
Fix #4406: stored xss vulnerability
gschueler committed Jan 23, 2019
1 parent 70072cd commit e546d34
Showing 2 changed files with 4 additions and 4 deletions.
Expand Up @@ -388,7 +388,7 @@ function ScriptStep(data) {
self.argStringAsQuotedWithScriptfile = ko.computed(function () {
var isq = self.argsQuoted() ? '"' : '';
return isq
+ '<em>' + self.scriptfileText() +'</em> '
+ self.scriptfileText() + ' '
+ self.args()
+ isq;
});
Expand All @@ -410,7 +410,7 @@ function ScriptStep(data) {
self.invocationPreviewHtml = ko.computed(function () {
var text = '';
if (self.invocationString() && self.invocationString().indexOf('${scriptfile}') >= 0) {
text += self.invocationString().split('\$\{scriptfile\}').join('<em>' + self.scriptfileText() +'</em>') + ' ' + self.argStringAsQuoted();
text += self.invocationString().split('\$\{scriptfile\}').join( self.scriptfileText() ) + ' ' + self.argStringAsQuoted();
} else if (self.invocationString()) {
text += self.invocationString() + ' ' + self.argStringAsQuotedWithScriptfile();
} else {
Expand Down Expand Up @@ -527,4 +527,4 @@ function WorkflowStep(data) {
},
ignore: ['editor']
}, this);
}
}
2 changes: 1 addition & 1 deletion rundeckapp/grails-app/views/execution/_wfitemEdit.gsp
Expand Up @@ -560,7 +560,7 @@
<div class="col-sm-2 control-label"><g:message code="Workflow.step.script.execution.preview.label" /></div>

<div id='interpreterArgsQuotedHelp${rkey}_preview' class="col-sm-10 form-control-static">
<code>$ <span data-bind="html: invocationPreviewHtml"></span></code>
<code>$ <span data-bind="text: invocationPreviewHtml"></span></code>
</div>

<g:embedJSON id="scriptStepData_${rkey}" data="${[invocationString: item?.scriptInterpreter?:'',fileExtension: item?.fileExtension?:'',args: item?.argString?:'',argsQuoted: item?.interpreterArgsQuoted?true:false]}"/>
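Review bot: The preview span on the new line is now bound with `text:`, so the value of `invocationPreviewHtml` is inserted as text instead of being parsed as markup, yet the observable keeps its `Html` suffix, which reads as an invitation to restore the `html:` binding later. A short marker beside the binding would record that the text binding is deliberate, e.g. `<%-- #4406: preview is plain text; keep the text binding, do not switch back to html --%>`. Renaming the computed on the JavaScript side, now that it no longer emits `<em>` markup, would make this harder to regress, though that belongs to the other file in this commit. Whether any other `data-bind="html: …"` in this view receives user-controlled values cannot be judged from the hunk.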
