[WebUI] Fix encoding HTML entities for torrent attributes

Ensure all torrent attributes that might contain malicious HTML entities
are encoded.

By allowing HTML entities to be rendered, it enables malicious torrent
files to perform XSS attacks.

Resolves: https://dev.deluge-torrent.org/ticket/3459
This commit is contained in:
Calum Lind 2022-02-14 18:00:23 +00:00
parent f754882498
commit a5503c0c60
No known key found for this signature in database
GPG Key ID: 90597A687B836BA3
8 changed files with 13 additions and 5 deletions


@ -57,6 +57,7 @@ Deluge.EditTrackersWindow = Ext.extend(Ext.Window, {
header: _('Tracker'),
width: 0.9,
dataIndex: 'url',
tpl: new Ext.XTemplate('{url:htmlEncode}'),
},
],
columnSort: {
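Review bot: Nothing in the hunk records why the `tpl` exists, and a later cleanup could easily replace it with a bare `dataIndex` column and reintroduce the injection; a one-line comment above it such as `// Tracker URLs come from the torrent file: encode before rendering` would preserve the intent. The same applies to the two `{filename:htmlEncode}` templates in the FilesTab hunks (`@ -28,6` and `@ -18,6`), which are equally silent about their purpose. The `EditTrackersWindow` definition starts outside the hunk.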


@ -171,5 +171,5 @@ Deluge.FilterPanel.templates = {
tracker_host:
'<div class="x-deluge-filter" style="background-image: url(' +
deluge.config.base +
'tracker/{filter});">{filter} ({count})</div>',
'tracker/{filter});">{filter:htmlEncode} ({count})</div>',
};
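Review bot: The first `{filter}` on the new line is still inserted raw inside the `style="background-image: url(...)"` attribute, so a filter value containing `"` or `<` can still break out of the attribute; only the text-node occurrence was encoded. At minimum that occurrence should also read `{filter:htmlEncode}`, and since it is a URL path segment the more precise encoding is percent-encoding, e.g. `{[encodeURIComponent(values.filter)]}`, bearing in mind that `encodeURIComponent` leaves `(` and `)` alone, which matter inside an unquoted CSS `url()` (a `)` ends the function and lets the remainder of the value add CSS declarations). The tracker renderer in the `@ -62,7` hunk places its value in the same `url(...)` position; `htmlEncode` there prevents attribute breakout but not that CSS-level issue. The `Deluge.FilterPanel.templates` object starts outside the hunk.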


@ -17,7 +17,7 @@
return String.format(
'<div class="torrent-name x-deluge-{0}">{1}</div>',
r.data['state'].toLowerCase(),
value
Ext.util.Format.htmlEncode(value)
);
}
function torrentSpeedRenderer(value) {
@ -62,7 +62,7 @@
'<div style="background: url(' +
deluge.config.base +
'tracker/{0}) no-repeat; padding-left: 20px;">{0}</div>',
value
Ext.util.Format.htmlEncode(value)
);
}
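Review bot: `r.data['state'].toLowerCase()` on the line above the newly encoded value still goes into the `class` attribute unencoded; the state presumably comes from the daemon's fixed set of state names rather than from the torrent file, so the risk looks low, but encoding it as well costs nothing and keeps the renderer safe regardless of where the record came from: `Ext.util.Format.htmlEncode(r.data['state'].toLowerCase()),`. The renderer function's head is outside the hunk.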


@ -93,6 +93,9 @@ Deluge.add.AddWindow = Ext.extend(Deluge.add.Window, {
sortable: true,
renderer: torrentRenderer,
dataIndex: 'text',
tpl: new Ext.XTemplate(
'<div class="x-deluge-add-torrent-name">{text:htmlEncode}</div>'
),
},
],
stripeRows: true,
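Review bot: The column now carries both `renderer: torrentRenderer` and the new `tpl`, and which one is honoured depends on the column class: an `Ext.list.ListView` column renders through `tpl` and ignores `renderer`, whereas an `Ext.grid.Column` uses `renderer` and would ignore the `tpl`, leaving the name unencoded. The first case looks likely here, in which case `renderer: torrentRenderer` is dead config and should be dropped so the next reader is not misled about how the name is rendered; in the second case the encoding would have to move into the renderer instead. The `AddWindow` definition starts outside the hunk.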


@ -28,6 +28,7 @@ Deluge.add.FilesTab = Ext.extend(Ext.ux.tree.TreeGrid, {
header: _('Filename'),
width: 295,
dataIndex: 'filename',
tpl: new Ext.XTemplate('{filename:htmlEncode}'),
},
{
header: _('Size'),


@ -91,7 +91,9 @@ Deluge.details.DetailsTab = Ext.extend(Ext.Panel, {
for (var field in this.fields) {
if (!Ext.isDefined(data[field])) continue; // This is a field we are not responsible for.
if (data[field] == this.oldData[field]) continue;
this.fields[field].dom.innerHTML = Ext.escapeHTML(data[field]);
this.fields[field].dom.innerHTML = Ext.util.Format.htmlEncode(
data[field]
);
}
this.oldData = data;
},
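Review bot: Since the value is plain text, writing it through `textContent` avoids the encode-then-parse round trip entirely: `this.fields[field].dom.textContent = data[field];` — that also sidesteps any gap in `htmlEncode`'s character set (the Ext 3.x implementation, as far as I recall, does not encode `'`, harmless in a text node but worth remembering where the helper is reused in attributes). The loose comparison two lines above (`data[field] == this.oldData[field]`) should be strict `!==` unless mixed types are intended. The `update` method's head is outside the hunk.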


@ -18,6 +18,7 @@ Deluge.details.FilesTab = Ext.extend(Ext.ux.tree.TreeGrid, {
header: _('Filename'),
width: 330,
dataIndex: 'filename',
tpl: new Ext.XTemplate('{filename:htmlEncode}'),
},
{
header: _('Size'),


@ -73,7 +73,7 @@
header: _('Client'),
width: 125,
sortable: true,
renderer: fplain,
renderer: 'htmlEncode',
dataIndex: 'client',
},
{
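Review bot: The peer client string is supplied by the remote peer, so `renderer: 'htmlEncode'` is the right call, but the hunk shows only the Client column; if `fplain` is a pass-through renderer used on other peer-supplied columns of this grid (outside the hunk), those need the same treatment, and making `fplain` itself encode would cover them in one place. A short comment such as `// client string is peer-supplied: encode` would record why this column differs from its neighbours. The column definition array starts outside the hunk.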