FMC-495 FMC susceptible to cross site scripting issues

commit e280cb370323eeb759030919d5111ed809e8ded5 1 parent 1548257
Stan Lewis authored
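--- a/fmc/fmc-webui/src/main/webapp/app/controllers/patches_page.coffee
+++ b/fmc/fmc-webui/src/main/webapp/app/controllers/patches_page.coffee
@@ -129,7 +129,7 @@ define [
 tagName: "option"
 attr:
 "value": model.id
-template: _.template("#{model.id}")
+template: _.template("#{FON.escapeHtml(model.id)}")
 on_render: =>
 super
 if @versions.get(@version.id)
@@ -150,7 +150,7 @@ define [
 FON.model_backed_template
 model: model
 tagName: "li"
-template: _.template("""<a href="#" class="delete"><img src="img/x-16.png"></a>#{model.id}""")
+template: _.template("""<a href="#" class="delete"><img src="img/x-16.png"></a>#{FON.escapeHtml(model.id)}""")
 elements:
 ".delete": "delete"
 on_render: (controller) ->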
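Review bot: In both hunks the escaping happens inside CoffeeScript `#{...}` interpolation, so `model.id` is escaped once when the template string is built and the already-escaped text is baked into the template, whereas the other files in this commit use the render-time `{{FON.escapeHtml(id)}}` form; a later edit that "unifies" the two could silently drop the escaping. I would add a comment above the template line in the second hunk: `# model.id is escaped at template construction (CoffeeScript interpolation), not at render time; keep the escapeHtml call if this is ever changed to a {{...}} interpolation`. Whether `FON.escapeHtml` copes with a non-string id is not visible here, so it is worth confirming that `model.id` is always a string. The enclosing controller definitions start and end outside both hunks.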
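--- a/fmc/fmc-webui/src/main/webapp/app/controllers/profile_details_page.coffee
+++ b/fmc/fmc-webui/src/main/webapp/app/controllers/profile_details_page.coffee
@@ -111,7 +111,7 @@ define [
 FON.model_backed_template
 model: model
 tagName: "li"
-template: _.template("""<a href="#" class="delete"><img src="img/x-16.png"></a><a href="#" class="view">{{id}}</a>""")
+template: _.template("""<a href="#" class="delete"><img src="img/x-16.png"></a><a href="#" class="view">{{FON.escapeHtml(id)}}</a>""")
 elements:
 ".delete": "delete"
 ".view": "view"
@@ -166,7 +166,7 @@ define [
 FON.model_backed_template
 model: model
 tagName: "li"
-template: _.template('<a href=#/containers/{{id}}>{{id}}</a>')
+template: _.template('<a href=#/containers/{{id}}>{{FON.escapeHtml(id)}}</a>')
 
 
 class ValueListEntry extends FON.TemplateController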
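Review bot: In the second hunk (line 169) only the link text is escaped; the same `id` is still interpolated raw into the `href`, and that attribute is unquoted, so an id containing a space, `>` or a quote can still terminate the attribute and inject markup. Quote the attribute and escape the value there too, e.g. `template: _.template('<a href="#/containers/{{FON.escapeHtml(id)}}">{{FON.escapeHtml(id)}}</a>')`; if ids may contain URL-significant characters, `encodeURIComponent` is the more precise encoding for the href segment. The enclosing definitions start and end outside both hunks.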
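--- a/fmc/fmc-webui/src/main/webapp/app/controllers/users_page.coffee
+++ b/fmc/fmc-webui/src/main/webapp/app/controllers/users_page.coffee
@@ -137,7 +137,7 @@ define [
 class RoleEntry extends FON.ModelBackedTemplate
 tagName:"li"
 
-template: _.template("""<a href="#" class="delete-role" title="Delete role"><img src="img/x-16.png"></a>{{id}}""")
+template: _.template("""<a href="#" class="delete-role" title="Delete role"><img src="img/x-16.png"></a>{{FON.escapeHtml(id)}}""")
 elements:
 "a.delete-role": "delete"
 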
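Review bot: `{{FON.escapeHtml(id)}}` is evaluated inside the compiled template at render time, and `_.template` builds its render function with `new Function`, so `FON` has to be resolvable as a global there; if `FON` reaches this file only as a module-local through the `define [...]` dependency list (which the AMD wrapper suggests, though the import is outside the hunk), the template would throw a ReferenceError on first render rather than escape. The same applies to the `{{FON.escapeHtml(id)}}` interpolations added in profile_details_page.coffee. If `FON` is not global, underscore's own escape delimiter (`_.templateSettings.escape`, `<%- id %>` by default) escapes without referencing any outside name, or the pre-escaped id can be passed in as a template variable. RoleEntry's class body continues outside the hunk.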
