
Merge pull request #28 from mabashian/7279-xss

Fixed xss vulnerabilities within the delete permissions modals
This commit is contained in:
Michael Abashian 2017-07-24 17:22:43 -04:00 committed by GitHub
commit 35f70965aa
2 changed files with 9 additions and 7 deletions


@ -4,8 +4,8 @@
* All Rights Reserved * All Rights Reserved
*************************************************/ *************************************************/
export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessErrors', 'Prompt', '$state', export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessErrors', 'Prompt', '$state', '$filter',
function($scope, list, Dataset, Wait, Rest, ProcessErrors, Prompt, $state) { function($scope, list, Dataset, Wait, Rest, ProcessErrors, Prompt, $state, $filter) {
init(); init();
function init() { function init() {
@ -15,6 +15,7 @@ export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessE
} }
$scope.deletePermissionFromUser = function(userId, userName, roleName, roleType, url) { $scope.deletePermissionFromUser = function(userId, userName, roleName, roleType, url) {
var action = function() { var action = function() {
$('#prompt-modal').modal('hide'); $('#prompt-modal').modal('hide');
Wait('start'); Wait('start');
@ -36,9 +37,9 @@ export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessE
hdr: `Remove role`, hdr: `Remove role`,
body: ` body: `
<div class="Prompt-bodyQuery"> <div class="Prompt-bodyQuery">
Confirm the removal of the ${roleType} Confirm the removal of the ${$filter('sanitize')(roleType)}
<span class="Prompt-emphasis"> ${roleName} </span> <span class="Prompt-emphasis"> ${roleName} </span>
role associated with ${userName}. role associated with ${$filter('sanitize')(userName)}.
</div> </div>
`, `,
action: action, action: action,
@ -47,6 +48,7 @@ export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessE
}; };
$scope.deletePermissionFromTeam = function(teamId, teamName, roleName, roleType, url) { $scope.deletePermissionFromTeam = function(teamId, teamName, roleName, roleType, url) {
var action = function() { var action = function() {
$('#prompt-modal').modal('hide'); $('#prompt-modal').modal('hide');
Wait('start'); Wait('start');
@ -68,9 +70,9 @@ export default ['$scope', 'ListDefinition', 'Dataset', 'Wait', 'Rest', 'ProcessE
hdr: `Remove role`, hdr: `Remove role`,
body: ` body: `
<div class="Prompt-bodyQuery"> <div class="Prompt-bodyQuery">
Confirm the removal of the ${roleType} Confirm the removal of the ${$filter('sanitize')(roleType)}
<span class="Prompt-emphasis"> ${roleName} </span> <span class="Prompt-emphasis"> ${roleName} </span>
role associated with the ${teamName} team. role associated with the ${$filter('sanitize')(teamName)} team.
</div> </div>
`, `,
action: action, action: action,
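Review bot: `${roleName}` on the `Prompt-emphasis` line of both modal bodies is still interpolated into the HTML unescaped, while the neighbouring `roleType`, `userName` and `teamName` now go through `$filter('sanitize')`; if a role name can ever carry user-supplied text, that line has the same injection the commit sets out to close. The cheap fix is to treat every interpolated value the same way: `<span class="Prompt-emphasis"> ${$filter('sanitize')(roleName)} </span>` in both `deletePermissionFromUser` and `deletePermissionFromTeam`. If role names are known to be fixed server-side labels, a short comment at the `Prompt({` call saying so (`// roleName is a fixed RBAC label, not user input`) would stop the next reader from flagging it again. Both `Prompt({ ... })` calls and their enclosing functions continue past the end of these hunks, so any further interpolations there were not visible for review.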


@ -75,7 +75,7 @@ export default
} else { } else {
Prompt({ Prompt({
hdr: `User access removal`, hdr: `User access removal`,
body: `<div class="Prompt-bodyQuery">Please confirm that you would like to remove <span class="Prompt-emphasis">${entry.name}</span> access from <span class="Prompt-emphasis">${user.username}</span>.</div>`, body: `<div class="Prompt-bodyQuery">Please confirm that you would like to remove <span class="Prompt-emphasis">${entry.name}</span> access from <span class="Prompt-emphasis">${$filter('sanitize')(user.username)}</span>.</div>`,
action: action, action: action,
actionText: 'REMOVE' actionText: 'REMOVE'
}); });
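Review bot: `${entry.name}` in the modal body is still interpolated into the HTML raw while `user.username` on the same line is now passed through `$filter('sanitize')`; if `entry` is a resource whose name is set by users (which its use in an access-removal prompt suggests), the body remains injectable through that value. Suggest `<span class="Prompt-emphasis">${$filter('sanitize')(entry.name)}</span>` so every value reaching the prompt markup is escaped consistently. The function containing this `Prompt({` call starts before the hunk, so whether `$filter` is already injected here could not be confirmed from the visible lines.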