Use He library to escape html in prototype-based components. Prevent creation of empty-labelled user repository. Prevent action.compression infinite loop while trying to check if file exists.

Author: cdujeu

core/src/plugins/action.compression/manifest.xml

@@ -42,6 +42,9 @@
                                     while(userSelection.fileNameExists(name + extension)){
                                         name = tmpFileName + "-" + compteurFileName;
                                         compteurFileName ++;
+                                        if(compteurFileName > 20){
+                                            break;
+                                        }
                                     }
                                     archive_nameInput.setValue(name + extension);
                                     return name;

core/src/plugins/core.conf/AbstractConfDriver.php

@@ -1048,7 +1048,11 @@ public function switchAction(ServerRequestInterface $requestInterface, ResponseI
                 $tplRepo = RepositoryService::getRepositoryById($tplId);
                 $options = [];
                 OptionsHelper::parseStandardFormParameters($ctx, $httpVars, $options);
-                $newRep = $tplRepo->createTemplateChild(InputFilter::sanitize($httpVars["DISPLAY"]), $options, $loggedUser->getId(), $loggedUser->getId());
+                $display = InputFilter::sanitize($httpVars["DISPLAY"]);
+                if(empty($display)){
+                    throw new PydioException("Cannot create repository with empty label");
+                }
+                $newRep = $tplRepo->createTemplateChild($display, $options, $loggedUser->getId(), $loggedUser->getId());
                 $gPath = $loggedUser->getGroupPath();
                 if (!empty($gPath)) {
                     $newRep->setGroupPath($gPath);

core/src/plugins/core.notifications/class.NotificationLoader.js

@@ -92,7 +92,7 @@ Class.create("NotificationLoader", {
             }
             var elLabel = el.getLabel();
             if(!elLabel) elLabel = "/";
-            var block = '<div class="notif_event_label">'+elLabel+'</div>';
+            var block = '<div class="notif_event_label">'+He.escape(elLabel)+'</div>';
             var detail = '';
             if(el.getMetadata().get('event_repository_label')){
                 detail += '<div class="notif_event_repository">'+ el.getMetadata().get('event_repository_label') + '</div>';

core/src/plugins/editor.soundmanager/class.SMPlayer.js

@@ -199,7 +199,7 @@ Class.create("SMPlayer", AbstractEditor, {
 
     open : function($super, ajxpNode){
         this.currentRichPreview = this.getPreview(ajxpNode, true);
-        this.element.down(".smplayer_title").update(ajxpNode.getLabel());
+        this.element.down(".smplayer_title").update(He.escape(ajxpNode.getLabel()));
         this.element.down(".smplayer_preview_element").insert(this.currentRichPreview);
         window.setTimeout(function(){
             try{this.currentRichPreview.down('span.sm2-360btn').click();}catch(e){}

core/src/plugins/gui.ajax/package.json

@@ -26,7 +26,8 @@
     "react-autosuggest": "1.18.2",
     "clipboard":"^1.5.8",
     "qrcode.react":"0.6.1",
-    "cronstrue":"0.3.1"
+    "cronstrue":"0.3.1",
+    "he":"1.1.0"
   },
   "devDependencies": {
     "grunt": "~0.4.5",

core/src/plugins/gui.ajax/res/js/ui/prototype/class.AbstractEditor.js

@@ -282,7 +282,7 @@ Class.create("AbstractEditor" , {
 	 */
 	updateTitle : function(title){
 		if(this.filenameSpan) {
-            this.filenameSpan.update(title);
+            this.filenameSpan.update(He.escape(title));
         }
 		if(this.fullScreenMode){
 			this.refreshFullScreenTitle();

core/src/plugins/gui.ajax/res/js/ui/prototype/class.AjxpDraggable.js

@@ -156,7 +156,7 @@ Class.create("AjxpDraggable", Draggable, {
 			var max = Math.min(nodes.length,5);
 			var maxWidth = 0;
 			for(var i=0;i<max;i++){
-				var text = nodes[i].getLabel() + (i<max-1?",<br>":"");
+				var text = He.escape(nodes[i].getLabel()) + (i<max-1?",<br>":"");
 				maxWidth = Math.max(maxWidth, testStringWidth(text));
 				this._clone.insert(text);
 			}

