From ef7dc3cf00ec6a9248fa79a0e3d0978f84994e31 Mon Sep 17 00:00:00 2001
From: Patrykb0802
Date: Fri, 22 Nov 2024 12:44:00 +0100
Subject: [PATCH] #3050 XSS in Reports names

---
 WebContent/WEB-INF/jsp/reports.jsp                  | 2 +-
 src/org/scada_lts/dao/report/ReportInstanceDAO.java | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/WebContent/WEB-INF/jsp/reports.jsp b/WebContent/WEB-INF/jsp/reports.jsp
index e3b976bb9b..fd92eb1666 100644
--- a/WebContent/WEB-INF/jsp/reports.jsp
+++ b/WebContent/WEB-INF/jsp/reports.jsp
@@ -142,7 +142,7 @@
 hide("noReportInstances");
 dwr.util.addRows("reportInstancesList", instanceArray, [
-    function(ri) { return "" + ri.name + ""; },
+    function(ri) { return "" + escapeHtml(ri.name) + ""; },
     function(ri) { return ri.prettyRunStartTime; },
     function(ri) { return ri.prettyRunDuration; },
     function(ri) { return ri.prettyReportStartTime; },
diff --git a/src/org/scada_lts/dao/report/ReportInstanceDAO.java b/src/org/scada_lts/dao/report/ReportInstanceDAO.java
index 2f8a581bdc..2ec51ccb4c 100644
--- a/src/org/scada_lts/dao/report/ReportInstanceDAO.java
+++ b/src/org/scada_lts/dao/report/ReportInstanceDAO.java
@@ -44,6 +44,8 @@
 import com.serotonin.mango.rt.event.EventInstance;
 import com.serotonin.mango.vo.report.ReportInstance;
 
+import static org.directwebremoting.Security.escapeHtml;
+
 /**
  * DAO for ReportInstance
  * 
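Review bot: Once `ReportInstanceDAO.mapRow` (the other file in this patch) also runs the name through `escapeHtml`, the cell renderer on the `+` line encodes it a second time, so a report named `A & B` arrives in `ri.name` as `A &amp; B` and is displayed as the literal text `A &amp; B`. Encode at exactly one layer; this render site is the right one, since the table cell is the HTML sink, and the DAO should keep returning the raw column value. The bare `escapeHtml(...)` also assumes a page-global function of that name; if none is defined in this JSP, DWR's own helper is `dwr.util.escapeHtml`, alongside the `dwr.util.addRows` already used here. The remaining cell renderers of this `addRows` call continue past the end of the hunk and are not shown.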
@@ -154,7 +156,7 @@ public ReportInstance mapRow(ResultSet rs, int rowNum) throws SQLException {
         ReportInstance reportInstance = new ReportInstance();
         reportInstance.setId(rs.getInt(COLUMN_NAME_ID));
         reportInstance.setUserId(rs.getInt(COLUMN_NAME_USER_ID));
-        reportInstance.setName(rs.getString(COLUMN_NAME_NAME));
+        reportInstance.setName(escapeHtml(rs.getString(COLUMN_NAME_NAME)));
         reportInstance.setIncludeEvents(rs.getInt(COLUMN_NAME_INCLUDE_EVENTS));
         reportInstance.setIncludeUserComments(DAO.charToBool(rs.getString(COLUMN_NAME_INCLUDE_USER_COMMENTS)));
         reportInstance.setReportStartTime(rs.getLong(COLUMN_NAME_REPORT_START_TIME));
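Review bot: HTML-escaping on the `+` line changes the value `ReportInstance.getName()` returns for every caller of this row mapper, not only the reports table, so any non-HTML consumer of the name (plain-text or file output, comparisons against the raw stored value) would now see `&amp;`/`&lt;` entities; which consumers exist is not visible from the patch. Output encoding belongs at the HTML render site, which `reports.jsp` in this same patch already does, so the DAO should keep `reportInstance.setName(rs.getString(COLUMN_NAME_NAME));` and the static import added in the earlier hunk becomes unnecessary. If the DAO-level escaping is kept deliberately, say so next to the line, e.g. `// name is HTML-escaped at load time; views must not escape it again`, and confirm that `Security.escapeHtml` tolerates a null column value, since the original passed `null` straight through to `setName`. Instances constructed elsewhere (for example before a row is persisted) still carry the unescaped name, so this mapper alone does not cover every path. The enclosing `mapRow` method starts and ends outside the hunk.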