[PPP-5353]-XSS Findings For Pentaho-platform-plugin-reporting

core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js

@@ -11,26 +11,26 @@
  ******************************************************************************/
 
 define(["dojo/_base/declare", "dijit/_WidgetBase", "dijit/_Templated", "dojo/on", "dojo/query",
-"pentaho/common/button", "pentaho/common/Dialog", "dojo/text!pentaho/reportviewer/GlassPane.html"],
-    function(declare, _WidgetBase, _Templated, on, query, button, Dialog, templateStr){
+"pentaho/common/button", "pentaho/common/Dialog", "dojo/text!pentaho/reportviewer/GlassPane.html", "common-ui/util/xss"],
+    function(declare, _WidgetBase, _Templated, on, query, button, Dialog, templateStr, xssUtil){
       return declare("pentaho.reportviewer.GlassPane", [Dialog],
       {
         buttons: ['ok'],
         imagePath: '',
         hasTitleBar: false,
 
         setTitle: function(title) {
-            this.glasspanetitle.innerHTML = title;
+            xssUtil.setHtml(this.glasspanetitle, title);
         },
 
         setText: function(text) {
-            this.glasspanemessage.innerHTML = text;
+            xssUtil.setHtml(this.glasspanemessage, text);
         },
 
         setButtonText: function(text) {
           this.buttons[0] = text;
           query("#button"+0, this.domNode).forEach(function(node, index, arr){
-            node.innerHTML = text;
+            xssUtil.setHtml(node, text);
           });
         },
 

core/src/main/javascript/reportviewer/reportviewer.js

@@ -15,9 +15,9 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
       "dojo/dom", "dojo/on", "dojo/_base/lang", "dijit/registry", "dojo/has", "dojo/sniff", "dojo/dom-class",
       'pentaho/reportviewer/ReportDialog', "dojo/dom-style",
       "dojo/query", "common-ui/util/_a11y", "dojo/dom-geometry", "dojo/parser", "dojo/window", "dojo/_base/window",
-      'cdf/lib/jquery', 'amd!cdf/lib/jquery.ui', "common-repo/pentaho-ajax", "dijit/ProgressBar", "common-data/xhr"],
+      'cdf/lib/jquery', 'amd!cdf/lib/jquery.ui', "common-repo/pentaho-ajax", "dijit/ProgressBar", "common-data/xhr", "common-ui/util/xss"],
     function(util, _timeutil, _formatting, _Messages, dom, on, lang, registry, has, sniff, domClass, ReportDialog,
-             domStyle, query, a11yUtil, geometry, parser, win, win2, $) {
+             domStyle, query, a11yUtil, geometry, parser, win, win2, $, xssUtil) {
   return function(reportPrompt) {
     if (!reportPrompt) {
       alert("report prompt is required");
@@ -818,7 +818,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
         if(isRunningIFrameInSameOrigin) {
           if (!top.mantle_initialized) {
             this._topMantleOpenTabRegistration = top.mantle_openTab = function(name, title, url) {
-              window.open(url, '_blank');
+              window.open(xssUtil.sanitizeUrl(url), '_blank');
             };
           }
 
@@ -1189,7 +1189,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
                     hideDlgAndPane(registry.byId('feedbackScreen'));
 
                     //Show loading screen
-                    $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+                    $('#notification-message').html(xssUtil.sanitizeHtml(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages));
                     $('#notification-screen').css("z-index", 100);
                     if (me._currentReportStatus == 'CONTENT_AVAILABLE') {
                       domClass.remove('notification-screen', 'hidden');
@@ -1232,7 +1232,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
                       isPageCountUpdated = true;
                     }
 
-                    $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+                    $('#notification-message').html(xssUtil.sanitizeHtml(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages));
                     registry.byId('reportGlassPane').setText(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 
                     me._keepPolling(mainJobStatus.uuid, url, mainReportGeneration);
@@ -1242,13 +1242,13 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
                 case "QUEUED":
                 case "WORKING":
                   // Although we are hiding the screen latter, update the label anyway;
-                  $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+                  $('#notification-message').html(xssUtil.sanitizeHtml(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages));
                   me._hideAsyncScreens();
                   me._keepPolling(mainJobStatus.uuid, url, mainReportGeneration);
                   break;
                 case "FINISHED":
                   // Although we are hiding the screen latter, update the label anyway;
-                  $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+                  $('#notification-message').html(xssUtil.sanitizeHtml(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages));
                   me._isFinished = true;
 
                   hideDlgAndPane(registry.byId('feedbackScreen'));