fix: [security] Fix persistent xss due to invalid sanitisation of ima…

…ge names in titles - triggered by expanding a screenshot - as reported by João Lucas Melo Brasio from Elytron Security S.A. (https://elytronsecurity.com)
MISP · May 7, 2019 · 62f1543 · 62f1543
1 parent 6f6fb67
commit 62f1543
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/app/webroot/js/misp.js b/app/webroot/js/misp.js
@@ -97,7 +97,9 @@ function screenshotPopup(url, title) {
     if (!url.startsWith('data:image/')) {
         url = url.slice(0, -1);
     }
-    popupHtml = '<it class="fa fa-spin fa-spinner" style="font-size: xx-large; color: white; position: fixed; left: 50%; top: 50%;"></it>'
+    popupHtml = '<it class="fa fa-spin fa-spinner" style="font-size: xx-large; color: white; position: fixed; left: 50%; top: 50%;"></it>';
+    url = $('<div>').text(url).html();
+    title = $('<div>').text(title).html();
     popupHtml += '<img class="screenshot_box-content hidden" src="' + url + '" id="screenshot-image" title="' + title + '" alt="' + title + '" onload="$(this).show(); $(this).parent().find(\'.fa-spinner\').remove();"/>';
     popupHtml += '<div class="close-icon useCursorPointer" onClick="closeScreenshot();"></div>';
     if (!url.startsWith('data:image/')) {