safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 21:27:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #317 from glyptodon/GUAC-1465

Browse Source 
GUAC-1465: Interpolate text nodes as text to avoid XSS issues.
This commit is contained in:
Mike Jumper
2016-01-07 21:59:08 -08:00
parent 0fb0ca8030 7da13129c4
commit abbff6d9ac
1 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
guacamole/src/main/webapp/app/client/directives/guacFileBrowser.js
View File

@@ -122,6 +122,34 @@ angular.module('client').directive('guacFileBrowser', [function guacFileBrowser(
ManagedFilesystem.downloadFile($scope.client, $scope.filesystem, file.streamName); ManagedFilesystem.downloadFile($scope.client, $scope.filesystem, file.streamName);
}; };
/**
* Recursively interpolates all text nodes within the DOM tree of
* the given element. All other node types, attributes, etc. will
* be left uninterpolated.
*
* @param {Element} element
* The element at the root of the DOM tree to be interpolated.
*
* @param {Object} context
* The evaluation context to use when evaluating expressions
* embedded in text nodes within the provided element.
*/
var interpolateElement = function interpolateElement(element, context) {
// Interpolate the contents of text nodes directly
if (element.nodeType === Node.TEXT_NODE)
element.nodeValue = $interpolate(element.nodeValue)(context);
// Recursively interpolate the contents of all descendant text
// nodes
if (element.hasChildNodes()) {
var children = element.childNodes;
for (var i = 0; i < children.length; i++)
interpolateElement(children[i], context);
}
};
/** /**
* Creates a new element representing the given file and properly * Creates a new element representing the given file and properly
* handling user events, bypassing the overhead incurred through * handling user events, bypassing the overhead incurred through
@@ -140,7 +168,8 @@ angular.module('client').directive('guacFileBrowser', [function guacFileBrowser(
var createFileElement = function createFileElement(file) { var createFileElement = function createFileElement(file) {
// Create from internal template // Create from internal template
var element = angular.element($interpolate(fileTemplate)(file)); var element = angular.element(fileTemplate);
interpolateElement(element[0], file);
// Double-clicking on unknown file types will do nothing // Double-clicking on unknown file types will do nothing
var fileAction = function doNothing() {}; var fileAction = function doNothing() {};