ref #11748.
33 33 exit 0 34 34 fi 35 35 36 SQLITE_OUTPUT=$(sqlite3 "$WHITELIST_DBFILE" "$WHITELIST_QUERY" 2>&1) 36 # The "name" column values sometimes contain double quotes, and they could 37 # potentially contain backslashes. Both characters need to be escaped in json 38 # string values. We perform the escaping on the full sqlite3 output, since those 39 # characters may only appear in string column values. 40 escape() { 41 sed -e 's/\\/\\\\/g' -e 's/\"/\\\"/g'

I am not sure if this is enough; this is a nice place for an HTML injection attack via a nicely crafted vDC device name. I think we should sanitize the input here to prevent insertion of HTML code (i.e. apart from quotes, also not allow < > to prevent insertion of HTML tags; not sure what else).
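Review bot: escape() only handles backslash and double quote, so a "name" value containing a newline, tab or other control character still yields invalid JSON; the sed pair should be extended to escape control characters (or the rows emitted through a real JSON encoder) rather than relying on quotes and backslashes being the only problem characters. The order of the two substitutions (backslash first, then quote) is correct. Separately, the `2>&1` on the sqlite3 call folds any stderr text into SQLITE_OUTPUT, which then passes through escape() and is emitted as data; capture stderr separately and fail on a non-zero exit instead of letting error text land in the JSON output.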
You are right. I just checked, and Ext does not do any kind of validation on the grid text output!
I have made a fix on the client JS side: the sanitization is done when generating the grid output. This preserves the service name and dsuid intact, in case we may later need to offer the option to edit/enter it in the UI.
But it would be simple to do it here, if we must. The characters quoted by htmlEncode are four: <, >, &, "
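The rendering fix discussed in this thread, as an added stand-alone example rather than the project's own code or Ext's `htmlEncode`: a text-column renderer that HTML-encodes every displayed whitelist value while the store keeps the raw `name` and `dsuid`, shown next to the backslash-and-quote escaping the shell `escape()` helper performs so it is clear that JSON escaping alone does not neutralize markup. It goes one step beyond the four characters named above by also encoding the single quote, so the output is safe inside single-quoted attributes. The row data and dsuid values are constructed for the example.

```javascript
// Added example, not code from the merge request. Ext.util.Format.htmlEncode covers
// exactly <, >, & and "; this version additionally encodes ' (an assumption of this
// example, not something the thread requires) so values are also safe in single-quoted
// attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function htmlEncode(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The same escaping the shell escape() helper applies with sed: backslash first, then
// double quote. It keeps the JSON document well-formed but leaves HTML tags untouched.
function jsonEscape(value) {
  return String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Grid-side renderer: the store keeps name and dsuid intact; only the rendered cell text
// is encoded, which is what allows later editing of the raw values in the UI.
function renderWhitelistRows(rows) {
  return rows
    .map((row) => `<tr><td>${htmlEncode(row.dsuid)}</td><td>${htmlEncode(row.name)}</td></tr>`)
    .join('');
}

// Constructed sample rows (hypothetical dsuid strings); the second name is a crafted
// vDC device name carrying an injection payload.
const SAMPLE_ROWS = [
  { dsuid: 'DSUID-0001', name: 'Living room lamp' },
  { dsuid: 'DSUID-0002', name: '<img src=x onerror="alert(1)">' },
];

// Convenience check: does the rendered table still contain a raw tag from any name?
function renderedContainsRawTag(rows) {
  return /<img/i.test(renderWhitelistRows(rows));
}
```

Passing the crafted name through `jsonEscape` only turns its inner quotes into `\"`; the `<img` tag survives and would execute once the grid inserts it as HTML. The same value through `htmlEncode` becomes `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;`, which the browser displays as text.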
Added 1 commit:
- 8da3ed59 - Render the whitelist text columns with htmlEncode.
mentioned in commit ed704c36