Better fix for #2453. Pushing an Element causes td's within td's, weird formatting, etc. We use an HTML-escaping function instead to prevent XSS.

This commit is contained in:
Isaac Connor 2019-06-04 10:32:29 -04:00
parent ecc1c6e272
commit bc58879c61
1 changed files with 16 additions and 9 deletions


@ -25,6 +25,15 @@ var sortReversed = false;
var filterFields = ['Component', 'ServerId', 'Pid', 'Level', 'File', 'Line'];
var options = {};
function escapeHtml(unsafe) {
return unsafe
.replace(/&/g, "&")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
}
function buildFetchParms( parms ) {
var fetchParms = logParms+'&limit='+maxLogFetch;
if ( parms ) {
@ -65,15 +74,13 @@ function logResponse( respObj ) {
minLogTime = log.TimeKey;
}
// Manually create table cells by setting the text since `push` will set HTML which
// can lead to XSS.
var messageCell = new Element('td');
messageCell.set('text', log.Message);
var fileCell = new Element('td');
fileCell.set('text', log.File);
var row = logTable.push( [{content: log.DateTime, properties: {style: 'white-space: nowrap'}}, log.Component, log.Server, log.Pid, log.Code, messageCell, fileCell, log.Line] );
var row = logTable.push([
{content: log.DateTime, properties: {style: 'white-space: nowrap'}},
log.Component, log.Server, log.Pid, log.Code,
escapeHtml(log.Message),
escapeHtml(log.File),
log.Line
]);
delete log.Message;
row.tr.store( 'log', log );