Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix/#2116 xss vulnerabilities in 2 8 #2952

Open
wants to merge 11 commits into
base: release/2.8.0
Choose a base branch
from
Open

Fix/#2116 xss vulnerabilities in 2 8 #2952

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
6d6da98
#2116 XSS Vulnerabilities in 2.8 - fix dataSourceList.jsp, dataPointE…
Limraj Aug 14, 2023
76d73ae
#2116 XSS Vulnerabilities in 2.8 - revert DataPointEditDwr.java, comm…
Limraj Aug 17, 2023
f6165d5
#2116 XSS Vulnerabilities in 2.8 - refactoring: added function conver…
Limraj Aug 17, 2023
e1295c4
#2116 XSS Vulnerabilities in 2.8 - corrected
Limraj Aug 17, 2023
21e30cb
Merge branch 'release/2.7.6' into fix/#2116_XSS_Vulnerabilities_in_2_8
Limraj Aug 22, 2023
000eb44
#2116 XSS Vulnerabilities in 2.8 - added ScadaEscapeUtils.java; fixed…
Limraj Aug 22, 2023
c1e8e6b
Merge branch 'release/2.7.7' into fix/#2116_XSS_Vulnerabilities_in_2_8
Limraj Oct 25, 2023
4f4e1cd
Merge branch 'release/2.8.0' into fix/#2116_XSS_Vulnerabilities_in_2_8
Patrykb0802 Jul 12, 2024
44aa632
Merge branch 'release/2.8.0' into fix/#2116_XSS_Vulnerabilities_in_2_8
Limraj Sep 6, 2024
2b3d8a1
Merge remote-tracking branch 'origin/release/2.8.0' into fix/#2116_XS…
Limraj Sep 11, 2024
6514d15
Merge remote-tracking branch 'origin/release/2.8.0' into fix/#2116_XS…
Limraj Sep 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions WebContent/WEB-INF/jsp/dataPointDetails.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,7 +167,7 @@
<spring:message code="pointDetails.goto"/>:&nbsp;
<sst:select id="datPointDetailsPointSelect" value="${point.id}" onchange="window.location='data_point_details.shtm?dpid='+ this.value;">
<c:forEach items="${userPoints}" var="point">
<sst:option value="${point.id}">${point.extendedName}</sst:option>
<sst:option value="${point.id}"><c:out value="${point.extendedName}"/></sst:option>
</c:forEach>
</sst:select>

Expand All @@ -192,7 +192,7 @@
<tr>
<td class="smallTitle" colspan="2">
<tag:img png="icon_comp" title="common.point"/>
${point.name}
<c:out value="${point.name}"/>
<c:if test="${pointEditor}">
<a href="data_point_edit.shtm?dpid=${point.id}"><tag:img png="icon_comp_edit" title="pointDetails.editPoint"/></a>
<a href="data_source_edit.shtm?dsid=${point.dataSourceId}&pid=${point.id}"><tag:img png="icon_ds_edit"
Expand Down Expand Up @@ -428,7 +428,7 @@
</tr>
<c:forEach items="${views}" var="view" varStatus="status">
<tr class="row<c:if test="${status.index % 2 == 1}">Alt</c:if>">
<td>${view.name}</td>
<td><c:out value="${view.name}"/></td>
<td align="center"><a href="views.shtm?viewId=${view.id}"><tag:img png="icon_view"
title="pointDetails.gotoView"/></a></td>
</tr>
Expand Down
2 changes: 1 addition & 1 deletion WebContent/WEB-INF/jsp/dataPointEdit.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -905,7 +905,7 @@
<td colspan="2" class="formField">
<select id="selected_base_on_existing_point_chooser">
<c:forEach items="${userPoints}" var="point">
<sst:option value="${point.id}">${point.extendedName}</sst:option>
<sst:option value="${point.id}"><c:out value="${point.extendedName}"/></sst:option>
</c:forEach>
</select>
</td>
Expand Down
9 changes: 9 additions & 0 deletions WebContent/WEB-INF/jsp/dataSourceEdit.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,7 @@

if (currentPoint)
stopImageFader("editImg"+ currentPoint.id);
escapePoints(points);
dwr.util.removeAllRows("pointsList");
dwr.util.addRows("pointsList", points, pointListColumnFunctions, pointListOptions);
}
Expand Down Expand Up @@ -330,6 +331,14 @@
stopImageFader($("enableAllImg"));
writePointList(points);
}

