Merge pull request #2910 from jaredevantabor/monkey-punch

XSS sanitize permissions-popover
2024-10-31 23:51:09 +03:00 · 2016-07-11 10:22:11 -07:00 · 2016-07-11 10:22:11 -07:00 · c09a08e012
commit c09a08e012
parent d9e31c53eb b4d489ff1b
2 changed files with 5 additions and 4 deletions
--- a/awx/ui/client/src/access/roleList.partial.html
+++ b/awx/ui/client/src/access/roleList.partial.html
@ -9,7 +9,7 @@
    <div class="RoleList-tag"
        ng-class="{'RoleList-tag--deletable': entry.explicit,
            'RoleList-tag--team': entry.team_id}"
-        aw-tool-tip='{{entry.team_name}}' aw-tip-placement='bottom'>
+        aw-tool-tip='{{entry.team_name | sanitize}}' aw-tip-placement='bottom'>
        <span class="RoleList-name">{{ entry.name }}</span>
        <i ng-show='entry.team_id' class="fa fa-users"></i>
    </div>
--- a/awx/ui/client/src/app.js
+++ b/awx/ui/client/src/app.js
@ -521,11 +521,12 @@ var tower = angular.module('Tower', [
        'ClearScope', 'Socket', 'LoadConfig', 'Store',
        'ShowSocketHelp', 'pendoService', 'Prompt', 'Rest', 'Wait',
        'ProcessErrors', '$state', 'GetBasePath', 'ConfigService',
-        'FeaturesService',
+        'FeaturesService', '$filter',
        function ($q, $compile, $cookieStore, $rootScope, $log, CheckLicense,
            $location, Authorization, LoadBasePaths, Timer, ClearScope, Socket,
            LoadConfig, Store, ShowSocketHelp, pendoService, Prompt, Rest, Wait,
-            ProcessErrors, $state, GetBasePath, ConfigService, FeaturesService) {
+            ProcessErrors, $state, GetBasePath, ConfigService, FeaturesService,
+            $filter) {
            var sock;
            $rootScope.addPermission = function (scope) {
                $compile("<add-permissions class='AddPermissions'></add-permissions>")(scope);
@ -563,7 +564,7 @@ var tower = angular.module('Tower', [
                if (accessListEntry.team_id) {
                    Prompt({
                        hdr: `Team access removal`,
-                        body: `<div class="Prompt-bodyQuery">Please confirm that you would like to remove <span class="Prompt-emphasis">${entry.name}</span> access from the team <span class="Prompt-emphasis">${entry.team_name}</span>. This will affect all members of the team. If you would like to only remove access for this particular user, please remove them from the team.</div>`,
+                        body: `<div class="Prompt-bodyQuery">Please confirm that you would like to remove <span class="Prompt-emphasis">${entry.name}</span> access from the team <span class="Prompt-emphasis">${$filter('sanitize')(entry.team_name)}</span>. This will affect all members of the team. If you would like to only remove access for this particular user, please remove them from the team.</div>`,
                            action: action,
                        actionText: 'REMOVE TEAM ACCESS'
                    });