fix: [security] XSS in event-graph node tooltips
- as reported by Cyber Controls from SIX Group
mokaddem committed Mar 10, 2023
1 parent 69e3948 commit 30255b8
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions app/webroot/js/event-graph.js
Expand Up @@ -715,7 +715,7 @@ class EventGraph {
if ( node.node_type == 'object' ) {
var group = 'object';
var label = dataHandler.generate_label(node);
var labelHtml = label + '</br><i>' + escapeHtml(node.comment) + '</i>'
var labelHtml = escapeHtml(label) + '</br><i>' + escapeHtml(node.comment) + '</i>'
label += ' ' + escapeHtml(node.comment)
var striped_value = that.strip_text_value(label);
node_conf = {
Expand All @@ -742,7 +742,7 @@ class EventGraph {
id: node.id,
uuid: node.uuid,
label: label,
title: label,
title: escapeHtml(label),
group: group,
mass: 20,
color: {
Expand All @@ -766,15 +766,15 @@ class EventGraph {
node_conf = {
id: node.id,
label: striped_value,
title: label,
title: escapeHtml(label),
group: group
};
dataHandler.mapping_value_to_nodeID.set(label, node.id);
} else {
group = 'attribute';
label = node.type + ': ' + node.label;
label = escapeHtml(node.type) + ': ' + node.label;
label += ' ' + escapeHtml(node.comment)
var labelHtml = label + '</br><i>' + escapeHtml(node.comment) + '</i>'
var labelHtml = escapeHtml(label) + '</br><i>' + escapeHtml(node.comment) + '</i>'
var striped_value = that.strip_text_value(label);
node_conf = {
id: node.id,
Expand Down Expand Up @@ -1053,7 +1053,7 @@ class EventGraph {
x: parent_pos.x,
y: parent_pos.y,
label: attr.object_relation + ': ' + striped_value,
title: attr.object_relation + ': ' + attr.value,
title: escapeHtml(attr.object_relation) + ': ' + escapeHtml(attr.value),
group: 'obj_relation',
color: {
background: parent_color
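Review bot: The comment text is escaped twice on the new side: the context line `label += ' ' + escapeHtml(node.comment)` (first hunk, and again in the attribute branch of the third hunk) feeds into the new `title: escapeHtml(label)` and `var labelHtml = escapeHtml(label) + ...`, so a comment containing `&` or `<` will be displayed as `&amp;` / `&lt;` in the tooltip, and the pre-escaped entity also ends up in `label: label`, which is presumably drawn as plain canvas text rather than HTML. Since the commit now escapes at the sinks, the cleaner fix is to keep `label` as raw text — `label += ' ' + node.comment` in both places — and apply `escapeHtml` only where the string is inserted as HTML; that would also remove the asymmetry in `label = escapeHtml(node.type) + ': ' + node.label;`, where `node.type` is pre-escaped but `node.label` is not. Before changing it, confirm that `strip_text_value` and `mapping_value_to_nodeID.set(label, node.id)` do not rely on the escaped form of `label` as a key. Whether a string `title` is rendered as HTML at all depends on the vis-network version bundled with the app — newer releases treat a string title as text, in which case escaped entities would show verbatim and an element should be passed instead; worth verifying against the vendored copy. The enclosing method of `EventGraph` starts before the first hunk and ends after the last, and `'</br>'` is not a valid tag (`<br>`), though browsers tolerate it.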