From 24fe998a3aa04e205900476a9601d481e94d8eea Mon Sep 17 00:00:00 2001
From: David Maciejak
Date: Sat, 24 Aug 2019 10:07:15 +0800
Subject: [PATCH] Fix multiple XSS issues in User Management Page (#1547)

If the user name is embedding some JS code, it will be executed on the client side.

Note: gophish/static/js/dist/app/users.min.js will need to be regenerated too.
---
 static/js/src/app/users.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/static/js/src/app/users.js b/static/js/src/app/users.js
index 81db6697..a53c9b89 100644
--- a/static/js/src/app/users.js
+++ b/static/js/src/app/users.js
@@ -19,7 +19,7 @@ const save = (id) => {
 user.id = id
 api.userId.put(user)
 .success(function (data) {
- successFlash(`User ${user.username} updated successfully!`)
+ successFlash("User " + escapeHtml(user.username) + " updated successfully!")
 load()
 dismiss()
 $("#modal").modal('hide')
@@ -32,7 +32,7 @@ const save = (id) => {
 // to /user
 api.users.post(user)
 .success(function (data) {
- successFlash(`User ${user.username} registered successfully!`)
+ successFlash("User " + escapeHtml(user.username) + " registered successfully!")
 load()
 dismiss()
 $("#modal").modal('hide')
@@ -79,7 +79,7 @@ const deleteUser = (id) => {
 }
 swal({
 title: "Are you sure?",
- text: `This will delete the account for ${user.username} as well as all of the objects they have created.\n\nThis can't be undone!`,
+ text: "This will delete the account for " + escapeHtml(user.username) + " as well as all of the objects they have created.\n\nThis can't be undone!",
 type: "warning",
 animation: false,
 showCancelButton: true,
@@ -101,7 +101,7 @@ const deleteUser = (id) => {
 }).then(function () {
 swal(
 'User Deleted!',
- `The user account for ${user.username} and all associated objects have been deleted!`,
+ "The user account for " + escapeHtml(user.username) + " and all associated objects have been deleted!",
 'success'
 );
 $('button:contains("OK")').on('click', function () {
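Review bot: Escaping at each call site leaves the sink itself unchanged, so the first two hunks (the `updated` and `registered` messages in `save`) remain one forgotten `escapeHtml` away from the same bug the next time a user-controlled value is passed to `successFlash`; the durable fix is to escape once inside `successFlash` (or build the flash with `.text()`) and keep callers plain. `escapeHtml` is not defined in this file and its contract (which characters it escapes, notably quotes) is not visible in the diff — presumably a shared global helper; a short comment at the first use, `// escapeHtml: shared helper, username is attacker-controlled and rendered as HTML by successFlash`, would record why the escape is there. As a point of style, the template literal was not the problem and need not be replaced by concatenation: `successFlash(`User ${escapeHtml(user.username)} updated successfully!`)` reads the same and keeps the file's existing style. The body of `save` starts and continues outside the hunk.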
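Review bot: In the third and fourth hunks (the `swal` confirm and the `User Deleted!` dialog in `deleteUser`) whether `escapeHtml` is right depends on how this version of `swal` renders its `text` argument, which the diff does not show; if `text` is rendered as plain text rather than HTML, the escape cannot prevent injection there but does double-encode, so a username such as `a&b` would be displayed as `a&amp;b`. Worth confirming against the bundled sweetalert version and either dropping the escape on these two lines, e.g. `text: `This will delete the account for ${user.username} as well as …``, or, if `text` is HTML-rendered, keeping it and noting so in a comment: `// swal text is inserted as HTML — keep username escaped`. `deleteUser` starts and ends outside both hunks, and where `user` is looked up by `id` is not visible here.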
@@ -175,4 +175,4 @@ $(document).ready(function () {
 $("#userTable").on('click', '.delete_button', function (e) {
 deleteUser($(this).attr('data-user-id'))
 })
-});
\ No newline at end of file
+});