Ensure Python escaping matched JS escaping and fix a minor XSS issue in the Query Tool that required superuser access to trigger. Fixes #4378

docs/en_US/release_notes_4_9.rst

@@ -39,4 +39,5 @@ Bug fixes
 | `Bug #4362 <https://redmine.postgresql.org/issues/4362>`_ - Remove additional "SETOF" included when generating CREATE scripts for trigger functions.
 | `Bug #4365 <https://redmine.postgresql.org/issues/4365>`_ - Fix help links for backup globals and backup server.
 | `Bug #4367 <https://redmine.postgresql.org/issues/4367>`_ - Fix an XSS issue seen in View/Edit data mode if a column name includes HTML.
+| `Bug #4378 <https://redmine.postgresql.org/issues/4378>`_ - Ensure Python escaping matched JS escaping and fix a minor XSS issue in the Query Tool that required superuser access to trigger.
 | `Bug #4380 <https://redmine.postgresql.org/issues/4380>`_ - Ensure that both columns and partitions can be edited at the same time in the table dialog.

web/pgadmin/browser/utils.py

@@ -22,6 +22,31 @@ from pgadmin.utils.exception import ConnectionLost, SSHTunnelConnectionLost,\
     CryptKeyMissing
 
 
+def underscore_escape(text):
+    """
+    This function mimics the behaviour of underscore js escape function
+    The html escaped by jinja is not compatible for underscore unescape
+    function
+    :param text: input html text
+    :return: escaped text
+    """
+    html_map = {
+        '&': "&",
+        '<': "&lt;",
+        '>': "&gt;",
+        '"': "&quot;",
+        '`': "&#96;",
+        "'": "&#x27;"
+    }
+
+    # always replace & first
+    for c, r in sorted(html_map.items(),
+                       key=lambda x: 0 if x[0] == '&' else 1):
+        text = text.replace(c, r)
+
+    return text
+
+
 def is_version_in_range(sversion, min_ver, max_ver):
     assert (max_ver is None or isinstance(max_ver, int))
     assert (min_ver is None or isinstance(min_ver, int))

web/pgadmin/tools/datagrid/__init__.py

@@ -30,6 +30,8 @@ from pgadmin.utils.driver import get_driver
 from pgadmin.utils.exception import ConnectionLost, SSHTunnelConnectionLost
 from pgadmin.utils.preferences import Preferences
 from pgadmin.settings import get_setting
+from pgadmin.browser.utils import underscore_escape
+
 
 query_tool_close_session_lock = Lock()
 
@@ -304,7 +306,7 @@ def panel(trans_id, is_query_tool, editor_title):
         _=gettext,
         uniqueId=trans_id,
         is_query_tool=is_query_tool,
-        editor_title=editor_title,
+        editor_title=underscore_escape(editor_title),
         script_type_url=sURL,
         is_desktop_mode=app.PGADMIN_RUNTIME,
         is_linux=is_linux_platform,

web/pgadmin/tools/datagrid/static/js/datagrid.js

@@ -313,7 +313,7 @@ define('pgadmin.datagrid', [
           var queryToolPanel = pgBrowser.docker.addPanel('frm_datagrid', wcDocker.DOCK.STACKED, propertiesPanel[0]);
 
           // Set panel title and icon
-          queryToolPanel.title('<span title="'+panel_tooltip+'">'+panel_title+'</span>');
+          queryToolPanel.title('<span title="'+_.escape(panel_tooltip)+'">'+_.escape(panel_title)+'</span>');
           queryToolPanel.icon(panel_icon);
           queryToolPanel.focus();