web UI: fixed XSS vulnerability
ondrejmular authored and tomjelinek committed Mar 21, 2017
1 parent dff989f commit 1874a76
Showing 3 changed files with 7 additions and 3 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -25,14 +25,18 @@
even if the cluster is running Virtual IP resources ([rhbz#1334429])
- `pcs booth remove` now works correctly even if the booth resource group is
disabled (another fix) ([rhbz#1389941])
- Fixed Cross-site scripting (XSS) vulnerability in web UI ([CVE-2017-2661],
[rhbz#1434111])

[CVE-2017-2661]: https://access.redhat.com/security/cve/CVE-2017-2661
[rhbz#1303969]: https://bugzilla.redhat.com/show_bug.cgi?id=1303969
[rhbz#1315627]: https://bugzilla.redhat.com/show_bug.cgi?id=1315627
[rhbz#1334429]: https://bugzilla.redhat.com/show_bug.cgi?id=1334429
[rhbz#1362493]: https://bugzilla.redhat.com/show_bug.cgi?id=1362493
[rhbz#1378742]: https://bugzilla.redhat.com/show_bug.cgi?id=1378742
[rhbz#1389941]: https://bugzilla.redhat.com/show_bug.cgi?id=1389941
[rhbz#1421702]: https://bugzilla.redhat.com/show_bug.cgi?id=1421702
[rhbz#1434111]: https://bugzilla.redhat.com/show_bug.cgi?id=1434111


## [0.9.156] - 2017-02-10
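Review bot: the new entry at "Fixed Cross-site scripting (XSS) vulnerability in web UI" should say which web UI inputs were affected, since the other files in this commit show exactly three sinks (SBD configuration option names and values in the cluster properties table, resource status text, and node names in the authentication dialog); a short parenthetical such as "(SBD options, resource status, node names in the auth dialog)" lets operators judge exposure from the changelog alone. Minor style point on the same line: "Cross-site" mid-sentence should be lowercase to match the surrounding entries.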
4 changes: 2 additions & 2 deletions pcsd/public/js/nodes-ember.js
@@ -75,7 +75,7 @@ Pcs = Ember.Application.createWithMixins({
var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
$.each(this.get("sbd_config"), function(opt, val) {
if (banned_options.indexOf(opt) == -1) {
out += '<tr><td>' + opt + '</td><td>' + val + '</td></tr>\n';
out += '<tr><td>' + htmlEncode(opt) + '</td><td>' + htmlEncode(val) + '</td></tr>\n';
}
});
return out + '</table>';
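Review bot: `htmlEncode` is introduced here but not defined in this hunk, so the review should confirm what it escapes. In this table both `opt` and `val` land in element text content, where escaping `&`, `<` and `>` is sufficient; the same helper is used inside a quoted attribute in pcsd.js in this commit, so it also needs to escape `"` (and ideally `'`) to be safe for every call site. Confirm the helper covers all five characters or, if it is implemented via jQuery's `.text(...).html()`, be aware that quotes are not escaped by that approach.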
@@ -879,7 +879,7 @@ Pcs.ResourceObj = Ember.Object.extend({
}.property("status_val"),
show_status: function() {
return '<span style="' + this.get('status_style') + '">'
+ this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+ htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+ '</span>';
}.property("status_style", "disabled"),
status_class: function() {
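Review bot: `this.get('status_style')` is still concatenated unescaped into the `style="..."` attribute on the line above the changed one; if `status_style` is derived only from `status_val` (as its `.property("status_val")` suggests) this is harmless, but wrapping it in `htmlEncode(...)` as well would make `show_status` safe regardless of where the value comes from and matches the intent of this fix. Separately, the computed property declares dependent keys `"status_style", "disabled"` while the body reads `status` and `is_unmanaged`; the cached value will not update when those change, so the key list should include the properties actually read.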
2 changes: 1 addition & 1 deletion pcsd/public/js/pcsd.js
@@ -821,7 +821,7 @@ function auth_nodes_dialog(unauth_nodes, callback_success, callback_success_one)

dialog_obj.find('#auth_nodes_list').empty();
unauth_nodes.forEach(function(node) {
dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + node + '</td><td><input type="password" name="' + node + '-pass"></td></tr>\n');
dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + htmlEncode(node) + '</td><td><input type="password" name="' + htmlEncode(node) + '-pass"></td></tr>\n');
});

}
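Review bot: on the changed `append(...)` line, the second `htmlEncode(node)` sits inside a double-quoted `name="..."` attribute, so the fix is only complete if `htmlEncode` escapes `"`; an encoder that handles just `&`, `<`, `>` would still let a node name containing a quote terminate the attribute. A more robust alternative that avoids string-built markup entirely is to create the elements with jQuery and set the values through the DOM, for example `$('<input type="password">').attr('name', node + '-pass')` and `$('<td>').text(node)`, which makes the escaping question moot for both contexts.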