Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330.

2025-02-25 18:55:31 -06:00 · 2017-04-10 14:07:48 +01:00
parent b86fa15dbc
commit a2a2b8b888
7 changed files with 405 additions and 14 deletions
--- a/web/pgadmin/tools/debugger/init.py
+++ b/web/pgadmin/tools/debugger/init.py
@@ -1425,10 +1425,10 @@ def poll_end_execution_result(trans_id):
            status = 'Success'
            additional_msgs = conn.messages()
            if len(additional_msgs) > 0:
-                additional_msgs = [msg.strip("<br>") for msg in additional_msgs]
-                additional_msgs = "<br>".join(additional_msgs)
+                additional_msgs = [msg.strip("\n") for msg in additional_msgs]
+                additional_msgs = "\n".join(additional_msgs)
                if statusmsg:
-                    statusmsg = additional_msgs + "<br>" + statusmsg
+                    statusmsg = additional_msgs + "\n" + statusmsg
                else:
                    statusmsg = additional_msgs

@@ -1443,10 +1443,10 @@ def poll_end_execution_result(trans_id):
                status = 'Success'
                additional_msgs = conn.messages()
                if len(additional_msgs) > 0:
-                    additional_msgs = [msg.strip("<br>") for msg in additional_msgs]
-                    additional_msgs = "<br>".join(additional_msgs)
+                    additional_msgs = [msg.strip("\n") for msg in additional_msgs]
+                    additional_msgs = "\n".join(additional_msgs)
                    if statusmsg:
-                        statusmsg = additional_msgs + "<br>" + statusmsg
+                        statusmsg = additional_msgs + "\n" + statusmsg
                    else:
                        statusmsg = additional_msgs

@@ -1460,9 +1460,9 @@ def poll_end_execution_result(trans_id):
            additional_msgs = conn.messages()
            if len(additional_msgs) > 0:
                additional_msgs = [msg.strip("\n") for msg in additional_msgs]
-                additional_msgs = "<br>".join(additional_msgs)
+                additional_msgs = "\n".join(additional_msgs)
                if statusmsg:
-                    statusmsg = additional_msgs + "<br>" + statusmsg
+                    statusmsg = additional_msgs + "\n" + statusmsg
                else:
                    statusmsg = additional_msgs
            return make_json_response(data={
--- a/web/pgadmin/tools/debugger/templates/debugger/js/direct.js
+++ b/web/pgadmin/tools/debugger/templates/debugger/js/direct.js
@@ -383,6 +383,9 @@ define(

    // This function will update messages tab
    update_messages: function(msg) {
+      // To prevent xss
+      msg = _.escape(msg);
+
      var old_msgs='', new_msgs='';
        old_msgs = pgTools.DirectDebug.messages_panel.$container.find('.messages').html();
        if(old_msgs) {