function escapePoints(points) {
for(var i=0; i < points.length; i++) {
var point = points[i];
point.name = convertToText(point.name);
point.xid = convertToText(point.xid);
}
}

function copyDataPoint(fromDataSourceId, dataPointId) {
return DataSourceEditDwr.copyDataPoint(fromDataSourceId, dataPointId, function(response) {
Expand Down
2 changes: 1 addition & 1 deletion WebContent/WEB-INF/jsp/dataSourceEdit/editMeta.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@
<c:forEach items="${userPoints}" var="dp">
pointsArray[pointsArray.length] = {
id : ${dp.id},
name : '${sst:quotEncode(dp.extendedName)}',
name : '<c:out value="${dp.extendedName}"/>',
xid : '${dp.xid}',
type : '<sst:i18n message="${dp.dataTypeMessage}"/>'
};
Expand Down
2 changes: 1 addition & 1 deletion WebContent/WEB-INF/jsp/dataSourceEdit/editVirtual.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -398,7 +398,7 @@
<td class="formLabelRequired"><spring:message code="dsEdit.virtual.attractionPoint"/></td>
<td class="formField"><select id="analogAttractorChange.attractionPointId">
<c:forEach items="${analogPoints}" var="dataPoint">
<option value="${dataPoint.id}">${dataPoint.extendedName}</option>
<option value="${dataPoint.id}"><c:out value="${dataPoint.extendedName}"/></option>
</c:forEach>
</select></td>
</tr>
Expand Down
6 changes: 3 additions & 3 deletions WebContent/WEB-INF/jsp/dataSourceList.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@
<c:set var="showText"><spring:message code="dsList.show"/></c:set>
<c:forEach items="${data}" var="listParent">
<tr class="row" id="dataSourceRow${listParent.parent.id}">
<td><b>${listParent.parent.name}</b></td>
<td><b><c:out value="${listParent.parent.name}"/></b></td>
<td><spring:message code="${listParent.parent.type.key}"/></td>
<td><sst:i18n message="${listParent.parent.connectionDescription}"/></td>
<td align="center">
Expand All @@ -146,7 +146,7 @@
</c:choose>
</td>
<td id="stateDes${listParent.parent.id}">
${listParent.parent.state.describe}
<c:out value="${listParent.parent.state.describe}"/>
</td>
<td>
<a href="data_source_edit.shtm?dsid=${listParent.parent.id}"><tag:img png="icon_ds_edit"
Expand All @@ -170,7 +170,7 @@
</tr>
<c:forEach items="${listParent.list}" var="point">
<tr id="pointRow${point.id}">
<td>${point.name}</td>
<td><c:out value="${point.name}"/></td>
<td><sst:i18n message="${point.dataTypeMessage}"/> / <sst:i18n message="${point.configurationDescription}"/></td>
<td align="center">
<c:choose>
Expand Down
16 changes: 8 additions & 8 deletions WebContent/WEB-INF/jsp/pointEdit/eventTextRenderer.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@
<td class="formField">
<table cellspacing="0" cellpadding="0">
<tr>
<td valign="top"><input class="formLong" id="eventTextRendererBinaryZero" type="text"/></td>
<td valign="top"><input class="formLong" id="eventTextRendererBinaryZero" type="text" value="<c:catch var="exception"><c:out value="${form.eventTextRenderer.zeroLabel}" /></c:catch>"/></td>
</tr>
</table>
</td>
Expand All @@ -52,7 +52,7 @@
<td class="formField">
<table cellspacing="0" cellpadding="0">
<tr>
<td valign="top"><input class="formLong" id="eventTextRendererBinaryOne" type="text"/></td>
<td valign="top"><input class="formLong" id="eventTextRendererBinaryOne" type="text" value="<c:catch var="exception"><c:out value="${form.eventTextRenderer.oneLabel}" /></c:catch>"/></td>
</tr>
</table>
</td>
Expand Down Expand Up @@ -120,8 +120,6 @@
// Figure out which fields to populate with data.
<c:choose>
<c:when test='${form.eventTextRenderer.typeName == "eventTextRendererBinary"}'>
$set("eventTextRendererBinaryZero", "${form.eventTextRenderer.zeroLabel}");
$set("eventTextRendererBinaryOne", "${form.eventTextRenderer.oneLabel}");
</c:when>
<c:when test='${form.eventTextRenderer.typeName == "eventTextRendererMultistate"}'>
<c:forEach items="${form.eventTextRenderer.multistateEventValues}" var="msValue">
Expand Down Expand Up @@ -198,8 +196,9 @@
theValue.key = theNumericKey;
if (text)
theValue.text = text;
else
theValue.text = $get("eventTextRendererMultistateText");
else {
theValue.text = convertToText($get("eventTextRendererMultistateText"));
}
multistateEventValues[multistateEventValues.length] = theValue;
this.sortMultistateEventValues();
this.refreshMultistateEventList();
Expand Down Expand Up @@ -270,8 +269,9 @@
theValue.to = theTo;
if (text)
theValue.text = text;
else
theValue.text = $get("eventTextRendererRangeText");
else {
theValue.text = convertToText($get("eventTextRendererRangeText"));
}
rangeEventValues[rangeEventValues.length] = theValue;
this.sortRangeEventValues();
this.refreshRangeList();
Expand Down
2 changes: 1 addition & 1 deletion WebContent/WEB-INF/jsp/pointEdit/pointName.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@
<spring:message code="pointEdit.name.goto"/>:&nbsp;
<sst:select id="allPointsList" value="${form.id}" onchange="window.location='data_point_edit.shtm?dpid='+ this.value;">
<c:forEach items="${userPoints}" var="point">
<sst:option value="${point.id}">${point.extendedName}</sst:option>
<sst:option value="${point.id}"><c:out value="${point.extendedName}"/></sst:option>
</c:forEach>
</sst:select>

