Fixed the cross-site scripting vulnerability. #5405

Khushboo Vashi 2022-10-06 17:30:41 +05:30 committed by GitHub
parent b519af280b
commit e3a172e0e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 3 deletions


@ -48,3 +48,4 @@ Bug fixes
| `Issue #5367 <https://github.com/pgadmin-org/pgadmin4/issues/5367>`_ - Ensure that the correct value should be returned if an exception occurs while decoding the password.
| `Issue #5368 <https://github.com/pgadmin-org/pgadmin4/issues/5368>`_ - Fixed the issue while downloading the file from the file manager.
| `Issue #5402 <https://github.com/pgadmin-org/pgadmin4/issues/5402>`_ - Ensure that scroll bar on browser tree should be visible on windows resize.
| `Issue #5405 <https://github.com/pgadmin-org/pgadmin4/issues/5405>`_ - Fixed the cross-site scripting vulnerability.


@ -32,7 +32,7 @@ import convert from 'convert-units';
import PropTypes from 'prop-types';
import { downloadBlob } from '../../../../../static/js/utils';
import ErrorBoundary from '../../../../../static/js/helpers/ErrorBoundary';
import _ from 'lodash';
const useStyles = makeStyles((theme)=>({
footerSaveAs: {
@ -729,7 +729,7 @@ export default function FileManager({params, closeModal, onOK, onCancel}) {
{viewMode == 'grid' &&
<GridView key={fmUtilsObj.currPath} items={filteredItems} operation={operation} onItemEnter={onItemEnter}
onItemSelect={onItemSelect} />}
<FormFooterMessage type={MESSAGE_TYPE.ERROR} message={errorMsg} closable onClose={()=>setErrorMsg('')} />
<FormFooterMessage type={MESSAGE_TYPE.ERROR} message={_.escape(errorMsg)} closable onClose={()=>setErrorMsg('')} />
{params.dialog_type == 'create_file' &&
<Box className={clsx(modalClasses.footer, classes.footerSaveAs)}>
<span style={{whiteSpace: 'nowrap', marginRight: '4px'}}>Save As</span>
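Review bot: Wrapping the value in `_.escape(errorMsg)` at this one `FormFooterMessage` call site leaves the sink unchanged: the escape only matters if the component renders `message` as HTML (its implementation is not shown here), and in that case every other caller passing server- or user-derived text stays exposed. The ConnectServerContent hunk repeats the same call-site pattern with `_.escape(data.errmsg)`. Consider moving the encoding into `FormFooterMessage` itself, or having it render `message` as plain text, so new callers are safe by default. If the call-site fix stays, a comment such as `// FormFooterMessage renders message as HTML; escape untrusted text` would tell the next maintainer why the wrapper must not be removed. FileManager's body starts and ends outside the hunk.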


@ -102,7 +102,7 @@ export default function ConnectServerContent({closeModal, data, onOK, setHeight}
onChange={(e)=>onTextChange(e.target.checked, 'save_password')} disabled={!data.allow_save_password} />
</Box>
</>}
<FormFooterMessage type={MESSAGE_TYPE.ERROR} message={data.errmsg} closable={false} style={{
<FormFooterMessage type={MESSAGE_TYPE.ERROR} message={_.escape(data.errmsg)} closable={false} style={{
position: 'unset', padding: '12px 0px 0px'
}}/>
</Box>
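Review bot: No import of `_` is visible for this file. The FileManager section appears to bring in `import _ from 'lodash';`, but this section has only the one hunk at line 102, so confirm lodash is already in scope here; otherwise `_.escape(data.errmsg)` would throw a ReferenceError when the dialog renders. It is also worth checking whether `data.errmsg` ever carries intentional markup from the server, since after this change it would be shown as literal entities. ConnectServerContent's body starts and ends outside the hunk.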