From ddd1d952d1284f27fa5dc7442949e17474bc6a6e Mon Sep 17 00:00:00 2001
From: Joseph Magen
Date: Tue, 27 May 2014 15:58:56 +0300
Subject: [PATCH] fixes #5881 - XSS from create/update/destroy notification boxes
Conflicts:
 app/controllers/concerns/foreman/controller/taxonomies_controller.rb
 app/controllers/hostgroups_controller.rb
 app/controllers/roles_controller.rb
---
 app/controllers/application_controller.rb | 8 ++++----
 app/controllers/hostgroups_controller.rb | 3 +--
 test/functional/smart_proxies_controller_test.rb | 4 ++--
 3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 602225e..0a9876c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -131,15 +131,15 @@ class ApplicationController < ActionController::Base
 end
 def notice notice
- flash[:notice] = notice
+ flash[:notice] = CGI::escapeHTML(notice)
 end
 def error error
- flash[:error] = error
+ flash[:error] = CGI::escapeHTML(error)
 end
 def warning warning
- flash[:warning] = warning
+ flash[:warning] = CGI::escapeHTML(warning)
 end
 # this method is used with nested resources, where obj_id is passed into the parameters hash.
@@ -283,7 +283,7 @@ class ApplicationController < ActionController::Base
 hash[:error_msg] = [hash[:error_msg]].flatten
 hash[:error_msg] = hash[:error_msg].join("
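Review bot: Escaping in `notice`, `error` and `warning` with `CGI::escapeHTML` happens at write time, so any message that the flash view already escapes (Rails ERB output escaping applies to strings that are not marked `html_safe`) will render double-escaped, e.g. `&` as `&amp;amp;`; the view that renders the flash is not in this diff, so this needs confirming. `ERB::Util.html_escape` returns an `html_safe` buffer and skips strings already marked safe, which avoids that: `flash[:notice] = ERB::Util.html_escape(notice)`, and likewise for the two other setters. Also, `CGI.escapeHTML(nil)` raises, whereas the removed lines silently stored `nil`; callers that pass a missing translation or an empty result now fail here instead of showing nothing. As a point of style, `CGI.escapeHTML` (dot, not `::`) is the conventional way to call a module method.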
") if hash[:render] - flash.now[:error] = hash[:error_msg] unless hash[:error_msg].empty? + flash.now[:error] = CGI::escapeHTML(hash[:error_msg]) unless hash[:error_msg].empty? render hash[:render] return elsif hash[:redirect] diff --git a/app/controllers/hostgroups_controller.rb b/app/controllers/hostgroups_controller.rb index 5d68c16..2728ff9 100644 --- a/app/controllers/hostgroups_controller.rb +++ b/app/controllers/hostgroups_controller.rb @@ -84,8 +84,7 @@ class HostgroupsController < ApplicationController process_error end rescue Ancestry::AncestryException - flash[:error] = _("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.label } - process_error + process_error(:error_msg => ("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.label } ) end end diff --git a/test/functional/smart_proxies_controller_test.rb b/test/functional/smart_proxies_controller_test.rb index ae4c0c1..4708140 100644 --- a/test/functional/smart_proxies_controller_test.rb +++ b/test/functional/smart_proxies_controller_test.rb @@ -70,12 +70,12 @@ class SmartProxiesControllerTest < ActionController::TestCase def test_refresh_fail proxy = smart_proxies(:one) errors = ActiveModel::Errors.new(Host::Managed.new) - errors.add :base, "Unable to communicate with the proxy: it's down" + errors.add :base, "Unable to communicate with the proxy: it is down" SmartProxy.any_instance.stubs(:errors).returns(errors) SmartProxy.any_instance.stubs(:associate_features).returns(true) post :refresh, {:id => proxy}, set_session_user assert_redirected_to smart_proxies_url - assert_equal "Unable to communicate with the proxy: it's down", flash[:error] + assert_equal "Unable to communicate with the proxy: it is down", flash[:error] end end -- 1.9.0