[PPP-5353]-XSS Findings For Pentaho-platform-plugin-reporting

pentaho · Nov 7, 2024 · bb71b27 · bb71b27
1 parent 4d5950e
commit bb71b27
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 17 deletions.
diff --git a/core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js b/core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js
@@ -1,5 +1,5 @@
 /*!
-* Copyright 2010 - 2017 Hitachi Vantara.  All rights reserved.
+* Copyright 2010 - 2024 Hitachi Vantara.  All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -15,26 +15,26 @@
 *
 */
 define(["dojo/_base/declare", "dijit/_WidgetBase", "dijit/_Templated", "dojo/on", "dojo/query",
-"pentaho/common/button", "pentaho/common/Dialog", "dojo/text!pentaho/reportviewer/GlassPane.html"],
-    function(declare, _WidgetBase, _Templated, on, query, button, Dialog, templateStr){
+"pentaho/common/button", "pentaho/common/Dialog", "dojo/text!pentaho/reportviewer/GlassPane.html", "common-ui/util/xss"],
+    function(declare, _WidgetBase, _Templated, on, query, button, Dialog, templateStr, xssUtil){
       return declare("pentaho.reportviewer.GlassPane", [Dialog],
       {
         buttons: ['ok'],
         imagePath: '',
         hasTitleBar: false,
 
         setTitle: function(title) {
-            this.glasspanetitle.innerHTML = title;
+            this.xssUtil.setHtml(this.glasspanetitle, title);
         },
 
         setText: function(text) {
-            this.glasspanemessage.innerHTML = text;
+            this.xssUtil.setHtml(this.glasspanemessage, text);
         },
 
         setButtonText: function(text) {
           this.buttons[0] = text;
           query("#button"+0, this.domNode).forEach(function(node, index, arr){
-            node.innerHTML = text;
+            xssUtil.setHtml(node, text);
           });
         },
 

diff --git a/core/src/main/javascript/reportviewer/reportviewer-logging.js b/core/src/main/javascript/reportviewer/reportviewer-logging.js
@@ -12,10 +12,11 @@
 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 *
-* Copyright (c) 2002-2017 Hitachi Vantara..  All rights reserved.
+* Copyright (c) 2002-2024 Hitachi Vantara..  All rights reserved.
 */
 
-define(function() {
+define(["common-ui/dompurify"] ,
+  function(DOMPurify) {
   var levelIndentText = "&nbsp;&nbsp;&nbsp;&nbsp;";
 
   var S = function(s) { return s == null ? "" : String(s); };
@@ -72,7 +73,7 @@ define(function() {
     if(!enabled) { return null; }
 
     // May be null in case popups blocked
-    var logWin = window.open('', options.winname || 'report_viewer_log');
+    var logWin = window.open('', DOMPurify.sanitize(options.winname) || 'report_viewer_log');
     if(!logWin) { return null; }
 
     var logDoc = logWin.document;

diff --git a/core/src/main/javascript/reportviewer/reportviewer.js b/core/src/main/javascript/reportviewer/reportviewer.js
@@ -12,16 +12,16 @@
 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 *
-* Copyright (c) 2002-2023 Hitachi Vantara.  All rights reserved.
+* Copyright (c) 2002-2024 Hitachi Vantara.  All rights reserved.
 */
 
 define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/formatting', 'pentaho/common/Messages',
       "dojo/dom", "dojo/on", "dojo/_base/lang", "dijit/registry", "dojo/has", "dojo/sniff", "dojo/dom-class",
       'pentaho/reportviewer/ReportDialog', "dojo/dom-style",
       "dojo/query", "common-ui/util/_a11y", "dojo/dom-geometry", "dojo/parser", "dojo/window", "dojo/_base/window",
-      'cdf/lib/jquery', 'amd!cdf/lib/jquery.ui', "common-repo/pentaho-ajax", "dijit/ProgressBar", "common-data/xhr"],
+      'cdf/lib/jquery', 'amd!cdf/lib/jquery.ui', "common-repo/pentaho-ajax", "dijit/ProgressBar", "common-data/xhr", "common-ui/util/xss", "common-ui/dompurify"],
     function(util, _timeutil, _formatting, _Messages, dom, on, lang, registry, has, sniff, domClass, ReportDialog,
-             domStyle, query, a11yUtil, geometry, parser, win, win2, $) {
+             domStyle, query, a11yUtil, geometry, parser, win, win2, $, xssUtil, DOMPurify) {
   return function(reportPrompt) {
     if (!reportPrompt) {
       alert("report prompt is required");
@@ -822,7 +822,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
         if(isRunningIFrameInSameOrigin) {
           if (!top.mantle_initialized) {
             this._topMantleOpenTabRegistration = top.mantle_openTab = function(name, title, url) {
-              window.open(url, '_blank');
+              window.open(DOMPurify.sanitize(url), '_blank');
             };
           }
 
@@ -1193,7 +1193,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
                     hideDlgAndPane(registry.byId('feedbackScreen'));
 
                     //Show loading screen
-                    $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+                    xssUtil.setHtml($('notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
                     $('#notification-screen').css("z-index", 100);
                     if (me._currentReportStatus == 'CONTENT_AVAILABLE') {
                       domClass.remove('notification-screen', 'hidden');
@@ -1236,7 +1236,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
                       isPageCountUpdated = true;
                     }
 
-                    $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+                    xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
                     registry.byId('reportGlassPane').setText(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 
                     me._keepPolling(mainJobStatus.uuid, url, mainReportGeneration);
@@ -1246,13 +1246,13 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
                 case "QUEUED":
                 case "WORKING":
                   // Although we are hiding the screen latter, update the label anyway;
-                  $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+                  xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
                   me._hideAsyncScreens();
                   me._keepPolling(mainJobStatus.uuid, url, mainReportGeneration);
                   break;
                 case "FINISHED":
                   // Although we are hiding the screen latter, update the label anyway;
-                  $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+                  xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
                   me._isFinished = true;
 
                   hideDlgAndPane(registry.byId('feedbackScreen'));