From a5503c0c606e196f368a58ea3d1b8457e76a3a31 Mon Sep 17 00:00:00 2001
From: Calum Lind
Date: Mon, 14 Feb 2022 18:00:23 +0000
Subject: [PATCH] [WebUI] Fix encoding HTML entities for torrent attributes
Ensure all torrent attributes that might contain malicious HTML entities are encoded. By allowing HTML entities to be rendered it enable malicious torrent files to perform XSS attacks.
Resolves: https://dev.deluge-torrent.org/ticket/3459
---
deluge/ui/web/js/deluge-all/EditTrackersWindow.js | 1 +
deluge/ui/web/js/deluge-all/FilterPanel.js | 2 +-
deluge/ui/web/js/deluge-all/TorrentGrid.js | 4 ++--
deluge/ui/web/js/deluge-all/add/AddWindow.js | 3 +++
deluge/ui/web/js/deluge-all/add/FilesTab.js | 1 +
deluge/ui/web/js/deluge-all/details/DetailsTab.js | 4 +++-
deluge/ui/web/js/deluge-all/details/FilesTab.js | 1 +
deluge/ui/web/js/deluge-all/details/PeersTab.js | 2 +-
8 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/deluge/ui/web/js/deluge-all/EditTrackersWindow.js b/deluge/ui/web/js/deluge-all/EditTrackersWindow.js
index f6733aaa6..178fd583f 100644
--- a/deluge/ui/web/js/deluge-all/EditTrackersWindow.js
+++ b/deluge/ui/web/js/deluge-all/EditTrackersWindow.js
@@ -57,6 +57,7 @@ Deluge.EditTrackersWindow = Ext.extend(Ext.Window, {
header: _('Tracker'),
width: 0.9,
dataIndex: 'url',
+ tpl: new Ext.XTemplate('{url:htmlEncode}'),
},
],
columnSort: {
diff --git a/deluge/ui/web/js/deluge-all/FilterPanel.js b/deluge/ui/web/js/deluge-all/FilterPanel.js
index b6e5ec5ca..f1fade120 100644
--- a/deluge/ui/web/js/deluge-all/FilterPanel.js
+++ b/deluge/ui/web/js/deluge-all/FilterPanel.js
@@ -171,5 +171,5 @@ Deluge.FilterPanel.templates = {
tracker_host: '
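Review bot: The added `tpl` is the only place the tracker URL is encoded, and the line carries no hint that it must stay; the `columnSort` block and the fractional `width: 0.9` in context suggest an Ext.list.ListView, whose columns render only through their `tpl`, so the encoding cannot live in a `renderer` here. A short comment would protect it from being "simplified" away later: `tpl: new Ext.XTemplate('{url:htmlEncode}'), // tracker URLs are torrent-supplied; ListView renders via tpl only`. The columns array and the enclosing `Deluge.EditTrackersWindow` definition start outside the hunk, so the list class is inferred, not visible.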
{filter} ({count})
',
+ 'tracker/{filter});">{filter:htmlEncode} ({count})',
};
diff --git a/deluge/ui/web/js/deluge-all/TorrentGrid.js b/deluge/ui/web/js/deluge-all/TorrentGrid.js
index 198ec279f..ded3fb03b 100644
--- a/deluge/ui/web/js/deluge-all/TorrentGrid.js
+++ b/deluge/ui/web/js/deluge-all/TorrentGrid.js
@@ -17,7 +17,7 @@
return String.format(
'
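Review bot: On the added line only the visible text became `{filter:htmlEncode}`; the earlier `{filter}` inside the `url(...)` of the style attribute is still substituted raw, so a tracker host containing `"` or `)` could still terminate the attribute and the element even though the text node is now safe. Encode both occurrences, `'tracker/{filter:htmlEncode});">{filter:htmlEncode} ({count})` with the rest of the line unchanged. The hunk's opening `<div` line and the removed line have lost their tags in this listing, and whether the core normalises `tracker_host` before it reaches the WebUI is not visible here, so treat the value as torrent-derived regardless.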
{1}
',
r.data['state'].toLowerCase(),
- value
+ Ext.util.Format.htmlEncode(value)
);
}
function torrentSpeedRenderer(value) {
@@ -62,7 +62,7 @@
'
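Review bot: `r.data['state'].toLowerCase()` is passed to the same String.format call unencoded, so the next reader has to work out why only `value` needed `Ext.util.Format.htmlEncode`; the name is torrent-supplied whereas state looks like a daemon-defined set of values, but nothing says so. A comment on that argument would settle it: `r.data['state'].toLowerCase(), // daemon-defined state, not torrent data; only the name is encoded`. The -62 hunk below applies the same one-argument change and needs no separate note. The enclosing renderer functions start outside the hunks, and the markup strings have lost their tags in this listing.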
{0}
',
- value
+ Ext.util.Format.htmlEncode(value)
);
}
diff --git a/deluge/ui/web/js/deluge-all/add/AddWindow.js b/deluge/ui/web/js/deluge-all/add/AddWindow.js
index a4aff067b..771543de3 100644
--- a/deluge/ui/web/js/deluge-all/add/AddWindow.js
+++ b/deluge/ui/web/js/deluge-all/add/AddWindow.js
@@ -93,6 +93,9 @@ Deluge.add.AddWindow = Ext.extend(Deluge.add.Window, {
sortable: true,
renderer: torrentRenderer,
dataIndex: 'text',
+ tpl: new Ext.XTemplate(
+ '
{text:htmlEncode}
'
+ ),
},
],
stripeRows: true,
diff --git a/deluge/ui/web/js/deluge-all/add/FilesTab.js b/deluge/ui/web/js/deluge-all/add/FilesTab.js
index fed52282d..d712c023d 100644
--- a/deluge/ui/web/js/deluge-all/add/FilesTab.js
+++ b/deluge/ui/web/js/deluge-all/add/FilesTab.js
@@ -28,6 +28,7 @@ Deluge.add.FilesTab = Ext.extend(Ext.ux.tree.TreeGrid, {
header: _('Filename'),
width: 295,
dataIndex: 'filename',
+ tpl: new Ext.XTemplate('{filename:htmlEncode}'),
},
{
header: _('Size'),
diff --git a/deluge/ui/web/js/deluge-all/details/DetailsTab.js b/deluge/ui/web/js/deluge-all/details/DetailsTab.js
index fdb4f7f0d..f1da178b1 100644
--- a/deluge/ui/web/js/deluge-all/details/DetailsTab.js
+++ b/deluge/ui/web/js/deluge-all/details/DetailsTab.js
@@ -91,7 +91,9 @@ Deluge.details.DetailsTab = Ext.extend(Ext.Panel, {
for (var field in this.fields) {
if (!Ext.isDefined(data[field])) continue; // This is a field we are not responsible for.
if (data[field] == this.oldData[field]) continue;
- this.fields[field].dom.innerHTML = Ext.escapeHTML(data[field]);
+ this.fields[field].dom.innerHTML = Ext.util.Format.htmlEncode(
+ data[field]
+ );
}
this.oldData = data;
},
diff --git a/deluge/ui/web/js/deluge-all/details/FilesTab.js b/deluge/ui/web/js/deluge-all/details/FilesTab.js
index edc388d19..60de832a6 100644
--- a/deluge/ui/web/js/deluge-all/details/FilesTab.js
+++ b/deluge/ui/web/js/deluge-all/details/FilesTab.js
@@ -18,6 +18,7 @@ Deluge.details.FilesTab = Ext.extend(Ext.ux.tree.TreeGrid, {
header: _('Filename'),
width: 330,
dataIndex: 'filename',
+ tpl: new Ext.XTemplate('{filename:htmlEncode}'),
},
{
header: _('Size'),
diff --git a/deluge/ui/web/js/deluge-all/details/PeersTab.js b/deluge/ui/web/js/deluge-all/details/PeersTab.js
index 66d4a4b95..a1919630d 100644
--- a/deluge/ui/web/js/deluge-all/details/PeersTab.js
+++ b/deluge/ui/web/js/deluge-all/details/PeersTab.js
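Review bot: After this change the AddWindow column declares both `renderer: torrentRenderer` and a `tpl`, and only the `tpl` encodes `{text}`; if the list is an Ext.list.ListView the cell is rendered from `tpl` alone and the renderer is dead config, while a grid column may render through the renderer and never evaluate the template, so which class this list is decides whether the encoding is applied at all. Confirm the list class, remove the path it does not use, and note the reason on the surviving one: `// the cell is rendered from this tpl; htmlEncode because the name comes from the torrent`. The list and the enclosing `Deluge.add.AddWindow` definition start outside the hunk, and the template's markup is garbled in this listing.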
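Review bot: The `tpl` added to the Filename column in add/FilesTab.js explains neither why a template is used nor that it is a security control, and the identical line in the details/FilesTab.js hunk at -18 has the same gap; a later cleanup that drops the `tpl` back to a bare `dataIndex` would reopen the issue without any test noticing. Put the same comment on both: `tpl: new Ext.XTemplate('{filename:htmlEncode}'), // filenames come from the torrent; the tree renders this column from tpl`. This assumes Ext.ux.tree.TreeGrid renders a column from its `tpl` when one is set; the columns arrays and the enclosing `Ext.extend` calls start outside both hunks.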
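Review bot: The added DetailsTab lines keep writing to `innerHTML`, so the field stays safe only as long as every value is routed through `Ext.util.Format.htmlEncode` first; assigning the text node directly removes that dependency, `this.fields[field].dom.textContent = data[field];`, provided no detail field deliberately carries markup (none is visible in the hunk, so confirm against the `fields` map). The comparison on the context line, `data[field] == this.oldData[field]`, is loose equality and could be `===` if both sides are always the same type, which this hunk does not show. The method this loop belongs to and the `fields` map start outside the hunk.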
@@ -73,7 +73,7 @@
header: _('Client'),
width: 125,
sortable: true,
- renderer: fplain,
+ renderer: 'htmlEncode',
dataIndex: 'client',
},
{
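Review bot: The `client` column now renders through `'htmlEncode'`, but nothing records why this column in particular needed it: the client string is reported by remote peers, not by the torrent file the commit message names, so it is a second untrusted source, and any other peer-fed column still using `fplain` outside this hunk deserves the same check. Make the trust boundary explicit on the changed line: `renderer: 'htmlEncode', // client string is peer-supplied; never render it raw`. The string form relies on Ext.grid.Column resolving `'htmlEncode'` to `Ext.util.Format.htmlEncode`, which is worth confirming for the Ext version in use. The columns array and the enclosing panel definition start outside the hunk.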