You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@ambari.apache.org by wu...@apache.org on 2022/11/10 17:58:41 UTC

[ambari] branch trunk updated: AMBARI-25329: Ambari breadcrumbs xss vulnerability (#3482)

This is an automated email from the ASF dual-hosted git repository.

wuzhiguo pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 2b80356c8b AMBARI-25329: Ambari breadcrumbs xss vulnerability (#3482)
2b80356c8b is described below

commit 2b80356c8b760e4e86c5c859c8da850300c3acad
Author: Zhiguo Wu <wu...@apache.org>
AuthorDate: Fri Nov 11 01:58:36 2022 +0800

    AMBARI-25329: Ambari breadcrumbs xss vulnerability (#3482)
---
 ambari-web/app/views/common/breadcrumbs_view.js | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ambari-web/app/views/common/breadcrumbs_view.js b/ambari-web/app/views/common/breadcrumbs_view.js
index ec6e6a64ef..31190c5faf 100644
--- a/ambari-web/app/views/common/breadcrumbs_view.js
+++ b/ambari-web/app/views/common/breadcrumbs_view.js
@@ -149,8 +149,16 @@ App.BreadcrumbItem = Em.Object.extend({
   createLabel() {
     let label = this.get('label');
     let labelBindingPath = this.get('labelBindingPath');
+    let formattedLabel;
+
+    if (labelBindingPath) {
+      formattedLabel = Ember.Handlebars.Utils.escapeExpression(App.get(_getLabelPathWithoutApp(labelBindingPath)));
+    } else{
+      formattedLabel = label;
+    }
+
+
 
-    let formattedLabel = labelBindingPath ? App.get(_getLabelPathWithoutApp(labelBindingPath)) : label;
     this.set('formattedLabel', this.labelPostFormat(formattedLabel));
   },
 
@@ -216,7 +224,9 @@ App.BreadcrumbsView = Em.View.extend({
       }
       currentState = currentState.get('parentState');
     }
-    items = items.reverse().map(item => App.BreadcrumbItem.extend(item).create());
+    items.reverse();
+    items.slice(1).forEach(item => item.label = Ember.Handlebars.Utils.escapeExpression(item.label));
+    items = items.map(item => App.BreadcrumbItem.extend(item).create());
     if (items.length) {
       items.get('lastObject').setProperties({
         disabled: true,


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@ambari.apache.org
For additional commands, e-mail: commits-help@ambari.apache.org