Diffstat (limited to 'web/goto-host-from-alarm.html')
-rw-r--r-- | web/goto-host-from-alarm.html | 31 |
1 files changed, 22 insertions, 9 deletions
diff --git a/web/goto-host-from-alarm.html b/web/goto-host-from-alarm.html index db67033602..4800ae8028 100644 --- a/web/goto-host-from-alarm.html +++ b/web/goto-host-from-alarm.html @@ -22,11 +22,24 @@ <script type="text/javascript" src="dashboard.js?v20170724-7"></script> <script> -function escapeUserInputXss(s) { - return s.toString().replace(/</g, '<') +function escapeUserInputHTML(s) { + return s.toString() + .replace(/&/g, '&') + .replace(/</g, '<') .replace(/>/g, '>') .replace(/"/g, '"') - .replace(/'/g, '#27;'); + .replace(/#/g, '#') + .replace(/'/g, ''') + .replace(/\(/g,'(') + .replace(/\)/g,')') + .replace(/\//g,'/'); +} +function escapeUserInputJS(s) { + return s.toString() + .replace(/"/g, '"') + .replace(/'/g, ''') + .replace(/\(/g,'(') + .replace(/\)/g,')'); } var urlOptions = { @@ -94,7 +107,7 @@ function gotoServerValidateUrl(id, guid, url) { var finalURL = netdataURL(url); setTimeout(function() { - document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + escapeUserInputXss(finalURL) + '" target="_blank">' + escapeUserInputXss(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>'; + document.getElementById('gotoServerList').innerHTML += '<tr><td style="padding-left: 20px;"><a href="' + escapeUserInputJS(finalURL) + '" target="_blank">' + escapeUserInputHTML(url) + '</a></td><td style="padding-left: 30px;"><code id="' + guid + '-' + id + '-status">checking...</code></td></tr>'; NETDATA.registry.hello(url, function(data) { if(typeof data !== 'undefined' && data !== null && typeof data.machine_guid === 'string' && data.machine_guid === guid) { 
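Review bot: `escapeUserInputJS` is named as a JavaScript-string escaper but, like `escapeUserInputHTML`, it only substitutes entity references for a handful of characters (the replacement literals show on this page as the bare characters, e.g. `'<'`, presumably because the entities were rendered, so the exact output text cannot be confirmed here), and neither function carries a comment saying which output context it is safe for. The JS variant also leaves `&` untouched, so an input that already contains an entity passes through unchanged, and neither helper constrains what the string means once it is used as a URL. I would add a JSDoc line above each: `/** Entity-encodes s for HTML text or attribute values; does not validate URL schemes, callers must check that separately. */` for the HTML variant and `/** Entity-encodes quotes and parentheses only; meant for HTML attribute values, not for JS string literals or navigation targets. */` for the JS variant, or rename the second to something like `escapeUserInputAttr` so the name matches what it does.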
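Review bot: The rebuilt innerHTML line still concatenates `guid` and `id` into the `id="..."` attribute with no escaping, while the neighbouring `href` and link text now go through the escape helpers; where `guid` originates is outside this hunk, but it is compared against registry data two lines later, so it deserves the same treatment, e.g. `'<code id="' + escapeUserInputHTML(guid + '-' + id) + '-status">'`. Entity-encoding `finalURL` keeps it inside the attribute but does not prevent a non-http(s) scheme from becoming the link target, so a scheme check on `url` before this line would close that gap. `gotoServerValidateUrl` begins and ends outside this hunk.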
@@ -107,11 +120,11 @@ function gotoServerValidateUrl(id, guid, url) { if(gotoServerMiddleClick) { window.open(finalURL); gotoServerMiddleClick = false; - document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + escapeUserInputXss(finalURL) + '">' + escapeUserInputXss(url) + '</a></b><br/>(check your pop-up blocker if it fails)'; + document.getElementById('gotoServerResponse').innerHTML = '<b>Opening new window to ' + NETDATA.registry.machines[guid].name + '<br/><a href="' + escapeUserInputJS(finalURL) + '">' + escapeUserInputHTML(url) + '</a></b><br/>(check your pop-up blocker if it fails)'; } else { - document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + url + '</small>'; - document.location = finalURL; + document.getElementById('gotoServerResponse').innerHTML += 'found it! It is at:<br/><small>' + escapeUserInputHTML(url) + '</small>'; + document.location = escapeUserInputJS(finalURL); } } } @@ -127,7 +140,7 @@ function gotoServerValidateUrl(id, guid, url) { if(thisIsHttps === true && urlsInHttp > 0) { document.getElementById('gotoServerResponse').innerHTML += '<br/>redirecting myself to HTTP to allow checking'; - document.location = document.location.toString().replace('https://', 'http://'); + document.location = escapeUserInputJS(document.location.toString().replace('https://', 'http://')); } } } @@ -192,7 +205,7 @@ var netdataRegistryCallback = function(machines_array) { } } - document.getElementById('bodylog').innerHTML = "Sorry... your account is not linked to a netdata server named: <b>" + escapeUserInputXss(urlOptions.host) + '</b>'; + document.getElementById('bodylog').innerHTML = "Sorry... your account is not linked to a netdata server named: <b>" + escapeUserInputHTML(urlOptions.host) + '</b>'; }; netdataQueryParse(); |
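Review bot: `document.location = escapeUserInputJS(finalURL)` on the new side assigns an entity-encoded string as the navigation target, which alters any URL containing a quote or parenthesis (those characters become entity sequences such as `&#39;` in the address) and still navigates to whatever scheme `finalURL` carries, since entity-encoding does not restrict the scheme; the same pattern is introduced in the `@@ -127,7 +140,7 @@` hunk for the https-to-http redirect. The control that fits here is a scheme check before navigating, with the unmodified URL assigned afterwards, e.g. `if (/^https?:\/\//i.test(finalURL)) { document.location = finalURL; }`. The new `gotoServerResponse` line also still inserts `NETDATA.registry.machines[guid].name` into innerHTML unescaped while `url` beside it is now escaped; wrapping it in `escapeUserInputHTML(...)` keeps the line consistent. `gotoServerValidateUrl` starts and ends outside this hunk.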