Merge pull request #114 from browserstack/fix-uri-encode

fix: added urlencode for every query param

Author: vedharish

templates/EnigmaOps/allUserAccessList.html

@@ -82,21 +82,21 @@
     reqParams = []
     var allowTag = true;
     if(access_type.length){
-      reqParams.push("accessTag="+access_type)
-      reqParams.push("accessTagExact="+access_type)
+      reqParams.push("accessTag="+encodeURIComponent(access_type))
+      reqParams.push("accessTagExact="+encodeURIComponent(access_type))
       allowTag = false
     }
     for(var i = 0; i<fields.length; i++){
       if(fields[i].value && fields[i].value.trim().length)
         if(fields[i].id != "accessTag" || allowTag){
-          reqParams.push(fields[i].id+"="+fields[i].value)
+          reqParams.push(fields[i].id+"="+encodeURIComponent(fields[i].value))
         }
     }
-    reqParams.push("responseType="+contentType)
+    reqParams.push("responseType="+encodeURIComponent(contentType))
     reqParams.push("page="+String(page_number))
     url = new URL(window.location.href)
     if(url.searchParams.get("username")){
-      reqParams.push("username="+url.searchParams.get("username"))
+      reqParams.push("username="+encodeURIComponent(url.searchParams.get("username")))
     }
     urlBuilder = "userAccesses?" + reqParams.join("&");
     return urlBuilder;
@@ -171,7 +171,7 @@ <h4 id="header-title">`+access_type+` Accesses for User {{username}}</h4>`
             html_string += "<td>"+record["offboarding_date"]+"</td>"
             html_string += "<td>"+record["grantOwner"]+"</td>"
             html_string += "<td>"+record["revokeOwner"]+"</td>"
-            html_string += "<td>{% if is_ops %} <a class=\"btn btn-primary\" target=\"_blank\" href=\"/individual_resolve?requestId="+record["requestId"]+"&ops_resolve=true\">ReGrant</a></td>{% endif %}"
+            html_string += "<td>{% if is_ops %} <a class=\"btn btn-primary\" target=\"_blank\" href=\"/individual_resolve?requestId="+encodeURIComponent(record["requestId"])+"&ops_resolve=true\">ReGrant</a></td>{% endif %}"
             html_string += "<td>"+record["type"]+"</td>"
             html_string += "</tr>"
           }
@@ -191,7 +191,7 @@ <h4 id="header-title">`+access_type+` Accesses for User {{username}}</h4>`
 
   $(document).on('click', '.revoke-button', function(){
     id = $(this).attr("id");
-    urlBuilder = "/access/markRevoked?requestId="+id+"&username="+current_username
+    urlBuilder = "/access/markRevoked?requestId="+encodeURIComponent(id)+"&username="+encodeURIComponent(current_username)
     $.ajax({url: urlBuilder,
         success: function(result){
           console.log("yes", id+"-revoke-button", id+"-access-status")
@@ -333,7 +333,7 @@ <h4 id="header-title">Access List for User {{username}}</h4>
         <td>{{item.grantOwner}}</td>
         <td>{{item.revokeOwner}}</td>
         <td>{% if is_ops %}
-          <a class="btn btn-primary" target="_blank" href="/individual_resolve?requestId={{ item.requestId }}&ops_resolve=true">ReGrant</a></td>
+          <a class="btn btn-primary" target="_blank" href="/individual_resolve?requestId={{ item.requestId|urlencode }}&ops_resolve=true">ReGrant</a></td>
           {% endif %}
           <td>{{item.access_type}}</td>
       </tr>

templates/EnigmaOps/allUsersList.html

@@ -56,7 +56,7 @@
       if(data.status == 'success') {
         custom_alert.addClass('alert-success');
         $('.loading-spinner').css('visibility', 'hidden')
-        window.location.href = "/access/userAccesses?username=" + data.username;
+        window.location.href = "/access/userAccesses?username=" + encodeURIComponent(data.username);
       } else {
         custom_alert.addClass('alert-danger');
         setTimeout(() => {
@@ -214,7 +214,7 @@ <h4 class="modal-title"></h4>
         <td>{{ item.is_active }}</td>
         <td>{{ item.state }}</td>
         <td>
-          <a target="_blank" class="nav-link" href="{% url 'allUserAccessList' %}?username={{ item.username }}" rel="noopener noreferrer nofollow">Link</a>
+          <a target="_blank" class="nav-link" href="{% url 'allUserAccessList' %}?username={{ item.username|urlencode }}" rel="noopener noreferrer nofollow">Link</a>
         </td>
         <td>{{ item.offbaord_date }}</td>
         {% if viewDetails.allowOffboarding %}

templates/EnigmaOps/failureAdminRequests.html

@@ -94,7 +94,7 @@
 
             $(`.${selector}`).each(function () {
                 if ($(this).is(":checked"))
-                    reqParams.push(`requestId=${$(this).val()}`)
+                    reqParams.push(`requestId=${encodeURIComponent($(this).val())}`)
             });
 
             if (reqParams.length == 0) {
@@ -182,9 +182,9 @@ <h4 class="card-title">{{request.request_id}}</h4>
                             </div>
                             <div class="col-4">
                                 <div class="row float-right">
-                                <a class="card-link btn btn-primary" style="margin-top: 10px;" href="/resolve_bulk?requestId={{ request.request_id }}">Resolve</a><br>
-                                <a class="card-link btn btn-danger" style="margin-top: 10px;" href="/ignore/decline?requestId={{ request.request_id }}">Mark Declined</a><br>
-                                <a class="card-link btn btn-warning" style="margin-top: 10px;" href="/ignore/approve?requestId={{ request.request_id }}">Mark Approved</a><br>
+                                <a class="card-link btn btn-primary" style="margin-top: 10px;" href="/resolve_bulk?requestId={{ request.request_id|urlencode }}">Resolve</a><br>
+                                <a class="card-link btn btn-danger" style="margin-top: 10px;" href="/ignore/decline?requestId={{ request.request_id|urlencode }}">Mark Declined</a><br>
+                                <a class="card-link btn btn-warning" style="margin-top: 10px;" href="/ignore/approve?requestId={{ request.request_id|urlencode }}">Mark Approved</a><br>
                                 </div>
                             </div>
                         </div>

templates/EnigmaOps/showAccessHistory.html

@@ -152,7 +152,7 @@ <h2 class="h5 no-margin-bottom">Access List</h2>
         <td>{{ item.status }}</td>
         <td>{{ item.accessReason }}</td>
         <td>{{ item.decline_reason }}</td>
-        <td><a class="btn btn-primary" target="_blank"  href="/individual_resolve?requestId={{ item.requestId }}">ReGrant</a></td>
+        <td><a class="btn btn-primary" target="_blank"  href="/individual_resolve?requestId={{ item.requestId|urlencode }}">ReGrant</a></td>
       </tr>
       {% endfor %}
   	</tbody>

templates/celery_revoke_failure_email.html

@@ -6,5 +6,5 @@
 
 <BR/><BR/>
 {% if access_tag %}
-  <a target='_blank' href="{% url 'pendingFailure' %}?access_type={{ access_tag }}">View all failed grants</a>
+  <a target='_blank' href="{% url 'pendingFailure' %}?access_type={{ access_tag|urlencode }}">View all failed grants</a>
 {% endif %}