Fix various escaping issues. Fixes #1527

2025-02-25 18:55:31 -06:00 · 2016-08-05 12:20:00 +01:00
parent a43f053a10
commit 8e099e29c3
5 changed files with 13 additions and 8 deletions
--- a/web/pgadmin/browser/templates/browser/js/browser.js
+++ b/web/pgadmin/browser/templates/browser/js/browser.js
@@ -333,8 +333,12 @@ function(require, $, _, S, Bootstrap, pgAdmin, alertify, CodeMirror) {
          url: '{{ url_for('browser.get_nodes') }}',
          converters: {
            'text json': function(payload) {
-              return $.parseJSON(payload).data;
-            }
+              data = JSON.parse(payload).data;
+              _.each(data, function(d){
+                d.label = _.escape(d.label);
+              })
+              return data;
+            },
          }
        },
        ajaxHook: function(item, settings) {
--- a/web/pgadmin/browser/templates/browser/js/node.js
+++ b/web/pgadmin/browser/templates/browser/js/node.js
@@ -1119,10 +1119,10 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {
                newNodeData = view.model.tnode;

            tree.addIcon(item, {icon: newNodeData.icon});
-            tree.setLabel(item, {label: newNodeData.label});
+            tree.setLabel(item, {label: _.escape(newNodeData.label)});
            _.extend(itemData, newNodeData);
          } else if (view.model.get('name')) {
-            tree.setLabel(item, {label: view.model.get("name")});
+            tree.setLabel(item, {label: _.escape(view.model.get("name"))});
            if (
              view.model.get('data').icon && view.model.get('data').icon != ''
            )
@@ -1145,6 +1145,7 @@ function($, _, S, pgAdmin, Menu, Backbone, Alertify, pgBrowser, Backform) {

          /* TODO:: Create new tree node for this */
          if (view.model.tnode && '_id' in view.model.tnode) {
+            view.model.tnode.label = _.escape(view.model.tnode.label);
            var d = _.extend({}, view.model.tnode),
              func = function(i) {
                setTimeout(function() {closePanel();}, 0);
--- a/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
+++ b/web/pgadmin/static/js/alertifyjs/pgadmin.defaults.js
@@ -102,7 +102,7 @@ function(alertify, S) {
                onJSONResult && typeof(onJSONResult) == 'function') {
              return onJSONResult(resp.result);
            }
-            msg = resp.result || resp.errormsg || "Unknown error";
+            msg = _.escape(resp.result) || _.escape(resp.errormsg) || "Unknown error";
          }
        } catch (exc) {
        }
--- a/web/pgadmin/static/js/backform.pgadmin.js
+++ b/web/pgadmin/static/js/backform.pgadmin.js
@@ -162,7 +162,7 @@
                  '<label class="<%=Backform.controlLabelClassName%>"><%=label%></label>',
                  '<div class="<%=Backform.controlsClassName%>">',
                  '  <span class="<%=Backform.controlClassName%> uneditable-input" <%=disabled ? "disabled" : ""%>>',
-                  '    <%=value%>',
+                  '    <%-value%>',
                  '  </span>',
                  '</div>',
                  '<% if (helpMessage && helpMessage.length) { %>',
--- a/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/templates/sqleditor/js/sqleditor.js
@@ -190,7 +190,7 @@ define(
      render: function() {
        var self = this;

-        $('.editor-title').text(self.editor_title);
+        $('.editor-title').text(_.unescape(self.editor_title));

        var filter = self.$el.find('#sql_filter');

@@ -1108,7 +1108,7 @@ define(
          });
          self.transId = self.gridView.transId = self.container.data('transId');

-          self.gridView.editor_title = editor_title;
+          self.gridView.editor_title = _.unescape(editor_title);
          self.gridView.current_file = undefined;
          self.gridView.items_per_page = self.items_per_page