fix: [security] Stored XSS in the galaxy cluster view
- Galaxy cluster names were vulnerable to XSS injection

- As reported by Patrik Kontura of ESET
iglocska committed Jan 19, 2021
1 parent afbf95a commit 741243f
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions app/View/GalaxyClusters/view.ctp
Expand Up @@ -58,15 +58,15 @@
'field' => array('data_path' => 'distribution')
));
$table_data[] = array(
'key' => __('Owner Organisation'),
'key' => __('Owner Organisation'),
'html' => $this->OrgImg->getOrgImg(array('name' => $cluster['GalaxyCluster']['Org']['name'], 'id' => $cluster['GalaxyCluster']['Org']['id'], 'size' => 18), true),
);
$table_data[] = array(
'key' => __('Creator Organisation'),
'key' => __('Creator Organisation'),
'html' => $this->OrgImg->getOrgImg(array('name' => $cluster['GalaxyCluster']['Orgc']['name'], 'id' => $cluster['GalaxyCluster']['Orgc']['id'], 'size' => 18), true),
);
$table_data[] = array('key' => __('Connector tag'), 'value' => $cluster['GalaxyCluster']['tag_name']);
$table_data[] = array('key' => __('Events'), 'html' => isset($cluster['GalaxyCluster']['tag_count']) ?
$table_data[] = array('key' => __('Events'), 'html' => isset($cluster['GalaxyCluster']['tag_count']) ?
sprintf('<a href="%s">%s</a>',
sprintf('%s/events/index/searchtag:%s', $baseurl, h($cluster['GalaxyCluster']['tag_id'])),
__n('%s event', '%s events', $cluster['GalaxyCluster']['tag_count'], h($cluster['GalaxyCluster']['tag_count']))
Expand All @@ -85,7 +85,7 @@
<div class="row-fluid">
<div class="span8">
<h2>
<?= sprintf('%s :: %s', h($cluster['GalaxyCluster']['Galaxy']['name']), $cluster['GalaxyCluster']['value']); ?>
<?= sprintf('%s :: %s', h($cluster['GalaxyCluster']['Galaxy']['name']), h($cluster['GalaxyCluster']['value'])); ?>
</h2>
<?php echo $this->element('genericElements/viewMetaTable', array('table_data' => $table_data)); ?>
</div>
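Review bot: The `h()` added around `$cluster['GalaxyCluster']['value']` in the `<h2>` fixes only this one output point; the same cluster field is presumably rendered elsewhere (page title, index and related listings, not visible in this hunk), so the same treatment should be confirmed there rather than relying on this view alone. In the first hunk, the rows passed with an `'html'` key (the `getOrgImg` output and the events link) bypass whatever escaping the `viewMetaTable` element applies to `'value'` rows, so those helpers must return already-escaped markup — worth verifying for `getOrgImg`, which receives the org name, since the events link visibly escapes its own pieces with `h()`. The three pairs of identical-looking lines in the first hunk read as whitespace-only changes, if the rendered page is faithful; keeping such edits out of a security fix keeps the commit minimal and easier to backport and audit. A short note at the `<h2>`, such as `<?php /* cluster value is user-supplied: always escape with h() */ ?>`, would tell the next editor why both halves are wrapped.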

