xss update

DockerfileDev

@@ -21,11 +21,14 @@ ARG CRONICLE_UID=1007
 ARG CRONICLE_GID=1099
 RUN  addgroup cronicle --gid $CRONICLE_GID && adduser -D -h /opt/cronicle -u $CRONICLE_UID -G cronicle cronicle
 
-COPY . /opt/cronicle
-WORKDIR /opt/cronicle
 ARG echo
 RUN echo $echo
+COPY . /opt/cronicle
+WORKDIR /opt/cronicle
+
 RUN npm audit fix --force; npm install
+# downgrade chartjs for now
+RUN npm i [email protected] 
 RUN node bin/build dist
 
 # protect sensitive folders

htdocs/index-dev.html

@@ -23,6 +23,7 @@
 	<link rel="stylesheet" href="codemirror/addon/scroll/simplescrollbars.css">
 	<link rel="stylesheet" href="codemirror/addon/display/fullscreen.css">
 	<link rel="stylesheet" href="codemirror/addon/lint/lint.css">
+	<script src="js/external/xss.min.js"></script>
 	<script src="js/external/ansi_up.js"></script>
 	<script src="js/external/graphlib.min.js"></script>
 	<script src="js/external/vis-network.min.js"></script>
@@ -163,8 +164,7 @@
 			$.widget("ui.tooltip", $.ui.tooltip, {
 				options: {
 					content: function () {
-						let title = $(this).prop('title');
-						return `${title}`.replace(/script/ig, 'scrpt'); // prevent xss
+						return filterXSS($(this).prop('title'));
 					}
 				}
 			});

htdocs/js/pages/Base.class.js

@@ -67,7 +67,7 @@ Class.subclass(Page, "Page.Base", {
 		if (!extra) extra = '';
 		let icon_class = 'fa fa-clock-o';
 		if(title.plugin == 'workflow') icon_class = 'fa fa-folder';
-		let notes = title.notes ? title.notes : ""
+		let notes = title.notes ? title.notes.replace(/\"/g, """) : ""
 		if (typeof (title) == 'object') {
 			title = title.title
         }

htdocs/js/pages/admin/APIKeys.js

@@ -55,7 +55,7 @@ Class.add( Page.Admin, {
 			];
 			return [
 				'<div class="td_big">' + self.getNiceAPIKey(item, true, col_width) + '</div>',
-				'<div style="">' + item.key + '</div>',
+				'<div style="">' + encode_entities(item.key) + '</div>',
 				item.active ? '<span class="color_label green"><i class="fa fa-check">&nbsp;</i>Active</span>' : '<span class="color_label red"><i class="fa fa-warning">&nbsp;</i>Suspended</span>',
 				self.getNiceUsername(item.username, true, col_width),
 				'<span title="'+get_nice_date_time(item.created, true)+'">'+get_nice_date(item.created, true)+'</span>',

htdocs/js/pages/admin/Activity.js

@@ -287,7 +287,7 @@ Class.add( Page.Admin, {
 			var tds = [
 				'<div style="white-space:nowrap;">' + get_nice_date_time( item.epoch || 0, false, true ) + '</div>',
 				'<div class="td_big" style="white-space:nowrap; font-size:12px; font-weight:normal;">' + item_type + '</div>',
-				'<div class="activity_desc">' + desc + '</div>',
+				'<div class="activity_desc">' + filterXSS(desc) + '</div>',
 				'<div style="white-space:nowrap;">' + self.getNiceUsername(item, true) + '</div>',
 				(item.ip || 'n/a').replace(/^\:\:ffff\:(\d+\.\d+\.\d+\.\d+)$/, '$1'),
 				'<div style="white-space:nowrap;">' + actions.join(' | ') + '</div>'

htdocs/js/pages/admin/Categories.js

@@ -52,7 +52,7 @@ Class.add( Page.Admin, {
 
 			var tds = [
 				'<div class="td_big"><span class="link" onMouseUp="$P().edit_category('+idx+')">' + self.getNiceCategory(cat, col_width) + '</span></div>',
-				'<div class="ellip" style="max-width:'+col_width+'px;">' + (cat.description || '(No description)') + '</div>',
+				'<div class="ellip" style="max-width:'+col_width+'px;">' + encode_entities(cat.description || '(No description)') + '</div>',
 				num_events ? commify( num_events ) : '(None)',
 				cat.max_children ? commify(cat.max_children) : '(No limit)',
 				actions.join(' | ')

htdocs/js/pages/admin/ConfigKeys.js

@@ -110,8 +110,8 @@ Class.add( Page.Admin, {
 			if(item.type == "bool" && !item.key) key_disp = "☐"
 
 			return [
-				`<div style="white-space:nowrap;" title="${item.description}" ><i class="fa fa-wrench">&nbsp;&nbsp;</i><b>${item.title}<b></div>`
-				, `<div class="activity_desc">${key_disp}</div>`
+				`<div style="white-space:nowrap;" title="${(item.description || '').replace(/\"/g, "&quot;")}" ><i class="fa fa-wrench">&nbsp;&nbsp;</i><b>${item.title}<b></div>`
+				, `<div class="activity_desc">${encode_entities(key_disp)}</div>`
 				, '<div style="white-space:nowrap;">' + actions.join(' | ') + '</div>'
 			];
 		});

htdocs/js/pages/admin/Users.js

@@ -56,8 +56,8 @@ Class.add(Page.Admin, {
 			];
 			return [
 				'<div class="td_big">' + self.getNiceUsername(user, true, col_width) + '</div>',
-				'<div class="ellip" style="max-width:' + col_width + 'px;">' + user.full_name + '</div>',
-				'<div class="ellip" style="max-width:' + col_width + 'px;"><a href="mailto:' + user.email + '">' + user.email + '</a></div>',
+				'<div class="ellip" style="max-width:' + col_width + 'px;">' + encode_entities(user.full_name) + '</div>',
+				'<div class="ellip" style="max-width:' + col_width + 'px;"><a href="mailto:' + encode_entities(user.email) + '">' + encode_entities(user.email) + '</a></div>',
 				user.active ? '<span class="color_label green"><i class="fa fa-check">&nbsp;</i>Active</span>' : '<span class="color_label red"><i class="fa fa-warning">&nbsp;</i>Suspended</span>',
 				user.privileges.admin ? '<span class="color_label purple"><i class="fa fa-lock">&nbsp;</i>Admin</span>' : '<span class="color_label gray">Standard</span>',
 				'<span title="' + get_nice_date_time(user.created, true) + '">' + get_nice_date(user.created, true) + '</span>',

package.json

@@ -60,6 +60,7 @@
 		"socket.io-client": "1.7.3",
 		"uglify-js": "2.8.22",
 		"uncatch": "^1.0.0",
+		"xss": "^1.0.8",
 		"zxcvbn": "3.5.0"
 	},
 	"devDependencies": {

sample_conf/setup.json

@@ -401,6 +401,7 @@
 			[ "symlinkCompress", "node_modules/zxcvbn/dist/zxcvbn.js", "htdocs/js/external/" ],
 			[ "symlinkCompress", "node_modules/zxcvbn/dist/zxcvbn.js.map", "htdocs/js/external/" ],
 			[ "symlinkCompress", "node_modules/chart.js/dist/Chart.min.js", "htdocs/js/external/" ],
+			[ "symlinkCompress", "node_modules/xss/dist/xss.min.js", "htdocs/js/external/" ],
 
 
 			[ "symlinkCompress", "node_modules/font-awesome/css/font-awesome.min.css", "htdocs/css/" ],