1
0
mirror of https://github.com/cydrobolt/polr.git synced 2024-11-13 21:52:29 +01:00

Fix XSS vulnerability due to DataTables; escape user-provided fields

This commit is contained in:
Chaoyi Zha 2016-12-03 17:19:52 -05:00
parent 037ddb2f10
commit 06c714ad4a
2 changed files with 12 additions and 8 deletions

View File

@ -22,7 +22,7 @@ class AdminPaginationController extends Controller {
->addColumn('api_action', function ($user) { ->addColumn('api_action', function ($user) {
// Add "API Info" action button // Add "API Info" action button
return '<a class="activate-api-modal btn btn-sm btn-info" return '<a class="activate-api-modal btn btn-sm btn-info"
ng-click="openAPIModal($event, \'' . $user->username . '\', \'' . $user->api_key . '\', \'' . $user->api_active . '\', \'' . $user->api_quota . '\', \'' . $user->id . '\')"> ng-click="openAPIModal($event, \'' . e($user->username) . '\', \'' . $user->api_key . '\', \'' . $user->api_active . '\', \'' . e($user->api_quota) . '\', \'' . $user->id . '\')">
API info API info
</a>'; </a>';
}) })
@ -49,8 +49,8 @@ class AdminPaginationController extends Controller {
// FIXME <select> field does not use Angular bindings // FIXME <select> field does not use Angular bindings
// because of an issue affecting fields with duplicate names. // because of an issue affecting fields with duplicate names.
$select_role = '<select ng-init="changeUserRole.u'.$user->id.' = \''.$user->role.'\'" $select_role = '<select ng-init="changeUserRole.u' . $user->id . ' = \'' . e($user->role) . '\'"
ng-model="changeUserRole.u'.$user->id.'" ng-change="changeUserRole(changeUserRole.u'.$user->id.', '.$user->id.')" ng-model="changeUserRole.u' . $user->id . '" ng-change="changeUserRole(changeUserRole.u' . $user->id . ', '.$user->id.')"
class="form-control"'; class="form-control"';
if (session('username') == $user->username) { if (session('username') == $user->username) {
@ -61,13 +61,13 @@ class AdminPaginationController extends Controller {
foreach (UserHelper::USER_ROLES as $role_text => $role_val) { foreach (UserHelper::USER_ROLES as $role_text => $role_val) {
// Iterate over each available role and output option // Iterate over each available role and output option
$select_role .= '<option value="' . $role_val . '"'; $select_role .= '<option value="' . e($role_val) . '"';
if ($user->role == $role_val) { if ($user->role == $role_val) {
$select_role .= ' selected'; $select_role .= ' selected';
} }
$select_role .= '>' . $role_text . '</option>'; $select_role .= '>' . e($role_text) . '</option>';
} }
$select_role .= '</select>'; $select_role .= '</select>';
@ -83,6 +83,7 @@ class AdminPaginationController extends Controller {
Delete Delete
</a>'; </a>';
}) })
->escapeColumns(['username', 'email'])
->make(true); ->make(true);
} }
@ -101,17 +102,18 @@ class AdminPaginationController extends Controller {
$btn_text = 'Enable'; $btn_text = 'Enable';
} }
return '<a ng-click="toggleLink($event, \'' . $link->short_url . '\')" class="btn btn-sm ' . $btn_class . '"> return '<a ng-click="toggleLink($event, \'' . e($link->short_url) . '\')" class="btn btn-sm ' . $btn_class . '">
' . $btn_text . ' ' . $btn_text . '
</a>'; </a>';
}) })
->addColumn('delete', function ($link) { ->addColumn('delete', function ($link) {
// Add "Delete" action button // Add "Delete" action button
return '<a ng-click="deleteLink($event, \'' . $link->short_url . '\')" return '<a ng-click="deleteLink($event, \'' . e($link->short_url) . '\')"
class="btn btn-sm btn-warning delete-link"> class="btn btn-sm btn-warning delete-link">
Delete Delete
</a>'; </a>';
}) })
->escapeColumns(['short_url', 'long_url', 'creator'])
->make(true); ->make(true);
} }
@ -123,6 +125,7 @@ class AdminPaginationController extends Controller {
->select(['short_url', 'long_url', 'clicks', 'created_at']); ->select(['short_url', 'long_url', 'clicks', 'created_at']);
return Datatables::of($user_links) return Datatables::of($user_links)
->escapeColumns()
->make(true); ->make(true);
} }
} }

View File

@ -26,7 +26,8 @@ class LinkController extends Controller {
// Validate URL form data // Validate URL form data
$this->validate($request, [ $this->validate($request, [
'link-url' => 'required|url' 'link-url' => 'required|url',
'custom-ending' => 'alpha_dash'
]); ]);
$long_url = $request->input('link-url'); $long_url = $request->input('link-url');