Expand Down
2 changes: 1 addition & 1 deletion WebContent/WEB-INF/jsp/pointEdit/pointProperties.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
<tr>
<td class="formLabelRequired"><spring:message code="pointEdit.props.ds"/></td>
<td colspan="2" class="formField">
${dataSource.name}
<c:out value="${dataSource.name}"/>
<a href="data_source_edit.shtm?dsid=${dataSource.id}&pid=${form.id}"><tag:img png="icon_ds_edit"
title="pointEdit.props.editDs"/></a>
</td>
Expand Down
34 changes: 14 additions & 20 deletions WebContent/WEB-INF/jsp/pointEdit/textRenderer.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,13 +40,13 @@
<tr>
<td class="formLabelRequired"><spring:message code="pointEdit.text.format"/></td>
<td class="formField">
<input id="textRendererAnalogFormat" type="text"/>
<input id="textRendererAnalogFormat" type="text" value="<c:catch var="exception"><c:out value="${form.textRenderer.format}" /></c:catch>"/>
<tag:help id="numberFormats"/>
</td>
</tr>
<tr>
<td class="formLabel"><spring:message code="pointEdit.text.suffix"/></td>
<td class="formField"><input id="textRendererAnalogSuffix" type="text"/></td>
<td class="formField"><input id="textRendererAnalogSuffix" type="text" value="<c:catch var="exception"><c:out value="${form.textRenderer.suffix}" /></c:catch>"/></td>
</tr>
</tbody>
<tbody id="textRendererBinary" style="display:none;">
Expand All @@ -55,7 +55,7 @@
<td class="formField">
<table cellspacing="0" cellpadding="0">
<tr>
<td valign="top"><input id="textRendererBinaryZero" type="text"/></td>
<td valign="top"><input id="textRendererBinaryZero" type="text" value="<c:catch var="exception"><c:out value="${form.textRenderer.zeroLabel}" /></c:catch>"/></td>
<td width="10"></td>
<td valign="top" align="center">
<div dojoType="ColorPalette" palette="3x4" id="textRendererBinaryZeroColour"></div>
Expand All @@ -70,7 +70,7 @@
<td class="formField">
<table cellspacing="0" cellpadding="0">
<tr>
<td valign="top"><input id="textRendererBinaryOne" type="text"/></td>
<td valign="top"><input id="textRendererBinaryOne" type="text" value="<c:catch var="exception"><c:out value="${form.textRenderer.oneLabel}" /></c:catch>"/></td>
<td width="10"></td>
<td valign="top" align="center">
<div dojoType="ColorPalette" palette="3x4" id="textRendererBinaryOneColour"></div>
Expand Down Expand Up @@ -112,13 +112,13 @@
<tbody id="textRendererPlain" style="display:none;">
<tr>
<td class="formLabel"><spring:message code="pointEdit.text.suffix"/></td>
<td class="formField"><input id="textRendererPlainSuffix" type="text"/></td>
<td class="formField"><input id="textRendererPlainSuffix" type="text" value="<c:catch var="exception"><c:out value="${form.textRenderer.suffix}" /></c:catch>" /></td>
</tr>
</tbody>
<tbody id="textRendererRange" style="display:none;">
<tr>
<td class="formLabelRequired"><spring:message code="pointEdit.text.format"/></td>
<td class="formField"><input id="textRendererRangeFormat" type="text"/></td>
<td class="formField"><input id="textRendererRangeFormat" type="text" value="<c:catch var="exception"><c:out value="${form.textRenderer.format}" /></c:catch>" /></td>
</tr>
<tr>
<td colspan="2">
Expand Down Expand Up @@ -151,13 +151,13 @@
<tr>
<td class="formLabelRequired"><spring:message code="pointEdit.text.format"/></td>
<td class="formField">
<input id="textRendererTimeFormat" type="text"/>
<input id="textRendererTimeFormat" type="text" value="<c:catch var="exception"><c:out value="${form.textRenderer.format}" /></c:catch>"/>
<tag:help id="datetimeFormats"/>
</td>
</tr>
<tr>
<td class="formLabel"><spring:message code="pointEdit.text.conversionExponent"/></td>
<td class="formField"><input id="textRendererTimeConversionExponent" type="text"/></td>
<td class="formField"><input id="textRendererTimeConversionExponent" type="text" value="<c:catch var="exception"><c:out value="${form.textRenderer.conversionExponent}" /></c:catch>"/></td>
</tr>
</tbody>
</table>
Expand Down Expand Up @@ -185,13 +185,9 @@
// Figure out which fields to populate with data.
<c:choose>
<c:when test='${form.textRenderer.typeName == "textRendererAnalog"}'>
$set("textRendererAnalogFormat", "${form.textRenderer.format}");
$set("textRendererAnalogSuffix", "${form.textRenderer.suffix}");
</c:when>
<c:when test='${form.textRenderer.typeName == "textRendererBinary"}'>
$set("textRendererBinaryZero", "${form.textRenderer.zeroLabel}");
textRendererEditor.handlerBinaryZeroColour("${form.textRenderer.zeroColour}");
$set("textRendererBinaryOne", "${form.textRenderer.oneLabel}");
textRendererEditor.handlerBinaryOneColour("${form.textRenderer.oneColour}");
</c:when>
<c:when test='${form.textRenderer.typeName == "textRendererMultistate"}'>
Expand All @@ -202,18 +198,14 @@
<c:when test='${form.textRenderer.typeName == "textRendererNone"}'>
</c:when>
<c:when test='${form.textRenderer.typeName == "textRendererPlain"}'>
$set("textRendererPlainSuffix", "${form.textRenderer.suffix}");
</c:when>
<c:when test='${form.textRenderer.typeName == "textRendererRange"}'>
$set("textRendererRangeFormat", "${form.textRenderer.format}");
<c:forEach items="${form.textRenderer.rangeValues}" var="rgValue">
textRendererEditor.addRangeValue("${rgValue.from}", "${rgValue.to}", "${rgValue.text}",
"${rgValue.colour}");
</c:forEach>
</c:when>
<c:when test='${form.textRenderer.typeName == "textRendererTime"}'>
$set("textRendererTimeFormat", "${form.textRenderer.format}");
$set("textRendererTimeConversionExponent", "${form.textRenderer.conversionExponent}");
</c:when>
<c:otherwise>
dojo.debug("Unknown text renderer: ${form.textRenderer.typeName}");
Expand Down Expand Up @@ -290,8 +282,9 @@
theValue.key = theNumericKey;
if (text)
theValue.text = text;
else
theValue.text = $get("textRendererMultistateText");
else {
theValue.text = convertToText($get("textRendererMultistateText"));
}
if (colour)
theValue.colour = colour;
else
Expand Down Expand Up @@ -368,8 +361,9 @@
theValue.to = theTo;
if (text)
theValue.text = text;
else
theValue.text = $get("textRendererRangeText");
else {
theValue.text = convertToText($get("textRendererRangeText"));
}
if (colour)
theValue.colour = colour;
else
Expand Down
8 changes: 4 additions & 4 deletions WebContent/WEB-INF/jsp/users.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@

