Prevent malformed DNS queries executing JS on querylog/long term quer…

…y log

Signed-off-by: Adam Warner <me@adamwarner.co.uk>

scripts/pi-hole/js/db_queries.js

@@ -194,6 +194,10 @@ $(function () {
 
   tableApi = $("#all-queries").DataTable({
     rowCallback: function (row, data) {
+      for (i = 0; i < data.length; i++) {
+        //Santise data coming back from API to ensure no malicious HTML
+        data[i] = utils.escapeHtml(data[i]);
+      }
       var fieldtext, buttontext, color;
       switch (data[4]) {
         case 1:
@@ -324,8 +328,8 @@ $(function () {
         }
       },
       { width: "10%" },
-      { width: "40%" },
-      { width: "20%", type: "ip-address" },
+      { width: "40%", render: $.fn.dataTable.render.text() },
+      { width: "20%", type: "ip-address", render: $.fn.dataTable.render.text() },
       { width: "10%" },
       { width: "5%" }
     ],

scripts/pi-hole/js/queries.js

@@ -74,6 +74,10 @@ $(function () {
 
   tableApi = $("#all-queries").DataTable({
     rowCallback: function (row, data) {
+      for (i = 0; i < data.length; i++) {
+        //Santise data coming back from API to ensure no malicious HTML
+        data[i] = utils.escapeHtml(data[i]);
+      }
       // DNSSEC status
       var dnssecStatus;
       switch (data[6]) {

scripts/pi-hole/js/utils.js

@@ -16,7 +16,7 @@ function escapeHtml(text) {
     '"': """,
     "'": "'"
   };
-
+  if (typeof text !== "string") return text;
   if (text === null) return null;
 
   return text.replace(/[&<>"']/g, function (m) {
@@ -32,7 +32,7 @@ function unescapeHtml(text) {
     "&quot;": '"',
     "&#039;": "'"
   };
-
+  if (typeof text !== "string") return text;
   if (text === null) return null;
 
   return text.replace(/&(?:amp|lt|gt|quot|#039);/g, function (m) {