From 255806bd549392114af4306422cd23445e843259 Mon Sep 17 00:00:00 2001
From: Matthew Noorenberghe
Date: Sat, 9 Feb 2019 18:43:55 -0800
Subject: [PATCH] log.js: Escape HTML to be shown in the log HtmlTable. Fixes #2453
---
 web/skins/classic/views/js/log.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/web/skins/classic/views/js/log.js b/web/skins/classic/views/js/log.js
index 49c45c78b..293d425b5 100644
--- a/web/skins/classic/views/js/log.js
+++ b/web/skins/classic/views/js/log.js
@@ -64,7 +64,16 @@ function logResponse( respObj ) {
 if ( ( !minLogTime ) || ( log.TimeKey < minLogTime ) ) {
 minLogTime = log.TimeKey;
 }
- var row = logTable.push( [{content: log.DateTime, properties: {style: 'white-space: nowrap'}}, log.Component, log.Server, log.Pid, log.Code, log.Message, log.File, log.Line] );
+
+ // Manually create table cells by setting the text since `push` will set HTML which
+ // can lead to XSS.
+ let messageCell = new Element('td');
+ messageCell.set('text', log.Message);
+
+ let fileCell = new Element('td');
+ fileCell.set('text', log.File);
+
+ var row = logTable.push( [{content: log.DateTime, properties: {style: 'white-space: nowrap'}}, log.Component, log.Server, log.Pid, log.Code, messageCell, fileCell, log.Line] );
 delete log.Message;
 row.tr.store( 'log', log );