ui: fix missing htmlEncodes

username can include some special characters, so we have
to escape them

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

diff --git a/www/manager6/Workspace.js b/www/manager6/Workspace.js
index 69393958bbd726115de2edd86637ecd88babe2d0..57cb1bb9eb5c560350f6631a5784efe9416ac492 100644 (file)
--- a/www/manager6/Workspace.js
+++ b/www/manager6/Workspace.js
@@ -183,7 +183,7 @@ Ext.define('PVE.StdWorkspace', {
     updateUserInfo: function() {
        var me = this;
        var ui = me.query('#userinfo')[0];
-       ui.setText(Proxmox.UserName || '');
+       ui.setText(Ext.String.htmlEncode(Proxmox.UserName || ''));
        ui.updateLayout();
     },
 

diff --git a/www/manager6/dc/ACLView.js b/www/manager6/dc/ACLView.js
index d0efe22e823ee21a404916daf02c82b6aae45617..24fd67d96e4535e6fe64725139bf7cd4cecb39be 100644 (file)
--- a/www/manager6/dc/ACLView.js
+++ b/www/manager6/dc/ACLView.js
@@ -118,7 +118,7 @@ Ext.define('PVE.dc.ACLView', {
                return '@' + ugid;
            }
 
-           return ugid;
+           return Ext.String.htmlEncode(ugid);
        };
 
        var columns = [

diff --git a/www/manager6/dc/GroupView.js b/www/manager6/dc/GroupView.js
index c40c5ba158499b37ba3db18a9119b96f69210037..960ad11406216cb200713188965ecf298c203610 100644 (file)
--- a/www/manager6/dc/GroupView.js
+++ b/www/manager6/dc/GroupView.js
@@ -92,6 +92,7 @@ Ext.define('PVE.dc.GroupView', {
                    header: gettext('Users'),
                    sortable: false,
                    dataIndex: 'users',
+                   renderer: Ext.String.htmlEncode,
                    flex: 1
                }
            ],

diff --git a/www/manager6/dc/Log.js b/www/manager6/dc/Log.js
index 48ce272efff78bc5925a2fa3d723bd39e5ce7560..fa58c08a0a9dd2f26cde3f395c019d03e8c9e87b 100644 (file)
--- a/www/manager6/dc/Log.js
+++ b/www/manager6/dc/Log.js
@@ -68,6 +68,7 @@ Ext.define('PVE.dc.Log', {
                { 
                    header: gettext("User name"), 
                    dataIndex: 'user',
+                   renderer: Ext.String.htmlEncode,
                    width: 150
                },
                { 
@@ -79,6 +80,7 @@ Ext.define('PVE.dc.Log', {
                { 
                    header: gettext("Message"), 
                    dataIndex: 'msg',
+                   renderer: Ext.String.htmlEncode,
                    flex: 1       
                }
            ],

diff --git a/www/manager6/dc/PermissionView.js b/www/manager6/dc/PermissionView.js
index 483ab015eea6dd6bfceb3212ecc63fcedf5c744a..cc5822616be8144f3c08d7a4a02d73c33d2f1ea3 100644 (file)
--- a/www/manager6/dc/PermissionView.js
+++ b/www/manager6/dc/PermissionView.js
@@ -140,7 +140,8 @@ Ext.define('PVE.dc.PermissionView', {
     height: 600,
     layout: 'fit',
     cbind: {
-       title: '{userid} - ' + gettext('Granted Permissions'),
+       title: (get) => Ext.String.htmlEncode(get('userid')) +
+           ` - ${gettext('Granted Permissions')}`,
     },
     items: [{
        xtype: 'pveUserPermissionGrid',

diff --git a/www/manager6/dc/TFAEdit.js b/www/manager6/dc/TFAEdit.js
index bf51b8c9e013a0c6f6108080315f7ff26f9d13e5..3aada4cde8dffdbd16b00b4469ed6b2081f028a1 100644 (file)
--- a/www/manager6/dc/TFAEdit.js
+++ b/www/manager6/dc/TFAEdit.js
@@ -376,6 +376,7 @@ Ext.define('PVE.window.TFAEdit', {
                                {
                                    xtype: 'displayfield',
                                    fieldLabel: gettext('User name'),
+                                   renderer: Ext.String.htmlEncode,
                                    cbind: {
                                        value: '{userid}'
                                    }

diff --git a/www/manager6/dc/Tasks.js b/www/manager6/dc/Tasks.js
index a011fe4ffc1d7c4cac244b356b0cb476ac130848..b1441a72841a66082eec8dc67f807a3113dd927e 100644 (file)
--- a/www/manager6/dc/Tasks.js
+++ b/www/manager6/dc/Tasks.js
@@ -101,6 +101,7 @@ Ext.define('PVE.dc.Tasks', {
                {
                    header: gettext("User name"),
                    dataIndex: 'user',
+                   renderer: Ext.String.htmlEncode,
                    width: 150
                },
                {

diff --git a/www/manager6/dc/TokenEdit.js b/www/manager6/dc/TokenEdit.js
index cdb5d911dbc095f0c97ceda435374f969d4f5ff4..13f1dff84246c6c9918ae64195e28b933849c44a 100644 (file)
--- a/www/manager6/dc/TokenEdit.js
+++ b/www/manager6/dc/TokenEdit.js
@@ -41,6 +41,7 @@ Ext.define('PVE.dc.TokenEdit', {
                },
                name: 'userid',
                value: Proxmox.UserName,
+               renderer: Ext.String.htmlEncode,
                fieldLabel: gettext('User'),
            },
            {

diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index c81d5f2ff802844d53e0e16e035feebaec605431..69c60569f67e4dacd1640c66c43b691850cd21a6 100644 (file)
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -166,8 +166,8 @@ Ext.define('PVE.dc.TokenView', {
                    dataIndex: 'userid',
                    renderer: (uid) => {
                        let realmIndex = uid.lastIndexOf('@');
-                       let user = uid.substr(0, realmIndex);
-                       let realm = uid.substr(realmIndex);
+                       let user = Ext.String.htmlEncode(uid.substr(0, realmIndex));
+                       let realm = Ext.String.htmlEncode(uid.substr(realmIndex));
                        return `${user} <span style='float:right;'>${realm}</span>`;
                    },
                    hidden: !!me.fixedUser,

diff --git a/www/manager6/dc/UserEdit.js b/www/manager6/dc/UserEdit.js
index 5a0cbcf3ccdb9a4c52336873c449d07ae2b579ad..692eb2775d07b51be9ea43e13d9e6e60b3cfda1c 100644 (file)
--- a/www/manager6/dc/UserEdit.js
+++ b/www/manager6/dc/UserEdit.js
@@ -72,6 +72,7 @@ Ext.define('PVE.dc.UserEdit', {
                 name: 'userid',
                 fieldLabel: gettext('User name'),
                 value: me.userid,
+               renderer: Ext.String.htmlEncode,
                 allowBlank: false,
                 submitValue: me.isCreate ? true : false
             },

diff --git a/www/manager6/dc/UserView.js b/www/manager6/dc/UserView.js
index b9ff206bb3e01cb406ce18d39bdf274e0acc9d96..cfbb139c7ebdeaabef27283c3cc2e0b020c6f6c7 100644 (file)
--- a/www/manager6/dc/UserView.js
+++ b/www/manager6/dc/UserView.js
@@ -122,11 +122,11 @@ Ext.define('PVE.dc.UserView', {
         ];
 
        var render_username = function(userid) {
-           return userid.match(/^(.+)(@[^@]+)$/)[1];
+           return Ext.String.htmlEncode(userid.match(/^(.+)(@[^@]+)$/)[1]);
        };
 
        var render_realm = function(userid) {
-           return userid.match(/@([^@]+)$/)[1];
+           return Ext.String.htmlEncode(userid.match(/@([^@]+)$/)[1]);
        };
 
        Ext.apply(me, {

diff --git a/www/manager6/form/GroupSelector.js b/www/manager6/form/GroupSelector.js
index 3d4776ee892d42fbb0b2d86dcb68ae5872041a9f..38fc196cabe0826c71e10cf345186105694d6175 100644 (file)
--- a/www/manager6/form/GroupSelector.js
+++ b/www/manager6/form/GroupSelector.js
@@ -35,6 +35,7 @@ Ext.define('PVE.form.GroupSelector', {
                header: gettext('Users'),
                sortable: false,
                dataIndex: 'users',
+               renderer: Ext.String.htmlEncode,
                flex: 1
            }
        ]

diff --git a/www/manager6/form/TokenSelector.js b/www/manager6/form/TokenSelector.js
index 8ece6e69ad95e2911f7813ee4efeada7b7f82858..bad829d21e160b0f58080130d2131919f11a337d 100644 (file)
--- a/www/manager6/form/TokenSelector.js
+++ b/www/manager6/form/TokenSelector.js
@@ -44,6 +44,7 @@ Ext.define('PVE.form.TokenSelector', {
                header: gettext('API Token'),
                sortable: true,
                dataIndex: 'id',
+               renderer: Ext.String.htmlEncode,
                flex: 1
            },
            {

diff --git a/www/manager6/form/UserSelector.js b/www/manager6/form/UserSelector.js
index cd01bc3ee24bef658d90535adedfb23402672e21..8f6f9fa4cc7432a9a8702ea31266199c6300159b 100644 (file)
--- a/www/manager6/form/UserSelector.js
+++ b/www/manager6/form/UserSelector.js
@@ -29,6 +29,7 @@ Ext.define('PVE.form.UserSelector', {
                        header: gettext('User'),
                        sortable: true,
                        dataIndex: 'userid',
+                       renderer: Ext.String.htmlEncode,
                        flex: 1
                    },
                    {

diff --git a/www/manager6/window/Settings.js b/www/manager6/window/Settings.js
index 2fa01ef08c41da87bba4a20a78e941d38798a574..e3519b1f101c0e07be15c44425307de7baa87244 100644 (file)
--- a/www/manager6/window/Settings.js
+++ b/www/manager6/window/Settings.js
@@ -36,7 +36,7 @@ Ext.define('PVE.window.Settings', {
            var sp = Ext.state.Manager.getProvider();
 
            var username = sp.get('login-username') || Proxmox.Utils.noneText;
-           me.lookupReference('savedUserName').setValue(username);
+           me.lookupReference('savedUserName').setValue(Ext.String.htmlEncode(username));
            var vncMode = sp.get('novnc-scaling');
            if (vncMode !== undefined) {
                me.lookupReference('noVNCScalingGroup').setValue({ noVNCScalingField: vncMode });