for (k=0; k<data.usersProfiles.length; k++) {
userProfileId = data.usersProfiles[k].id;
userProfileName = data.usersProfiles[k].name;
userProfileName = <c:out value="data.usersProfiles[k].name"/>;
usersProfileHtml += "<option value=" + userProfileId + ">"+ userProfileName + "</option>";
}
$("usersProfilesList").innerHTML = usersProfileHtml;
Expand All @@ -66,14 +66,14 @@
for (i=0; i<dataSources.length; i++) {
id = "ds"+ dataSources[i].id;
dshtml += '<input type="checkbox" id="'+ id +'" onclick="dataSourceChange(this)">';
dshtml += '<label for="'+ id +'"> '+ dataSources[i].name +'</label><br/>';
dshtml += '<label for="'+ id +'"> '+ <c:out value="dataSources[i].name"/> +'</label><br/>';
dshtml += '<div style="margin-left:25px;" id="dsps'+ dataSources[i].id +'">';
if (dataSources[i].points.length > 0) {
dshtml += '<table cellspacing="0" cellpadding="1">';
for (j=0; j<dataSources[i].points.length; j++) {
dp = dataSources[i].points[j];
dshtml += '<tr>';
dshtml += '<td class="formLabelRequired">'+ dp.name +'</td>';
dshtml += '<td class="formLabelRequired">'+ <c:out value="dp.name" /> +'</td>';
dshtml += '<td>';
dshtml += '<input type="radio" name="dp'+ dp.id +'" id="dp'+ dp.id +'/0" value="0">';
dshtml += '<label for="dp'+ dp.id +'/0"><spring:message code="common.access.none"/></label> ';
Expand Down Expand Up @@ -323,7 +323,7 @@

