
Commit 20f59ed

committed
fix(event) dashboard: prevent DOM-XSS for incoming events
1 parent f44787f commit 20f59ed

1 file changed

+7
-3
lines changed


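--- a/internal/event/www/script.js
+++ b/internal/event/www/script.js
@@ -8,6 +8,10 @@ document.addEventListener('DOMContentLoaded', function(event) {
 filtersCount: document.getElementById('filters-count').getElementsByTagName('span')[0]
 };
 const slugify = (value) => value.toLowerCase().replace(/[^a-z0-9 -]/g, '').replace(/\s+/g, '-').replace(/-+/g, '-');
+const escapeHTML = (string) => {
+const map = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;'};
+return string.replace(/[&<>"']/g, function(m) { return map[m]; });
+};
 const sort = (list) => {
 signatures = list.getElementsByTagName("li");
 Array.from(signatures)
@@ -70,9 +74,9 @@ document.addEventListener('DOMContentLoaded', function(event) {
 row.classList.add('log', sigId);
 row.id = eventId;
 row.insertCell(0).innerHTML = `<td class="date"><span class="datetime" title="${new Date().toLocaleString}">${new Date().toLocaleTimeString()}</span></td>`;
-row.insertCell(1).innerHTML = `<td class="category-name"><strong>${data.category}</strong></td>`;
+row.insertCell(1).innerHTML = `<td class="category-name"><strong>${escapeHTML(data.category)}</strong></td>`;
 row.insertCell(2).innerHTML = `<td class="element"><div>${data.element}</pre></div></td>`;
-row.insertCell(3).innerHTML = `<td class="matches"><strong>${data[data.element]}</strong></td>`;
+row.insertCell(3).innerHTML = `<td class="matches"><strong>${escapeHTML(data[data.element])}</strong></td>`;
 row.insertCell(4).innerHTML = `<td class="log-line"><div><pre>${JSON.stringify(data)}</pre></div></td>`;
 settings.matchesCount.textContent = `${document.getElementsByClassName('log').length} threats`;
 
@@ -103,7 +107,7 @@ document.addEventListener('DOMContentLoaded', function(event) {
 const createSignature = (name) => {
 var li = document.createElement('li');
 li.id = slugify(name)
-li.innerHTML = `<a href="#" class="menu-item" title="${name}">${name}</a>`;
+li.innerHTML = `<a href="#" class="menu-item" title="${escapeHTML(name)}">${escapeHTML(name)}</a>`;
 li.addEventListener('click', (e) => {
 e.preventDefault();
 filterSignature(li);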
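Review bot: The fix in the second hunk is incomplete: `data.element` in the insertCell(2) template and `JSON.stringify(data)` in the insertCell(4) template are still interpolated into innerHTML unescaped, and JSON.stringify does not HTML-encode, so any field of the incoming event can still carry markup into the page through those two cells. They should be wrapped the same way as the neighbouring cells, `row.insertCell(2).innerHTML = \`<td class="element"><div>${escapeHTML(data.element)}</div></td>\`;` and `row.insertCell(4).innerHTML = \`<td class="log-line"><div><pre>${escapeHTML(JSON.stringify(data))}</pre></div></td>\`;` (this also drops the stray `</pre>` in cell 2). Separately, `escapeHTML` in the first hunk calls `.replace` on its argument directly, so a missing or non-string value such as `data[data.element]` being undefined throws a TypeError instead of rendering; coercing first, `return String(string).replace(/[&<>"']/g, function(m) { return map[m]; });`, avoids that. The `title="${new Date().toLocaleString}"` on the insertCell(0) line is missing the call parentheses and so renders the function source rather than a date; the enclosing DOMContentLoaded handler starts and ends outside these hunks.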
