From bba188e481ef32c38970f870aed045c25207ac8f Mon Sep 17 00:00:00 2001 From: Lazlo Westerhof Date: Mon, 12 Aug 2024 15:55:49 +0200 Subject: [PATCH 1/5] Fix DOM text reinterpreted as HTML --- .../deposit/js/dlgFileBrowseOperations.js | 6 +++--- deposit/templates/deposit/data.html | 1 + .../static/group_manager/js/group_manager.js | 19 +++++++++++-------- .../templates/group_manager/index.html | 1 + .../research/js/dlgFileBrowseOperations.js | 6 +++--- research/templates/research/browse.html | 1 + search/static/search/js/revision.js | 8 +++++--- search/static/search/js/search.js | 4 +++- search/templates/search/search.html | 1 + vault/static/vault/js/dlgSelectCollection.js | 3 ++- vault/templates/vault/browse.html | 1 + 11 files changed, 32 insertions(+), 19 deletions(-) diff --git a/deposit/static/deposit/js/dlgFileBrowseOperations.js b/deposit/static/deposit/js/dlgFileBrowseOperations.js index 65e10ce8..05600023 100644 --- a/deposit/static/deposit/js/dlgFileBrowseOperations.js +++ b/deposit/static/deposit/js/dlgFileBrowseOperations.js @@ -1,4 +1,4 @@ -/* global browse, path */ +/* global browse, DOMPurify, path */ 'use strict' let folderSelectBrowser = null @@ -133,7 +133,7 @@ $(document).ready(function () { - ` - $('.multi-select-table tbody').append(row) + $('.multi-select-table tbody').append(DOMPurify.sanitize(row)) }) if (action === 'multiple-delete') { @@ -694,7 +694,7 @@ function dlgMakeBreadcrumb (urlEncodedDir) { /// alert handling function dlgSelectAlertShow (errorMessage) { $('#dlg-select-alert-panel').removeClass('hide') - $('#dlg-select-alert-panel span').html(errorMessage) + $('#dlg-select-alert-panel span').html(DOMPurify.sanitize(errorMessage)) } function dlgSelectAlertHide () { diff --git a/deposit/templates/deposit/data.html b/deposit/templates/deposit/data.html index d8d9d7d8..24e6d34e 100644 --- a/deposit/templates/deposit/data.html +++ b/deposit/templates/deposit/data.html 
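Review bot: In the `@@ -133` hunk of deposit/static/deposit/js/dlgFileBrowseOperations.js, `DOMPurify.sanitize(row)` is applied to a whole template-literal fragment that is then appended to `.multi-select-table tbody`; if `row` is a `<tr>…</tr>` fragment, as that target suggests, DOMPurify's HTML parsing can drop the row and cell tags (they are not valid outside a table context), leaving only the cell text and breaking the table. The safer shape is to keep the markup static and escape, or set via `.text()`, each interpolated value individually before `row` is built, so the sanitizer never has to re-parse the structure; the template literal that builds `row` starts above this hunk, so the interpolated values are not visible here. In the `@@ -694` hunk, `dlgSelectAlertShow` now does `.html(DOMPurify.sanitize(errorMessage))`; if the message is plain text, `$('#dlg-select-alert-panel span').text(errorMessage)` is the tighter fix because it never interprets markup at all. The same applies to the identical function in vault/static/vault/js/dlgSelectCollection.js, to `dlgAlertShow` and `dlgAlreadyExistsAlert` in search/static/search/js/revision.js, and to the `'[' + groupName + ']'` label in the `@@ -973` hunk of group_manager.js.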
@@ -13,6 +13,7 @@ var path = {{ path|tojson|safe }}; var view = 'browse'; + diff --git a/group_manager/static/group_manager/js/group_manager.js b/group_manager/static/group_manager/js/group_manager.js index dc62b8be..e35dce37 100644 --- a/group_manager/static/group_manager/js/group_manager.js +++ b/group_manager/static/group_manager/js/group_manager.js @@ -1,4 +1,4 @@ -/* global bootstrap, FileReader, jQuery, Option */ +/* global bootstrap, DOMPurify, FileReader, jQuery, Option */ 'use strict' let enteredUsername = '' @@ -973,7 +973,8 @@ $(function () { $('.properties-update').removeClass('hidden') $('.users').removeClass('hidden') - $('#group-properties-group-name').html('[' + groupName + ']') + const sanitizedGroupName = DOMPurify.sanitize('[' + groupName + ']') + $('#group-properties-group-name').html(sanitizedGroupName) $oldGroup.removeClass('active') $group.addClass('active') @@ -1346,7 +1347,8 @@ $(function () { // $(this).val(null).trigger('change') }).on('change', function () { // Reset the subcategory value - $($(this).attr('data-subcategory')).val(null).trigger('change') + const sanitizedSubCategory = DOMPurify.sanitize($(this).attr('data-subcategory')) + $(sanitizedSubCategory).val(null).trigger('change') // bring over the category value to the schema-id if exists. if (that.schemaIDs.includes($(this).select2('data')[0].id)) { @@ -1376,6 +1378,8 @@ $(function () { $(sel).filter('.selectify-subcategory').each(function () { const $el = $(this) + const sanitizedCategory = DOMPurify.sanitize($el.attr('data-category')) + $el.select2({ placeholder: 'Select a subcategory or enter a new name', ajax: { @@ -1386,7 +1390,7 @@ $(function () { data: function (params) { const request = { query: '', - category: $($el.attr('data-category')).val() + category: $(sanitizedCategory).val() } if (params.term) { request.query = params.term 
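Review bot: In the `@@ -1346` and `@@ -1376`/`@@ -1390` hunks of group_manager/static/group_manager/js/group_manager.js, `DOMPurify.sanitize` is applied to the `data-subcategory` and `data-category` attribute values that are then handed to `$()` as selectors; an HTML sanitizer does not make a string safe as a selector, and the hazard with `$(str)` is jQuery parsing a string that begins with `<` as HTML. Resolving the attribute strictly as a selector removes that path regardless of content, e.g. `$(document).find($(this).attr('data-subcategory')).val(null).trigger('change')` and `category: $(document).find($el.attr('data-category')).val()`. Note also that `DOMPurify.sanitize` returns HTML-serialized text, so an attribute value containing `&`, `<` or `>` comes back entity-encoded and would no longer match the intended element. The `@@ -1544` hunk (`data-group`) has the same pattern. The enclosing `$(function () { … })` and the select2 configuration extend beyond these hunks.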
@@ -1544,7 +1548,8 @@ $(function () { users.forEach(function (userName) { // Exclude users already in the group. - if (!(userName in that.groups[$($el.attr('data-group')).val()].members)) { + const sanitizedGroup = DOMPurify.sanitize($el.attr('data-group')) + if (!(userName in that.groups[$(sanitizedGroup).val()].members)) { const nameAndZone = userName.split('#') results.push({ id: userName, @@ -2209,12 +2214,10 @@ $(function () { }) // Group creation {{{ - $('#f-group-create-prefix-div a').on('click', function (e) { // Select new group prefix. - const newPrefix = $(this).attr('data-value') + const newPrefix = DOMPurify.sanitize($(this).attr('data-value')) const oldPrefix = $('#f-group-create-name').attr('data-prefix') - $('#f-group-create-prefix-div button .text').html(newPrefix + ' ') $('#f-group-create-name').attr('data-prefix', newPrefix) diff --git a/group_manager/templates/group_manager/index.html b/group_manager/templates/group_manager/index.html index 9328477e..9dbb4221 100644 --- a/group_manager/templates/group_manager/index.html +++ b/group_manager/templates/group_manager/index.html @@ -9,6 +9,7 @@ {% endblock style %} {% block scripts %} + diff --git a/search/static/search/js/revision.js b/search/static/search/js/revision.js index 97375958..2dd25ef1 100644 --- a/search/static/search/js/revision.js +++ b/search/static/search/js/revision.js @@ -1,3 +1,4 @@ +/* global DOMPurify */ 'use strict' // Handles content of two tables 
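Review bot: In the `@@ -2209` hunk of group_manager.js, the sanitized `newPrefix` is written back with `.attr('data-prefix', newPrefix)`, so a prefix containing `&`, `<` or `>` would be stored entity-encoded (DOMPurify returns serialized HTML) and later reads of `data-prefix` would see a different value than `data-value` held. Keeping the raw value for the attribute and using the text setter for the display avoids both the markup injection and the value change: `const newPrefix = $(this).attr('data-value')`, `$('#f-group-create-prefix-div button .text').text(newPrefix + ' ')`, `$('#f-group-create-name').attr('data-prefix', newPrefix)`. The click handler continues past the end of the hunk, so any later use of `newPrefix` is not visible here.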
@@ -412,7 +413,8 @@ $(document).ready(function () { $('#newFileName').val($('#org_folder_select_filename').val()) // Is in dialog where to enter a new name when duplicate // For error reporting - $('.mode-dlg-exists .alert-warning').html('The file name ' + $('#org_folder_select_filename').val() + ' (location: ' + $('#org_folder_select_path').val() + ') already exists') + const errorReport = DOMPurify.sanitize('The file name ' + $('#org_folder_select_filename').val() + ' (location: ' + $('#org_folder_select_path').val() + ') already exists') + $('.mode-dlg-exists .alert-warning').html(errorReport) restoreRevision('restore_no_overwrite') }) @@ -453,7 +455,7 @@ $(document).ready(function () { // select-folder function dlgAlertShow (alertMessage) { - $('.alert-folder-select').html(alertMessage) + $('.alert-folder-select').html(DOMPurify.sanitize(alertMessage)) } // dlg-select-folder @@ -593,7 +595,7 @@ async function restoreRevision (overwriteFlag) { // Alerts to user in dialog when file already exists function dlgAlreadyExistsAlert (message) { - $('.alert-dlg-already-exists').html(message) + $('.alert-dlg-already-exists').html(DOMPurify.sanitize(message)) } /// //////////////////////////////////////////////////////////////////////////////////////////////////////// diff --git a/search/static/search/js/search.js b/search/static/search/js/search.js index 82f52918..c80b9971 100644 --- a/search/static/search/js/search.js +++ b/search/static/search/js/search.js @@ -1,3 +1,4 @@ +/* global DOMPurify */ 'use strict' let currentSearchString @@ -30,7 +31,8 @@ $(document).ready(function () { } $('#search-panel a').on('click', function () { - $('#search_concept').html($(this).text()) + const sanitizedSearchConcept = DOMPurify.sanitize($(this).text()) + $('#search_concept').html(sanitizedSearchConcept) $('#search_concept').attr('data-type', $(this).attr('data-type')) if ($(this).attr('data-type') === 'status') { 
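Review bot: In the `@@ -31` hunk of search/static/search/js/search.js, `$(this).text()` yields plain text which `DOMPurify.sanitize` then re-parses as HTML before `.html()` inserts it; a `<` or `&` in the link text is reinterpreted as markup or an entity instead of being shown literally, so the round trip changes the displayed string. Setting text as text, `$('#search_concept').text($(this).text())`, keeps the value verbatim and needs no sanitizer. The same reasoning applies to `errorReport` in the `@@ -412` hunk of revision.js, which is built from `.val()` results; `.text(…)` on the unsanitized concatenation is the simpler fix there. Both click handlers continue outside their hunks.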
diff --git a/search/templates/search/search.html b/search/templates/search/search.html index 9ab41911..a0b0feeb 100644 --- a/search/templates/search/search.html +++ b/search/templates/search/search.html @@ -3,6 +3,7 @@ {% block title %}{{ super() }} ‐ Search{% endblock title %} {% block scripts %} + diff --git a/vault/static/vault/js/dlgSelectCollection.js b/vault/static/vault/js/dlgSelectCollection.js index 7a9a6317..f88b3731 100644 --- a/vault/static/vault/js/dlgSelectCollection.js +++ b/vault/static/vault/js/dlgSelectCollection.js @@ -1,3 +1,4 @@ +/* global DOMPurify */ 'use strict' let urlEncodedPath = '' @@ -100,7 +101,7 @@ function dlgShowFolderSelectDialog (orgPath) { /// alert handling function dlgSelectAlertShow (errorMessage) { $('#dlg-select-alert-panel').removeClass('hide') - $('#dlg-select-alert-panel span').html(errorMessage) + $('#dlg-select-alert-panel span').html(DOMPurify.sanitize(errorMessage)) } function dlgSelectAlertHide () { diff --git a/vault/templates/vault/browse.html b/vault/templates/vault/browse.html index 21595821..a0b6c1bb 100644 --- a/vault/templates/vault/browse.html +++ b/vault/templates/vault/browse.html @@ -8,6 +8,7 @@ {% endblock style %} {% block scripts %} + From 5f1254c7473e9e7a651a8f261c7cd9a9c4daa97e Mon Sep 17 00:00:00 2001 
From: Lazlo Westerhof Date: Tue, 13 Aug 2024 09:25:37 +0200 Subject: [PATCH 2/5] Do not use entity references --- admin/templates/admin/admin.html | 2 +- datarequest/templates/datarequest/add.html | 2 +- datarequest/templates/datarequest/add_attachments.html | 2 +- datarequest/templates/datarequest/assign.html | 2 +- datarequest/templates/datarequest/dao_evaluate.html | 2 +- datarequest/templates/datarequest/datamanager_review.html | 2 +- datarequest/templates/datarequest/evaluate.html | 2 +- datarequest/templates/datarequest/index.html | 2 +- datarequest/templates/datarequest/preliminary_review.html | 2 +- datarequest/templates/datarequest/preregister.html | 2 +- datarequest/templates/datarequest/preregistration_confirm.html | 2 +- datarequest/templates/datarequest/review.html | 2 +- datarequest/templates/datarequest/view.html | 2 +- deposit/templates/deposit/data.html | 2 +- deposit/templates/deposit/metadata-form.html | 2 +- deposit/templates/deposit/overview.html | 2 +- deposit/templates/deposit/submit.html | 2 +- deposit/templates/deposit/thank-you.html | 2 +- fileviewer/templates/fileviewer/file.html | 2 +- general/templates/general/403.html | 2 +- general/templates/general/404.html | 2 +- general/templates/general/500.html | 2 +- general/templates/general/index.html | 2 +- group_manager/templates/group_manager/index.html | 2 +- intake/templates/intake/intake.html | 2 +- intake/templates/intake/reports.html | 2 +- open_search/templates/open_search/search.html | 2 +- research/templates/research/browse.html | 2 +- research/templates/research/metadata-form.html | 2 +- search/templates/search/search.html | 2 +- stats/templates/stats/stats.html | 2 +- themes/uu_dag/vault/browse.html | 2 +- themes/uu_dgk/index.html | 2 +- themes/uu_fsw/index.html | 2 +- themes/uu_geo/index.html | 2 +- themes/uu_gw/index.html | 2 +- themes/uu_i-lab/index.html | 2 +- themes/uu_its/index.html | 2 +- themes/uu_science/index.html | 2 +- themes/uu_youth/index.html | 2 +- 
themes/vu/index.html | 2 +- user/templates/user/data_access.html | 2 +- user/templates/user/data_transfer.html | 2 +- user/templates/user/gate.html | 2 +- user/templates/user/login.html | 2 +- user/templates/user/notifications.html | 2 +- user/templates/user/settings.html | 2 +- vault/templates/vault/browse.html | 2 +- vault/templates/vault/datapackage.html | 2 +- vault/templates/vault/metadata-form.html | 2 +- 50 files changed, 50 insertions(+), 50 deletions(-) diff --git a/admin/templates/admin/admin.html b/admin/templates/admin/admin.html index 7c8f78b0..9512253d 100644 --- a/admin/templates/admin/admin.html +++ b/admin/templates/admin/admin.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Administration{% endblock title %} +{% block title %}{{ super() }} - Administration{% endblock title %} {% block scripts %} diff --git a/datarequest/templates/datarequest/add.html b/datarequest/templates/datarequest/add.html index 720fd782..ac0e6b8c 100644 --- a/datarequest/templates/datarequest/add.html +++ b/datarequest/templates/datarequest/add.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Datarequest {{ request_id }} ‐ Add request{% endblock title %} +{% block title %}{{ super() }} - Datarequest {{ request_id }} - Add request{% endblock title %} {% block scripts %} diff --git a/research/templates/research/browse.html b/research/templates/research/browse.html index 6c1cc893..289474a5 100644 --- a/research/templates/research/browse.html +++ b/research/templates/research/browse.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Research{% endblock title %} +{% block title %}{{ super() }} - Research{% endblock title %} {% block scripts %} diff --git a/research/templates/research/metadata-form.html b/research/templates/research/metadata-form.html index a2125f7b..719fc29d 100644 --- a/research/templates/research/metadata-form.html +++ b/research/templates/research/metadata-form.html 
@@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Research{% endblock title %} +{% block title %}{{ super() }} - Research{% endblock title %} {% block style %} diff --git a/search/templates/search/search.html b/search/templates/search/search.html index a0b0feeb..3d3feebd 100644 --- a/search/templates/search/search.html +++ b/search/templates/search/search.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Search{% endblock title %} +{% block title %}{{ super() }} - Search{% endblock title %} {% block scripts %} diff --git a/stats/templates/stats/stats.html b/stats/templates/stats/stats.html index 0745d10f..f33ca1db 100644 --- a/stats/templates/stats/stats.html +++ b/stats/templates/stats/stats.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Statistics{% endblock title %} +{% block title %}{{ super() }} - Statistics{% endblock title %} {% block style %} diff --git a/themes/uu_dag/vault/browse.html b/themes/uu_dag/vault/browse.html index 3d6ee00a..1fa581e2 100644 --- a/themes/uu_dag/vault/browse.html +++ b/themes/uu_dag/vault/browse.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Vault{% endblock title %} +{% block title %}{{ super() }} - Vault{% endblock title %} {% block style %} diff --git a/themes/uu_dgk/index.html b/themes/uu_dgk/index.html index 12409f9b..b2491d69 100644 --- a/themes/uu_dgk/index.html +++ b/themes/uu_dgk/index.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Home{% endblock %} +{% block title %}{{ super() }} - Home{% endblock %} {% block style %} {{ super() }} diff --git a/themes/uu_fsw/index.html b/themes/uu_fsw/index.html index 8c57809e..2499bcfc 100644 --- a/themes/uu_fsw/index.html +++ b/themes/uu_fsw/index.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Home{% endblock %} +{% block title %}{{ super() }} - Home{% endblock %} {% block style %} {{ super() }} 
diff --git a/themes/uu_geo/index.html b/themes/uu_geo/index.html index da8637b8..772db3e4 100644 --- a/themes/uu_geo/index.html +++ b/themes/uu_geo/index.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Home{% endblock %} +{% block title %}{{ super() }} - Home{% endblock %} {% block style %} {{ super() }} diff --git a/themes/uu_gw/index.html b/themes/uu_gw/index.html index 7022deba..1042c6a0 100644 --- a/themes/uu_gw/index.html +++ b/themes/uu_gw/index.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Home{% endblock %} +{% block title %}{{ super() }} - Home{% endblock %} {% block style %} {{ super() }} diff --git a/themes/uu_i-lab/index.html b/themes/uu_i-lab/index.html index 36a03641..d40242f9 100644 --- a/themes/uu_i-lab/index.html +++ b/themes/uu_i-lab/index.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Home{% endblock %} +{% block title %}{{ super() }} - Home{% endblock %} {% block style %} {{ super() }} diff --git a/themes/uu_its/index.html b/themes/uu_its/index.html index 5a52c004..b740d181 100644 --- a/themes/uu_its/index.html +++ b/themes/uu_its/index.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Home{% endblock %} +{% block title %}{{ super() }} - Home{% endblock %} {% block style %} {{ super() }} diff --git a/themes/uu_science/index.html b/themes/uu_science/index.html index 49085a84..c6441faf 100644 --- a/themes/uu_science/index.html +++ b/themes/uu_science/index.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Home{% endblock %} +{% block title %}{{ super() }} - Home{% endblock %} {% block style %} {{ super() }} diff --git a/themes/uu_youth/index.html b/themes/uu_youth/index.html index cc3f44d0..0278b121 100644 --- a/themes/uu_youth/index.html +++ b/themes/uu_youth/index.html 
@@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Home{% endblock %} +{% block title %}{{ super() }} - Home{% endblock %} {% block style %} {{ super() }} diff --git a/themes/vu/index.html b/themes/vu/index.html index 81b13b5b..47e77815 100644 --- a/themes/vu/index.html +++ b/themes/vu/index.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Home{% endblock %} +{% block title %}{{ super() }} - Home{% endblock %} {% block style %} {{ super() }} diff --git a/user/templates/user/data_access.html b/user/templates/user/data_access.html index 1d424452..3cd3761e 100644 --- a/user/templates/user/data_access.html +++ b/user/templates/user/data_access.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Data Access Tokens{% endblock %} +{% block title %}{{ super() }} - Data Access Tokens{% endblock %} {% block scripts %} diff --git a/user/templates/user/data_transfer.html b/user/templates/user/data_transfer.html index 4ae2256c..05239750 100644 --- a/user/templates/user/data_transfer.html +++ b/user/templates/user/data_transfer.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Data Transfer{% endblock %} +{% block title %}{{ super() }} - Data Transfer{% endblock %} {% block scripts %} diff --git a/user/templates/user/gate.html b/user/templates/user/gate.html index 20fc7b37..79f3918f 100644 --- a/user/templates/user/gate.html +++ b/user/templates/user/gate.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Sign in{% endblock title %} +{% block title %}{{ super() }} - Sign in{% endblock title %} {% block content %}
diff --git a/user/templates/user/login.html b/user/templates/user/login.html index a0f7062e..2b1c9039 100644 --- a/user/templates/user/login.html +++ b/user/templates/user/login.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Sign in{% endblock title %} +{% block title %}{{ super() }} - Sign in{% endblock title %} {% block content %}
diff --git a/user/templates/user/settings.html b/user/templates/user/settings.html index 797db13f..e1a3f1e6 100644 --- a/user/templates/user/settings.html +++ b/user/templates/user/settings.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Settings{% endblock title %} +{% block title %}{{ super() }} - Settings{% endblock title %} {% block content %}

Settings

diff --git a/vault/templates/vault/browse.html b/vault/templates/vault/browse.html index a0b6c1bb..f0661795 100644 --- a/vault/templates/vault/browse.html +++ b/vault/templates/vault/browse.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Vault{% endblock title %} +{% block title %}{{ super() }} - Vault{% endblock title %} {% block style %} diff --git a/vault/templates/vault/datapackage.html b/vault/templates/vault/datapackage.html index 929a078c..297fec31 100644 --- a/vault/templates/vault/datapackage.html +++ b/vault/templates/vault/datapackage.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ DAG Datapackage{% endblock title %} +{% block title %}{{ super() }} - DAG Datapackage{% endblock title %} {% block style %} diff --git a/vault/templates/vault/metadata-form.html b/vault/templates/vault/metadata-form.html index 7b02bb09..2830ab72 100644 --- a/vault/templates/vault/metadata-form.html +++ b/vault/templates/vault/metadata-form.html @@ -1,6 +1,6 @@ {% extends 'base.html' %} -{% block title %}{{ super() }} ‐ Vault{% endblock title %} +{% block title %}{{ super() }} - Vault{% endblock title %} {% block scripts %}