Merge pull request #2933 from coreos-inc/joseph.schorr/QS-82/xss-fix

Fix XSS in usage log viewer
josephschorr 2017-12-06 13:51:30 -05:00 committed by GitHub
commit afbb2d2168
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -117,8 +117,8 @@ angular.module('quay').factory('StringBuilderService', ['$sce', 'UtilService', f
value = value.substr(0, 12); value = value.substr(0, 12);
} }
var safe = UtilService.escapeHtmlString(value); var safe = UtilService.textToSafeHtml(value);
var markedDown = UtilService.getMarkedDown(value); var markedDown = UtilService.getMarkedDown(safe);
markedDown = markedDown.substr('<p>'.length, markedDown.length - '<p></p>'.length); markedDown = markedDown.substr('<p>'.length, markedDown.length - '<p></p>'.length);
var icon = fieldIcons[key]; var icon = fieldIcons[key];
@ -132,7 +132,7 @@ angular.module('quay').factory('StringBuilderService', ['$sce', 'UtilService', f
var codeTag = opt_codetag || 'code'; var codeTag = opt_codetag || 'code';
description = description.replace('{' + prefix + key + '}', description = description.replace('{' + prefix + key + '}',
'<' + codeTag + ' title="' + safe + '">' + markedDown + '</' + codeTag + '>'); '<' + codeTag + '>' + markedDown + '</' + codeTag + '>');
return description return description
} }
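Review bot: Escaping `value` before `getMarkedDown(safe)` stops raw HTML, but Markdown syntax in the value is still rendered, so the string placed between the `<codeTag>` tags is only as safe as what `getMarkedDown` emits (generated links, for example). Whether that helper sanitises its output is not visible in this hunk. The unchanged `markedDown.substr('<p>'.length, ...)` line also assumes the rendered output is exactly one `<p>…</p>` wrapper, so a value that renders as a list or heading would probably be sliced into unbalanced markup. I would record the dependency above the `getMarkedDown` call with `// value is HTML-escaped first; getMarkedDown must still sanitize what it renders (links, images) because the result is inserted as HTML`, and apply the `<p>` stripping only when the wrapper is actually present. The enclosing function starts and ends outside the hunks shown.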