
Commit 4bf341e

committed
Fix unescaped HTML / XSS vulnerability in Query results
1 parent a4430cf commit 4bf341e

1 file changed

Lines changed: 24 additions & 19 deletions


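--- a/Resources/public/queryBuilder.element.js
+++ b/Resources/public/queryBuilder.element.js
@@ -189,25 +189,15 @@
 });
 },
 
-/**
-* Get column names
-*
-* @param items
-* @returns {Array}
-*/
-getColumnNames: function(items) {
-var columns = [];
-if(items.length) {
-for (var key in items[0]) {
-columns.push({
-data: key,
-title: key
-});
-}
-}
-return columns;
+_escapeHtml: function(value) {
+'use strict';
+return ('' + (value || '')).replace(/["&'\/<>]/g, function (a) {
+return {
+'"': '&quot;', '&': '&amp;', "'": '&#39;',
+'/': '&#47;', '<': '&lt;', '>': '&gt;'
+}[a];
+});
 },
-
 /**
 * Executes SQL by ID and display results as popups
 *
@@ -225,7 +215,22 @@
 if (!results || !results.length) {
 columnsOption = [{data: null, title: ''}];
 } else {
-columnsOption = widget.getColumnNames(results)
+var columnNames = Object.keys(results[0]);
+columnsOption = columnNames.map(function(name) {
+return {
+title: name,
+render: function(data, type, row) {
+switch (type) {
+case 'display':
+return widget._escapeHtml(row[name]);
+case 'filter':
+return ('' + row[name]) || undefined;
+default:
+return row[name];
+}
+}
+};
+});
 }
 $content.append(widget.initDataTable({
 selectable: false,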
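Review bot: `_escapeHtml` in the first hunk coerces with `value || ''`, so a result cell holding `0` or `false` is displayed as an empty string instead of being escaped and shown; a nullish check keeps those values: `return ('' + (value == null ? '' : value)).replace(/["&'\/<>]/g, function (a) {`. The character set escaped covers what matters for HTML text and attribute contexts, and returning the raw value for the `sort`/`type` cases keeps ordering on the original data. In the second hunk the new column definitions omit the `data` key; since `render` reads `row[name]` directly the display path should still work, but DataTables may fall back to the column index as the data source for untyped lookups and warn about an unknown parameter, so adding `data: name,` beside `title: name,` would make the source explicit. The widget object literal around the first hunk and the function around the second both continue outside their hunks.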
