fix: Fix to a potential reflected XSS on the quickDelete
- low impact: the XSS required the user to confirm the malicious payload

- as reported by Or Hanuka (PALANTIR)
iglocska committed Oct 9, 2017
1 parent 17592a4 commit ca6f4a7
Showing 2 changed files with 9 additions and 28 deletions.
2 changes: 1 addition & 1 deletion app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp
Expand Up @@ -8,7 +8,7 @@
<table>
<tr>
<td style="vertical-align:top">
<span id="PromptYesButton" role="button" tabindex="0" aria-label="Remove sighting" title="Remove sighting" class="btn btn-primary" onClick="removeSighting('<?php echo h($id); ?>', '<?php echo h($rawId); ?>', '<?php echo h($context); ?>');">Yes</span>
<span id="PromptYesButton" role="button" tabindex="0" aria-label="Remove sighting" title="Remove sighting" class="btn btn-primary" data-id="<?php echo h($id); ?>" data-rawid="<?php echo h($rawId); ?>" data-context="<?php echo h($context); ?>" onClick="removeSighting(this);">Yes</span>
</td>
<td style="width:540px;">
</td>
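Review bot: The `onClick="removeSighting(this);"` on the new span is still an inline event handler, so this view cannot be served under a Content-Security-Policy that omits `'unsafe-inline'` from script-src; now that the element carries its own `data-id`/`data-rawid`/`data-context`, the handler could be bound from misp.js instead, e.g. `$('#PromptYesButton').on('click', function () { removeSighting(this); });` with the `onClick` attribute dropped. Moving the three values out of the JavaScript string literal inside the attribute and into plain `h()`-escaped attributes is the right shape for the fix, since attribute-context escaping is what `h()` provides and the previous form let a decoded quote end the JS string. The surrounding form markup is outside the hunk.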
35 changes: 8 additions & 27 deletions app/webroot/js/misp.js
Expand Up @@ -72,28 +72,6 @@ function cancelPrompt(isolated) {
$("#confirmation_box").empty();
}

function submitEventDeletion() {
var formData = $('#PromptForm').serialize();
$.ajax({
beforeSend: function (XMLHttpRequest) {
$(".loading").show();
},
data: formData,
success:function (data, textStatus) {
updateIndex(context_id, context);
handleGenericAjaxResponse(data);
},
complete:function() {
$(".loading").hide();
$("#confirmation_box").fadeOut();
$("#gray_out").fadeOut();
},
type:"post",
cache: false,
url:"/" + type + "/" + action + "/" + id,
});
}

function submitDeletion(context_id, action, type, id) {
var context = 'event';
if (type == 'template_elements') context = 'template';
Expand All @@ -118,7 +96,10 @@ function submitDeletion(context_id, action, type, id) {
});
}

function removeSighting(id, rawid, context) {
function removeSighting(caller) {
var id = $(caller).data('id');
var rawid = $(caller).data('rawid');
var context = $(caller).data('context');
if (context != 'attribute') {
context = 'event';
}
Expand All @@ -130,16 +111,16 @@ function removeSighting(id, rawid, context) {
data: formData,
success:function (data, textStatus) {
handleGenericAjaxResponse(data);
},
complete:function() {
$(".loading").hide();
$("#confirmation_box").fadeOut();
var org = "/" + $('#org_id').text();
updateIndex(id, 'event');
$.get( "/sightings/listSightings/" + rawid + "/" + context + org, function(data) {
$("#sightingsData").html(data);
});
},
complete:function() {
$(".loading").hide();
$("#confirmation_box").fadeOut();
},
type:"post",
cache: false,
url:"/sightings/quickDelete/" + id + "/" + rawid + "/" + context,
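Review bot: In `removeSighting(caller)` (second hunk), `$(caller).data('id')` runs jQuery's value conversion on the attribute, so a numeric-looking id comes back as a number and a JSON-looking string would be parsed into an object before it reaches the URL; reading the raw attribute keeps the values as the server-rendered strings: `var id = $(caller).attr('data-id');`, `var rawid = $(caller).attr('data-rawid');`, `var context = $(caller).attr('data-context');`. The `url:` line in the third hunk still concatenates `id`, `rawid` and `context` into the path unencoded; since they now arrive from markup rather than from a call site, wrapping each segment in `encodeURIComponent()` would keep a stray `/` or `?` from altering the route. The `context != 'attribute'` normalisation already limits `context` to two values, so the two id segments are the only ones that matter here. The body of `removeSighting` continues past both hunks and its closing brace is not shown.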
