Fixes for XSS attacks

This commit is contained in:
Rasika Perera 2017-01-18 08:14:17 +05:30
parent 2b46691405
commit 60ac0522d8
2 changed files with 21 additions and 1 deletions


@ -24,6 +24,7 @@ var uriMatcher = new URIMatcher(String(uri));
var devicemgtProps = require("/app/modules/conf-reader/main.js")["conf"];
var serviceInvokers = require("/app/modules/oauth/token-protected-service-invokers.js")["invokers"];
var utility = require("/app/modules/utility.js")["utility"];
function appendQueryParam (url, queryParam , value) {
if (url.indexOf("?") > 0) {
@ -60,7 +61,7 @@ if (uriMatcher.match("/{context}/api/data-tables/invoker")) {
// response callback
function (backendResponse) {
response["status"] = backendResponse["status"];
response["content"] = backendResponse["responseText"];
response["content"] = utility.encodeJson(backendResponse["responseText"]);
}
);
}
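Review bot: The new line `response["content"] = utility.encodeJson(backendResponse["responseText"]);` runs for every backend status, including error responses whose body may not be JSON or may be absent; if `responseText` is ever undefined, the `.replace` chain inside encodeJson throws from the response callback and the handler produces no content at all. A type guard keeps the old pass-through for the non-string case: `var body = backendResponse["responseText"];` followed by `response["content"] = (typeof body === "string") ? utility.encodeJson(body) : body;`. Note also that every consumer of the `/{context}/api/data-tables/invoker` route now receives HTML-entity-encoded string values, which is only correct if all of them render the JSON into HTML; a consumer that uses the values as plain data will see `&lt;` where the backend sent `<`. The enclosing route handler and callback start outside this hunk.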


@ -153,5 +153,24 @@ utility = function () {
return scopesList;
};
/**
* Escapes special characters such as <,>,',",...etc
* This will prevent XSS attacks upon JSON.
* @param text
* @returns {*}
*/
publicMethods.encodeJson = function (text) {
return text
.replace(/\\u003c/g, "&lt;")
.replace(/</g, "&lt;")
.replace(/\\u003e/g, "&gt;")
.replace(/>/g, "&gt;")
.replace(/\\u0027/g, "&#39;")
.replace(/'/g, "&#39;")
.replace(/\\"/g, "&quot;")
.replace(/\\u0022/g, "&quot;")
};
return publicMethods;
}();
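Review bot: `.replace(/\\"/g, "&quot;")` can break the JSON it is meant to protect: a string value that ends in an escaped backslash is serialized as `"...\\"`, so the two-character sequence `\"` at its closing quote is consumed by this regex and the structural quote becomes `&quot;`, leaving invalid JSON for the client. A text-level replace cannot distinguish an escaped quote from an escaped backslash followed by the closing quote; the safe approach is to parse the JSON, encode the string values, and re-serialize, or to encode at the point where values are inserted into HTML rather than in transport. `&` is also never encoded, so an `&lt;` present in the original data is indistinguishable from an encoded `<` after this pass. The docstring should state the precondition: `@param {string} text - JSON-serialized response text; string values are HTML-entity-encoded, structural quotes are preserved` and `@returns {string}` in place of `{*}`.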