Fix multiple XSS issues in User Management Page (#1547)

If the user name is embedding some JS code, it will be executed on the client side. Note: gophish/static/js/dist/app/users.min.js will need to be regenerated too.
2019-08-24 10:07:15 +08:00 · 2019-08-24 10:07:15 +08:00 · 24fe998a3a
parent f95e9554c7
commit 24fe998a3a
1 changed files with 5 additions and 5 deletions
--- a/static/js/src/app/users.js
+++ b/static/js/src/app/users.js
@ -19,7 +19,7 @@ const save = (id) => {
        user.id = id
        api.userId.put(user)
            .success(function (data) {
-                successFlash(`User ${user.username} updated successfully!`)
+                successFlash("User " + escapeHtml(user.username) + " updated successfully!")
                load()
                dismiss()
                $("#modal").modal('hide')
@ -32,7 +32,7 @@ const save = (id) => {
        // to /user
        api.users.post(user)
            .success(function (data) {
-                successFlash(`User ${user.username} registered successfully!`)
+                successFlash("User " + escapeHtml(user.username) + " registered successfully!")
                load()
                dismiss()
                $("#modal").modal('hide')
@ -79,7 +79,7 @@ const deleteUser = (id) => {
    }
    swal({
        title: "Are you sure?",
-        text: `This will delete the account for ${user.username} as well as all of the objects they have created.\n\nThis can't be undone!`,
+        text: "This will delete the account for " + escapeHtml(user.username) + " as well as all of the objects they have created.\n\nThis can't be undone!",
        type: "warning",
        animation: false,
        showCancelButton: true,
@ -101,7 +101,7 @@ const deleteUser = (id) => {
    }).then(function () {
        swal(
            'User Deleted!',
-            `The user account for ${user.username} and all associated objects have been deleted!`,
+            "The user account for " + escapeHtml(user.username) + " and all associated objects have been deleted!",
            'success'
        );
        $('button:contains("OK")').on('click', function () {
@ -175,4 +175,4 @@ $(document).ready(function () {
    $("#userTable").on('click', '.delete_button', function (e) {
        deleteUser($(this).attr('data-user-id'))
    })
-});
+});