Fixes #19505:

Normation · Jul 5, 2021 · 2d3e154 · 2d3e154
1 parent 5785a5c
commit 2d3e154
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 22 deletions.
diff --git a/...rces/rudder/rudder-core/src/main/scala/com/normation/rudder/domain/nodes/Properties.scala b/...rces/rudder/rudder-core/src/main/scala/com/normation/rudder/domain/nodes/Properties.scala
@@ -770,7 +770,7 @@ object JsonPropertySerialisation {
 
     def toApiJsonRenderParents = {
       buildHierarchy(list => list.reverse.map(p =>
-        s"<p>from <b>${p.displayName}</b>:<pre>${p.value.render(ConfigRenderOptions.defaults().setOriginComments(false))}</pre></p>"
+        s"<p>from <b>${p.displayName}</b>:<pre>${xml.Utility.escape(p.value.render(ConfigRenderOptions.defaults().setOriginComments(false)))}</pre></p>"
       ).mkString(""))
     }
 

diff --git a/...pp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/lift/NodeApi.scala b/...pp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/lift/NodeApi.scala
@@ -116,6 +116,7 @@ import com.normation.rudder.services.servers.DeleteMode
 import com.normation.rudder.services.reports.ReportingService
 import com.normation.utils.DateFormaterService
 import net.liftweb.http.JsonResponse
+import net.liftweb.http.js.JsExp
 import net.liftweb.json.JsonAST.JDouble
 import net.liftweb.json.JsonAST.JField
 import net.liftweb.json.JsonAST.JInt
@@ -586,6 +587,9 @@ class NodeApiService13 (
     , compliance            : Option[NodeStatusReport]
     , sysCompliance         : Option[NodeStatusReport]
   ): JObject = {
+
+    def escapeHTML(s: String): String = JsExp.strToJsExp(xml.Utility.escape(s)).str
+
     import net.liftweb.json.JsonDSL._
     def toComplianceArray(comp : ComplianceLevel) : JArray =
       JArray (
@@ -617,24 +621,24 @@ class NodeApiService13 (
       }
 
