better fix for #2453. Pushing an element causes td's within td's. Weird formatting, etc. We use an html escaping function to prevent XSS
parent
ecc1c6e272
commit
bc58879c61
|
@ -25,6 +25,15 @@ var sortReversed = false;
|
|||
var filterFields = ['Component', 'ServerId', 'Pid', 'Level', 'File', 'Line'];
|
||||
var options = {};
|
||||
|
||||
function escapeHtml(unsafe) {
|
||||
return unsafe
|
||||
.replace(/&/g, "&")
|
||||
.replace(/</g, "<")
|
||||
.replace(/>/g, ">")
|
||||
.replace(/"/g, """)
|
||||
.replace(/'/g, "'");
|
||||
}
|
||||
|
||||
function buildFetchParms( parms ) {
|
||||
var fetchParms = logParms+'&limit='+maxLogFetch;
|
||||
if ( parms ) {
|
||||
|
@ -65,15 +74,13 @@ function logResponse( respObj ) {
|
|||
minLogTime = log.TimeKey;
|
||||
}
|
||||
|
||||
// Manually create table cells by setting the text since `push` will set HTML which
|
||||
// can lead to XSS.
|
||||
var messageCell = new Element('td');
|
||||
messageCell.set('text', log.Message);
|
||||
|
||||
var fileCell = new Element('td');
|
||||
fileCell.set('text', log.File);
|
||||
|
||||
var row = logTable.push( [{content: log.DateTime, properties: {style: 'white-space: nowrap'}}, log.Component, log.Server, log.Pid, log.Code, messageCell, fileCell, log.Line] );
|
||||
var row = logTable.push([
|
||||
{content: log.DateTime, properties: {style: 'white-space: nowrap'}},
|
||||
log.Component, log.Server, log.Pid, log.Code,
|
||||
escapeHtml(log.Message),
|
||||
escapeHtml(log.File),
|
||||
log.Line
|
||||
]);
|
||||
|
||||
delete log.Message;
|
||||
row.tr.store( 'log', log );
|
||||
|
|
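Review bot: Only `log.Message` and `log.File` go through `escapeHtml()` in the new `logTable.push([...])` call; `log.Component`, `log.Server`, `log.Code`, `log.DateTime` and the remaining cells are still handed to `push`, which per the removed comment sets HTML. Whether those fields can carry text chosen by whoever produced the log entry is not visible here, but if they can they remain an HTML-injection sink, so escape every string cell, e.g. `escapeHtml(log.Component), escapeHtml(log.Server), log.Pid, escapeHtml(log.Code),`. `escapeHtml` also calls `unsafe.replace` directly, so a null or non-string `log.File` or `log.Message` would throw and stop the row from rendering; starting the chain with `return String(unsafe == null ? '' : unsafe)` avoids that. The replacement strings in this rendering appear entity-decoded (`"&"`, `"<"`, `">"`), so confirm in the file itself that they are the entity forms such as `&amp;` and `&lt;`. `logResponse` starts and ends outside the hunk.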