From 475edd30968556c7e4a7f6e12a6ee0c5a104635d Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Wed, 27 Oct 2021 19:21:49 +0100
Subject: [PATCH] Force all columns in any declared datatable to render using datatables render.text function to prevent possible (very low risk, requiring authenticated dashboard anyway) XSS.

Signed-off-by: Adam Warner
---
 scripts/pi-hole/js/customcname.js | 6 ++++++
 scripts/pi-hole/js/customdns.js | 4 ++++
 scripts/pi-hole/js/db_queries.js | 8 ++++++--
 scripts/pi-hole/js/groups-adlists.js | 10 ++++++++++
 scripts/pi-hole/js/groups-clients.js | 6 ++++++
 scripts/pi-hole/js/groups-domains.js | 6 ++++++
 scripts/pi-hole/js/groups.js | 6 ++++++
 scripts/pi-hole/js/messages.js | 6 ++++++
 scripts/pi-hole/js/network.js | 13 +++++++++----
 scripts/pi-hole/js/queries.js | 8 ++++++--
 scripts/pi-hole/js/settings.js | 16 ++++++++++++++--
 11 files changed, 79 insertions(+), 10 deletions(-)

diff --git a/scripts/pi-hole/js/customcname.js b/scripts/pi-hole/js/customcname.js
index 10ebfe3b57..f3afda4ec8 100644
--- a/scripts/pi-hole/js/customcname.js
+++ b/scripts/pi-hole/js/customcname.js
@@ -64,6 +64,10 @@ $(function () {
 );
 },
 },
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
 ],
 lengthMenu: [
 [10, 25, 50, 100, -1],
@@ -81,6 +85,8 @@ $(function () {
 $(".deleteCustomCNAME").on("click", deleteCustomCNAME);
 },
 });
+
+ console.log(table);
 // Disable autocorrect in the search box
 var input = document.querySelector("input[type=search]");
 input.setAttribute("autocomplete", "off");
diff --git a/scripts/pi-hole/js/customdns.js b/scripts/pi-hole/js/customdns.js
index 655357fff2..5e592515f1 100644
--- a/scripts/pi-hole/js/customdns.js
+++ b/scripts/pi-hole/js/customdns.js
@@ -64,6 +64,10 @@ $(function () {
 );
 },
 },
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
 ],
 lengthMenu: [
 [10, 25, 50, 100, -1],
diff --git a/scripts/pi-hole/js/db_queries.js b/scripts/pi-hole/js/db_queries.js
index aac266e14d..c4f53496c9 100644
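Review bot: The second customcname.js hunk (`@@ -81,6 +85,8 @@`) leaves a debugging statement in the shipped code: the two added lines are an empty line and `console.log(table);`, which dumps the whole DataTable handle to the browser console and has nothing to do with the escaping change described in the subject. Both added lines should be dropped so the file only gains the `_all` renderer; the `table` variable itself is assigned outside the hunk, so I cannot tell whether anything else still needs it. The enclosing `$(function () {` handler starts outside the hunk.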
--- a/scripts/pi-hole/js/db_queries.js
+++ b/scripts/pi-hole/js/db_queries.js
@@ -340,8 +340,8 @@ $(function () {
 },
 },
 { width: "10%" },
- { width: "40%", render: $.fn.dataTable.render.text() },
- { width: "20%", type: "ip-address", render: $.fn.dataTable.render.text() },
+ { width: "40%" },
+ { width: "20%", type: "ip-address" },
 { width: "10%" },
 { width: "5%" },
 ],
@@ -355,6 +355,10 @@ $(function () {
 data: null,
 defaultContent: "",
 },
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
 ],
 initComplete: reloadCallback,
 });
diff --git a/scripts/pi-hole/js/groups-adlists.js b/scripts/pi-hole/js/groups-adlists.js
index b8af5b4f9b..75d5a506b6 100644
--- a/scripts/pi-hole/js/groups-adlists.js
+++ b/scripts/pi-hole/js/groups-adlists.js
@@ -124,6 +124,16 @@ function initTable() {
 { data: "groups", searchable: false },
 { data: null, width: "80px", orderable: false },
 ],
+ columnDefs: [
+ {
+ targets: [0, 2],
+ orderable: false,
+ },
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
+ ],
 drawCallback: function () {
 $('button[id^="deleteAdlist_"]').on("click", deleteAdlist);
 // Remove visible dropdown to prevent orphaning
diff --git a/scripts/pi-hole/js/groups-clients.js b/scripts/pi-hole/js/groups-clients.js
index 268017d590..94ca66eb5f 100644
--- a/scripts/pi-hole/js/groups-clients.js
+++ b/scripts/pi-hole/js/groups-clients.js
@@ -97,6 +97,12 @@ function initTable() {
 { data: "groups", searchable: false },
 { data: "name", width: "80px", orderable: false },
 ],
+ columnDefs: [
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
+ ],
 drawCallback: function () {
 $('button[id^="deleteClient_"]').on("click", deleteClient);
 // Remove visible dropdown to prevent orphaning
diff --git a/scripts/pi-hole/js/groups-domains.js b/scripts/pi-hole/js/groups-domains.js
index 0eb1bb6f4a..047dbe50cb 100644
--- a/scripts/pi-hole/js/groups-domains.js
+++ b/scripts/pi-hole/js/groups-domains.js
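Review bot: Removing the per-column `render: $.fn.dataTable.render.text()` from the `columns` entries in the first db_queries.js hunk (and likewise in the network.js and queries.js hunks) moves the escaping to the trailing `targets: "_all"` columnDef, which is a weaker guarantee than it looks: in DataTables a `render` set in `columns` takes precedence over `columnDefs`, and an earlier columnDef takes precedence over a later one, so the `_all` entry only escapes columns that have no renderer of their own. The column whose custom render function closes just above the changed lines (`},` / `},`), and any cell content written from drawCallback or rowCallback handlers, therefore stay responsible for escaping the row values they inline, and a column added later with its own `render` will silently drop out of the fallback. That is presumably the intent, but it deserves a comment on the `_all` entry, e.g. `// Fallback escaper: only applies to columns without their own render function`, so the coverage is not over-estimated. The enclosing `$(function () {` handler starts outside the hunk.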
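Review bot: The groups-adlists.js hunk also adds `{ targets: [0, 2], orderable: false }`, which disables sorting on two columns and is not covered by the subject's "render using render.text" intent; the only pre-existing `orderable: false` visible in the hunk is on the `data: null` action column, not on targets 0 and 2. If the sorting change is deliberate it should be stated in the commit message or split into its own commit, and if it is not, the first columnDef entry should be dropped. `initTable` starts outside the hunk.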
@@ -76,6 +76,12 @@ function initTable() {
 { data: "groups", searchable: false, visible: showtype === "all" },
 { data: null, width: "80px", orderable: false },
 ],
+ columnDefs: [
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
+ ],
 drawCallback: function () {
 $('button[id^="deleteDomain_"]').on("click", deleteDomain);
 // Remove visible dropdown to prevent orphaning
diff --git a/scripts/pi-hole/js/groups.js b/scripts/pi-hole/js/groups.js
index cdd621a17f..276382a4a8 100644
--- a/scripts/pi-hole/js/groups.js
+++ b/scripts/pi-hole/js/groups.js
@@ -27,6 +27,12 @@ $(function () {
 { data: "description" },
 { data: null, width: "60px", orderable: false },
 ],
+ columnDefs: [
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
+ ],
 drawCallback: function () {
 $('button[id^="deleteGroup_"]').on("click", deleteGroup);
 },
diff --git a/scripts/pi-hole/js/messages.js b/scripts/pi-hole/js/messages.js
index 1d72bb952a..53c78fe067 100644
--- a/scripts/pi-hole/js/messages.js
+++ b/scripts/pi-hole/js/messages.js
@@ -114,6 +114,12 @@ $(function () {
 { data: "blob5", visible: false },
 { data: null, width: "80px", orderable: false },
 ],
+ columnDefs: [
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
+ ],
 drawCallback: function () {
 $('button[id^="deleteMessage_"]').on("click", deleteMessage);
 // Remove visible dropdown to prevent orphaning
diff --git a/scripts/pi-hole/js/network.js b/scripts/pi-hole/js/network.js
index f68b16b3af..fd817884a6 100644
--- a/scripts/pi-hole/js/network.js
+++ b/scripts/pi-hole/js/network.js
@@ -236,10 +236,10 @@ $(function () {
 order: [[6, "desc"]],
 columns: [
 { data: "id", visible: false },
- { data: "ip", type: "ip-address", width: "10%", render: $.fn.dataTable.render.text() },
- { data: "hwaddr", width: "10%", render: $.fn.dataTable.render.text() },
- { data: "interface", width: "4%", render: $.fn.dataTable.render.text() },
- { data: "name", width: "15%", render: $.fn.dataTable.render.text() },
+ { data: "ip", type: "ip-address", width: "10%" },
+ { data: "hwaddr", width: "10%" },
+ { data: "interface", width: "4%" },
+ { data: "name", width: "15%" },
 {
 data: "firstSeen",
 width: "8%",
@@ -266,6 +266,7 @@ $(function () {
 { data: "", width: "6%", orderable: false },
 { data: "", width: "6%", orderable: false },
 ],
+
 drawCallback: function () {
 $('button[id^="deleteNetworkEntry_"]').on("click", deleteNetworkEntry);
 // Remove visible dropdown to prevent orphaning
@@ -288,6 +289,10 @@ $(function () {
 data: null,
 defaultContent: "",
 },
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
 ],
 });
 // Disable autocorrect in the search box
diff --git a/scripts/pi-hole/js/queries.js b/scripts/pi-hole/js/queries.js
index 94e6e508a5..0acfad4ba9 100644
--- a/scripts/pi-hole/js/queries.js
+++ b/scripts/pi-hole/js/queries.js
@@ -323,8 +323,8 @@ $(function () {
 },
 },
 { width: "4%" },
- { width: "36%", render: $.fn.dataTable.render.text() },
- { width: "8%", type: "ip-address", render: $.fn.dataTable.render.text() },
+ { width: "36%" },
+ { width: "8%", type: "ip-address" },
 { width: "14%", orderData: 4 },
 { width: "8%", orderData: 5 },
 { width: "10%", orderData: 4 },
@@ -346,6 +346,10 @@ $(function () {
 data: null,
 defaultContent: "",
 },
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
 ],
 initComplete: function () {
 var api = this.api();
diff --git a/scripts/pi-hole/js/settings.js b/scripts/pi-hole/js/settings.js
index 7ff3037900..1291509cc8 100644
--- a/scripts/pi-hole/js/settings.js
+++ b/scripts/pi-hole/js/settings.js
@@ -216,7 +216,13 @@ $(function () {
 if (document.getElementById("DHCPLeasesTable")) {
 leasetable = $("#DHCPLeasesTable").DataTable({
 dom: "<'row'<'col-sm-12'tr>><'row'<'col-sm-6'i><'col-sm-6'f>>",
- columnDefs: [{ bSortable: false, orderable: false, targets: -1 }],
+ columnDefs: [
+ { bSortable: false, orderable: false, targets: -1 },
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
+ ],
 paging: false,
 scrollCollapse: true,
 scrollY: "200px",
@@ -235,7 +241,13 @@ $(function () {
 if (document.getElementById("DHCPStaticLeasesTable")) {
 staticleasetable = $("#DHCPStaticLeasesTable").DataTable({
 dom: "<'row'<'col-sm-12'tr>><'row'<'col-sm-12'i>>",
- columnDefs: [
+ columnDefs: [
+ { bSortable: false, orderable: false, targets: -1 },
+ {
+ targets: "_all",
+ render: $.fn.dataTable.render.text(),
+ },
+ ],
 paging: false,
 scrollCollapse: true,
 scrollY: "200px",
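Review bot: Both DHCP lease tables in settings.js (this hunk and the `DHCPStaticLeasesTable` hunk below it) are, in the visible options, initialised with only `dom`, `columnDefs`, `paging`, `scrollCollapse` and `scrollY` and no `columns`/`ajax`, which suggests their rows are read from the HTML the server rendered; as far as I recall, once a columnDef supplies `render`, DataTables rewrites each cell from the rendered value on draw, so any markup the template already placed in a cell — most likely the control in the unsortable last (`targets: -1`) column — would now display as escaped text. Please confirm against the template that every cell of these two tables is plain text, or limit the escaper to the text columns by replacing `targets: "_all"` with an explicit list of those column indexes (e.g. `targets: [0, 1, 2]`, a constructed example) or by giving the last column its own `render` ahead of the `_all` entry so its columnDef keeps precedence. The enclosing `$(function () {` handler starts outside the hunk.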