     import com.normation.rudder.domain.nodes.JsonPropertySerialisation._
-    (  ("name" -> nodeInfo.hostname)
-      ~  ("policyServerId" -> nodeInfo.policyServerId.value)
-      ~  ("policyMode" -> policyMode.name)
-      ~  ("globalModeOverride" -> explanation)
-      ~  ("kernel" -> nodeInfo.osDetails.kernelVersion.value)
-      ~  ("agentVersion" -> nodeInfo.agentsName.headOption.flatMap(_.version.map(_.value)))
-      ~  ("id" -> nodeInfo.id.value)
-      ~  ("ram" -> nodeInfo.ram.map(_.toStringMo))
-      ~  ("machineType" -> nodeInfo.machine.map(_.machineType.toString))
-      ~  ("os" -> nodeInfo.osDetails.fullName)
-      ~  ("state" -> nodeInfo.state.name)
-      ~  ("compliance" -> userCompliance )
-      ~  ("systemError" -> sysCompliance.map(_.compliance.compliance < 100 ).getOrElse(true) )
-      ~  ("ipAddresses" -> nodeInfo.ips.filter(ip => ip != "127.0.0.1" && ip != "0:0:0:0:0:0:0:1"))
-      ~  ("lastRun" -> agentRunWithNodeConfig.map(d => DateFormaterService.getDisplayDate(d.agentRunId.date)).getOrElse("Never"))
-      ~  ("lastInventory" ->  DateFormaterService.getDisplayDate(nodeInfo.inventoryDate))
-      ~  ("software" -> JObject(softs.map(s => JField(s.name.getOrElse(""), JString(s.version.map(_.value).getOrElse("N/A"))))))
-      ~  ("properties" -> JObject(properties.map(s => JField(s.name, s.toJson))))
+    (    ("name"                -> escapeHTML(nodeInfo.hostname))
+      ~  ("policyServerId"      -> escapeHTML(nodeInfo.policyServerId.value))
+      ~  ("policyMode"          -> escapeHTML(policyMode.name))
+      ~  ("globalModeOverride"  -> explanation)
+      ~  ("kernel"              -> escapeHTML(nodeInfo.osDetails.kernelVersion.value))
+      ~  ("agentVersion"        -> nodeInfo.agentsName.headOption.flatMap(_.version.map(_.value)))
+      ~  ("id"                  -> escapeHTML(nodeInfo.id.value))
+      ~  ("ram"                 -> nodeInfo.ram.map(_.toStringMo))
+      ~  ("machineType"         -> nodeInfo.machine.map(_.machineType.toString))
+      ~  ("os"                  -> nodeInfo.osDetails.fullName)
+      ~  ("state"               -> nodeInfo.state.name)
+      ~  ("compliance"          -> userCompliance )
+      ~  ("systemError"         -> sysCompliance.map(_.compliance.compliance < 100 ).getOrElse(true) )
+      ~  ("ipAddresses"         -> nodeInfo.ips.filter(ip => ip != "127.0.0.1" && ip != "0:0:0:0:0:0:0:1").map(escapeHTML(_)))
+      ~  ("lastRun"             -> agentRunWithNodeConfig.map(d => DateFormaterService.getDisplayDate(d.agentRunId.date)).getOrElse("Never"))
+      ~  ("lastInventory"       -> DateFormaterService.getDisplayDate(nodeInfo.inventoryDate))
+      ~  ("software"            -> JObject(softs.map(s => JField(escapeHTML(s.name.getOrElse("")), JString(escapeHTML(s.version.map(_.value).getOrElse("N/A")))))))
+      ~  ("properties"          -> JObject(properties.map(s => JField(s.name, s.toJson ))))
       ~  ("inheritedProperties" -> JObject(inheritedProperties.map(s => JField(s.prop.name, s.toApiJson))))
       )
   }
@@ -1246,7 +1250,7 @@ class NodeApiService8 (
               s"Node with id '${node.id.value}' has an agent type (${node.agentsName.map(_.agentType.displayName).mkString(",")}) which doesn't support remote run"
             }
           }
-           ( ( "id" -> node.id.value)
+           ( ( "id"       -> node.id.value)
            ~ ( "hostname" -> node.hostname)
            ~ ( "result"   -> commandResult)
            )

diff --git a/...dder-web/src/main/scala/com/normation/rudder/web/components/ShowNodeDetailsFromNode.scala b/...dder-web/src/main/scala/com/normation/rudder/web/components/ShowNodeDetailsFromNode.scala
@@ -255,7 +255,7 @@ class ShowNodeDetailsFromNode(
                 bindNode(node, sm, withinPopup, globalMode) ++ Script(
                   DisplayNode.jsInit(node.id, sm.node.softwareIds, "") &
                   JsRaw(s"""
-                    $$('#nodeHostname').html("${sm.node.main.hostname}");
+                    $$('#nodeHostname').html("${xml.Utility.escape(sm.node.main.hostname)}");
                     $$( "#${detailsId}" ).tabs({ active : ${tab} } );
                     $$('#nodeInventory .ui-tabs-vertical .ui-tabs-nav li a').on('click',function(){
                       var tab = $$(this).attr('href');

diff --git a/webapp/sources/rudder/rudder-web/src/main/webapp/javascript/rudder/rudder-datatable.js b/webapp/sources/rudder/rudder-web/src/main/webapp/javascript/rudder/rudder-datatable.js
@@ -1095,7 +1095,8 @@ function propertyFunction(value, inherited) { return function (nTd, sData, oData
       provider = $('<span class="rudder-label label-provider label-sm" data-toggle="tooltip" data-placement="right" data-html="true" data-container="body" >inherited</span>')
       provider.attr('title', "This property is inherited from these group(s) or global parameter: <div>"+ property.hierarchy + "</div>.")
     }
-    $(nTd).prepend( "<pre onclick='$(this).toggleClass(\"toggle\")' class='json-beautify show-more'>"+text+"</pre>").prepend(provider)
+    var pre = $("<pre onclick='$(this).toggleClass(\"toggle\")' class='json-beautify show-more'></pre>").text(text);
+    $(nTd).prepend( pre ).prepend(provider)
   }
 } }