From a05a08eac401bbeadab3006786b530b967fe784e Mon Sep 17 00:00:00 2001
From: rshivani
Date: Fri, 15 Nov 2024 18:12:52 +0530
Subject: [PATCH] [PPP-5353]-XSS Findings For Pentaho-platform-plugin-reporting
---
 .../dojo/pentaho/reportviewer/GlassPane.js | 10 +++++-----
 .../main/javascript/reportviewer/reportviewer.js | 14 +++++++-------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js b/core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js
index a5195363b..da0e7bf41 100644
--- a/core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js
+++ b/core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js
@@ -11,8 +11,8 @@
 ******************************************************************************/
 define(["dojo/_base/declare", "dijit/_WidgetBase", "dijit/_Templated", "dojo/on", "dojo/query",
-"pentaho/common/button", "pentaho/common/Dialog", "dojo/text!pentaho/reportviewer/GlassPane.html"],
- function(declare, _WidgetBase, _Templated, on, query, button, Dialog, templateStr){
+"pentaho/common/button", "pentaho/common/Dialog", "dojo/text!pentaho/reportviewer/GlassPane.html", "common-ui/util/xss"],
+ function(declare, _WidgetBase, _Templated, on, query, button, Dialog, templateStr, xssUtil){
 return declare("pentaho.reportviewer.GlassPane", [Dialog], {
 buttons: ['ok'],
@@ -20,17 +20,17 @@ define(["dojo/_base/declare", "dijit/_WidgetBase", "dijit/_Templated", "dojo/on"
 hasTitleBar: false,
 setTitle: function(title) {
- this.glasspanetitle.innerHTML = title;
+ xssUtil.setHtml(this.glasspanetitle, title);
 },
 setText: function(text) {
- this.glasspanemessage.innerHTML = text;
+ xssUtil.setHtml(this.glasspanemessage, text);
 },
 setButtonText: function(text) {
 this.buttons[0] = text;
 query("#button"+0, this.domNode).forEach(function(node, index, arr){
- node.innerHTML = text;
+ xssUtil.setHtml(node, text);
 });
 },
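Review bot: In `setButtonText` the raw `text` is still stored in `this.buttons[0]` one line before the sanitized write to the `#button0` node, so any other code that renders from `this.buttons` (the `Dialog` base this widget declares on, if it rebuilds its buttons from that array — not visible here) would bypass `xssUtil.setHtml`; either store the sanitized value or state the contract above the assignment, e.g. `// this.buttons holds the unsanitized caption; never write it to the DOM without xssUtil`. The three setters receive a title, a message and a button caption, and the one caller visible in this patch (`reportGlassPane.setText(...)` in reportviewer.js) passes a plain label, so if `common-ui/util/xss` offers a text-only setter it would be a stronger fix than an HTML sanitizer, which by design still lets allowlisted tags and attributes through. If markup must survive for some caller, a one-line comment above `setTitle` such as `// labels are inserted as sanitized HTML; callers must not rely on arbitrary markup surviving` would make that explicit. The enclosing `declare(...)` object literal starts and ends outside the hunk.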
diff --git a/core/src/main/javascript/reportviewer/reportviewer.js b/core/src/main/javascript/reportviewer/reportviewer.js
index 0e3e4e718..2de4fa773 100644
--- a/core/src/main/javascript/reportviewer/reportviewer.js
+++ b/core/src/main/javascript/reportviewer/reportviewer.js
@@ -15,9 +15,9 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
 "dojo/dom", "dojo/on", "dojo/_base/lang", "dijit/registry", "dojo/has", "dojo/sniff", "dojo/dom-class", 'pentaho/reportviewer/ReportDialog', "dojo/dom-style", "dojo/query", "common-ui/util/_a11y", "dojo/dom-geometry", "dojo/parser", "dojo/window", "dojo/_base/window",
- 'cdf/lib/jquery', 'amd!cdf/lib/jquery.ui', "common-repo/pentaho-ajax", "dijit/ProgressBar", "common-data/xhr"],
+ 'cdf/lib/jquery', 'amd!cdf/lib/jquery.ui', "common-repo/pentaho-ajax", "dijit/ProgressBar", "common-data/xhr", "common-ui/util/xss"],
 function(util, _timeutil, _formatting, _Messages, dom, on, lang, registry, has, sniff, domClass, ReportDialog,
- domStyle, query, a11yUtil, geometry, parser, win, win2, $) {
+ domStyle, query, a11yUtil, geometry, parser, win, win2, $, xssUtil) {
 return function(reportPrompt) {
 if (!reportPrompt) {
 alert("report prompt is required");
@@ -818,7 +818,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
 if(isRunningIFrameInSameOrigin) {
 if (!top.mantle_initialized) {
 this._topMantleOpenTabRegistration = top.mantle_openTab = function(name, title, url) {
- window.open(url, '_blank');
+ xssUtil.open(url, '_blank');
 };
 }
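Review bot: The new `xssUtil.open(url, '_blank')` call is installed as `top.mantle_openTab`, so `url` is whatever any same-origin frame later passes to that global, and nothing in the hunk says what `xssUtil.open` rejects; the case that matters for this shim is a `javascript:` or `data:` URL, and a comment stating that guarantee would keep a future maintainer from reverting to `window.open`, e.g. `// url is caller-supplied via top.mantle_openTab; xssUtil.open is relied on to reject non-http(s) schemes — do not replace with window.open`. Separately, opening with `'_blank'` and no `noopener` leaves the new page a `window.opener` reference back to this viewer; if `xssUtil.open` forwards a window-features argument (not visible here), `xssUtil.open(url, '_blank', 'noopener')` would close that. The function assigned to `top.mantle_openTab` is complete in the hunk, but the method that installs it starts and ends outside it.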
@@ -1189,7 +1189,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
 hideDlgAndPane(registry.byId('feedbackScreen'));
 //Show loading screen
- $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+ xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 $('#notification-screen').css("z-index", 100);
 if (me._currentReportStatus == 'CONTENT_AVAILABLE') {
 domClass.remove('notification-screen', 'hidden');
@@ -1232,7 +1232,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
 isPageCountUpdated = true;
 }
- $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+ xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 registry.byId('reportGlassPane').setText(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 me._keepPolling(mainJobStatus.uuid, url, mainReportGeneration);
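Review bot: The added `xssUtil.setHtml($('#notification-message'), …)` calls hand the helper a jQuery object, whereas GlassPane.js in the same patch hands it raw DOM nodes (`this.glasspanetitle`, `node`); if `setHtml` assigns `innerHTML` on its first argument, the jQuery wrapper silently absorbs the property and the label never updates, so please confirm the helper accepts both or pass `$('#notification-message')[0]`. More fundamentally, the label is two message-bundle strings plus `mainJobStatus.page` and `mainJobStatus.totalPages`, which this hunk gives no reason to treat as markup, so `$('#notification-message').text(label)` is the simpler and stronger fix: a sanitizer still preserves allowlisted tags, a text write preserves none, and it removes the question of what `setHtml` does with a jQuery object. The one reason to keep `setHtml` would be bundle strings that carry entities or markup in some locale, which I cannot see here; if so, record it, e.g. `// LoadingPage/Of bundle strings may contain markup; sanitize rather than use text()`. The status-handling function these hunks sit in starts and ends outside them.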
@@ -1242,13 +1242,13 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
 case "QUEUED":
 case "WORKING":
 // Although we are hiding the screen latter, update the label anyway;
- $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+ xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 me._hideAsyncScreens();
 me._keepPolling(mainJobStatus.uuid, url, mainReportGeneration);
 break;
 case "FINISHED":
 // Although we are hiding the screen latter, update the label anyway;
- $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+ xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 me._isFinished = true;
 hideDlgAndPane(registry.byId('feedbackScreen'));
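Review bot: The `"QUEUED"`/`"WORKING"` and `"FINISHED"` branches each re-assemble the same `LoadingPage … Of … totalPages` string inline, the fourth and fifth copies of that expression touched by this patch, and every copy is a separate place where the sanitizing call can be forgotten or reverted; hoisting it once makes the fix a single point of truth, e.g. `function loadingPageLabel(jobStatus) { return _Messages.getString('LoadingPage') + " " + jobStatus.page + " " + _Messages.getString('Of') + " " + jobStatus.totalPages; }` with each branch reduced to `xssUtil.setHtml($('#notification-message'), loadingPageLabel(mainJobStatus));`. The same helper would also serve the `reportGlassPane.setText(...)` call in the preceding hunk, so the label rendered on the glass pane and in `#notification-message` cannot drift apart. The `switch` these cases belong to starts and ends outside the hunk.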