log.js: Escape HTML to be shown in the log HtmlTable. Fixes #2453

Matthew Noorenberghe 2019-02-09 18:43:55 -08:00
parent 6af2c4ad0e
commit 255806bd54
1 changed files with 10 additions and 1 deletions


@ -64,7 +64,16 @@ function logResponse( respObj ) {
if ( ( !minLogTime ) || ( log.TimeKey < minLogTime ) ) {
minLogTime = log.TimeKey;
}
var row = logTable.push( [{content: log.DateTime, properties: {style: 'white-space: nowrap'}}, log.Component, log.Server, log.Pid, log.Code, log.Message, log.File, log.Line] );
// Manually create table cells by setting the text since `push` will set HTML which
// can lead to XSS.
let messageCell = new Element('td');
messageCell.set('text', log.Message);
let fileCell = new Element('td');
fileCell.set('text', log.File);
var row = logTable.push( [{content: log.DateTime, properties: {style: 'white-space: nowrap'}}, log.Component, log.Server, log.Pid, log.Code, messageCell, fileCell, log.Line] );
delete log.Message;
row.tr.store( 'log', log );