#3050 XSS in Reports names
Patrykb0802 committed Nov 22, 2024
1 parent 527fd1f commit ef7dc3c
Showing 2 changed files with 4 additions and 2 deletions.
2 changes: 1 addition & 1 deletion WebContent/WEB-INF/jsp/reports.jsp
Expand Up @@ -142,7 +142,7 @@
hide("noReportInstances");
dwr.util.addRows("reportInstancesList", instanceArray,
[
function(ri) { return "<span>" + ri.name + "</span>"; },
function(ri) { return "<span>" + escapeHtml(ri.name) + "</span>"; },
function(ri) { return ri.prettyRunStartTime; },
function(ri) { return ri.prettyRunDuration; },
function(ri) { return ri.prettyReportStartTime; },
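Review bot: The bare `escapeHtml` called in the first cell function is not defined anywhere in this hunk; if the intent is the DWR helper, its name is `dwr.util.escapeHtml`, and a missing global here would make the callback throw a ReferenceError so `addRows` renders no rows at all rather than an unescaped one. Confirm a page-level `escapeHtml` is in scope, or change the line to `function(ri) { return "<span>" + dwr.util.escapeHtml(ri.name) + "</span>"; },`. Encoding at render time is the right boundary for this XSS fix, so be aware that if the server side also HTML-escapes the name before it reaches the browser, this line will double-encode it and names containing `&`, `<` or `"` will display as literal entities. The remaining cells (`prettyRunStartTime` and so on) are inserted raw, which is fine only if they are server-formatted values, which is not visible here. The enclosing function starts and ends outside the hunk.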
4 changes: 3 additions & 1 deletion src/org/scada_lts/dao/report/ReportInstanceDAO.java
Expand Up @@ -44,6 +44,8 @@
import com.serotonin.mango.rt.event.EventInstance;
import com.serotonin.mango.vo.report.ReportInstance;

import static org.directwebremoting.Security.escapeHtml;

/**
* DAO for ReportInstance
*
Expand Down Expand Up @@ -154,7 +156,7 @@ public ReportInstance mapRow(ResultSet rs, int rowNum) throws SQLException {
ReportInstance reportInstance = new ReportInstance();
reportInstance.setId(rs.getInt(COLUMN_NAME_ID));
reportInstance.setUserId(rs.getInt(COLUMN_NAME_USER_ID));
reportInstance.setName(rs.getString(COLUMN_NAME_NAME));
reportInstance.setName(escapeHtml(rs.getString(COLUMN_NAME_NAME)));
reportInstance.setIncludeEvents(rs.getInt(COLUMN_NAME_INCLUDE_EVENTS));
reportInstance.setIncludeUserComments(DAO.charToBool(rs.getString(COLUMN_NAME_INCLUDE_USER_COMMENTS)));
reportInstance.setReportStartTime(rs.getLong(COLUMN_NAME_REPORT_START_TIME));
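Review bot: Escaping in `mapRow` (the `setName(escapeHtml(...))` line) moves output encoding into the persistence layer, so every caller of `ReportInstance.getName()` now receives HTML-entity text instead of the stored value; combined with the `escapeHtml(ri.name)` added to reports.jsp in this same commit, a name containing `&`, `<` or `"` is encoded twice and renders as `&amp;lt;`-style text. Any non-HTML consumer of the name (report file names, exports, e-mail subjects, lookups by name) would see the mangled value too, though those callers are not visible from here and should be checked. `rs.getString` can return null and the DWR `Security.escapeHtml` import is not shown to be null-safe, so the row mapping may now NPE on a null name. I would keep the encoding at the rendering boundary and revert this line to `reportInstance.setName(rs.getString(COLUMN_NAME_NAME));`, or at minimum guard the null case. The body of `mapRow` continues past the end of the hunk.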

0 comments on commit ef7dc3c

Please sign in to comment.