core/src/plugins/gui.ajax/res/js/ui/prototype/class.AjxpTabulator.js

@@ -125,6 +125,8 @@ Class.create("AjxpTabulator", AjxpPane, {
                 label = MessageHash[tabInfo.label] || tabInfo.label;
             }
             var title = MessageHash[tabInfo.title] || label.stripTags();
+            title = He.escape(title);
+            label = He.escape(label);
             var options = {className:'toggleHeader toggleInactive'};
             if(!this.options.tabsTips){ options.title = title; }
             td = new Element('span', options);
@@ -165,14 +167,15 @@ Class.create("AjxpTabulator", AjxpPane, {
         if(label && label.innerHTML !== undefined){
             if(label.down('.filenameSpan')){
                 var cont = label.down('.filenameSpan').innerHTML;
+                cont = He.escape(cont);
                 if(cont.length > 25){
                     cont = cont.substr(0,7)+"[...]"+cont.substr(-13);
                     label.down('.filenameSpan').update(cont);
                 }
             }
             return label;
         }
-        if(label.stripTags() != label) return label;
+        label = label.stripTags();
         if(!label || !label.length) return '';
         if(label.length > 25){
             return label.substr(0,7)+"[...]"+label.substr(-13);

core/src/plugins/gui.ajax/res/js/ui/prototype/class.BackgroundManagerPane.js

@@ -52,7 +52,7 @@ Class.create("BackgroundManagerPane", {
 
     updatePanelMessage : function(message){
         var imgString = '<img src="'+ajxpResourcesFolder+'/images/loadingImage.gif" width="16" align="absmiddle">';
-        this.panel.update(imgString+' '+message);
+        this.panel.update(imgString+' '+ He.escape(message));
         Effect.Appear(this.panel);
     },
 
@@ -61,7 +61,7 @@ Class.create("BackgroundManagerPane", {
 	 * @param errorMessage String
 	 */
 	updatePanelError:function(errorMessage){
-		this.panel.update(errorMessage);
+		this.panel.update(He.escape(errorMessage));
 		this.panel.insert(this.makeCloseLink());
 	},
 	/**

core/src/plugins/gui.ajax/res/js/ui/prototype/class.Breadcrumb.js

@@ -86,15 +86,15 @@ Class.create("Breadcrumb", AjxpPane, {
                         refresh = '<i class="icon-refresh ajxp-goto-refresh" title="'+MessageHash[149]+'"></i>';
                     }
                     var first = pos == 0 ? ' first-bread':'';
-                    clickPath += "<li><span class='ajxp-goto "+first+"' data-goTo='"+pair.key+"'><em>"+pair.value+"</em></span></li>";
+                    clickPath += "<li><span class='ajxp-goto "+first+"' data-goTo='"+He.escape(pair.key)+"'><em>"+He.escape(pair.value)+"</em></span></li>";
                     if(refresh){
-                        clickPath += "<li><i class='ajxp-goto' data-goTo='"+pair.key+"'>"+refresh+"</i></li>";
+                        clickPath += "<li><i class='ajxp-goto' data-goTo='"+He.escape(pair.key)+"'>"+refresh+"</i></li>";
                     }
                 }else{
                     if(pos == length-1){
                         refresh = '<span class="icon-refresh ajxp-goto-refresh" title="'+MessageHash[149]+'"></span>';
                     }
-                    clickPath += (pair.value != pos == 0 || !this.options['hide_home_icon'] ? chevron : "") + "<span class='ajxp-goto' data-goTo='"+pair.key+"'>"+pair.value+refresh+"</span>";
+                    clickPath += (pair.value != pos == 0 || !this.options['hide_home_icon'] ? chevron : "") + "<span class='ajxp-goto' data-goTo='"+He.escape(pair.key)+"'>"+He.escape(pair.value)+refresh+"</span>";
                 }
                 pos ++;
             }.bind(this));