From 4f25a3646edf295a54b307b8b82377fbc09f0934 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock
Date: Wed, 14 Aug 2019 00:22:40 +0200
Subject: [PATCH 1/2] Fixed several other XSS's

---
 data/web/js/site/debug.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/data/web/js/site/debug.js b/data/web/js/site/debug.js
index ddf7e0cb..6888f39e 100644
--- a/data/web/js/site/debug.js
+++ b/data/web/js/site/debug.js
@@ -482,6 +482,7 @@ jQuery(function($){
 }
 item.symbols[key].str = str;
 });
+ item.subject = escapeHtml(item.subject);
 item.symbols = Object.keys(item.symbols).
 map(function(key) {
 return item.symbols[key];
@@ -526,6 +527,8 @@ jQuery(function($){
 $.each(data, function (i, item) {
 if (item.ua == null) {
 item.ua = 'unknown';
+ } else {
+ item.ua = escapeHtml(item.ua);
 }
 item.ua = '' + item.ua + '';
 if (item.service == "activesync") {
@@ -535,7 +538,7 @@ jQuery(function($){
 item.service = 'IMAP, SMTP, Cal-/CardDAV';
 }
 else {
- item.service = '' + item.service + '';
+ item.service = '' + escapeHtml(item.service) + '';
 }
 });
 } else if (table == 'watchdog') {

From 409ecf7fd5923e914274bbc8609b6fa6d75a788c Mon Sep 17 00:00:00 2001
From: Patrik Kernstock
Date: Wed, 14 Aug 2019 22:19:50 +0200
Subject: [PATCH 2/2] [Web] Fixed one more possible XSS

XSS might be possible when using a specific-crafted request (harder than previous ones). Might also easily cause JS errors and making the "mailcow UI"-logs not accessible anymore
---
 data/web/js/site/debug.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/web/js/site/debug.js b/data/web/js/site/debug.js
index 6888f39e..10441874 100644
--- a/data/web/js/site/debug.js
+++ b/data/web/js/site/debug.js
@@ -564,6 +564,7 @@ jQuery(function($){
 $.each(data, function (i, item) {
 if (item === null) { return true; }
 item.user = escapeHtml(item.user);
+ item.call = escapeHtml(item.call);
 item.task = '' + item.task + '';
 item.type = '' + item.type + '';
 });
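Review bot: Only `item.subject` is escaped in this hunk, while the neighbouring `item.symbols[key].str = str;` assignment just above it (and `item.task` / `item.type` in the last hunk of the second patch) still pass their values through untouched; if those fields are built into the same markup as the subject, the same class of issue remains there — the rendering code is outside the hunk, so this is inferred rather than visible. A one-line comment on the new line would make the intent durable for the next maintainer, e.g. `// subject is attacker-controlled mail data; escape before it reaches the DOM`. The enclosing `$.each` callback starts and ends outside the hunk.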
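Review bot: The new `else` branch repeats the assignment target and nests the escape one level deeper than it needs to be; the same logic reads more directly as a single expression, `item.ua = item.ua == null ? 'unknown' : escapeHtml(item.ua);`, which keeps the escape next to the fallback it pairs with. The following context line, `item.ua = '' + item.ua + '';`, then wraps the already-escaped value, so the ordering is correct as committed. The enclosing `$.each` callback continues past the end of the hunk.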
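Review bot: `escapeHtml(item.call)` is applied without checking that the `call` property is present; the guard on the line above, `if (item === null) { return true; }`, skips only a null row, not a row that lacks the field, and the commit message itself notes that crafted input can raise JS errors that leave the log view unreadable. Unless escapeHtml is known to tolerate null/undefined (its definition is outside the hunk), `item.call = item.call == null ? '' : escapeHtml(item.call);` keeps a malformed entry from breaking the whole table; the same consideration applies to the `item.subject` line added in the first patch and to the pre-existing `item.user` line. The enclosing callback starts and ends outside the hunk.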