htmlEncode,
flex: 1
},
{
diff --git a/www/manager6/window/Settings.js b/www/manager6/window/Settings.js
index 2fa01ef0..e3519b1f 100644
--- a/www/manager6/window/Settings.js
+++ b/www/manager6/window/Settings.js
@@ -36,7 +36,7 @@ Ext.define('PVE.window.Settings', {
var sp = Ext.state.Manager.getProvider();
var username = sp.get('login-username') || Proxmox.Utils.noneText;
- me.lookupReference('savedUserName').setValue(username);
+ me.lookupReference('savedUserName').setValue(Ext.String.htmlEncode(username));
var vncMode = sp.get('novnc-scaling');
if (vncMode !== undefined) {
me.lookupReference('noVNCScalingGroup').setValue({ noVNCScalingField: vncMode });
--
2.20.1
More information about the pve-devel
mailing list