Merge pull request #28 from mabashian/7279-xss

Fixed xss vulnerabilities within the delete permissions modals
2024-11-01 08:21:15 +03:00 · 2017-07-24 17:22:43 -04:00 · 2017-07-24 17:22:43 -04:00 · 35f70965aa
commit 35f70965aa
parent b9b37f4ca9 b6547fe97a
2 changed files with 9 additions and 7 deletions
--- a/awx/ui/client/src/access/permissions-list.controller.js
+++ b/awx/ui/client/src/access/permissions-list.controller.js
@ -4,8 +4,8 @@
 * All Rights Reserved
 *************************************************/

-export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessErrors', 'Prompt', '$state',
-    function($scope, list, Dataset, Wait, Rest, ProcessErrors, Prompt, $state) {
+export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessErrors', 'Prompt', '$state', '$filter',
+    function($scope, list, Dataset, Wait, Rest, ProcessErrors, Prompt, $state, $filter) {
        init();

        function init() {
@ -15,6 +15,7 @@ export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessE
        }

        $scope.deletePermissionFromUser = function(userId, userName, roleName, roleType, url) {
+
            var action = function() {
                $('#prompt-modal').modal('hide');
                Wait('start');
@ -36,9 +37,9 @@ export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessE
                hdr: `Remove role`,
                body: `
                    <div class="Prompt-bodyQuery">
-                        Confirm  the removal of the ${roleType}
+                        Confirm  the removal of the ${$filter('sanitize')(roleType)}
                            <span class="Prompt-emphasis"> ${roleName} </span>
-                        role associated with ${userName}.
+                        role associated with ${$filter('sanitize')(userName)}.
                    </div>
                `,
                action: action,
@ -47,6 +48,7 @@ export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessE
        };

        $scope.deletePermissionFromTeam = function(teamId, teamName, roleName, roleType, url) {
+
            var action = function() {
                $('#prompt-modal').modal('hide');
                Wait('start');
@ -68,9 +70,9 @@ export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessE
                hdr: `Remove role`,
                body: `
                    <div class="Prompt-bodyQuery">
-                        Confirm  the removal of the ${roleType}
+                        Confirm  the removal of the ${$filter('sanitize')(roleType)}
                            <span class="Prompt-emphasis"> ${roleName} </span>
-                        role associated with the ${teamName} team.
+                        role associated with the ${$filter('sanitize')(teamName)} team.
                    </div>
                `,
                action: action,
--- a/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
+++ b/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
@ -75,7 +75,7 @@ export default
                        } else {
                            Prompt({
                                hdr: `User access removal`,
-                                body: `<div class="Prompt-bodyQuery">Please confirm that you would like to remove <span class="Prompt-emphasis">${entry.name}</span> access from <span class="Prompt-emphasis">${user.username}</span>.</div>`,
+                                body: `<div class="Prompt-bodyQuery">Please confirm that you would like to remove <span class="Prompt-emphasis">${entry.name}</span> access from <span class="Prompt-emphasis">${$filter('sanitize')(user.username)}</span>.</div>`,
                                action: action,
                                actionText: 'REMOVE'
                            });