Posted to commits@activemq.apache.org by jb...@apache.org on 2020/02/03 15:15:18 UTC
[activemq] branch master updated: AMQ-7231 - Fix XSS in WebConsole
This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/master by this push:
new 81bd743 AMQ-7231 - Fix XSS in WebConsole
new c0e17a3 Merge pull request #429 from coheigea/AMQ-7231
81bd743 is described below
commit 81bd743eaa243f0cc5dfbb1342cee1fef1fc5df2
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Jan 23 12:34:17 2020 +0000
AMQ-7231 - Fix XSS in WebConsole
---
activemq-web-console/src/main/webapp/browse.jsp | 2 +-
activemq-web-console/src/main/webapp/js/common.js | 13 -------------
activemq-web-console/src/main/webapp/message.jsp | 20 ++++++++++++++++++--
3 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/activemq-web-console/src/main/webapp/browse.jsp b/activemq-web-console/src/main/webapp/browse.jsp
index 0e18e15..ce093e4 100644
--- a/activemq-web-console/src/main/webapp/browse.jsp
+++ b/activemq-web-console/src/main/webapp/browse.jsp
@@ -50,7 +50,7 @@
<td><a href="<c:url value="message.jsp">
<c:param name="id" value="${row.JMSMessageID}" />
<c:param name="JMSDestination" value="${requestContext.queueBrowser.JMSDestination}"/></c:url>"
- title="${row.properties}">${row.JMSMessageID}</a></td>
+ title="<c:out value="${row.properties}"/>">${row.JMSMessageID}</a></td>
<td><c:out value="${row.JMSCorrelationID}"/></td>
<td><jms:persistent message="${row}"/></td>
<td><c:out value="${row.JMSPriority}"/></td>
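Review bot: The link text `${row.JMSMessageID}` on the changed line is still written as bare EL, which the JSP container emits without HTML escaping, so only the `title` attribute is protected by this change. The other cells in the row already go through `<c:out>`, and if the message ID can be set by whoever produced the message, the anchor body should be written the same way: `<c:out value="${row.JMSMessageID}"/>`. The table row starts outside the hunk, so other cells may need the same check.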
diff --git a/activemq-web-console/src/main/webapp/js/common.js b/activemq-web-console/src/main/webapp/js/common.js
index e20a34f..a4f6921 100644
--- a/activemq-web-console/src/main/webapp/js/common.js
+++ b/activemq-web-console/src/main/webapp/js/common.js
@@ -106,16 +106,3 @@ function getEventTarget(e) {
return targ;
}
-function confirmAction(id, url) {
- //TODO i18n messages
- var select = document.getElementById(id);
- var selectedIndex = select.selectedIndex;
- if (select.selectedIndex == 0) {
- alert("Please select a value");
- return;
- }
- var value = select.options[selectedIndex].value;
- url = url.replace(/%target%/gi, value);
- if (confirm("Are you sure?"))
- location.href=url;
-}
\ No newline at end of file
diff --git a/activemq-web-console/src/main/webapp/message.jsp b/activemq-web-console/src/main/webapp/message.jsp
index 7563d06..262dc5e 100644
--- a/activemq-web-console/src/main/webapp/message.jsp
+++ b/activemq-web-console/src/main/webapp/message.jsp
@@ -151,7 +151,7 @@ No message could be found for ID <c:out value="${requestContext.messageQuery.id}
</tr>
</c:if>
<tr class="odd">
- <td><a href="<c:out value="javascript:confirmAction('queue', 'copyMessage.action?destination=%target%&JMSDestination=${requestContext.messageQuery.JMSDestination}&messageId=${row.JMSMessageID}&JMSDestinationType=queue&secret=${sessionScope['secret']}"/>')">Copy</a></td>
+ <td><a href="<c:out value="javascript:confirmAction('queue', 'copyMessage"/>')">Copy</a></td>
<td rowspan="2">
<select id="queue">
<option value=""> -- Please select --</option>
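Review bot: The `<c:out>` in the Copy link now wraps only a constant, and its value stops in the middle of the JavaScript call, leaving `')` as template text after the tag. With no dynamic value left to escape, the tag only makes the attribute harder to read; plain `href="javascript:confirmAction('queue', 'copyMessage')"` is equivalent once the browser decodes the attribute. The Move link in the next hunk has the same shape. Binding the handler to a `<button type="button">` would also drop the `javascript:` URL, which a strict Content-Security-Policy would not allow.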
@@ -165,7 +165,7 @@ No message could be found for ID <c:out value="${requestContext.messageQuery.id}
</tr>
<tr class="odd">
- <td><a href="<c:out value="javascript:confirmAction('queue', 'moveMessage.action?destination=%target%&JMSDestination=${requestContext.messageQuery.JMSDestination}&messageId=${row.JMSMessageID}&JMSDestinationType=queue&secret=${sessionScope['secret']}"/>')"
+ <td><a href="<c:out value="javascript:confirmAction('queue', 'moveMessage"/>')"
>Move</a></td>
</tr>
</tbody>
@@ -225,6 +225,22 @@ function selectOptionByText (selElem, selText) {
}
}
+function confirmAction(id, action) {
+ //TODO i18n messages
+ var select = document.getElementById(id);
+ var selectedIndex = select.selectedIndex;
+ if (select.selectedIndex == 0) {
+ alert("Please select a value");
+ return;
+ }
+ var value = select.options[selectedIndex].value;
+ var url = action + ".action?destination=" + value;
+ url += "&JMSDestination=${requestContext.messageQuery.JMSDestination}";
+ url += "&messageId=${row.JMSMessageID}&JMSDestinationType=queue&secret=${sessionScope['secret']}";
+ if (confirm("Are you sure?"))
+ location.href=url;
+}
+
window.onload=function() {
sortSelect( document.getElementById('queue') );
selectOptionByText( document.getElementById('queue'), "-- Please select --" );
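Review bot: The added `confirmAction` writes `${requestContext.messageQuery.JMSDestination}` and `${row.JMSMessageID}` straight into JavaScript string literals, and nothing in this hunk escapes them for that context, so a value containing a double quote or `</script>` would still end the string or the script block. `JMSDestination` appears to come from the request, so this looks like the same class of problem moved from the `href` into the script. A safer shape is to emit both values through `<c:out>` into `data-*` attributes and read them with `getAttribute`, then pass every dynamic part through `encodeURIComponent`, starting with `var url = action + ".action?destination=" + encodeURIComponent(value);`. It is also worth confirming that `row` is still in scope where this script is rendered, and noting that `secret` travels in a GET query string, where it can end up in browser history and server logs. The enclosing script block starts outside the hunk.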