#3050 XSS in Reports names:
- Fixed Legend report;
Limraj committed Nov 25, 2024
1 parent 65ceac1 commit eb20baa
Showing 3 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions WebContent/WEB-INF/ftl/report/reportChart.ftl
Expand Up @@ -87,7 +87,7 @@
<td>
<table>
<tr>
<td colspan="2"><h1>${escapeHtml.escapeHtml(instance.name)}</h1></td>
<td colspan="2"><h1>${security.escapeHtml(instance.name)}</h1></td>
</tr>
<tr>
<td class="label"><@fmt key="reports.runTimeStart"/></td>
Expand Down Expand Up @@ -121,7 +121,7 @@

<td class="stats">
<table>
<tr><td colspan="2" class="pointName">${point.name}</td></tr>
<tr><td colspan="2" class="pointName">${security.escapeHtml(point.name)}</td></tr>
<tr>
<td class="label"><@fmt key="reports.dataType"/></td>
<td>${point.dataTypeDescription}</td>
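Review bot: Escaping is applied one expression at a time here, so `${point.dataTypeDescription}` just below the fixed `point.name` cell, and every interpolation outside these two hunks, is still written into the page raw. The description is presumably built from a fixed data-type label rather than user input, but nothing visible confirms that, and the next user-editable field added to this template will be unescaped unless its author remembers the call. If the bundled FreeMarker version supports output formats, declaring `<#ftl output_format="HTML">` at the top of the template makes escaping the default (the explicit `security.escapeHtml(...)` calls would then be dropped to avoid double encoding); otherwise the remaining `${...}` expressions that carry names, descriptions or comments need the same wrapper. Both hunks cut through the enclosing tables, so the rest of the template is not visible here.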
2 changes: 1 addition & 1 deletion src/com/serotonin/mango/vo/report/ReportChartCreator.java
Expand Up @@ -124,7 +124,7 @@ public void createContent(ReportInstance reportInstance, ReportDao reportDao, St
model.put("instance", reportInstance);
model.put("points", pointStatistics);
model.put("inline", inlinePrefix == null ? "" : "cid:");
model.put("escapeHtml", new Security());
model.put("security", new Security());

model.put("ALPHANUMERIC", DataTypes.ALPHANUMERIC);
model.put("BINARY", DataTypes.BINARY);
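Review bot: The model key is a string contract with the template, and renaming it from `escapeHtml` to `security` means any template rendered from this model that still calls `escapeHtml.escapeHtml(...)` will fail on an undefined reference at render time rather than at compile time. Only reportChart.ftl is updated in this commit; whether other templates or includes consume this model is not visible from the hunk, so a search for the old name is worth doing before merge. A short comment above the line would keep the contract visible: `// Exposed to the FTL templates as security.escapeHtml(...); user-editable names must be passed through it.` createContent starts and ends outside the hunk.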
2 changes: 1 addition & 1 deletion src/com/serotonin/mango/vo/report/SeriesIdentifier.java
Expand Up @@ -38,6 +38,6 @@ public int hashCode() {

@Override
public String toString() {
return XssProtectHtmlEscapeUtils.escape(name);
return name;
}
}
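Review bot: `toString()` now returns the raw, user-editable `name`, so every caller that places a SeriesIdentifier into HTML, whether through string concatenation, a template interpolation or a tag that calls toString implicitly, has lost the escaping it previously got for free. Encoding at the output sink is the sounder design and presumably what fixes the legend text, but the commit only shows reportChart.ftl being updated; other consumers are not visible here and should be checked. The method should carry a Javadoc stating the new contract, for example `/** Returns the series name unescaped; callers writing it to HTML must encode it at the point of output. */`.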
