Merge pull request #3052 from SCADA-LTS/fix/#3050_XSS_in_Reports_names

#3050 XSS in Reports names
SCADA-LTS · Nov 25, 2024 · a06a15c · a06a15c
2 parents c95948e + 05c83d2
commit a06a15c
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 5 deletions.
diff --git a/WebContent/WEB-INF/ftl/report/reportChart.ftl b/WebContent/WEB-INF/ftl/report/reportChart.ftl
@@ -87,7 +87,7 @@
       <td>
         <table>
           <tr>
-            <td colspan="2"><h1>${instance.name}</h1></td>
+            <td colspan="2"><h1>${security.escapeHtml(instance.name)}</h1></td>
           </tr>
           <tr>
             <td class="label"><@fmt key="reports.runTimeStart"/></td>
@@ -121,7 +121,7 @@
 
       <td class="stats">
         <table>
-          <tr><td colspan="2" class="pointName">${point.name}</td></tr>
+          <tr><td colspan="2" class="pointName">${security.escapeHtml(point.name)}</td></tr>
           <tr>
             <td class="label"><@fmt key="reports.dataType"/></td>
             <td>${point.dataTypeDescription}</td>

diff --git a/WebContent/WEB-INF/jsp/reports.jsp b/WebContent/WEB-INF/jsp/reports.jsp
@@ -142,7 +142,7 @@
             hide("noReportInstances");
             dwr.util.addRows("reportInstancesList", instanceArray,
                 [
-                    function(ri) { return "<span>" + ri.name + "</span>"; },
+                    function(ri) { return "<span>" + escapeHtml(ri.name) + "</span>"; },
                     function(ri) { return ri.prettyRunStartTime; },
                     function(ri) { return ri.prettyRunDuration; },
                     function(ri) { return ri.prettyReportStartTime; },
@@ -336,7 +336,8 @@
     }
     
     function updateReport(id, name) {
-        $("r"+ id +"Name").innerHTML = name;
+        let escapedName = escapeHtml(name);
+        $("r"+ id +"Name").innerHTML = escapedName;
     }
     
     function clearMessages() {

diff --git a/src/com/serotonin/mango/vo/report/ReportChartCreator.java b/src/com/serotonin/mango/vo/report/ReportChartCreator.java
@@ -35,6 +35,7 @@
 import freemarker.template.Template;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.directwebremoting.Security;
 import org.jfree.data.time.TimeSeries;
 import org.scada_lts.mango.service.SystemSettingsService;
 import org.scada_lts.utils.ColorUtils;
@@ -123,6 +124,7 @@ public void createContent(ReportInstance reportInstance, ReportDao reportDao, St
         model.put("instance", reportInstance);
         model.put("points", pointStatistics);
         model.put("inline", inlinePrefix == null ? "" : "cid:");
+        model.put("security", new Security());
 
         model.put("ALPHANUMERIC", DataTypes.ALPHANUMERIC);
         model.put("BINARY", DataTypes.BINARY);

diff --git a/src/com/serotonin/mango/vo/report/SeriesIdentifier.java b/src/com/serotonin/mango/vo/report/SeriesIdentifier.java
@@ -38,6 +38,6 @@ public int hashCode() {
 
     @Override
     public String toString() {
-        return XssProtectHtmlEscapeUtils.escape(name);
+        return name;
     }
 }