Fix XSS vulnerability (#3230)

* Fix XSS vulnerability
spotify · Mar 14, 2023 · 29887c0 · 29887c0
1 parent e1d5161
commit 29887c0
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 5 deletions.
diff --git a/luigi/static/visualiser/index.html b/luigi/static/visualiser/index.html
@@ -16,6 +16,7 @@
         <script src="lib/d3/d3.min.js" charset="utf-8"></script>
         <script src="lib/d3/dagre-d3.min.js"></script>
         <script src="lib/mustache.js"></script>
+        <script src="js/util.js"></script>
         <script src="js/luigi.js"></script>
         <script src="js/graph.js"></script>
         <script src="js/visualiserApp.js"></script>

diff --git a/luigi/static/visualiser/js/graph.js b/luigi/static/visualiser/js/graph.js
@@ -269,7 +269,7 @@ Graph = (function() {
             $(svgLink(node.trackingUrl))
                 .append(
                     $(svgElement("text"))
-                    .text(node.name)
+                    .text(escapeHtml(node.name))
                     .attr("y", 3))
                 .attr("class","graph-node-a")
                 .attr("data-task-status", node.status)
@@ -284,7 +284,7 @@ Graph = (function() {
                     container: 'body',
                     html: true,
                     placement: 'top',
-                    content: content
+                    content: escapeHtml(content)
                 });
         });
 
@@ -313,7 +313,7 @@ Graph = (function() {
                 .appendTo(legend);
 
             $(svgElement("text"))
-                .text(key.charAt(0).toUpperCase() + key.substring(1).toLowerCase().replace(/_./gi, function (x) { return " " + x[1].toUpperCase(); }))
+                .text(escapeHtml(key.charAt(0).toUpperCase() + key.substring(1).toLowerCase().replace(/_./gi, function (x) { return " " + x[1].toUpperCase(); })))
                 .attr("x", legendLineHeight + 14)
                 .attr("y", legendLineHeight+(x*legendLineHeight))
                 .appendTo(legend);

diff --git a/luigi/static/visualiser/js/util.js b/luigi/static/visualiser/js/util.js
@@ -0,0 +1,8 @@
+function escapeHtml(unsafe) {
+  return unsafe
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#039;");
+}
diff --git a/luigi/static/visualiser/js/visualiserApp.js b/luigi/static/visualiser/js/visualiserApp.js
@@ -1018,8 +1018,8 @@ function visualiserApp(luigi) {
     function renderParams(params) {
         var htmls = [];
         for (var key in params) {
-            htmls.push('<span class="param-name">' + key +
-                '</span>=<span class="param-value">' + params[key] + '</span>');
+            htmls.push('<span class="param-name">' + escapeHtml(key) +
+                '</span>=<span class="param-value">' + escapeHtml(params[key]) + '</span>');
         }
         return htmls.join(', ');
     }