Recomended security fixes for data tables

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.devices/public/js/listing.js

@@ -375,15 +375,15 @@ function loadDevices(searchType, searchParam) {
 
     var fnCreatedRow = function (row, data, dataIndex) {
         $(row).attr('data-type', 'selectable');
-        $(row).attr('data-deviceid', data.deviceIdentifier);
-        $(row).attr('data-devicetype', data.deviceType);
-        $(row).attr('data-url', context + '/device/' + data.deviceType + '?id=' + data.deviceIdentifier);
-        var model = getPropertyValue(data.properties, 'DEVICE_MODEL');
-        var vendor = getPropertyValue(data.properties, 'VENDOR');
-        var owner = data.user;
-        var status = data.status;
-        var ownership = data.ownership;
-        var deviceType = data.deviceType;
+        $(row).attr('data-deviceid', htmlspecialchars(data.deviceIdentifier));
+        $(row).attr('data-devicetype', htmlspecialchars(data.deviceType));
+        $(row).attr('data-url', context + '/device/' + htmlspecialchars(data.deviceType) + '?id=' + htmlspecialchars(data.deviceIdentifier));
+        var model = htmlspecialchars(getPropertyValue(data.properties, 'DEVICE_MODEL'));
+        var vendor = htmlspecialchars(getPropertyValue(data.properties, 'VENDOR'));
+        var owner = htmlspecialchars(data.user);
+        var status = htmlspecialchars(data.status);
+        var ownership = htmlspecialchars(data.ownership);
+        var deviceType = htmlspecialchars(data.deviceType);
         var category = getDeviceTypeCategory(deviceType);
         $.each($('td', row), function (colIndex) {
             switch (colIndex) {
@@ -417,6 +417,10 @@ function loadDevices(searchType, searchParam) {
         });
     };
 
+    function htmlspecialchars(text){
+        return jQuery('<div/>').text(text).html();
+    }
+
     var dataFilter = function (data) {
         data = JSON.parse(data);
         var objects = [];

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.groups/public/js/listing.js

@@ -112,6 +112,10 @@ function toTitleCase(str) {
     });
 }
 
+function htmlspecialchars(text){
+    return jQuery('<div/>').text(text).html();
+}
+
 function loadGroups() {
     var groupListing = $("#group-listing");
     var currentUser = groupListing.data("currentUser");
@@ -134,10 +138,10 @@ function loadGroups() {
         var objects = [];
         $(data.deviceGroups).each(function (index) {
             objects.push({
-                             groupId: data.deviceGroups[index].id,
-                             name: data.deviceGroups[index].name,
-                             description: data.deviceGroups[index].description,
-                             owner: data.deviceGroups[index].owner
+                             groupId: htmlspecialchars(data.deviceGroups[index].id),
+                             name: htmlspecialchars(data.deviceGroups[index].name),
+                             description: htmlspecialchars(data.deviceGroups[index].description),
+                             owner: htmlspecialchars(data.deviceGroups[index].owner)
                          })
         });
         var json = {

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.policies/public/js/policy-list.js

@@ -109,6 +109,10 @@ function getSelectedPolicies() {
     return policyList;
 }
 
+function htmlspecialchars(text){
+    return jQuery('<div/>').text(text).html();
+}
+
 $(document).ready(function () {
 
     /**

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.roles/public/js/role-listing.js

@@ -86,6 +86,10 @@ function InitiateViewOption() {
     // $(location).attr('href', $(this).data("url"));
 }
 
+function htmlspecialchars(text){
+    return jQuery('<div/>').text(text).html();
+}
+
 function loadRoles() {
     var loadingContent = $("#loading-content");
     loadingContent.show();
@@ -98,8 +102,8 @@ function loadRoles() {
         $(data.roles).each(function (index) {
             objects.push(
                 {
-                    name: data.roles[index],
-                    DT_RowId: "role-" + data.roles[index]
+                    name: htmlspecialchars(data.roles[index]),
+                    DT_RowId: "role-" + htmlspecialchars(data.roles[index])
                 }
             )
         });

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.users/public/js/listing.js

@@ -258,6 +258,10 @@ function InitiateViewOption() {
     }
 }
 
+function htmlspecialchars(text){
+    return jQuery('<div/>').text(text).html();
+}
+
 function loadUsers() {
     var loadingContentView = "#loading-content";
     $(loadingContentView).show();
@@ -269,11 +273,11 @@ function loadUsers() {
 
         $(data.users).each(function (index) {
             objects.push({
-                filter: data.users[index].username,
-                firstname: data.users[index].firstname ? data.users[index].firstname : "",
-                lastname: data.users[index].lastname ? data.users[index].lastname : "",
-                emailAddress: data.users[index].emailAddress ? data.users[index].emailAddress : "",
-                DT_RowId: "user-" + data.users[index].username
+                filter: htmlspecialchars(data.users[index].username),
+                firstname: htmlspecialchars(data.users[index].firstname) ? htmlspecialchars(data.users[index].firstname) : "",
+                lastname: htmlspecialchars(data.users[index].lastname) ? htmlspecialchars(data.users[index].lastname) : "",
+                emailAddress: htmlspecialchars(data.users[index].emailAddress) ? htmlspecialchars(data.users[index].emailAddress) : "",
+                DT_RowId: "user-" + htmlspecialchars(data.users[index].username)
             })
         });
 

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.device.types.listing/public/js/listing.js

@@ -122,6 +122,14 @@ function toTitleCase(str) {
 
 var deviceTypeCount, compiledDeviceTypesCount = 0;
 
+function htmlspecialchars(text){
+    return jQuery('<div/>').text(text).html();
+}
+
+function htmlspecialchars(text){
+    return jQuery('<div/>').text(text).html();
+}
+
 function loadDevices(searchType, searchParam){
     var deviceListing = $("#device-listing");
     var deviceListingSrc = deviceListing.attr("src");
@@ -134,10 +142,10 @@ function loadDevices(searchType, searchParam){
             var viewModel = {};
             viewModel.thumb = deviceTypesList[i].thumb;
             viewModel.appContext = clientJsAppContext;
-            viewModel.deviceTypeName = deviceTypesList[i].deviceTypeName;
-            viewModel.deviceTypeId = deviceTypesList[i].deviceTypeId;
-            viewModel.deviceCategory = deviceTypesList[i].deviceCategory;
-            viewModel.deviceTypeLabel = deviceTypesList[i].deviceTypeLabel;
+            viewModel.deviceTypeName = htmlspecialchars(deviceTypesList[i].deviceTypeName);
+            viewModel.deviceTypeId = htmlspecialchars(deviceTypesList[i].deviceTypeId);
+            viewModel.deviceCategory = htmlspecialchars(deviceTypesList[i].deviceCategory);
+            viewModel.deviceTypeLabel = htmlspecialchars(deviceTypesList[i].deviceTypeLabel);
             compileTemplate(viewModel, deviceListingSrc);
         }
     } else {