Usernames can include some special characters, so we have to escape them.
Backport from pve6.
Signed-off-by: Dominik Csapak <d.csa...@proxmox.com> --- www/manager6/Workspace.js | 2 +- www/manager6/dc/ACLView.js | 2 +- www/manager6/dc/Log.js | 2 ++ www/manager6/dc/TFAEdit.js | 1 + www/manager6/dc/Tasks.js | 1 + www/manager6/dc/UserEdit.js | 1 + www/manager6/dc/UserView.js | 4 ++-- www/manager6/form/UserSelector.js | 1 + www/manager6/window/Settings.js | 2 +- 9 files changed, 11 insertions(+), 5 deletions(-) diff --git a/www/manager6/Workspace.js b/www/manager6/Workspace.js index ca67b7d9..ae41915e 100644 --- a/www/manager6/Workspace.js +++ b/www/manager6/Workspace.js @@ -170,7 +170,7 @@ Ext.define('PVE.StdWorkspace', { var ui = me.query('#userinfo')[0]; if (Proxmox.UserName) { - var msg = Ext.String.format(gettext("You are logged in as {0}"), "'" + Proxmox.UserName + "'"); + var msg = Ext.String.format(gettext("You are logged in as {0}"), "'" + Ext.String.htmlEncode(Proxmox.UserName) + "'"); ui.update('<div class="x-unselectable" style="white-space:nowrap;">' + msg + '</div>'); } else { ui.update(''); diff --git a/www/manager6/dc/ACLView.js b/www/manager6/dc/ACLView.js index 1322f952..07d8f136 100644 --- a/www/manager6/dc/ACLView.js +++ b/www/manager6/dc/ACLView.js @@ -111,7 +111,7 @@ Ext.define('PVE.dc.ACLView', { return '@' + ugid; } - return ugid; + return Ext.String.htmlEncode(ugid); }; var columns = [ diff --git a/www/manager6/dc/Log.js b/www/manager6/dc/Log.js index 0106af99..2b6e06ad 100644 --- a/www/manager6/dc/Log.js +++ b/www/manager6/dc/Log.js @@ -68,6 +68,7 @@ Ext.define('PVE.dc.Log', { { header: gettext("User name"), dataIndex: 'user', + renderer: Ext.String.htmlEncode, width: 150 }, { @@ -79,6 +80,7 @@ Ext.define('PVE.dc.Log', { { header: gettext("Message"), dataIndex: 'msg', + renderer: Ext.String.htmlEncode, flex: 1 } ], diff --git a/www/manager6/dc/TFAEdit.js b/www/manager6/dc/TFAEdit.js index ed2ff30d..b39bed13 100644 --- a/www/manager6/dc/TFAEdit.js +++ b/www/manager6/dc/TFAEdit.js 
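Review bot: In the www/manager6/dc/ACLView.js hunk, the branch just above the changed line still returns `'@' + ugid` unencoded, so only one of the renderer's two return paths is escaped. If that branch can ever carry markup characters (the allowed character set for those IDs is not visible here), it should read `return '@' + Ext.String.htmlEncode(ugid);`. Encoding both returns also keeps the renderer safe if the ID validation is relaxed later. The renderer function begins above the hunk, so the condition selecting this branch is not visible.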
@@ -368,6 +368,7 @@ Ext.define('PVE.window.TFAEdit', { { xtype: 'displayfield', fieldLabel: gettext('User name'), + renderer: Ext.String.htmlEncode, cbind: { value: '{userid}' } diff --git a/www/manager6/dc/Tasks.js b/www/manager6/dc/Tasks.js index 62e5ac71..5220bcb2 100644 --- a/www/manager6/dc/Tasks.js +++ b/www/manager6/dc/Tasks.js @@ -101,6 +101,7 @@ Ext.define('PVE.dc.Tasks', { { header: gettext("User name"), dataIndex: 'user', + renderer: Ext.String.htmlEncode, width: 150 }, { diff --git a/www/manager6/dc/UserEdit.js b/www/manager6/dc/UserEdit.js index 1665f4b0..26382d60 100644 --- a/www/manager6/dc/UserEdit.js +++ b/www/manager6/dc/UserEdit.js @@ -72,6 +72,7 @@ Ext.define('PVE.dc.UserEdit', { name: 'userid', fieldLabel: gettext('User name'), value: me.userid, + renderer: Ext.String.htmlEncode, allowBlank: false, submitValue: me.isCreate ? true : false }, diff --git a/www/manager6/dc/UserView.js b/www/manager6/dc/UserView.js index 8918fb2b..57dda809 100644 --- a/www/manager6/dc/UserView.js +++ b/www/manager6/dc/UserView.js @@ -110,11 +110,11 @@ Ext.define('PVE.dc.UserView', { ]; var render_username = function(userid) { - return userid.match(/^(.+)(@[^@]+)$/)[1]; + return Ext.String.htmlEncode(userid.match(/^(.+)(@[^@]+)$/)[1]); }; var render_realm = function(userid) { - return userid.match(/@([^@]+)$/)[1]; + return Ext.String.htmlEncode(userid.match(/@([^@]+)$/)[1]); }; Ext.apply(me, { diff --git a/www/manager6/form/UserSelector.js b/www/manager6/form/UserSelector.js index cd01bc3e..8f6f9fa4 100644 --- a/www/manager6/form/UserSelector.js +++ b/www/manager6/form/UserSelector.js @@ -29,6 +29,7 @@ Ext.define('PVE.form.UserSelector', { header: gettext('User'), sortable: true, dataIndex: 'userid', + renderer: Ext.String.htmlEncode, flex: 1 }, { diff --git a/www/manager6/window/Settings.js b/www/manager6/window/Settings.js index 1a4d8599..54271a75 100644 --- a/www/manager6/window/Settings.js +++ b/www/manager6/window/Settings.js 
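Review bot: On this `displayfield` in www/manager6/dc/TFAEdit.js the escaping could be written with the field's own `htmlEncode: true` config instead of `renderer: Ext.String.htmlEncode`. The rendered output should be the same, so this is a style point: the boolean states the intent directly and leaves `renderer` free for later formatting. Either way, a short comment such as `// userid may contain HTML special characters` would explain why the line must not be removed.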
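Review bot: In www/manager6/dc/UserEdit.js, whether the added `renderer` has any effect depends on the field's xtype, which is outside the hunk. `submitValue: me.isCreate ? true : false` suggests the same config serves both the create form and the edit form. If the xtype switches between an editable text input and a display field, only the display variant renders the value as HTML and, as far as I know, only it consults `renderer`. A comment like `// renderer only applies when shown as displayfield (edit mode)` would keep it from being dropped later as dead config.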
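Review bot: In www/manager6/dc/UserView.js both helpers still index `[1]` directly on the result of `match()`, so a userid without an `@realm` suffix makes `match()` return null and the renderer throws before the new `htmlEncode` call runs. This predates the patch, but since these lines are being touched a guard would be cheap: `var m = userid.match(/@([^@]+)$/); return m ? Ext.String.htmlEncode(m[1]) : '';`, and likewise in `render_username`. Whether the API can return such an entry is not visible from the hunk.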
@@ -36,7 +36,7 @@ Ext.define('PVE.window.Settings', { var sp = Ext.state.Manager.getProvider(); var username = sp.get('login-username') || Proxmox.Utils.noneText; - me.lookupReference('savedUserName').setValue(username); + me.lookupReference('savedUserName').setValue(Ext.String.htmlEncode(username)); var settings = ['fontSize', 'fontFamily', 'letterSpacing', 'lineHeight']; settings.forEach(function(setting) { -- 2.20.1 _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
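Review bot: Encoding at the `setValue()` call site protects only this one assignment, so any other code path that sets `savedUserName` would bypass it, and the value comes from the client-side state provider (`login-username`). The other files in this patch put `renderer: Ext.String.htmlEncode` on the field definition, which covers every assignment; doing the same here would be consistent. The field definition is outside the hunk, so if `savedUserName` is not a display field the pre-encoded string would show literal entities such as `&lt;` to the user.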