diff --git a/DockerfileDev b/DockerfileDev
index 23bf082..cb66772 100644
--- a/DockerfileDev
+++ b/DockerfileDev
@@ -21,11 +21,14 @@ ARG CRONICLE_UID=1007
ARG CRONICLE_GID=1099
RUN addgroup cronicle --gid $CRONICLE_GID && adduser -D -h /opt/cronicle -u $CRONICLE_UID -G cronicle cronicle
-COPY . /opt/cronicle
-WORKDIR /opt/cronicle
ARG echo
RUN echo $echo
+COPY . /opt/cronicle
+WORKDIR /opt/cronicle
+
RUN npm audit fix --force; npm install
+# downgrade chartjs for now
+RUN npm i chart.js@2.7.1
RUN node bin/build dist
# protect sensitive folders
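Review bot: `RUN npm audit fix --force; npm install` (kept as context here) chains the two commands with `;`, so a failed `npm audit fix --force` is ignored and the build continues; `--force` can also move dependencies across major versions, which is presumably why the new `RUN npm i chart.js@2.7.1` downgrade is needed. Installing that pin inside the image rewrites package.json/package-lock.json in the image only, so what gets built diverges from the committed lockfile; declaring the chart.js version in package.json and installing with `npm ci` would make the image reproducible. At minimum the comment should say why the pin exists and when it can go, e.g. `# pin chart.js 2.7.1: <reason> -- remove once the frontend supports the newer chart.js`.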
diff --git a/htdocs/index-dev.html b/htdocs/index-dev.html
index 6b1ac1c..47b6948 100644
--- a/htdocs/index-dev.html
+++ b/htdocs/index-dev.html
@@ -23,6 +23,7 @@
+
@@ -163,8 +164,7 @@
$.widget("ui.tooltip", $.ui.tooltip, {
options: {
content: function () {
- let title = $(this).prop('title');
- return `${title}`.replace(/script/ig, 'scrpt'); // prevent xss
+ return filterXSS($(this).prop('title'));
}
}
});
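Review bot: `filterXSS($(this).prop('title'))` sanitizes the title as HTML with the library's default whitelist, so tags such as `a` or `img` survive into the tooltip; if no tooltip title in this app intentionally carries markup, the `encode_entities` helper that this same commit adopts elsewhere is the stricter choice, `return encode_entities($(this).prop('title'));`. `filterXSS` is also a page global supplied by the xss bundle, which the earlier hunk of this file presumably includes but whose content is not visible here; if that include is missing or loads after this widget definition, every tooltip fails with a ReferenceError rather than degrading safely.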
diff --git a/htdocs/js/pages/Base.class.js b/htdocs/js/pages/Base.class.js
index ad8a024..3cb0fe5 100644
--- a/htdocs/js/pages/Base.class.js
+++ b/htdocs/js/pages/Base.class.js
@@ -67,7 +67,7 @@ Class.subclass(Page, "Page.Base", {
if (!extra) extra = '';
let icon_class = 'fa fa-clock-o';
if(title.plugin == 'workflow') icon_class = 'fa fa-folder';
- let notes = title.notes ? title.notes : ""
+ let notes = title.notes ? title.notes.replace(/\"/g, """) : ""
if (typeof (title) == 'object') {
title = title.title
}
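Review bot: `title.notes.replace(/\"/g, ...)` on the added line escapes only double quotes, so `<`, `>`, `&` and `'` in `notes` still pass through unencoded and the value is safe only inside a double-quoted attribute, not as element content. Using the helper the rest of this commit adopts, `let notes = title.notes ? encode_entities(title.notes) : "";`, keeps the escaping consistent across pages, provided `encode_entities` also encodes quotes, which should be confirmed (if it does not, keep the quote replacement after it). The replacement string itself appears garbled in this rendering, presumably an entity, so the actual file should be checked too. The enclosing function begins and ends outside the hunk, so where `notes` is finally inserted is not visible here.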
diff --git a/htdocs/js/pages/admin/APIKeys.js b/htdocs/js/pages/admin/APIKeys.js
index 85c3a47..cf0bc8e 100644
--- a/htdocs/js/pages/admin/APIKeys.js
+++ b/htdocs/js/pages/admin/APIKeys.js
@@ -55,7 +55,7 @@ Class.add( Page.Admin, {
];
return [
'
' + self.getNiceAPIKey(item, true, col_width) + '
',
- '' + item.key + '
',
+ '' + encode_entities(item.key) + '
',
item.active ? ' Active' : ' Suspended',
self.getNiceUsername(item.username, true, col_width),
''+get_nice_date(item.created, true)+'',
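Review bot: `encode_entities(item.key)` covers the key column, but the neighbouring columns still rely on `self.getNiceAPIKey(item, true, col_width)` and `self.getNiceUsername(item.username, true, col_width)`, whose escaping is not visible in this hunk; if those helpers interpolate `item.title` or `item.username` raw, the same stored values reach the DOM unescaped one cell over. The same question applies to `self.getNiceCategory(cat, col_width)` in the Categories.js hunk and `self.getNiceUsername(user, true, col_width)` in the Users.js hunk. Worth either confirming those helpers encode, or having them call `encode_entities` on the fields they render so every list page is covered in one place.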
diff --git a/htdocs/js/pages/admin/Activity.js b/htdocs/js/pages/admin/Activity.js
index c3c6350..5ac4be8 100644
--- a/htdocs/js/pages/admin/Activity.js
+++ b/htdocs/js/pages/admin/Activity.js
@@ -287,7 +287,7 @@ Class.add( Page.Admin, {
var tds = [
'' + get_nice_date_time( item.epoch || 0, false, true ) + '
',
'' + item_type + '
',
- '' + desc + '
',
+ '' + filterXSS(desc) + '
',
'' + self.getNiceUsername(item, true) + '
',
(item.ip || 'n/a').replace(/^\:\:ffff\:(\d+\.\d+\.\d+\.\d+)$/, '$1'),
'' + actions.join(' | ') + '
'
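Review bot: `filterXSS(desc)` protects the description column, but the IP column `(item.ip || 'n/a').replace(/^\:\:ffff\:(\d+\.\d+\.\d+\.\d+)$/, '$1')` and `item_type` are still concatenated into the markup raw. A socket-derived address is normally safe, but if the recorded IP can come from a proxy header the client controls that string; wrapping it as `encode_entities((item.ip || 'n/a').replace(/^\:\:ffff\:(\d+\.\d+\.\d+\.\d+)$/, '$1'))` removes the assumption at no cost. Using `filterXSS` rather than `encode_entities` for `desc` suggests it intentionally carries markup; a one-line comment such as `// desc presumably contains markup (links), so sanitize rather than entity-encode` would stop a later reviewer from swapping it.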
diff --git a/htdocs/js/pages/admin/Categories.js b/htdocs/js/pages/admin/Categories.js
index 7cc9c4d..24a253f 100644
--- a/htdocs/js/pages/admin/Categories.js
+++ b/htdocs/js/pages/admin/Categories.js
@@ -52,7 +52,7 @@ Class.add( Page.Admin, {
var tds = [
'' + self.getNiceCategory(cat, col_width) + '
',
- '' + (cat.description || '(No description)') + '
',
+ '' + encode_entities(cat.description || '(No description)') + '
',
num_events ? commify( num_events ) : '(None)',
cat.max_children ? commify(cat.max_children) : '(No limit)',
actions.join(' | ')
diff --git a/htdocs/js/pages/admin/ConfigKeys.js b/htdocs/js/pages/admin/ConfigKeys.js
index c62f9ff..015a4e8 100644
--- a/htdocs/js/pages/admin/ConfigKeys.js
+++ b/htdocs/js/pages/admin/ConfigKeys.js
@@ -110,8 +110,8 @@ Class.add( Page.Admin, {
if(item.type == "bool" && !item.key) key_disp = "☐"
return [
- ` ${item.title}
`
- , `${key_disp}
`
+ ` ${item.title}
`
+ , `${encode_entities(key_disp)}
`
, '' + actions.join(' | ') + '
'
];
});
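Review bot: `${encode_entities(key_disp)}` encodes the value column, but `${item.title}` on the added line just above it is still interpolated raw into the same template literal; if config-key titles are user-editable through this admin page they deserve the same treatment, `${encode_entities(item.title)}`. The `"☐"` placeholder assigned in the `key_disp` line also passes through `encode_entities` now, which is fine as long as the helper leaves non-ASCII alone or emits a numeric entity; worth a quick check since its implementation is not visible here.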
diff --git a/htdocs/js/pages/admin/Users.js b/htdocs/js/pages/admin/Users.js
index 4a54b4f..9538617 100644
--- a/htdocs/js/pages/admin/Users.js
+++ b/htdocs/js/pages/admin/Users.js
@@ -56,8 +56,8 @@ Class.add(Page.Admin, {
];
return [
'' + self.getNiceUsername(user, true, col_width) + '
',
- '' + user.full_name + '
',
- '',
+ '' + encode_entities(user.full_name) + '
',
+ '',
user.active ? ' Active' : ' Suspended',
user.privileges.admin ? ' Admin' : 'Standard',
'' + get_nice_date(user.created, true) + '',
diff --git a/package-lock.json b/package-lock.json
index 947ab77..866c2a6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
{
"name": "Cronicle",
- "version": "1.3.3",
+ "version": "1.3.4",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
@@ -330,6 +330,11 @@
"delayed-stream": "~1.0.0"
}
},
+ "commander": {
+ "version": "2.20.3",
+ "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz",
+ "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
+ },
"component-bind": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/component-bind/-/component-bind-1.0.0.tgz",
@@ -360,6 +365,11 @@
"resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
"integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac="
},
+ "cssfilter": {
+ "version": "0.0.10",
+ "resolved": "https://registry.npmjs.org/cssfilter/-/cssfilter-0.0.10.tgz",
+ "integrity": "sha1-xtJnJjKi5cg+AT5oZKQs6N79IK4="
+ },
"daemon": {
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/daemon/-/daemon-1.1.0.tgz",
@@ -1468,6 +1478,15 @@
"resolved": "https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.3.tgz",
"integrity": "sha1-GFqIjATspGw+QHDZn3tJ3jUomS0="
},
+ "xss": {
+ "version": "1.0.8",
+ "resolved": "https://registry.npmjs.org/xss/-/xss-1.0.8.tgz",
+ "integrity": "sha512-3MgPdaXV8rfQ/pNn16Eio6VXYPTkqwa0vc7GkiymmY/DqR1SE/7VPAAVZz1GJsJFrllMYO3RHfEaiUGjab6TNw==",
+ "requires": {
+ "commander": "^2.20.3",
+ "cssfilter": "0.0.10"
+ }
+ },
"yargs": {
"version": "3.10.0",
"resolved": "https://registry.npmjs.org/yargs/-/yargs-3.10.0.tgz",
diff --git a/package.json b/package.json
index 5e512ec..c05905b 100644
--- a/package.json
+++ b/package.json
@@ -60,6 +60,7 @@
"socket.io-client": "1.7.3",
"uglify-js": "2.8.22",
"uncatch": "^1.0.0",
+ "xss": "^1.0.8",
"zxcvbn": "3.5.0"
},
"devDependencies": {
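Review bot: `"xss": "^1.0.8"` is a caret range while the neighbouring runtime dependencies (`socket.io-client`, `uglify-js`, `zxcvbn`) are pinned exactly; for a sanitizer whose default whitelist decides what markup reaches the DOM, a silent minor or patch upgrade can change what is allowed, so pinning `"xss": "1.0.8"` matches the file's style and keeps behaviour fixed. The lockfile hunk records 1.0.8, but DockerfileDev installs with `npm audit fix --force; npm install` rather than `npm ci`, so the range can still drift inside the image.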
diff --git a/sample_conf/setup.json b/sample_conf/setup.json
index 8d7aff2..05211d5 100644
--- a/sample_conf/setup.json
+++ b/sample_conf/setup.json
@@ -401,6 +401,7 @@
[ "symlinkCompress", "node_modules/zxcvbn/dist/zxcvbn.js", "htdocs/js/external/" ],
[ "symlinkCompress", "node_modules/zxcvbn/dist/zxcvbn.js.map", "htdocs/js/external/" ],
[ "symlinkCompress", "node_modules/chart.js/dist/Chart.min.js", "htdocs/js/external/" ],
+ [ "symlinkCompress", "node_modules/xss/dist/xss.min.js", "htdocs/js/external/" ],
[ "symlinkCompress", "node_modules/font-awesome/css/font-awesome.min.css", "htdocs/css/" ],