From bb71b272fe656475579230596e1ee79c4c8a9c8f Mon Sep 17 00:00:00 2001
From: rshivani
Date: Wed, 6 Nov 2024 15:56:29 +0530
Subject: [PATCH] [PPP-5353]-XSS Findings For Pentaho-platform-plugin-reporting
---
 .../dojo/pentaho/reportviewer/GlassPane.js | 12 ++++++------
 .../reportviewer/reportviewer-logging.js | 7 ++++---
 .../main/javascript/reportviewer/reportviewer.js | 16 ++++++++--------
 3 files changed, 18 insertions(+), 17 deletions(-)
diff --git a/core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js b/core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js
index a4bd9fa48..670087833 100644
--- a/core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js
+++ b/core/src/main/javascript/reportviewer/dojo/pentaho/reportviewer/GlassPane.js
@@ -1,5 +1,5 @@
 /*!
-* Copyright 2010 - 2017 Hitachi Vantara. All rights reserved.
+* Copyright 2010 - 2024 Hitachi Vantara. All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -15,8 +15,8 @@
 *
 */
 define(["dojo/_base/declare", "dijit/_WidgetBase", "dijit/_Templated", "dojo/on", "dojo/query",
-"pentaho/common/button", "pentaho/common/Dialog", "dojo/text!pentaho/reportviewer/GlassPane.html"],
- function(declare, _WidgetBase, _Templated, on, query, button, Dialog, templateStr){
+"pentaho/common/button", "pentaho/common/Dialog", "dojo/text!pentaho/reportviewer/GlassPane.html", "common-ui/util/xss"],
+ function(declare, _WidgetBase, _Templated, on, query, button, Dialog, templateStr, xssUtil){
 return declare("pentaho.reportviewer.GlassPane", [Dialog], {
 buttons: ['ok'],
@@ -24,17 +24,17 @@ define(["dojo/_base/declare", "dijit/_WidgetBase", "dijit/_Templated", "dojo/on"
 hasTitleBar: false,
 setTitle: function(title) {
- this.glasspanetitle.innerHTML = title;
+ this.xssUtil.setHtml(this.glasspanetitle, title);
 },
 setText: function(text) {
- this.glasspanemessage.innerHTML = text;
+ this.xssUtil.setHtml(this.glasspanemessage, text);
 },
 setButtonText: function(text) {
 this.buttons[0] = text;
 query("#button"+0, this.domNode).forEach(function(node, index, arr){
- node.innerHTML = text;
+ xssUtil.setHtml(node, text);
 });
 },
diff --git a/core/src/main/javascript/reportviewer/reportviewer-logging.js b/core/src/main/javascript/reportviewer/reportviewer-logging.js
index 5c437a81b..a862feba7 100644
--- a/core/src/main/javascript/reportviewer/reportviewer-logging.js
+++ b/core/src/main/javascript/reportviewer/reportviewer-logging.js
@@ -12,10 +12,11 @@
 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 *
-* Copyright (c) 2002-2017 Hitachi Vantara.. All rights reserved.
+* Copyright (c) 2002-2024 Hitachi Vantara.. All rights reserved.
 */
-define(function() {
+define(["common-ui/dompurify"] ,
+ function(DOMPurify) {
 var levelIndentText = "    ";
 var S = function(s) { return s == null ? "" : String(s); };
@@ -72,7 +73,7 @@ define(function() {
 if(!enabled) { return null; }
 // May be null in case popups blocked
- var logWin = window.open('', options.winname || 'report_viewer_log');
+ var logWin = window.open('', DOMPurify.sanitize(options.winname) || 'report_viewer_log');
 if(!logWin) { return null; }
 var logDoc = logWin.document;
diff --git a/core/src/main/javascript/reportviewer/reportviewer.js b/core/src/main/javascript/reportviewer/reportviewer.js
index 0f9b05101..44fddd542 100644
--- a/core/src/main/javascript/reportviewer/reportviewer.js
+++ b/core/src/main/javascript/reportviewer/reportviewer.js
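Review bot: `this.xssUtil.setHtml(...)` in setTitle and setText looks up `xssUtil` as a property of the widget instance, but the module receives it as the AMD callback parameter `xssUtil` (the `define` hunk above), and setButtonText in this same hunk already uses that module-scope name; unless the declare mixin defines such a property, which nothing here shows, both methods throw a TypeError on the first call and the glass pane never gets its title or message. Change both lines to `xssUtil.setHtml(this.glasspanetitle, title);` and `xssUtil.setHtml(this.glasspanemessage, text);`. Since the break sits on the normal success path, a quick test that shows the pane with a title and message would catch it.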
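Review bot: `DOMPurify.sanitize(options.winname)` in the `window.open` call applies an HTML sanitizer to a value used as a browsing-context name, which is never rendered as markup, so it does not address the risk of that parameter (reserved names such as `_top` or `_parent` retarget an existing context) and it alters benign names, because after HTML serialization `&` comes back as `&amp;`. A character allow-list fits the purpose better, e.g. `var winName = /^[\w-]+$/.test(options.winname) ? options.winname : 'report_viewer_log';` followed by `var logWin = window.open('', winName);`, which would also make the `common-ui/dompurify` dependency added in the previous hunk unnecessary for this file. The enclosing function starts outside the hunk.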
@@ -12,16 +12,16 @@
 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 *
-* Copyright (c) 2002-2023 Hitachi Vantara. All rights reserved.
+* Copyright (c) 2002-2024 Hitachi Vantara. All rights reserved.
 */
 define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/formatting', 'pentaho/common/Messages', "dojo/dom", "dojo/on", "dojo/_base/lang", "dijit/registry", "dojo/has", "dojo/sniff", "dojo/dom-class", 'pentaho/reportviewer/ReportDialog', "dojo/dom-style", "dojo/query", "common-ui/util/_a11y", "dojo/dom-geometry", "dojo/parser", "dojo/window", "dojo/_base/window",
- 'cdf/lib/jquery', 'amd!cdf/lib/jquery.ui', "common-repo/pentaho-ajax", "dijit/ProgressBar", "common-data/xhr"],
+ 'cdf/lib/jquery', 'amd!cdf/lib/jquery.ui', "common-repo/pentaho-ajax", "dijit/ProgressBar", "common-data/xhr", "common-ui/util/xss", "common-ui/dompurify"],
 function(util, _timeutil, _formatting, _Messages, dom, on, lang, registry, has, sniff, domClass, ReportDialog,
- domStyle, query, a11yUtil, geometry, parser, win, win2, $) {
+ domStyle, query, a11yUtil, geometry, parser, win, win2, $, xssUtil, DOMPurify) {
 return function(reportPrompt) {
 if (!reportPrompt) {
 alert("report prompt is required");
@@ -822,7 +822,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
 if(isRunningIFrameInSameOrigin) {
 if (!top.mantle_initialized) {
 this._topMantleOpenTabRegistration = top.mantle_openTab = function(name, title, url) {
- window.open(url, '_blank');
+ window.open(DOMPurify.sanitize(url), '_blank');
 };
 }
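Review bot: `DOMPurify.sanitize(url)` in the `mantle_openTab` replacement treats the URL as an HTML fragment rather than as a URL: a string carrying a `javascript:` scheme is plain text to an HTML sanitizer and comes back unchanged, while an ordinary query string has its `&` entity-encoded to `&amp;` after serialization, so the call breaks legitimate links without rejecting the dangerous ones. Parse the value and allow only web schemes instead, e.g. `var target = new URL(url, window.location.href);` then `if (target.protocol === 'http:' || target.protocol === 'https:') { window.open(target.href, '_blank', 'noopener'); }`, with the `new URL` call inside a try/catch because it throws on unparsable input; `noopener` also keeps the opened page from reaching back to this window through `window.opener`. The method containing the `if(isRunningIFrameInSameOrigin)` block starts and ends outside the hunk.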
@@ -1193,7 +1193,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
 hideDlgAndPane(registry.byId('feedbackScreen'));
 //Show loading screen
- $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+ xssUtil.setHtml($('notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 $('#notification-screen').css("z-index", 100);
 if (me._currentReportStatus == 'CONTENT_AVAILABLE') {
 domClass.remove('notification-screen', 'hidden');
@@ -1236,7 +1236,7 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
 isPageCountUpdated = true;
 }
- $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+ xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 registry.byId('reportGlassPane').setText(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 me._keepPolling(mainJobStatus.uuid, url, mainReportGeneration);
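Review bot: The new line in the -1193 hunk drops the `#` from the selector: `$('notification-message')` matches elements by tag name, so the jQuery set is empty and the loading message is silently no longer shown, whereas the replacements at -1236 and -1246 keep `$('#notification-message')`. Restore the id selector: `xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);`. It is also worth confirming what `xssUtil.setHtml` accepts as its first argument, since GlassPane.js hands it a DOM node and these four call sites hand it a jQuery object; if it expects a node, `dom.byId('notification-message')` (dojo/dom is already a module parameter) works at all of them. The enclosing function starts and ends outside the hunk.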
@@ -1246,13 +1246,13 @@ define([ 'common-ui/util/util', 'common-ui/util/timeutil', 'common-ui/util/forma
 case "QUEUED":
 case "WORKING":
 // Although we are hiding the screen latter, update the label anyway;
- $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+ xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 me._hideAsyncScreens();
 me._keepPolling(mainJobStatus.uuid, url, mainReportGeneration);
 break;
 case "FINISHED":
 // Although we are hiding the screen latter, update the label anyway;
- $('#notification-message').html(_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
+ xssUtil.setHtml($('#notification-message'), _Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages);
 me._isFinished = true;
 hideDlgAndPane(registry.byId('feedbackScreen'));
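Review bot: The label expression `_Messages.getString('LoadingPage') + " " + mainJobStatus.page + " " + _Messages.getString('Of') + " " + mainJobStatus.totalPages` is now written out at both replacements in this hunk, at the -1193 and -1236 hunks, and in the `setText` call, so a later change to the label format or to the sink has five places to miss. A small helper such as `function pageLoadingMessage(status) { return _Messages.getString('LoadingPage') + " " + status.page + " " + _Messages.getString('Of') + " " + status.totalPages; }` would reduce each site to `xssUtil.setHtml($('#notification-message'), pageLoadingMessage(mainJobStatus));` and keep the sanitizing call in one shape. The enclosing switch and function begin before the hunk and continue after it.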