Fixed some security hotspots.

web/pgadmin/static/js/Explain/Graphical.jsx

@@ -66,7 +66,7 @@ PolyLine.propTypes = {
 function Multitext({currentXpos, currentYpos, label, maxWidth}) {
   const theme = useTheme();
   let abc = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
-  var xmlns = 'http://www.w3.org/2000/svg';
+  var xmlns = 'https://www.w3.org/2000/svg';
   var svgElem = document.createElementNS(xmlns, 'svg');
   svgElem.setAttributeNS(xmlns, 'height', '100%');
   svgElem.setAttributeNS(xmlns, 'width', '100%');
@@ -295,7 +295,7 @@ function PlanSVG({planData, zoomFactor, fitZoomFactor, ...props}) {
   }, [planData.width]);
 
   return (
-    <svg height={planData.height*zoomFactor} width={planData.width*zoomFactor} version="1.1" xmlns="http://www.w3.org/2000/svg">
+    <svg height={planData.height*zoomFactor} width={planData.width*zoomFactor} version="1.1" xmlns="https://www.w3.org/2000/svg">
       <defs>
         {Object.keys(props.ctx.arrows).map((arr_id, i)=>{
           let arrowPoints = [

web/pgadmin/utils/session.py

@@ -20,7 +20,7 @@ import datetime
 import hmac
 import hashlib
 import os
-import random
+import secrets
 import string
 import time
 import config
@@ -41,7 +41,7 @@ from pgadmin.utils.ajax import make_json_response
 def _calc_hmac(body, secret):
     return base64.b64encode(
         hmac.new(
-            secret.encode(), body.encode(), hashlib.sha1
+            secret.encode(), body.encode(), hashlib.sha256
         ).digest()
     ).decode()
 
@@ -70,7 +70,8 @@ class ManagedSession(CallbackDict, SessionMixin):
         if not self.hmac_digest:
             population = string.ascii_lowercase + string.digits
 
-            self.randval = ''.join(random.sample(population, 20))
+            self.randval = ''.join(
+                secrets.choice(population) for i in range(20))
             self.hmac_digest = _calc_hmac(
                 '%s:%s' % (self.sid, self.randval), secret)