[pve-devel] [PATCH stable-5 manager 1/3] ui: fix missing htmlEncodes

Dominik Csapak d.csapak at proxmox.com
Tue May 12 12:11:08 CEST 2020


Usernames can include some special characters, so we have
to escape them.

backport from pve6

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 www/manager6/Workspace.js         | 2 +-
 www/manager6/dc/ACLView.js        | 2 +-
 www/manager6/dc/Log.js            | 2 ++
 www/manager6/dc/TFAEdit.js        | 1 +
 www/manager6/dc/Tasks.js          | 1 +
 www/manager6/dc/UserEdit.js       | 1 +
 www/manager6/dc/UserView.js       | 4 ++--
 www/manager6/form/UserSelector.js | 1 +
 www/manager6/window/Settings.js   | 2 +-
 9 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/www/manager6/Workspace.js b/www/manager6/Workspace.js
index ca67b7d9..ae41915e 100644
--- a/www/manager6/Workspace.js
+++ b/www/manager6/Workspace.js
@@ -170,7 +170,7 @@ Ext.define('PVE.StdWorkspace', {
 	var ui = me.query('#userinfo')[0];
 
 	if (Proxmox.UserName) {
-	    var msg =  Ext.String.format(gettext("You are logged in as {0}"), "'" + Proxmox.UserName + "'");
+	    var msg =  Ext.String.format(gettext("You are logged in as {0}"), "'" + Ext.String.htmlEncode(Proxmox.UserName) + "'");
 	    ui.update('<div class="x-unselectable" style="white-space:nowrap;">' + msg + '</div>');
 	} else {
 	    ui.update('');
diff --git a/www/manager6/dc/ACLView.js b/www/manager6/dc/ACLView.js
index 1322f952..07d8f136 100644
--- a/www/manager6/dc/ACLView.js
+++ b/www/manager6/dc/ACLView.js
@@ -111,7 +111,7 @@ Ext.define('PVE.dc.ACLView', {
 		return '@' + ugid;
 	    }
 
-	    return ugid;
+	    return Ext.String.htmlEncode(ugid);
 	};
 
 	var columns = [
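Review bot: The group branch a few lines above the change, `return '@' + ugid;`, still returns the id unencoded; only the final user return of the helper is wrapped. The helper's start and the branch condition are outside the hunk, so I cannot see what character set group ids are restricted to; if they can carry the same characters as user ids, that line should read `return '@' + Ext.String.htmlEncode(ugid);` so both outputs of the renderer are escaped.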
diff --git a/www/manager6/dc/Log.js b/www/manager6/dc/Log.js
index 0106af99..2b6e06ad 100644
--- a/www/manager6/dc/Log.js
+++ b/www/manager6/dc/Log.js
@@ -68,6 +68,7 @@ Ext.define('PVE.dc.Log', {
 		{ 
 		    header: gettext("User name"), 
 		    dataIndex: 'user',
+		    renderer: Ext.String.htmlEncode,
 		    width: 150
 		},
 		{ 
@@ -79,6 +80,7 @@ Ext.define('PVE.dc.Log', {
 		{ 
 		    header: gettext("Message"), 
 		    dataIndex: 'msg',
+		    renderer: Ext.String.htmlEncode,
 		    flex: 1	  
 		}
 	    ],
diff --git a/www/manager6/dc/TFAEdit.js b/www/manager6/dc/TFAEdit.js
index ed2ff30d..b39bed13 100644
--- a/www/manager6/dc/TFAEdit.js
+++ b/www/manager6/dc/TFAEdit.js
@@ -368,6 +368,7 @@ Ext.define('PVE.window.TFAEdit', {
 				{
 				    xtype: 'displayfield',
 				    fieldLabel: gettext('User name'),
+				    renderer: Ext.String.htmlEncode,
 				    cbind: {
 					value: '{userid}'
 				    }
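Review bot: Point of style: `Ext.form.field.Display` has its own `htmlEncode: true` config that escapes the displayed value, which reads more directly than installing `Ext.String.htmlEncode` as the field's `renderer`. Either is functionally fine here; the `renderer` form is what the grid columns in Log.js, Tasks.js and UserSelector.js need, since columns have no such option, so using the field config on displayfields would keep the two cases visibly distinct.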
diff --git a/www/manager6/dc/Tasks.js b/www/manager6/dc/Tasks.js
index 62e5ac71..5220bcb2 100644
--- a/www/manager6/dc/Tasks.js
+++ b/www/manager6/dc/Tasks.js
@@ -101,6 +101,7 @@ Ext.define('PVE.dc.Tasks', {
 		{
 		    header: gettext("User name"),
 		    dataIndex: 'user',
+		    renderer: Ext.String.htmlEncode,
 		    width: 150
 		},
 		{
diff --git a/www/manager6/dc/UserEdit.js b/www/manager6/dc/UserEdit.js
index 1665f4b0..26382d60 100644
--- a/www/manager6/dc/UserEdit.js
+++ b/www/manager6/dc/UserEdit.js
@@ -72,6 +72,7 @@ Ext.define('PVE.dc.UserEdit', {
                 name: 'userid',
                 fieldLabel: gettext('User name'),
                 value: me.userid,
+		renderer: Ext.String.htmlEncode,
                 allowBlank: false,
                 submitValue: me.isCreate ? true : false
             },
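Review bot: The added `renderer:` line is indented with a tab while the surrounding lines of this field config use spaces; it should match its neighbours. The field's xtype is outside the hunk, so I cannot tell whether it is a displayfield, where `renderer` is honoured, or a textfield in create mode, where the config is silently ignored and the value goes into the input's value attribute instead; if the xtype depends on `me.isCreate`, a one-line comment such as `// renderer only applies to the displayfield used in edit mode` would make the intent clear.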
diff --git a/www/manager6/dc/UserView.js b/www/manager6/dc/UserView.js
index 8918fb2b..57dda809 100644
--- a/www/manager6/dc/UserView.js
+++ b/www/manager6/dc/UserView.js
@@ -110,11 +110,11 @@ Ext.define('PVE.dc.UserView', {
         ];
 
 	var render_username = function(userid) {
-	    return userid.match(/^(.+)(@[^@]+)$/)[1];
+	    return Ext.String.htmlEncode(userid.match(/^(.+)(@[^@]+)$/)[1]);
 	};
 
 	var render_realm = function(userid) {
-	    return userid.match(/@([^@]+)$/)[1];
+	    return Ext.String.htmlEncode(userid.match(/@([^@]+)$/)[1]);
 	};
 
 	Ext.apply(me, {
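Review bot: `render_username` and `render_realm` still index `[1]` directly on the `match()` result, so a userid without an `@realm` suffix throws a TypeError inside the grid renderer; the commit wraps the expression in `htmlEncode` without adding a guard. If such values cannot reach this store the existing code is fine, otherwise a fallback such as `var m = userid.match(/^(.+)(@[^@]+)$/); return Ext.String.htmlEncode(m ? m[1] : userid);` would keep a malformed record from breaking the row.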
diff --git a/www/manager6/form/UserSelector.js b/www/manager6/form/UserSelector.js
index cd01bc3e..8f6f9fa4 100644
--- a/www/manager6/form/UserSelector.js
+++ b/www/manager6/form/UserSelector.js
@@ -29,6 +29,7 @@ Ext.define('PVE.form.UserSelector', {
 			header: gettext('User'),
 			sortable: true,
 			dataIndex: 'userid',
+			renderer: Ext.String.htmlEncode,
 			flex: 1
 		    },
 		    {
diff --git a/www/manager6/window/Settings.js b/www/manager6/window/Settings.js
index 1a4d8599..54271a75 100644
--- a/www/manager6/window/Settings.js
+++ b/www/manager6/window/Settings.js
@@ -36,7 +36,7 @@ Ext.define('PVE.window.Settings', {
 	    var sp = Ext.state.Manager.getProvider();
 
 	    var username = sp.get('login-username') || Proxmox.Utils.noneText;
-	    me.lookupReference('savedUserName').setValue(username);
+	    me.lookupReference('savedUserName').setValue(Ext.String.htmlEncode(username));
 
 	    var settings = ['fontSize', 'fontFamily', 'letterSpacing', 'lineHeight'];
 	    settings.forEach(function(setting) {
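Review bot: `setValue(Ext.String.htmlEncode(username))` stores the encoded string as the field's value, so `getValue()` on `savedUserName` now yields entity-escaped text rather than the saved login name; the field's definition is outside the hunk. If it is a displayfield, its `htmlEncode: true` config would escape at render time and leave the value intact; if the value is never read back, a short comment such as `// display-only: value is escaped for rendering` would document the choice. `Proxmox.Utils.noneText` is encoded too, which is harmless as long as that text contains no markup.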
-- 
2.20.1




