

Enforce escaping on all template content
ollyg committed Sep 23, 2019
1 parent 5f378a3 commit deb9b62
Showing 77 changed files with 392 additions and 387 deletions.
1 change: 1 addition & 0 deletions Build.PL
Expand Up @@ -81,6 +81,7 @@ Module::Build->new(
'SQL::Abstract' => '1.85',
'SQL::Translator' => '0.11024',
'Template' => '2.24',
'Template::AutoFilter' => '0',
'Template::Plugin::CSV' => '0.04',
'Template::Plugin::Number::Format' => '1.02',
'Term::ReadLine' => '0',
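Review bot: The new `'Template::AutoFilter' => '0'` entry declares the subclass but not the filter it is configured to apply: Template Toolkit's `html_entity` filter needs HTML::Entities (or Apache::Util) at runtime and returns a filter exception when neither is installed, so unless HTML::Entities is already declared elsewhere in Build.PL it should be added alongside, e.g. `'HTML::Entities' => '0',`. The `'0'` minimum also differs from the neighbouring entries, which all pin a release; since the whole escaping scheme now depends on this module's parser behaviour, pinning the version this was tested against would be prudent. The Module::Build->new argument list continues outside the hunk.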
4 changes: 4 additions & 0 deletions share/config.yml
Expand Up @@ -483,11 +483,15 @@ show_errors: false
logger: 'console'
engines:
netdisco_template_toolkit:
subclass: 'Template::AutoFilter'
encoding: 'utf8'
start_tag: '[%'
end_tag: '%]'
ANYCASE: 1
ABSOLUTE: 1
PRE_CHOMP: 1
INCLUDE_PATH: []
AUTO_FILTER: 'html_entity'
layout: 'main'
plugins:
Swagger:
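Review bot: The new `AUTO_FILTER: 'html_entity'` key carries no statement of its scope, and that scope governs every `| none` the rest of the commit introduces: as I read Template::AutoFilter it adds the filter only to directives that have no filter of their own, and html_entity is the right encoding for HTML text and quoted attributes but not for values emitted inside `<script>` bodies or JavaScript string literals. A comment above the key along the lines of `# every [% %] output without an explicit filter is html_entity-encoded; use "| none" only where the value is already safe in its output context, and say why` would make the policy reviewable in one place. The setting is also attached only to the `netdisco_template_toolkit` engine, so anything rendered through a different engine, if one is configured elsewhere in this file, presumably receives no auto-filter — worth confirming.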
16 changes: 8 additions & 8 deletions share/views/admintask.tt
Expand Up @@ -9,14 +9,14 @@
rel="tooltip" data-placement="left" data-offset="5" data-title="Unpin Sidebar" data-container="body"></i>

<div class="tab-content">
<div id="[% task.tag %]_search" class="tab-pane active">
<form id="[% task.tag %]_form" class="nd_sidebar-form form-stacked"
method="get" action="[% uri_for('/admin') %]">
<div id="[% task.tag | html_entity %]_search" class="tab-pane active">
<form id="[% task.tag | html_entity %]_form" class="nd_sidebar-form form-stacked"
method="get" action="[% uri_for('/admin') | none %]">
[% TRY %]
<script type="text/javascript">has_sidebar["[% task.tag %]"] = 1;</script>
<script type="text/javascript">has_sidebar["[% task.tag | html_entity %]"] = 1;</script>
[% INCLUDE "sidebar/admintask/${task.tag}.tt" %]
[% CATCH %]
<script type="text/javascript">has_sidebar["[% task.tag %]"] = 0;</script>
<script type="text/javascript">has_sidebar["[% task.tag | html_entity %]"] = 0;</script>
[% END %]
</form>
</div> <!-- /tab-pane -->
Expand All @@ -26,8 +26,8 @@

<div class="content">
<ul id="nd_search-results" class="nav nav-tabs">
<li class="active"><a id="[% task.tag %]_link" class="nd_single-tab"
href="#[% task.tag %]_pane">[% task.label %]</a></li>
<li class="active"><a id="[% task.tag | html_entity %]_link" class="nd_single-tab"
href="#[% task.tag | html_entity %]_pane">[% task.label | html_entity %]</a></li>
[% IF task.tag == 'jobqueue' %]
<span id="nd_device-name">
<a class="nd_adminbutton" name="delall" href="#"><i class="icon-trash text-error"></i></a>
Expand All @@ -49,7 +49,7 @@
[% END %]
</ul>
<div class="tab-content">
<div class="tab-pane active" id="[% task.tag %]_pane"></div>
<div class="tab-pane active" id="[% task.tag | html_entity %]_pane"></div>
</div>
</div>

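Review bot: The `| none` on `action="[% uri_for('/admin') | none %]"` disables escaping in an attribute where html_entity would have been both safe and correct: a URL remains a valid attribute value after entity encoding (`&` becomes `&amp;`, which the browser decodes back), so the exemption buys nothing and extends the unescaped surface to whatever `uri_for` builds, presumably from the request base. The same pattern recurs on the `uri_for`, `search_device` and `device_ports` hrefs in ajax/admintask/duplicatedevices.tt, jobqueue.tt, orphaned.tt, pseudodevice.tt, slowdevices.tt, timedoutdevices.tt, topology.tt and undiscoveredneighbors.tt; `| html_entity` (or no filter at all, letting AUTO_FILTER apply) would be the tighter choice in every one of them. Separately, the two `has_sidebar["[% task.tag | html_entity %]"]` lines sit inside a `<script>` body, where entities are not decoded: the encoding does stop the string or the element from being closed early, but a tag containing `&`, `<` or `"` would no longer match the `id` values built from the same `task.tag` elsewhere in this hunk. If `task.tag` is restricted to identifier characters, as its use in the INCLUDE path on the following line suggests, a short `[%# task.tag is an identifier, safe in JS string context %]` would justify the choice.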
10 changes: 5 additions & 5 deletions share/views/ajax/admintask/duplicatedevices.tt
Expand Up @@ -21,7 +21,7 @@
[% SET count = count + 1 %]
<tr>
<td class="nd_center-cell"><a class="nd_linkcell"
href="[% uri_for('/device') %]?tab=details&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
href="[% uri_for('/device') | none %]?tab=details&q=[% row.ip | uri %]">[% row.ip | html_entity %]</a>
[% row.dns | html_entity %]</td>
<td class="nd_center-cell">[% row.contact | html_entity %]</td>
<td class="nd_center-cell">[% row.location | html_entity %]</td>
Expand All @@ -33,15 +33,15 @@

<td class="nd_center-cell">
<button class="btn btn-danger btn-small"
data-toggle="modal" data-target="#nd_devdel-[% count %]" type="button">
data-toggle="modal" data-target="#nd_devdel-[% count | html_entity %]" type="button">
<i class="icon-trash text-danger"></i>
</button>

<div id="nd_devdel-[% count %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
role="dialog" aria-labelledby="nd_devdel-label-[% count %]" aria-hidden="true">
<div id="nd_devdel-[% count | html_entity %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
role="dialog" aria-labelledby="nd_devdel-label-[% count | html_entity %]" aria-hidden="true">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">x</button>
<h3 id="nd_devdel-label-[% count %]">Confirm Delete: [% row.ip || row.dns | html_entity %]</h3>
<h3 id="nd_devdel-label-[% count | html_entity %]">Confirm Delete: [% row.ip || row.dns | html_entity %]</h3>
</div>
<div class="modal-body">
<blockquote>
4 changes: 2 additions & 2 deletions share/views/ajax/admintask/jobqueue.tt
Expand Up @@ -37,9 +37,9 @@
[% END %]
<td class="nd_center-cell">
[% IF row.action == 'discover' AND row.status == 'error' %]
<a href="[% uri_for('/') %]?device=[% row.device | uri %]">[% row.device | html_entity %]</a>
<a href="[% uri_for('/') | none %]?device=[% row.device | uri %]">[% row.device | html_entity %]</a>
[% ELSE %]
<a href="[% uri_for('/device') %]?q=[% row.device | uri %]">[% row.target.dns || row.device | html_entity %]</a>
<a href="[% uri_for('/device') | none %]?q=[% row.device | uri %]">[% row.target.dns || row.device | html_entity %]</a>
[% END %]
</td>
<td class="nd_center-cell">[% row.port | html_entity %]</td>
8 changes: 4 additions & 4 deletions share/views/ajax/admintask/nodemonitor.tt
Expand Up @@ -48,13 +48,13 @@
<button class="btn nd_adminbutton" name="update" type="submit"><i class="icon-save text-warning"></i></button>

<button class="btn" data-toggle="modal"
data-target="#nd_devdel-[% count %]" type="button"><i class="icon-trash text-error"></i></button>
data-target="#nd_devdel-[% count | html_entity %]" type="button"><i class="icon-trash text-error"></i></button>

<div id="nd_devdel-[% count %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
role="dialog" aria-labelledby="nd_devdel-label-[% count %]" aria-hidden="true">
<div id="nd_devdel-[% count | html_entity %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
role="dialog" aria-labelledby="nd_devdel-label-[% count | html_entity %]" aria-hidden="true">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">x</button>
<h3 id="nd_devdel-label-[% count %]">Are you sure?</h3>
<h3 id="nd_devdel-label-[% count | html_entity %]">Are you sure?</h3>
</div>
<div class="modal-body">
<blockquote>
12 changes: 6 additions & 6 deletions share/views/ajax/admintask/orphaned.tt
Expand Up @@ -22,11 +22,11 @@
<tbody>
[% FOREACH row IN orphans %]
<tr>
<td><a href="[% uri_for('/device') %]?q=[% row.ip | uri %]">
<td><a href="[% uri_for('/device') | none %]?q=[% row.ip | uri %]">
[% row.dns || row.name || row.ip | html_entity %]</a></td>
<td>
[% IF row.location %]
<a href="[% search_device %]&q=[% row.location | uri %]&location=[% row.location | uri %]">
<a href="[% search_device | none %]&q=[% row.location | uri %]&location=[% row.location | uri %]">
[% row.location | html_entity %]</a>
[% ELSE %]
[Not Set]
Expand Down Expand Up @@ -55,12 +55,12 @@
[% NEXT IF count == 1 %]
<div class="accordion-group">
<div class="accordion-heading">
<a class="accordion-toggle" data-toggle="collapse" data-target="#collapse-[% count %]" href="#collapse-[% count %]">
<a class="accordion-toggle" data-toggle="collapse" data-target="#collapse-[% count | html_entity %]" href="#collapse-[% count | html_entity %]">
<i class="icon-chevron-up"></i> &nbsp;
Orphaned Network: [% count - 1 | html_entity %] Size: [% network.size | html_entity %] Devices
</a>
</div>
<div id="collapse-[% count %]" class="accordion-body collapse">
<div id="collapse-[% count | html_entity %]" class="accordion-body collapse">
<div class="accordion-inner">
<table class="table table-bordered table-condensed">
<thead>
Expand All @@ -75,11 +75,11 @@
<tbody>
[% FOREACH row IN network %]
<tr>
<td><a href="[% uri_for('/device') %]?tab=netmap&q=[% row.ip | uri %]&firstsearch=on">
<td><a href="[% uri_for('/device') | none %]?tab=netmap&q=[% row.ip | uri %]&firstsearch=on">
[% row.dns || row.name || row.ip | html_entity %]</a></td>
<td>
[% IF row.location %]
<a href="[% search_device %]&q=[% row.location | uri %]&location=[% row.location | uri %]">
<a href="[% search_device | none %]&q=[% row.location | uri %]&location=[% row.location | uri %]">
[% row.location | html_entity %]</a>
[% ELSE %]
[Not Set]
10 changes: 5 additions & 5 deletions share/views/ajax/admintask/pseudodevice.tt
Expand Up @@ -27,7 +27,7 @@
[% SET count = count + 1 %]
<tr>
<td class="nd_center-cell"><a class="nd_linkcell"
href="[% uri_for('/device') %]?q=[% row.ip | uri %]">[% row.dns | html_entity %]</a></td>
href="[% uri_for('/device') | none %]?q=[% row.ip | uri %]">[% row.dns | html_entity %]</a></td>
<td class="nd_center-cell">[% row.ip | html_entity %]</td>
<td class="nd_center-cell">
<input data-form="update" name="ports" type="number" value="[% row.port_count | html_entity %]">
Expand All @@ -43,13 +43,13 @@
<button class="btn nd_adminbutton" name="update" type="submit"><i class="icon-save text-warning"></i></button>

<button class="btn" data-toggle="modal"
data-target="#nd_devdel-[% count %]" type="button"><i class="icon-trash text-error"></i></button>
data-target="#nd_devdel-[% count | html_entity %]" type="button"><i class="icon-trash text-error"></i></button>

<div id="nd_devdel-[% count %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
role="dialog" aria-labelledby="nd_devdel-label-[% count %]" aria-hidden="true">
<div id="nd_devdel-[% count | html_entity %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
role="dialog" aria-labelledby="nd_devdel-label-[% count | html_entity %]" aria-hidden="true">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">x</button>
<h3 id="nd_devdel-label-[% count %]">Are you sure?</h3>
<h3 id="nd_devdel-label-[% count | html_entity %]">Are you sure?</h3>
</div>
<div class="modal-body">
<blockquote>
2 changes: 1 addition & 1 deletion share/views/ajax/admintask/slowdevices.tt
Expand Up @@ -16,7 +16,7 @@
<tr>
<td class="nd_center-cell">[% row.action.ucfirst | html_entity %]</td>
<td class="nd_center-cell"><a class="nd_linkcell"
href="[% uri_for('/device') %]?q=[% row.device | uri %]">[% row.device | html_entity %]</a></td>
href="[% uri_for('/device') | none %]?q=[% row.device | uri %]">[% row.device | html_entity %]</a></td>
<td class="nd_center-cell">[% row.started | html_entity %]</td>
<td class="nd_center-cell">[% row.finished | html_entity %]</td>
<td class="nd_center-cell">[% row.elapsed | html_entity %]</td>
2 changes: 1 addition & 1 deletion share/views/ajax/admintask/timedoutdevices.tt
Expand Up @@ -17,7 +17,7 @@
<tr>
<td class="nd_center-cell">[% row.backend | html_entity %]</td>
<td class="nd_center-cell"><a class="nd_linkcell"
href="[% uri_for('/search') %]?tab=node&q=[% row.device | uri %]">[% row.device | html_entity %]</a></td>
href="[% uri_for('/search') | none %]?tab=node&q=[% row.device | uri %]">[% row.device | html_entity %]</a></td>
<td class="nd_center-cell">[% row.dns | html_entity %]</td>
<td class="nd_center-cell">[% row.deferrals | html_entity %]</td>
<td class="nd_center-cell">[% row.last_defer | html_entity %]</td>
12 changes: 6 additions & 6 deletions share/views/ajax/admintask/topology.tt
Expand Up @@ -42,22 +42,22 @@
[% WHILE (row = results.next) %]
[% SET count = count + 1 %]
<tr>
<td class="nd_center-cell"><a class="nd_linkcell" href="[% uri_for('/device') %]?q=[% row.device1.ip | uri %]">
<td class="nd_center-cell"><a class="nd_linkcell" href="[% uri_for('/device') | none %]?q=[% row.device1.ip | uri %]">
[% (row.device1.dns || row.device1.name || row.device1.ip) | html_entity %]</a>
</td>
<td class="nd_center-cell">[% row.port1 | html_entity %]</td>
<td class="nd_center-cell"><a class="nd_linkcell" href="[% uri_for('/device') %]?q=[% row.device2.ip | uri %]">
<td class="nd_center-cell"><a class="nd_linkcell" href="[% uri_for('/device') | none %]?q=[% row.device2.ip | uri %]">
[% (row.device2.dns || row.device2.name || row.device2.ip) | html_entity %]</a></td>
<td class="nd_center-cell">[% row.port2 | html_entity %]</td>
<td class="nd_center-cell">
<button class="btn" data-toggle="modal"
data-target="#nd_devdel-[% count %]" type="button"><i class="icon-trash text-error"></i></button>
data-target="#nd_devdel-[% count | html_entity %]" type="button"><i class="icon-trash text-error"></i></button>

<div id="nd_devdel-[% count %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
role="dialog" aria-labelledby="nd_devdel-label-[% count %]" aria-hidden="true">
<div id="nd_devdel-[% count | html_entity %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
role="dialog" aria-labelledby="nd_devdel-label-[% count | html_entity %]" aria-hidden="true">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">x</button>
<h3 id="nd_devdel-label-[% count %]">Are you sure?</h3>
<h3 id="nd_devdel-label-[% count | html_entity %]">Are you sure?</h3>
</div>
<div class="modal-body">
<blockquote>
6 changes: 3 additions & 3 deletions share/views/ajax/admintask/undiscoveredneighbors.tt
Expand Up @@ -11,14 +11,14 @@
[% FOREACH row IN results %]
[% NEXT IF NOT row.remote_ip %]
<tr>
<td nowrap><a href="[% device_ports %]&q=[% row.ip | uri %]">
<td nowrap><a href="[% device_ports | none %]&q=[% row.ip | uri %]">
[% row.dns || row.name || row.ip | html_entity %]</a><br>
<a href="[% device_ports %]&q=[% row.ip | uri %]&f=[% row.port | uri %]">
<a href="[% device_ports | none %]&q=[% row.ip | uri %]&f=[% row.port | uri %]">
[% row.port | html_entity %]</a>
[% IF row.port_description %]<br>[% row.port_description | html_entity %][% END %]
[% IF row.comment %]<br>&quot;<em>[% row.comment | html_entity %]</em>&quot;[% END %]
</td>
<td nowrap><a href="[% search_node %]&q=[% row.remote_ip | uri %]">
<td nowrap><a href="[% search_node | none %]&q=[% row.remote_ip | uri %]">
[% row.remote_ip | html_entity %]</a><br>
[% row.remote_port | html_entity %]</td>
<td>[% row.remote_id | html_entity %]<br>
2 changes: 1 addition & 1 deletion share/views/ajax/admintask/userlog.tt
Expand Up @@ -19,7 +19,7 @@ $(document).ready(function() {
$('#aul-data-table').dataTable( {
"serverSide": true,
"order": [[ 0, "desc" ]],
"ajax": "[% uri_for('/ajax/control/admin/userlog/data') %]",
"ajax": "[% uri_for('/ajax/control/admin/userlog/data') | none %]",
"columns": [{
"data": 'creation',
"className": "nd_center-cell",
8 changes: 4 additions & 4 deletions share/views/ajax/admintask/users.tt
Expand Up @@ -66,13 +66,13 @@
<button class="btn nd_adminbutton" name="update" type="submit"><i class="icon-save text-warning"></i></button>

<button class="btn" data-toggle="modal"
data-target="#nd_devdel-[% count %]" type="button"><i class="icon-trash text-error"></i></button>
data-target="#nd_devdel-[% count | html_entity %]" type="button"><i class="icon-trash text-error"></i></button>

<div id="nd_devdel-[% count %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
role="dialog" aria-labelledby="nd_devdel-label-[% count %]" aria-hidden="true">
<div id="nd_devdel-[% count | html_entity %]" class="nd_modal nd_deep-horizon modal hide fade" tabindex="-1"
role="dialog" aria-labelledby="nd_devdel-label-[% count | html_entity %]" aria-hidden="true">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">x</button>
<h3 id="nd_devdel-label-[% count %]">Are you sure?</h3>
<h3 id="nd_devdel-label-[% count | html_entity %]">Are you sure?</h3>
</div>
<div class="modal-body">
<blockquote>
4 changes: 2 additions & 2 deletions share/views/ajax/datatabledefaults.tt
@@ -1,8 +1,8 @@

"processing": true
,"stateSave": true
,"pageLength": [% settings.table_pagesize %]
,"lengthMenu": [% table_showrecordsmenu %]
,"pageLength": [% settings.table_pagesize | none %]
,"lengthMenu": [% table_showrecordsmenu | none %]
,"dom": '<"top"l<"nd_datatables-pager"p>f>rit<"bottom"><"clear">'
,"language": {
"search": '_INPUT_'
6 changes: 3 additions & 3 deletions share/views/ajax/device/addresses.tt
Expand Up @@ -14,7 +14,7 @@
$(document).ready(function() {
var table = $('#da-data-table').dataTable({
"deferRender": true,
"data": [% results %],
"data": [% results | none %],
"columns": [
{
"data": 'alias',
Expand All @@ -31,7 +31,7 @@ $(document).ready(function() {
"type": 'portsort',
"render": function(data, type, row, meta) {
return type === 'display' ?
'<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
'<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
he.encode(data || '');
}
}, {
Expand All @@ -42,7 +42,7 @@ $(document).ready(function() {
}, {
"data": 'subnet',
"render": function(data, type, row, meta) {
return '<a href="[% search_device %]&q=' + encodeURIComponent(data) + '&ip=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
return '<a href="[% search_device | none %]&q=' + encodeURIComponent(data) + '&ip=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
}
}
],
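Review bot: `"data": [% results | none %]` places a server-built JSON document into a `<script>` body with the only template-level guard removed, and nothing in the hunk shows how `results` is serialised. The exemption is sound only if that encoder escapes `<`, `>` and `&` (or at minimum the `</` sequence) inside string values, since entity encoding is not decoded in script context and html_entity would have corrupted the JSON anyway; please confirm it and record it next to the directive, e.g. `[%# results is JSON from the route; its serialiser must escape </ in strings %]`. The other script-context exemptions in this commit — `settings.table_pagesize` and `table_showrecordsmenu` in ajax/datatabledefaults.tt and the `uri_for(...)` in ajax/admintask/userlog.tt — are config- or server-derived and lower risk, but deserve the same one-line justification. The `$(document).ready` callback continues outside the hunk.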

1 comment on commit deb9b62

@inphobia


Wickedness, I can no longer reproduce it with any of the test cases I had.
