Sanitize inputs to toast function

[argaudreau]

Description

String messages to the toast() function were not sanitized, allowing for malicious HTML to be passed to it. In particular, the operation name input in the operations page allowed a user to enter a XSS string such as <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>, which would fire the onerror handler once created.

A sanitize() method has been added so it can be used anywhere in Caldera's UI. It will completely remove any HTML content and return the remaining text, if any. The toast method now uses this, along with a couple of other sections in the operations page.

Type of change

• Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

After inputing malicious strings to the operation name input, the scripts never fire like they did before.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[yee-jonathan]

Changes correctly sanitize output and prevent execution when using html tags. Even when HTML encoded, malicious scripts will not execute and are displayed as plain text.

[JamieScottC]

Confirmed that entering an XSS input doesn't execute any of its malicious behavior.