author | Costa Tsaousis <costa@tsaousis.gr> | 2018-09-18 13:34:27 +0300 |
committer | GitHub <noreply@github.com> | 2018-09-18 13:34:27 +0300 |
commit | 8e0b0bcb551ac14d2b24bbf2551ef9f6cd96e405 (patch) | |
tree | a0d6213f38c94c967998e6059bf238bd7149974e /web/goto-host-from-alarm.html | |
parent | ed289f31f6ee62ce4f7c066b706e2e8043416285 (diff) |
fixes identified by LGTM (#4220)
* fixes identified by LGTM
* fixed hex of quote and slash
* fixed hex of quote and slash on all files
* escape more characters
* removed test
* do not read document.location
* exclude full subpaths for LGTM
* exclude the tests path
* excluded lgtm paths in quotes
* excluded sub-paths on LGTM
* fix xss identified by LGTM
Diffstat (limited to 'web/goto-host-from-alarm.html')
-rw-r--r-- | web/goto-host-from-alarm.html | 31 |
1 files changed, 22 insertions, 9 deletions
diff --git a/web/goto-host-from-alarm.html b/web/goto-host-from-alarm.html
index db67033602..4800ae8028 100644
--- a/web/goto-host-from-alarm.html
+++ b/web/goto-host-from-alarm.html
@@ -22,11 +22,24 @@
 <script type="text/javascript" src="dashboard.js?v20170724-7"></script>
 <script>
-function escapeUserInputXss(s) {
- return s.toString().replace(/</g, '<')
+function escapeUserInputHTML(s) {
+ return s.toString()
+ .replace(/&/g, '&')
+ .replace(/</g, '<')
 .replace(/>/g, '>')
 .replace(/"/g, '"')
- .replace(/'/g, '#27;');
+ .replace(/#/g, '#')
+ .replace(/'/g, ''')
+ .replace(/\(/g,'(')
+ .replace(/\)/g,')')
+ .replace(/\//g,'/');
+}
+function escapeUserInputJS(s) {
+ return s.toString()
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
+ .replace(/\(/g,'(')
+ .replace(/\)/g,')');
 }
 var urlOptions = {
@@ -94,7 +107,7 @@ function gotoServerValidateUrl(id, guid, url) {
 var finalURL = netdataURL(url);
 setTimeout(function() {
- document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + escapeUserInputXss(finalURL) + '" target="_blank">' + escapeUserInputXss(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
+ document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + escapeUserInputJS(finalURL) + '" target="_blank">' + escapeUserInputHTML(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
 NETDATA.registry.hello(url, function(data) {
 if(typeof data !== 'undefined' && data !== null && typeof data.machine_guid === 'string' && data.machine_guid === guid) {
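Review bot: escapeUserInputJS, added at the end of the first hunk, is not a JavaScript-string escaper: it never touches backslashes or line terminators and only entity-encodes `"`, `'`, `(` and `)`, so its name overstates what it does, and the commit then applies it to values used as URLs (the `href` attribute and the `document.location` assignments in the later hunks), where entity encoding is the wrong control. As rendered here the replacement strings look identical to the matched characters (`.replace(/</g, '<')`); presumably the page decoded the entity literals, but if the source really contains identity replacements both functions escape nothing and the raw file should be checked. I would at least document the contract on both functions: `// escapeUserInputHTML: entity-encode for HTML text and double-quoted attribute values only` and `// escapeUserInputJS: entity-encodes quotes and parentheses only; not a JS-string escaper and not a URL validator`.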
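Review bot: On the added innerHTML line, `guid` and `id` are still concatenated raw into the `id="..."` attribute while `finalURL` and `url` are escaped; if `guid` comes from the page's query string (urlOptions, not visible in this hunk) that is an attribute-injection path the commit leaves open. `finalURL` inside `href="..."` is an HTML attribute context, so it belongs with escapeUserInputHTML (which also encodes `&`) rather than escapeUserInputJS, e.g. `'<a href="' + escapeUserInputHTML(finalURL) + '" target="_blank">'` and `'<code id="' + escapeUserInputHTML(guid) + '-' + escapeUserInputHTML(id) + '-status">'`. The enclosing gotoServerValidateUrl starts before this hunk and continues after it.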
@@ -107,11 +120,11 @@ function gotoServerValidateUrl(id, guid, url) {
 if(gotoServerMiddleClick) {
 window.open(finalURL);
 gotoServerMiddleClick = false;
- document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + escapeUserInputXss(finalURL) + '">' + escapeUserInputXss(url) + '</a></b><br/>(check your pop-up blocker if it fails)';
+ document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + escapeUserInputJS(finalURL) + '">' + escapeUserInputHTML(url) + '</a></b><br/>(check your pop-up blocker if it fails)';
 }
 else {
- document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + url + '</small>';
- document.location = finalURL;
+ document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + escapeUserInputHTML(url) + '</small>';
+ document.location = escapeUserInputJS(finalURL);
 }
 }
 }
@@ -127,7 +140,7 @@ function gotoServerValidateUrl(id, guid, url) {
 if(thisIsHttps === true && urlsInHttp > 0) {
 document.getElementById('gotoServerResponse').innerHTML += '<br/>redirecting myself to HTTP to allow checking';
- document.location = document.location.toString().replace('https://', 'http://');
+ document.location = escapeUserInputJS(document.location.toString().replace('https://', 'http://'));
 }
 }
 }
@@ -192,7 +205,7 @@ var netdataRegistryCallback = function(machines_array) {
 }
 }
- document.getElementById('bodylog').innerHTML = "Sorry... your account is not linked to a netdata server named: <b>" + escapeUserInputXss(urlOptions.host) + '</b>';
+ document.getElementById('bodylog').innerHTML = "Sorry... your account is not linked to a netdata server named: <b>" + escapeUserInputHTML(urlOptions.host) + '</b>';
 };
 netdataQueryParse(); |
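Review bot: `document.location = escapeUserInputJS(finalURL);` in the else branch does not make the navigation safe: entity encoding neither rejects a `javascript:`-scheme value nor preserves a legitimate URL that contains `'`, `(`, `)` or `"` (those characters reach the browser as their entity text, so the address is corrupted). The same applies to the `document.location = escapeUserInputJS(document.location.toString().replace('https://', 'http://'))` line in the @@ -127,7 +140,7 @@ hunk, where the input is the page's own location and needs no escaping at all. The fitting control for a navigation sink is scheme validation before assignment, for instance `var target = new URL(finalURL, document.location.href);` followed by `if(target.protocol === 'http:' || target.protocol === 'https:') document.location = target.href;`. Separately, `NETDATA.registry.machines[guid].name` is written into innerHTML unescaped on the added middle-click line; since it appears to come from the registry rather than from this page, it should be wrapped in escapeUserInputHTML the way `url` is. gotoServerValidateUrl begins before this hunk and continues past its last line.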