author | Costa Tsaousis <costa@tsaousis.gr> | 2018-09-18 13:34:27 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-09-18 13:34:27 +0300 |
commit | 8e0b0bcb551ac14d2b24bbf2551ef9f6cd96e405 (patch) | |
tree | a0d6213f38c94c967998e6059bf238bd7149974e /web/index.html | |
parent | ed289f31f6ee62ce4f7c066b706e2e8043416285 (diff) |
fixes identified by LGTM (#4220)
* fixes identified by LGTM
* fixed hex of quote and slash
* fixed hex of quote and slash on all files
* escape more characters
* removed test
* do not read document.location
* exclude full subpaths for LGTM
* exclude the tests path
* excluded lgtm paths in quotes
* excluded sub-paths on LGTM
* fix xss identified by LGTM
Diffstat (limited to 'web/index.html')
-rw-r--r-- | web/index.html | 41 |
1 files changed, 28 insertions, 13 deletions
diff --git a/web/index.html b/web/index.html
index 24d821ef6c..5f6d929234 100644
--- a/web/index.html
+++ b/web/index.html
@@ -580,11 +580,24 @@
 // control the welcome modal and analytics
 var this_is_demo = null;
- function escapeUserInputXss(s) {
- return s.toString().replace(/</g, '<')
+ function escapeUserInputHTML(s) {
+ return s.toString()
+ .replace(/&/g, '&')
+ .replace(/</g, '<')
 .replace(/>/g, '>')
 .replace(/"/g, '"')
- .replace(/'/g, '#27;');
+ .replace(/#/g, '#')
+ .replace(/'/g, ''')
+ .replace(/\(/g,'(')
+ .replace(/\)/g,')')
+ .replace(/\//g,'/');
+ }
+ function escapeUserInputJS(s) {
+ return s.toString()
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
+ .replace(/\(/g,'(')
+ .replace(/\)/g,')');
 }
 // --------------------------------------------------------------------
@@ -1102,7 +1115,8 @@
 document.location.hostname.endsWith('.mynetdata.io') ||
 document.location.hostname.endsWith('.netdata.rocks') ||
 document.location.hostname.endsWith('.firehol.org') ||
- document.location.hostname.endsWith('.netdata.online'))
+ document.location.hostname.endsWith('.netdata.online') ||
+ document.location.hostname.endsWith('.netdata.cloud'))
 this_is_demo = true;
 }
 }
@@ -1112,7 +1126,8 @@
 function netdataURL(url, forReload) {
 if(typeof url === 'undefined')
- url = document.location.toString();
+ // url = document.location.toString();
+ url = '';
 if(url.indexOf('#') !== -1)
 url = url.substring(0, url.indexOf('#'));
@@ -1121,7 +1136,7 @@
 // console.log('netdataURL: ' + url + hash);
- return escapeUserInputXss(url + hash);
+ return url + hash;
 }
 function netdataReload(url) {
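Review bot: Neither new helper says which output context it encodes for, and the name `escapeUserInputJS` suggests a JavaScript-string encoder while its only call sites in this commit (hunks at -1155 and -1168) place the result inside a double-quoted HTML `href` attribute, where entity encoding is what is needed and backslash escaping (which this function does not do) is what a real JS-string context would require. I would put above `escapeUserInputHTML` a comment such as `// HTML text/attribute context: entity-encodes &, <, >, ", ', #, (, ), / — call on raw, not already-encoded, input` and above `escapeUserInputJS` one like `// for double-quoted HTML attribute values only (not JS string literals); does not validate URL schemes`, and consider renaming the latter `escapeUserInputAttr` while `escapeUserInputXss` is already being renamed. This page renders the replacement literals entity-decoded (`.replace(/&/g, '&')` reads as a no-op), so the exact encodings are assumed from the commit message rather than verified here.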
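Review bot: The new `// url = document.location.toString();` line in netdataURL is commented-out code that leaves a reader guessing why the default changed; a why-comment would carry the intent instead, e.g. `// do not seed from document.location: it is attacker-influenced input (LGTM); an absent url means "current page"`. The rest of netdataURL (the `hash` handling and the `forReload` parameter) lies between or outside these hunks, so whether an empty `url` plus `hash` still yields a usable result for netdataReload cannot be confirmed from here.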
@@ -1141,13 +1156,13 @@
 var gotoServerMiddleClick = false;
 var gotoServerStop = false;
 function gotoServerValidateUrl(id, guid, url) {
- var penaldy = 0;
+ var penalty = 0;
 var error = 'failed';
 if(document.location.toString().startsWith('http://') && url.toString().startsWith('https://'))
 // we penalize https only if the current url is http
 // to allow the user walk through all its servers.
- penaldy = 500;
+ penalty = 500;
 else if(document.location.toString().startsWith('https://') && url.toString().startsWith('http://'))
 error = 'can\'t check';
@@ -1155,7 +1170,7 @@
 var finalURL = netdataURL(url);
 setTimeout(function() {
- document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + finalURL + '" target="_blank">' + url + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
+ document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + escapeUserInputJS(finalURL) + '" target="_blank">' + escapeUserInputHTML(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
 NETDATA.registry.hello(url, function(data) {
 if(typeof data !== 'undefined' && data !== null && typeof data.machine_guid === 'string' && data.machine_guid === guid) {
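Review bot: In the rewritten `gotoServerList` line, `url` and `finalURL` are now encoded but `guid` is still concatenated raw into the `id="..."` attribute of the same innerHTML string; `guid` appears to come from the registry as well (`NETDATA.registry.machines[guid]` in the next hunk), so it deserves the same treatment, `'<code id="' + escapeUserInputJS(guid) + '-' + id + '-status">'`, or an explicit check that it has the UUID shape the code later compares it against (`data.machine_guid === guid`). The `id` parameter appears numeric (`id * 50` below) and is lower risk. gotoServerValidateUrl's body continues past the end of this hunk.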
@@ -1168,10 +1183,10 @@
 if(gotoServerMiddleClick) {
 window.open(finalURL, '_blank');
 gotoServerMiddleClick = false;
- document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + finalURL + '">' + url + '</a></b><br/>(check your pop-up blocker if it fails)';
+ document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + escapeUserInputJS(finalURL) + '">' + escapeUserInputHTML(url) + '</a></b><br/>(check your pop-up blocker if it fails)';
 }
 else {
- document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + url + '</small>';
+ document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + escapeUserInputHTML(url) + '</small>';
 document.location = finalURL;
 }
 }
@@ -1188,7 +1203,7 @@
 }
 }
 });
- }, (id * 50) + penaldy);
+ }, (id * 50) + penalty);
 }
 function gotoServerModalHandler(guid) {
@@ -5740,6 +5755,6 @@
 </div>
 </div>
 <div id="hiddenDownloadLinks" style="display: none;" hidden></div>
- <script type="text/javascript" src="dashboard.js?v20180917-1"></script>
+ <script type="text/javascript" src="dashboard.js?v20180918-1"></script>
 </body>
 </html> |
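Review bot: The attribute encoding added here does not address the URL scheme: in this same hunk `finalURL` is still passed unchanged to `window.open(finalURL, '_blank')` and assigned to `document.location`, and netdataURL (hunk at -1121) now returns its argument verbatim, so a registry URL beginning with `javascript:` would still execute when the user selects that server even though it can no longer break out of the `href` attribute. I would refuse anything that is not http(s) before any of these uses, which fits the `startsWith('http://')`/`startsWith('https://')` checks gotoServerValidateUrl already makes (hunk at -1141), e.g. `if(!/^https?:\/\//i.test(url.toString())) return; // never hand a non-http(s) registry URL to href, window.open or document.location`. Also `NETDATA.registry.machines[guid].name` is inserted into innerHTML unencoded on the rewritten line; if it is registry-supplied like `url`, it should go through `escapeUserInputHTML` too. The enclosing callback and gotoServerValidateUrl both begin and end outside this hunk.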