From 8c470128c353dd89f16ac21102ef347b835f47eb Mon Sep 17 00:00:00 2001
From: Joseph Magen
Date: Tue, 27 May 2014 15:58:56 +0300
Subject: [PATCH] fixes #5881 - XSS from create/update/destroy notification boxes

---
 app/controllers/application_controller.rb | 8 ++++----
 .../foreman/controller/taxonomies_controller.rb | 3 +--
 app/controllers/hostgroups_controller.rb | 3 +--
 app/controllers/roles_controller.rb | 3 +--
 4 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e6d3ea8..85bfea1 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -165,15 +165,15 @@ class ApplicationController < ActionController::Base
   end
 
   def notice notice
-    flash[:notice] = notice
+    flash[:notice] = CGI::escapeHTML(notice)
   end
 
   def error error
-    flash[:error] = error
+    flash[:error] = CGI::escapeHTML(error)
   end
 
   def warning warning
-    flash[:warning] = warning
+    flash[:warning] = CGI::escapeHTML(warning)
   end
 
   # this method is used with nested resources, where obj_id is passed into the parameters hash.
@@ -283,7 +283,7 @@ class ApplicationController < ActionController::Base
     hash[:error_msg] = [hash[:error_msg]].flatten
     hash[:error_msg] = hash[:error_msg].join("
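Review bot: `CGI::escapeHTML` on the three added lines returns a plain String rather than an html_safe buffer, so whether this closes the XSS without side effects depends on how the layout prints the flash: a view that emits it with `raw`/`html_safe` is now safe, while a view that uses Rails' default escaping will escape it a second time and show users literal `&amp;lt;`-style text. Confirming which one the layout does is worth a look before merging; if the view escapes, `ERB::Util.html_escape(notice)` (an html_safe result) avoids the double escape, subject to the flash store preserving it across the redirect. A one-line comment on `notice`, `# Escaped here: callers must pass plain text, never markup`, would stop future callers from building messages with tags that now display literally; `error` and `warning` need the same note.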
") if hash[:render] - flash.now[:error] = hash[:error_msg] unless hash[:error_msg].empty? + flash.now[:error] = CGI::escapeHTML(hash[:error_msg]) unless hash[:error_msg].empty? render hash[:render] return elsif hash[:redirect] diff --git a/app/controllers/concerns/foreman/controller/taxonomies_controller.rb b/app/controllers/concerns/foreman/controller/taxonomies_controller.rb index 89585e0..c510a5d 100644 --- a/app/controllers/concerns/foreman/controller/taxonomies_controller.rb +++ b/app/controllers/concerns/foreman/controller/taxonomies_controller.rb @@ -93,8 +93,7 @@ module Foreman::Controller::TaxonomiesController process_error end rescue Ancestry::AncestryException - flash[:error] = _('Cannot delete %{current} because it has nested %{sti_name}.') % { :current => @taxonomy.title, :sti_name => @taxonomy.sti_name } - process_error + process_error(:error_msg => _('Cannot delete %{current} because it has nested %{sti_name}.') % { :current => @taxonomy.title, :sti_name => @taxonomy.sti_name }) end def select diff --git a/app/controllers/hostgroups_controller.rb b/app/controllers/hostgroups_controller.rb index 4068d35..84e751b 100644 --- a/app/controllers/hostgroups_controller.rb +++ b/app/controllers/hostgroups_controller.rb @@ -78,8 +78,7 @@ class HostgroupsController < ApplicationController process_error end rescue Ancestry::AncestryException - flash[:error] = _("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.title } - process_error + process_error(:error_msg => ("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.title } ) end end diff --git a/app/controllers/roles_controller.rb b/app/controllers/roles_controller.rb index bbf5c5b..bd969d4 100644 --- a/app/controllers/roles_controller.rb +++ b/app/controllers/roles_controller.rb 
@@ -41,8 +41,7 @@ class RolesController < ApplicationController
   def clone
     @cloned_role = true
     @original_role_id = @role.id
-    flash[:notice] = _("Role cloned from role %{old_name}") %
-      { :old_name => @role.name }
+    notice(_("Role cloned from role %{old_name}") % { :old_name => @role.name })
     @role = Role.new
     render :action => :new
   end
--
1.7.1
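Review bot: `notice(...)` writes to `flash`, not `flash.now`, while `clone` goes on to `render :action => :new` rather than redirect, so the cloned-role message is kept for the following request in addition to the rendered page, if the layout prints flash on it. The removed lines behaved the same way, but now that the helper is the only route to an escaped notice there is no `flash.now` equivalent for render paths like this one; a `notice_now` counterpart in ApplicationController, `flash.now[:notice] = CGI::escapeHTML(notice)`, would cover it if a single display is intended, otherwise a short comment `# flash persists past this render on purpose` documents the choice. The rest of RolesController is outside the hunk.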