Bug 43755 - Strengthen javascript utilities against XSS attacks
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 5.0
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: UMC maintainers
QA Contact: UMC maintainers
URL: https://git.knut.univention.de/univen...
Reported: 2017-03-08 17:04 CET by Florian Best
Modified: 2025-06-04 11:36 CEST (History)
What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 6.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N)

Description Florian Best univentionstaff 2017-03-08 17:04:03 CET
We have various places in the JavaScript code where no escaping of HTML is done.
This might lead to parsing errors in the browser (e.g. if the content contains a ">") and even - if the content is built up from user input - to XSS attacks, which allow requests to be made with the valid session of logged-in users.

E.g. the following functions…:
umc.dialog.alert()
umc.dialog.confirm()
umc.dialog.confirmForm()
umc.widgets.Text
… probably more …

…could take additional parameters, if they allow HTML content.
Most often this is not needed, so the default should be false.
Comment 1 Florian Best univentionstaff 2017-03-27 19:29:52 CEST
Also _Module.set('title') doesn't escape HTML (this is used in UDM with HTML). A flag _Module.titleAllowHTML should be implemented.
Comment 2 Florian Best univentionstaff 2017-05-23 11:17:03 CEST
Bug #44498 is one example where the attack vector is the progress bar.
Comment 3 Florian Best univentionstaff 2021-07-06 12:17:09 CEST
diff --git management/univention-web/js/widgets/LabelPane.js management/univention-web/js/widgets/LabelPane.js
index b6d693e69d..dc6766ea34 100644
--- management/univention-web/js/widgets/LabelPane.js
+++ management/univention-web/js/widgets/LabelPane.js
@@ -111,6 +111,8 @@ define([
                //              Whether this LabelPane is in a layout with non CheckBox widgets
                betweenNonCheckBoxes: true,
 
+               allowLabelHTML: false,
+
                constructor: function(params) {
                        this._startupDeferred = new Deferred();
 
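Review bot: `allowLabelHTML: false` is added without the descriptive comment the neighbouring properties carry (compare `// Whether this LabelPane is in a layout with non CheckBox widgets` above `betweenNonCheckBoxes`); add a matching comment stating that the label is HTML-escaped unless this flag is set to true, so callers that pass markup understand why their labels now render as literal text and what to set.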
@@ -281,17 +283,18 @@ define([
                                return;
                        }
 
+                       var labelHTML = this.allowLabelHTML ? label : entities.encode(label);
                        // if we have a widget which is required, add the string ' (*)' to the label
                        if (this._isContentAWidget() && this._isContentRequired()) {
-                               label = label + ' *';
+                               labelHTML = labelHTML + ' *';
                        }
                        this.label = label;
 
                        // set the label itself and show the corresponding label node
                        var labelNode = null;
-                       if (label) {
+                       if (labelHTML) {
                                labelNode = this._getLabelNode();
-                               attr.set(labelNode, 'innerHTML', label);
+                               attr.set(labelNode, 'innerHTML', labelHTML);
                        }
                        this._hideNodes(labelNode);
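Review bot: `entities.encode(label)` introduces a dependency that is not visible in this hunk; confirm that `dojox/html/entities` is added to the `define([` dependency list and bound as `entities`, otherwise the setter fails at runtime. Two smaller points: the encode call now runs before the `if (labelHTML)` guard that previously protected `attr.set`, so check that `entities.encode` tolerates whatever non-string values can reach this line (the early `return` at the top of the hunk may already cover them); and `this.label = label` deliberately keeps the raw value while the node receives `labelHTML`, which is the right split but deserves a one-line comment so a later reader does not "fix" it by storing the encoded string.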
Comment 6 Florian Best univentionstaff 2025-06-04 11:36:23 CEST
More enhancements in https://git.knut.univention.de/univention/dev/ucs/-/merge_requests/1494