|
36 | 36 | <%@page import="java.util.*" %> |
37 | 37 | <%@page import="org.opennms.netmgt.config.*" %> |
38 | 38 | <%@page import="org.opennms.netmgt.config.users.*" %> |
| 39 | +<%@ page import="org.opennms.core.utils.WebSecurityUtils" %> |
| 40 | + |
| 41 | +<%@taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %> |
| 42 | + |
39 | 43 | <% |
40 | 44 | UserManager userFactory; |
41 | 45 | Map<String,User> users = null; |
|
97 | 101 | var newID = prompt("Enter new name for user.", userID); |
98 | 102 |
|
99 | 103 | if (newID != null && newID != "") { |
100 | | - if (/.*[&<>"`']+.*/.test(newId)) { |
| 104 | + if (/.*[&<>"`']+.*/.test(newID)) { |
101 | 105 | alert("The user ID must not contain any HTML markup."); |
102 | 106 | return; |
103 | 107 | } |
|
154 | 158 | String textService = userFactory.getTextPage(userid); |
155 | 159 | String numericPin = userFactory.getNumericPin(userid); |
156 | 160 | String textPin = userFactory.getTextPin(userid); |
| 161 | + String sanitizedUserId = WebSecurityUtils.sanitizeString(curUser.getUserId()); |
157 | 162 | %> |
158 | 163 | <tr id="user-<%= userid %>"> |
159 | 164 | <% if (!curUser.getUserId().equals("admin") && !curUser.getUserId().equals("rtc")) { %> |
160 | 165 | <td rowspan="2" class="text-center"> |
161 | | - <a id="<%= "users("+curUser.getUserId()+").doDelete" %>" href="javascript:deleteUser('<%=curUser.getUserId()%>')" onclick="return confirm('Are you sure you want to delete the user <%=curUser.getUserId()%>?')"><i class="fa fa-trash-o fa-2x"></i></a> |
| 166 | + <a id="<%= "users("+sanitizedUserId+").doDelete" %>" href="javascript:deleteUser('<%=sanitizedUserId%>')" onclick="return confirm('Are you sure you want to delete the user <%=sanitizedUserId%>?')"><i class="fa fa-trash-o fa-2x"></i></a> |
162 | 167 | </td> |
163 | 168 | <% } else { %> |
164 | 169 | <td rowspan="2" class="text-center"> |
165 | 170 | <i class="fa fa-trash-o fa-2x" onclick="alert('Sorry, the admin user cannot be deleted.')"></i> |
166 | 171 | </td> |
167 | 172 | <% } %> |
168 | 173 | <td rowspan="2" class="text-center"> |
169 | | - <a id="<%= "users("+curUser.getUserId()+").doModify" %>" href="javascript:modifyUser('<%=curUser.getUserId()%>')"><i class="fa fa-edit fa-2x"></i></a> |
| 174 | + <a id="<%= "users("+sanitizedUserId+").doModify" %>" href="javascript:modifyUser('<%=sanitizedUserId%>')"><i class="fa fa-edit fa-2x"></i></a> |
170 | 175 | </td> |
171 | 176 | <td rowspan="2" class="text-center"> |
172 | 177 | <% if ( !curUser.getUserId().equals("admin")) { %> |
173 | | - <button id="<%= "users("+curUser.getUserId()+").doRename" %>" class="btn btn-secondary" name="rename" onclick="renameUser('<%=curUser.getUserId()%>')">Rename</button> |
| 178 | + <button id="<%= "users("+sanitizedUserId+").doRename" %>" class="btn btn-secondary" name="rename" onclick="renameUser('<%=sanitizedUserId%>')">Rename</button> |
174 | 179 | <% } else { %> |
175 | | - <button id="<%= "users("+curUser.getUserId()+").doRename" %>" class="btn btn-secondary" name="rename" onclick="alert('Sorry, the admin user cannot be renamed.')">Rename</button> |
| 180 | + <button id="<%= "users("+sanitizedUserId+").doRename" %>" class="btn btn-secondary" name="rename" onclick="alert('Sorry, the admin user cannot be renamed.')">Rename</button> |
176 | 181 | <% } %> |
177 | 182 | </td> |
178 | 183 | <td> |
179 | | - <a id="<%= "users("+curUser.getUserId()+").doDetails" %>" href="javascript:detailUser('<%=curUser.getUserId()%>')"><%=curUser.getUserId()%></a> |
| 184 | + <a id="<%= "users("+sanitizedUserId+").doDetails" %>" href="javascript:detailUser('<%=sanitizedUserId%>')"><%=sanitizedUserId%></a> |
180 | 185 | </td> |
181 | 186 | <td> |
182 | | - <div id="<%= "users("+curUser.getUserId()+").fullName" %>"> |
| 187 | + <div id="<%= "users("+sanitizedUserId+").fullName" %>"> |
183 | 188 | <%= (curUser.getFullName().orElse("")) %> |
184 | 189 | </div> |
185 | 190 | </td> |
186 | 191 | <td> |
187 | | - <div id="<%= "users("+curUser.getUserId()+").email" %>"> |
| 192 | + <div id="<%= "users("+sanitizedUserId+").email" %>"> |
188 | 193 | <%= ((email == null || email.equals("")) ? " " : email) %> |
189 | 194 | </div> |
190 | 195 | </td> |
191 | 196 | <td> |
192 | | - <div id="<%= "users("+curUser.getUserId()+").pagerEmail" %>"> |
| 197 | + <div id="<%= "users("+sanitizedUserId+").pagerEmail" %>"> |
193 | 198 | <%= ((pagerEmail == null || pagerEmail.equals("")) ? " " : pagerEmail) %> |
194 | 199 | </div> |
195 | 200 | </td> |
196 | 201 | <td> |
197 | | - <div id="<%= "users("+curUser.getUserId()+").xmppAddress" %>"> |
| 202 | + <div id="<%= "users("+sanitizedUserId+").xmppAddress" %>"> |
198 | 203 | <%= ((xmppAddress == null || xmppAddress.equals("")) ? " " : xmppAddress) %> |
199 | 204 | </div> |
200 | 205 | </td> |
201 | 206 | </tr> |
202 | 207 | <tr> |
203 | 208 | <td colspan="5"> |
204 | | - <div id="<%= "users("+curUser.getUserId()+").userComments" %>"> |
| 209 | + <div id="<%= "users("+sanitizedUserId+").userComments" %>"> |
205 | 210 | <%= (curUser.getUserComments().orElse("No Comments")) %> |
206 | 211 | </div> |
207 | 212 | </td> |
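Review bot: The row element `<tr id="user-<%= userid %>">` still writes the user ID unsanitized, while every other id attribute in this hunk now uses sanitizedUserId; since userid appears to be the same value as curUser.getUserId() (it is the key passed to getTextPage a few lines earlier), that line should read `<tr id="user-<%= sanitizedUserId %>">`. The same value is also placed inside single-quoted JavaScript string literals in the href and onclick attributes (deleteUser, modifyUser, renameUser, detailUser, and the confirm text); whether WebSecurityUtils.sanitizeString neutralises quote and backslash characters for that context is not visible here, and if it only handles HTML markup the JavaScript context would need its own escaping. The remaining fields of the same record — full name, email, pager email, XMPP address and user comments — are still emitted raw by their `<%= ... %>` expressions, so if they are user-editable they need the same treatment as the ID. The scriptlet that declares userid and curUser begins outside this hunk.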
|