function updateUser(response) {
var user = response.data ? response.data.user : response.user;
$("u"+ user.id +"Username").innerHTML = user.username;
$("u"+ user.id +"Username").textContent = user.username;
setUserImg(user.admin, user.disabled, $("u"+ user.id +"Img"));
}

Expand Down
7 changes: 5 additions & 2 deletions WebContent/WEB-INF/jsp/watchList.jsp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,8 +152,11 @@
}

function addPoint(point, parent) {
var spanNode = document.createElement("span");
spanNode.id = 'ph'+ point.key +'Name';
spanNode.textContent = point.value;
var pointNode = dojo.widget.createWidget("TreeNode", {
title: "<img src='images/icon_comp.png'/> <span id='ph"+ point.key +"Name'>"+ point.value +"</span> "+
title: "<img src='images/icon_comp.png'/> " + spanNode.innerHTML +
"<img src='images/bullet_go.png' id='ph"+ point.key +"Image' title='<spring:message code="watchlist.addToWatchlist"/>'/>",
object: point
});
Expand Down Expand Up @@ -344,7 +347,7 @@
show("p"+ pointId +"Delete");
}

$("p"+ pointId +"Name").innerHTML = pointNames[pointId];
$("p"+ pointId +"Name").textContent = pointNames[pointId];

// Disable the element in the point list.
togglePointTreeIcon(pointId, false);
Expand Down
6 changes: 6 additions & 0 deletions WebContent/resources/common.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1093,6 +1093,12 @@ function updateChartComparatorComponent(idPrefix, width, height) {

}

function convertToText(content) {
var node = document.createElement("span");
node.textContent = content;
return node.innerHTML;
}

function isInt32(state) {
if(!(/^([+-]?[1-9]\d*|0).[0]$/.test(state))
&& !(/^([+-]?[1-9]\d*|0)$/.test(state))) {
Expand Down
4 changes: 3 additions & 1 deletion src/br/org/scadabr/view/component/ChartComparatorComponent.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,12 @@
import com.serotonin.mango.view.component.ViewComponent;
import com.serotonin.mango.vo.User;
import com.serotonin.util.SerializationHelper;
import org.scada_lts.utils.security.ScadaEscapeUtils;
import org.scada_lts.dao.DataPointDAO;
import org.scada_lts.dao.model.ScadaObjectIdentifier;
import org.scada_lts.permissions.service.GetDataPointsWithAccess;


@JsonRemoteEntity
public class ChartComparatorComponent extends HtmlComponent {
public static ImplDefinition DEFINITION = new ImplDefinition(
Expand Down Expand Up @@ -113,7 +115,7 @@ private String createDataPointsSelectComponent(String idPrefix, List<ScadaObject
sb.append("<option value='0'> &nbsp; </option>");

for (ScadaObjectIdentifier dp : dataPoints) {
sb.append("<option value='" + dp.getId() + "'> " + dp.getName()
sb.append("<option value='" + dp.getId() + "'> " + ScadaEscapeUtils.escapeXml(dp.getName())
+ "</option>");
}
sb.append("</select>");
Expand Down
Loading
Loading