authorCosta Tsaousis <costa@tsaousis.gr>2018-10-05 12:26:02 +0300
committerGitHub <noreply@github.com>2018-10-05 12:26:02 +0300
commit98f13d85150227cfc83648bfab1dd64b9a0217f6 (patch)
tree3123391c02a8a5f5bc7043256cd1f9127d524d61 /web/index.html
parent9e508c7c61fca91c9e75c82d4998896d13e0d8c6 (diff)
send pipes URL encoded (#4358)
* send pipes URL encoded; fixes #3819 * use encodeURIComponent() for user supplied parameters * fix LGTM detected XSS * also escape parentheses in URLs * also escape parentheses in URLs no2
Diffstat (limited to 'web/index.html')
-rw-r--r--web/index.html32
1 files changed, 19 insertions, 13 deletions
diff --git a/web/index.html b/web/index.html
index b1dcc8a86f..ddd749f411 100644
--- a/web/index.html
+++ b/web/index.html
@@ -592,12 +592,18 @@
.replace(/\)/g,'&#41;')
.replace(/\//g,'&#47;');
}
- function escapeUserInputJS(s) {
- return s.toString()
- .replace(/"/g, '&quot;')
- .replace(/'/g, '&#39;')
- .replace(/\(/g,'&#40;')
- .replace(/\)/g,'&#41;');
+
+ function verifyURL(s) {
+ if(typeof(s) === 'string' && (s.startsWith('http://') || s.startsWith('https://')))
+ return s
+ .replace(/'/g, '%22')
+ .replace(/"/g, '%27')
+ .replace(/\)/g, '%28')
+ .replace(/\(/g, '%29');
+
+ console.log('invalid URL detected:');
+ console.log(s);
+ return 'javascript:alert("invalid url");';
}
// --------------------------------------------------------------------
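Review bot: The four replacements in verifyURL use the wrong percent-encodings: `%22` is `"` but is substituted for `'`, `%27` is `'` but is substituted for `"`, and `%28`/`%29` (`(`/`)`) are likewise swapped, so a legitimate URL containing a parenthesis is rewritten to a different resource. The rejection path is also a concern: returning `'javascript:alert("invalid url");'` hands a script-executing URL to every caller that assigns it to document.location, window.open or an href (the hunks at netdataReload, gotoHostedModalHandler and the gotoServer handlers), so a rejected value still reaches a navigation sink; an inert value such as `'#'` or `'about:blank'` (or throwing) would be safer. The fix below corrects the mapping and the fallback; the prefix check and logging are unchanged.
```javascript
function verifyURL(s) {
    if(typeof(s) === 'string' && (s.startsWith('http://') || s.startsWith('https://')))
        return s
            .replace(/"/g, '%22')
            .replace(/'/g, '%27')
            .replace(/\(/g, '%28')
            .replace(/\)/g, '%29');

    // … unchanged: console.log of the rejected value …
    // inert fallback: never hand a javascript: URL to a navigation sink
    return '#';
}
```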
@@ -1142,7 +1148,7 @@
}
function netdataReload(url) {
- document.location = netdataURL(url, true);
+ document.location = verifyURL(netdataURL(url, true));
// since we play with hash
// this is needed to reload the page
@@ -1150,7 +1156,7 @@
}
function gotoHostedModalHandler(url) {
- document.location = url + urlOptions.genHash();
+ document.location = verifyURL(url + urlOptions.genHash());
return false;
}
@@ -1172,7 +1178,7 @@
var finalURL = netdataURL(url);
setTimeout(function() {
- document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + escapeUserInputJS(finalURL) + '" target="_blank">' + escapeUserInputHTML(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
+ document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + verifyURL(finalURL) + '" target="_blank">' + escapeUserInputHTML(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>';
NETDATA.registry.hello(url, function(data) {
if(typeof data !== 'undefined' && data !== null && typeof data.machine_guid === 'string' && data.machine_guid === guid) {
@@ -1183,13 +1189,13 @@
gotoServerStop = true;
if(gotoServerMiddleClick) {
- window.open(finalURL, '_blank');
+ window.open(verifyURL(finalURL), '_blank');
gotoServerMiddleClick = false;
- document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + escapeUserInputJS(finalURL) + '">' + escapeUserInputHTML(url) + '</a></b><br/>(check your pop-up blocker if it fails)';
+ document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + verifyURL(finalURL) + '">' + escapeUserInputHTML(url) + '</a></b><br/>(check your pop-up blocker if it fails)';
}
else {
document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + escapeUserInputHTML(url) + '</small>';
- document.location = finalURL;
+ document.location = verifyURL(finalURL);
}
}
}
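Review bot: On the changed gotoServerResponse line, `NETDATA.registry.machines[guid].name` is concatenated into innerHTML unescaped, while `url` on the same line goes through escapeUserInputHTML; the name comes from the registry response (populated outside this hunk), so unless it is sanitized elsewhere it should be wrapped the same way: `escapeUserInputHTML(NETDATA.registry.machines[guid].name)`. The enclosing callback starts and ends outside the hunk.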
@@ -5780,6 +5786,6 @@
</div>
</div>
<div id="hiddenDownloadLinks" style="display: none;" hidden></div>
- <script type="text/javascript" src="dashboard.js?v20180922-1"></script>
+ <script type="text/javascript" src="dashboard.js?v20181005-5"></script>
</body>
</html>